Length: 3 Days

DevSecOps Training Bootcamp

DevSecOps stands for development, security and operations. Its mantra is to make everyone accountable for security with the objective of implementing security decisions and actions at the same scale and speed as development and operations decisions and actions.

Organizations with a DevOps framework should be thinking about moving to a DevSecOps mindset and bringing individuals of all abilities and across all technology disciplines to a higher level of proficiency in security.

From testing for potential security exploits to building business-driven security services, a DevSecOps framework that uses DevSecOps tools ensures security is built into applications rather than being applied later.

By ensuring that security is present during every stage of the software delivery life cycle, organizations achieve continuous integration in which the cost of compliance is reduced and software is delivered and released faster.

Automation is a major factor in DevSecOps. It’s crucial to run automated tests and dependency checks at every stage of the dev pipeline. By automating manual processes and building tools into continuous integration and continuous delivery (CI/CD) pipelines, development and operations teams have increased workflow efficiencies and trust between groups, which is essential as these once-disparate teams now merge to tackle critical issues as a single new team.

Organizations are also realizing there is value in applying and sharing automation by incorporating security principles earlier in the software development life cycle (SDLC). This creates shorter feedback loops and decreases friction, which allows engineers to detect and fix security and compliance issues faster and more naturally as part of software development workflows.

Although critical, automation is not a substitute for all manual efforts. You still need to focus on the design of applications and on infrastructure support of application and security controls. It is important to identify potential weaknesses that may increase your system’s susceptibility to an attack, including where your design violates secure design patterns, your system omits security controls, or those security controls suffer from misconfiguration, weakness or misuse.

Besides automation, there are other principles that can help guide a DevSecOps program, such as:

  • Use agile methodologies to deliver code in small, frequent releases. An agile approach to SecOps helps teams check for vulnerabilities quickly and embed code analysis into the quality assurance process.
  • Always be prepared for threats. DevSecOps professionals recommend conducting regular scans, code reviews, and penetration tests to make sure you are ready for anything, and remember that the vast majority of successful cyberattacks can be attributed to human error.
  • Invest in advanced training; it pays dividends. Training can increase an entire team’s knowledge of and investment in security. It also ensures that all team members are on the same page in the DevSecOps process.

The major benefit of DevSecOps: Enhanced automation throughout the software delivery pipeline eliminates mistakes and reduces attacks and downtime. For teams looking to integrate security into their DevOps framework, the process can be completed seamlessly using the right DevSecOps tools and processes.

DevSecOps Training Bootcamp Course by Tonex

DevSecOps Training Bootcamp is a 3-day practical DevSecOps course where participants gain in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps.

DevSecOps Training Bootcamp focuses on the concepts, principles, processes, policies, guidelines, mitigation, applied Risk Management Framework (RMF), technical skills and best practices needed to make security and risk management/profiling a DevOps priority. Participants learn about DevOps and DevSecOps to take full advantage of the agility and responsiveness of a secure DevOps approach, with IT security applied across the SDLC and the full life cycle of your applications.

As IT modernization efforts grow, it’s important to understand the combination of development and operations as an approach that could help organizations modernize and speed new development efforts, especially as they migrate to cloud services.

Effective DevOps ensures rapid and frequent development cycles, but inappropriate and outdated security practices and policies can undo even the most efficient DevOps initiatives. DevSecOps, the integration of DevOps and security, is a shared responsibility that emphasizes the need to build a security foundation into DevOps initiatives.

Who Should Attend?

  • Security Staff
  • IT Leadership
  • IT Infrastructure
  • CIOs / CTOs / CSOs
  • Configuration Managers
  • Developers and Application Team Members and Leads
  • IT Operations Staff
  • IT Project & Program Managers
  • Product Owners and Managers
  • Release Engineers
  • Agile Staff and ScrumMasters
  • Software Developers
  • Software Team Leads
  • System Administrators

Learning Objectives

Upon completion of DevSecOps Training Bootcamp, participants will learn how to:

  • Identify and explain the phases of the DevOps life cycle
  • Define the roles and responsibilities that support DevOps environments
  • Describe the security components of and identify the risk principles of DevOps
  • Analyze, assess, and automate DevOps application security across the Software Development Life Cycle (SDLC)
  • Identify and explain the characteristics required to satisfy the security definition of DevOps computing
  • Use DevOps-style security metrics to measure and monitor security practices and performance
  • Differentiate between various security models and frameworks that are incorporated into the DevOps environments
  • Contrast security aspects of SDLC in standard DevOps environments, technical use cases and software requirements
  • Discuss strategies for safeguarding the DevOps approach
  • Explain strategies for protecting data at rest and data in motion
  • Conduct gap analysis between DevOps security baseline and industry-standard best practices
  • Evaluate and implement the security controls necessary to ensure confidentiality, integrity and availability (CIA) in DevOps environments
  • Conduct risk assessments of existing and proposed DevOps environments
  • Integrate the Risk Management Framework (RMF) with DevOps
  • Describe the role of encryption in protecting data and specific strategies for key management
  • Compare a variety of DevOps business continuity / disaster recovery strategies and select an appropriate solution to specific business requirements
  • Assess key DevSecOps metrics and tools to continuously monitor DevOps security risks

Course Agenda

DevOps vs. DevSecOps

  • Agile and DevOps
  • Intro to DevOps Practices
  • Principles of DevOps and DevOps Life cycle
  • Traditional SDLC
  • Requirements, Design, Implementation, Operations and Maintenance
  • Integration of Development, Software Engineering, Security and Operation
  • The “Sec” in DevSecOps
  • DevSecOps Benefits
  • DevOps, Security and Compliance
  • Continuous Integration and Continuous Delivery (CI/CD)
  • DevOps Security Policies, Roles and Compliance
  • DevOps Application Security across Software Development Life cycle (SDLC)
  • Assessing DevOps Security and Risks

DevOps Security Requirements

  • Architecture, Design and Threat Modeling Requirements
  • Data Storage and Privacy Requirements
  • Cryptography Requirements
  • Authentication and Session Management Requirements
  • Network Communication Requirements
  • Platform Interaction Requirements
  • Code Quality and Build Setting Requirements
  • Resilience Requirements
  • Integrating security within DevOps
  • Problems with traditional controls
  • A New Secure SDLC Approach
  • Steps to DevOps security
  • Traditional Web Application Security Controls
  • Penetration Testing
  • WAF (Web Application Firewall)
  • Code Analysis

DevOps Typical Security Activities

  • DevOps Typical Activities
  • Traditional Secure SDLC
  • Security foundation into DevOps initiatives
  • AppSec in a DevOps World
  • Applications Architectural Concepts & Design Requirements
  • DevOps Application Security
  • CI/CD pipeline to Embed Security
  • Securing CI/CD
  • Self Service
  • Security Champions
  • Use Maturity Models

Tools for Securing DevOps

  • DevOps Toolchain
  • Tools to secure software development at various stages of the CI/CD pipeline
  • Vulnerabilities and Applications Safety
  • DevOps Security Tools
  • OWASP SonarQube
  • OWASP ZAP
  • OWASP Dependency-Check
  • OWASP Glue
  • Anchore
  • Clair (CoreOS)
  • FOSSA
  • CyberArk Conjur

Principles Behind DevSecOps

  • DevOps, IT Modernization, and Information Security
  • DevSecOps and Principles behind “DevOps” Security
  • Uniting DevOps and Security
  • DevOps Vulnerabilities
  • Business Requirements
  • Development Teams
  • DevSecOps and SDLC Activities
  • Tools versus Processes
  • Strengthen and Scale security using DevSecOps
  • Assessment and Certification
  • Everything as Code (EaC)
  • Compliance as Code
  • Hardening via configuration management systems
  • DevOps Data Security
  • Legal & Compliance
  • Security Tools in CI/CD
  • Use Secure by Default Frameworks
  • Services Shift Security Left

DevSecOps and Application Security

  • DevOps and Security
  • OWASP AppSec Pipeline
  • The OWASP AppSec Rugged DevOps Pipeline Project
  • Security as a DevOps practice
  • Application Security Risk Assessment and Testing
  • Application Threat Modeling
  • Security shifting to the left
  • Static Code Analysis (SAST)
  • Dynamic Testing (DAST)
  • Runtime Protection
  • Infrastructure/Platform Vulnerability Scanning
  • Platform configuration & compliance
  • Deployment of controls
  • Firewalling, micro-segmentation
  • WAFs, DBSGs, etc.
  • RASP
  • Identity & Access Management
  • Automated & programmatically provisioned

How to DevSecOps

  • Culture
  • Measurements
  • Automation and Sharing
  • Core Values of DevOps
  • Scale security with DevOps
  • DevSecOps Implementation
  • Shift Security Left
  • Use CI/CD pipeline to Embed Security
  • Self Service
  • Gives developers and operations visibility into security activities
  • Security Champions
  • DevSecOps and Operations
  • Change management and DevSecOps
  • DevSecOps for Defense and Government Agencies

DevSecOps Maturity

  • DevSecOps Maturity Model (DSOMM)
  • Static versus Dynamic Depth
  • Static Code Analysis and Dynamic Depth
  • Intensity
  • Consolidation
  • OWASP DevSecOps Studio Project

Risk Management Framework (RMF), DevOps and DevSecOps

  • DevSecOps and RMF
  • Encryption in protecting data and specific strategies for key management
  • DevSecOps Metrics
  • Tools to Monitor DevOps Security Risks
  • Applying DevOps to DoD5000 Processes
  • DevSecOps and Authority to Operate (ATO)
  • Integration of DevSecOps and RMF for Continuous ATO
  • Software integrated tools, services, and standards

Workshops and Group Activities

Workshop 1: Plan for DevSecOps

  • DevOps, developers and operations
  • Improving the quality
  • DevOps culture to ensure secure, high-quality software
  • Unsecured APIs and frameworks
  • Security sensitive code portions
  • Regulatory problems
  • Identity and Access Management (IAM)

Workshop 2: Secure Code Overview

  • Tools for Automating Secure Coding
  • Developer guidelines & checklists
  • Coding Standards
  • Common pitfalls and mitigation
  • Security Testing
  • Runtime Application Self-Protection (RASP)

Workshop 3: Create a DevSecOps Plan

  • DevOps and security
  • Tools you need to implement DevSecOps
  • Train your team in the culture of DevSecOps
  • Patterns for security
  • Scanning
