Length: 3 Days

DevSecOps Training Bootcamp

DevSecOps (development, security and operations) is the seamless integration of security testing and protection throughout the software development and deployment lifecycle.

Similar to DevOps, the goals of DevSecOps are to release better software faster, and to detect and respond to software flaws in production faster and with more efficiency.

DevSecOps is important because, although security testing can slow down software releases, it remains essential: the benefits far outweigh the cost of a security breach.

Implementing DevSecOps not only reduces risk but also saves rework and time by introducing security early in the development process. This is done with security tools that can be automated and integrated into the pipeline early, especially at code commit and in the stages before a change reaches production.
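One concrete form of the commit-time automation described above is a pipeline gate that reads a dependency-scanner report and fails the build when a finding crosses an agreed severity threshold. The following is an added example written for this page; it is not Tonex course material and not code from any scanner. It assumes a simplified version of the JSON report that OWASP Dependency-Check produces (a `dependencies` list whose entries may carry a `vulnerabilities` list with a `name` and a `cvssv3.baseScore`); the sample report, the threshold and the accepted-risk entry with its ticket reference are all constructed for the example.

```python
"""Pipeline security gate: fail the build on high-severity dependency findings.

Added example for this page (not Tonex course material, not Dependency-Check
code). The report layout below is a constructed, simplified version of the
JSON that OWASP Dependency-Check emits; only the fields this script reads are
included.
"""
import json
from datetime import date

# Constructed sample report (not output of a real scan). The CVE IDs and scores
# are the public ones for these library versions; the report itself is made up.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-core-2.14.1.jar",
         "vulnerabilities": [{"name": "CVE-2021-44228", "severity": "CRITICAL",
                              "cvssv3": {"baseScore": 10.0}}]},
        {"fileName": "commons-text-1.9.jar",
         "vulnerabilities": [{"name": "CVE-2022-42889", "severity": "CRITICAL",
                              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "jackson-databind-2.13.4.jar",
         "vulnerabilities": [{"name": "CVE-2022-42003", "severity": "HIGH",
                              "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "guava-31.1-jre.jar"},  # clean dependency: no "vulnerabilities" key
    ]
})

# Findings at or above this CVSS score block the build ("high" and "critical").
FAIL_ON_CVSS = 7.0

# Accepted-risk exceptions. Each must name the CVE *and* the artifact, give a
# reason, and expire; the ticket reference is a hypothetical placeholder.
ACCEPTED_RISK = [
    {"cve": "CVE-2022-42003", "file": "jackson-databind-2.13.4.jar",
     "reason": "untrusted deserialization disabled; upgrade tracked in SEC-123 (hypothetical)",
     "expires": "2030-01-01"},
]


def findings(report_json):
    """Flatten the report into (file, cve, score) records, preferring CVSSv3."""
    records = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = vuln.get("cvssv3", {}).get("baseScore")
            if score is None:  # older entries may only carry a CVSSv2 score
                score = vuln.get("cvssv2", {}).get("score", 0.0)
            records.append({"file": dep["fileName"], "cve": vuln["name"],
                            "score": float(score)})
    return records


def is_accepted(finding, accepted, today):
    """True only for a matching exception that has not yet expired."""
    for entry in accepted:
        if entry["cve"] == finding["cve"] and entry["file"] == finding["file"]:
            return date.fromisoformat(entry["expires"]) > today
    return False


def evaluate(report_json, threshold=FAIL_ON_CVSS, accepted=ACCEPTED_RISK, today=None):
    """Split findings at/above the threshold into blocking and suppressed sets."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    blocking, suppressed = [], []
    for f in findings(report_json):
        if f["score"] < threshold:
            continue
        (suppressed if is_accepted(f, accepted, today) else blocking).append(f)
    return {"blocking": blocking, "suppressed": suppressed, "passed": not blocking}


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT)
    for f in result["blocking"]:
        print(f"BLOCK  {f['cve']:<16} {f['score']:>5}  {f['file']}")
    for f in result["suppressed"]:
        print(f"ACCEPT {f['cve']:<16} {f['score']:>5}  {f['file']}")
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit fails the CI job
```

The accepted-risk list is the part teams most often get wrong: a suppression without an owner, a reason and an expiry date becomes a permanent blind spot, so the gate treats an expired entry exactly like a new finding. Run the script as a CI step after the scanner and let the non-zero exit status fail the job.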

Analysts contend that the greatest obstacle to DevSecOps is culture rather than technology.

Traditionally, security teams and dev teams work separately. To successfully move to a DevSecOps methodology, teams should make application security an integrated strategy and continue to encourage security awareness.

Experts in this field recommend several approaches to developing a DevSecOps culture in your organization, such as:

  • Integrate security into the DevOps process from the start
  • Analyze code and perform vulnerability assessments
  • Adopt the right DevSecOps tools
  • Train developers to code securely
  • Monitor continuous integration and continuous delivery (CI/CD)
  • Automate the process as much as possible

Do DevSecOps right and reap the benefits. DevSecOps supports openness and transparency from the start of development, secure-by-design thinking, and the ability to measure. Organizations can also expect faster recovery from a security incident and an overall security improvement by adopting immutable infrastructure, which in turn depends on security automation.

Perhaps the biggest benefit is rapid, cost-effective software delivery.

When software is developed in a non-DevSecOps environment, security problems can lead to huge time delays. Fixing the code and security issues can be time-consuming and expensive. The rapid, secure delivery of DevSecOps saves time and reduces costs by minimizing the need to repeat a process to address security issues after the fact.

The process becomes more efficient and cost-effective because integrated security cuts out duplicative reviews and unnecessary rebuilds, resulting in more secure code.

DevSecOps Training Bootcamp Course by Tonex

DevSecOps Training Bootcamp is a 3-day practical DevSecOps course where participants gain in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps.

The DevSecOps Training Bootcamp focuses on the concepts, principles, processes, policies, guidelines, mitigations, the applied Risk Management Framework (RMF), technical skills and best practices needed to make security and risk management/profiling a DevOps priority. Participants learn about DevOps and DevSecOps so they can take full advantage of the agility and responsiveness of a secure DevOps approach, with IT security applied across the SDLC and the full life cycle of their applications.

As IT modernization efforts grow, it is important to understand the combination of development and operations as an approach that can help organizations modernize and speed up new development efforts, especially as they migrate to cloud services.

Effective DevOps ensures rapid and frequent development cycles, but inappropriate and outdated security practices and policies can undo even the most efficient DevOps initiative. DevSecOps, the integration of security into DevOps, makes security a shared responsibility and emphasizes the need to build a security foundation into DevOps initiatives.

Who Should Attend?

  • Security Staff
  • IT Leadership
  • IT Infrastructure
  • CIOs / CTOs / CSOs
  • Configuration Managers
  • Developers and Application Team Members and Leads
  • IT Operations Staff
  • IT Project & Program Managers
  • Product Owners and Managers
  • Release Engineers
  • Agile Staff and ScrumMasters
  • Software Developers
  • Software Team Leads
  • System Administrators

Learning Objectives

Upon completion of DevSecOps Training Bootcamp, participants will learn how to:

  • Identify and explain the phases of the DevOps life cycle
  • Define the roles and responsibilities that support DevOps environments
  • Describe the security components of and identify the risk principles of DevOps
  • Analyze, assess, and automate DevOps application security across the Software Development Life Cycle (SDLC)
  • Identify and explain the characteristics a DevOps environment must have to be considered secure
  • Use DevOps-style security metrics to measure and monitor security practices and performance
  • Differentiate between various security models and frameworks that are incorporated into the DevOps environments
  • Contrast security aspects of SDLC in standard DevOps environments, technical use cases and software requirements
  • Discuss strategies for safeguarding a DevOps approach
  • Explain strategies for protecting data at rest and data in motion
  • Conduct gap analysis between DevOps security baseline and industry-standard best practices
  • Evaluate and implement the security controls necessary to ensure confidentiality, integrity and availability (CIA) in DevOps environments
  • Conduct risk assessments of existing and proposed DevOps environments
  • Integrate the Risk Management Framework (RMF) with DevOps
  • Describe the role of encryption in protecting data and specific strategies for key management
  • Compare a variety of DevOps business continuity / disaster recovery strategies and select an appropriate solution to specific business requirements
  • Assess key DevSecOps metrics and tools to continuously monitor DevOps security risks

Course Agenda

DevOps vs. DevSecOps

  • Agile and DevOps
  • Intro to DevOps Practices
  • Principles of DevOps and DevOps Life cycle
  • Traditional SDLC
  • Requirements, Design, Implementation, Operations and Maintenance
  • Integration of Development, Software Engineering, Security and Operation
  • The “Sec” in DevSecOps
  • DevSecOps Benefits
  • DevOps, Security and Compliance
  • Continuous Integration and Continuous Delivery (CI/CD)
  • DevOps Security Policies, Roles and Compliance
  • DevOps Application Security across Software Development Life cycle (SDLC)
  • Assessing DevOps Security and Risks

DevOps Security Requirements

  • Architecture, Design and Threat Modeling Requirements
  • Data Storage and Privacy Requirements
  • Cryptography Requirements
  • Authentication and Session Management Requirements
  • Network Communication Requirements
  • Platform Interaction Requirements
  • Code Quality and Build Setting Requirements
  • Resilience Requirements
  • Integrating security within DevOps
  • Problems with traditional controls
  • A New Secure SDLC Approach
  • Steps to DevOps security
  • Traditional Web Application Security Controls
  • Penetration Testing
  • WAF (Web Application Firewall)
  • Code Analysis

DevOps Typical Security Activities

  • DevOps Typical Activities
  • Traditional Secure SDLC
  • Security foundation into DevOps initiatives
  • AppSec in a DevOps World
  • Applications Architectural Concepts & Design Requirements
  • DevOps Application Security
  • CI/CD pipeline to Embed Security
  • Securing CI/CD
  • Self Service
  • Security Champions
  • Use Maturity Models

Tools for Securing DevOps

  • DevOps Toolchain
  • Tools to secure software development at various stages of the CI/CD pipeline
  • Vulnerabilities and Application Safety
  • DevOps Security Tools
  • SonarQube (a SonarSource product, not an OWASP project)
  • OWASP ZAP
  • OWASP Dependency-Check
  • OWASP Glue
  • Anchore
  • Clair (CoreOS)
  • FOSSA
  • Cyberark Conjur

Principles Behind DevSecOps

  • DevOps, IT Modernization, and Information Security
  • DevSecOps and Principles behind “DevOps” Security
  • Uniting DevOps and Security
  • DevOps Vulnerabilities
  • Business Requirements
  • Development Teams
  • DevSecOps and SDLC Activities
  • Tools versus Processes
  • Strengthen and Scale security using DevSecOps
  • Assessment and Certification
  • Everything as Code (EaC)
  • Compliance as Code
  • Hardening via configuration management systems
  • DevOps Data Security
  • Legal & Compliance
  • Security Tools in CI/CD
  • Use Secure by Default Frameworks
  • Services Shift Security Left

DevSecOps and Application Security

  • DevOps and Security
  • OWASP AppSec Pipeline
  • The OWASP AppSec Rugged DevOps Pipeline Project
  • Security as a DevOps practice
  • Application Security Risk Assessment and Testing
  • Application Threat Modeling
  • Security shifting to the left
  • Static Code Analysis (SAST)
  • Dynamic Testing (DAST)
  • Runtime Protection
  • Infrastructure/Platform Vulnerability Scanning
  • Platform configuration & compliance
  • Deployment of controls
  • Firewalling, micro-segmentation
  • WAFs, DBSGs, etc.
  • RASP
  • Identity & Access Management
  • Automated & programmatically provisioned

How to DevSecOps

  • Culture
  • Measurements
  • Automation and Sharing
  • Core Values of DevOps
  • Scale security with DevOps
  • DevSecOps Implementation
  • Shift Security Left
  • Use CI/CD pipeline to Embed Security
  • Self Service
  • Give developers and operations visibility into security activities
  • Security Champions
  • DevSecOps and Operations
  • Change management and DevSecOps
  • DevSecOps for Defense and Government Agencies

DevSecOps Maturity

  • DevSecOps Maturity Model (DSOMM)
  • Static versus Dynamic Depth
  • Static Code Analysis and Dynamic Depth
  • Intensity
  • Consolidation
  • OWASP DevSecOps Studio Project

Risk Management Framework (RMF), DevOps and DevSecOps

  • DevSecOps and RMF
  • Encryption in protecting data and specific strategies for key management
  • DevSecOps Metrics
  • Tools to Monitor DevOps Security Risks
  • Applying DevOps to DoD 5000 Processes
  • DevSecOps and Authority to Operate (ATO)
  • Integration of DevSecOps and RMF for Continuous ATO
  • Software integrated tools, services, and standards

Workshops and Group Activities

Workshop 1: Plan for DevSecOps

  • DevOps, developers and operations
  • Improving the quality
  • DevOps culture to ensure secure, high-quality software
  • Unsecured APIs and frameworks
  • Security sensitive code portions
  • Regulatory problems
  • Identity and Access Management (IAM)

Workshop 2: Secure Code Overview

  • Tools for Automating Secure Coding
  • Developer guidelines & checklists
  • Coding Standards
  • Common pitfalls and mitigation
  • Security Testing
  • Runtime Application Self-Protection (RASP)

Workshop 3: Create a DevSecOps Plan

  • DevOps and security
  • Tools you need to implement DevSecOps
  • Train your team in the culture of DevSecOps
  • Patterns for security
  • Scanning

 
