Certified DevSecOps Expert (CDE)
I. Overview:
The most comprehensive DevSecOps certification in the world, become a Certified DevSecOps Expert by learning to write custom roles for OS hardening, infrastructure as code, compliance as code and perform vulnerability management at scale, with hands-on advanced training in our state of the art labs.
II. Duration: 40 hours
III. Prerequisites:
- Course participants must have the Certified DevSecOps Professional (CDP) certification.
- Course participants should have a basic understanding of Application Security Practices like SAST, DAST, etc.,
IV. Course outlines:
1. Chapter 1: Overview of DevSecOps
- DevOps Building Blocks- People, Process and Technology.
- DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
- Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
- Overview of the DevSecOps critical toolchain.
- Repository management tools.
- Continuous Integration and Continuous Deployment tools.
- Infrastructure as Code (IaC) tools.
- Communication and sharing tools.
- Security as Code (SaC) tools.
SDLC
- Overview of secure SDLC and CI/CD.
- Review of security activities in secure SDLC.
- Continuous Integration and Continuous Deployment.
- How to move from DevSecOps Maturity Model (DSOMM) Level 2 to Level 4.
- Best practices and considerations for Maturity Level 3.
- Best practices and considerations for Maturity Level 4.
- Security automation and its limits.
- DSOMM level 3 and level 4 challenges and solutions.
2. Chapter 2: Security Requirements and Threat Modelling (TM)
- What is Threat Modelling?
- STRIDE vs DREAD approaches
- Threat modeling and its challenges.
- Classical Threat modeling tools and how they fit in CI/CD pipeline
- Hands-On Labs:
- Automate security requirements as code.
- Using ThreatSpec to do Threat Modelling as Code.
- Using BDD security to codify threats.
3. Chapter 3: Advanced Static Analysis(SAST) in CI/CD pipeline
- Why pre-commit hooks are not a good fit in DevSecOps.
- Writing custom rules to weed out false positives and improve the quality of the results.
- Various approaches to write custom rules in free and paid tools.
- Regular expressions
- Abstract Syntax Trees
- Graphs ( Data and Control Flow analysis)
- Hands-On Labs: Writing custom checks in the bandit for your enterprise applications.
4. Chapter 4: Advanced Dynamic Analysis(DAST) in CI/CD pipeline
- Embedding DAST tools into the pipeline.
- Leveraging QA/Performance automation to drive DAST scans.
- Using Swagger (OpenAPI) and ZAP to scan APIs iteratively.
- Ways to handle custom authentications for ZAP Scanner.
- Using Zest Language to provide better coverage for DAST scans.
- Hands-On Labs: using ZAP + Selenium + Zest to configure in-depth scans
- Hands-On Labs: using Burp Suite Pro to configure per commit/weekly/monthly scans.
Note: Students need to bring their Burp Suite Pro License to use in CI/CD
5. Chapter 5: Runtime Analysis(RASP/IAST) in CI/CD pipeline
- What is Runtime Analysis Application Security Testing?.
- Differences between RASP and IAST.
- Runtime Analysis and challenges.
- RASP/IAST and its suitability in CI/CD pipeline.
- Hands-On Labs: A commercial implementation of the IAST tool.
6. Chapter 6: Infrastructure as Code(IaC) and Its Security
- Configuration management (Ansible) security.
- Users/Privileges/Keys – Ansible Vault vs Tower.
- Challenges with Ansible Vault in CI/CD pipeline.
- Introduction to Packer
- Benefits of Packer.
- Templates, builders, provisioners, and post processors.
- Packer for continuous security in DevOps Pipelines.
- Tools and Services for practicing IaaC ( Packer + Ansible + Docker )
- Hands-On Labs: Using Ansible to harden on-prem/cloud machines for PCI-DSS
- Hands-On Labs: Create hardened Golden images using Packer + Ansible
7. Chapter 7: Container (Docker) Security
- What is Docker
- Docker vs Vagrant
- Basics of Docker and its challenges
- Vulnerabilities in images (Public and Private)
- Denial of service attacks
- Privilege escalation methods in Docker.
- Security misconfigurations.
- Container Security.
- Content Trust and Integrity checks.
- Capabilities and namespaces in Docker.
- Segregating Networks.
- Kernel Hardening using SecComp and AppArmor.
- Static Analysis of container(Docker) images.
- Dynamic Analysis of container hosts and daemons.
- Hands-On Labs:
- Scanning docker images using Trivy and its APIs.
- Auditing Docker daemon and host for security issues.
8. Chapter 8: Secrets management on mutable and immutable infra
- Managing secrets in traditional infrastructure.
- Managing secrets in containers at Scale.
- Secret Management in Cloud
- Version Control systems and Secrets.
- Environment Variables and Configuration files.
- Docker, Immutable systems and its security challenges.
- Secrets management with Hashicorp Vault and consul.
- Hands-On Labs: Securely store Encryption keys and other secrets using Vault/Consul.
9. Chapter 9: Advanced vulnerability management
- Approaches to manage the vulnerabilities in the organization.
- False positives and False Negatives.
- Culture and Vulnerability Management.
- Creating different metrics for CXOs, devs and security teams.
- Hands-On Labs: Using Defect Dojo for vulnerability management.
Học trực tuyến
Học tại Hồ Chí Minh
Học tại Hà Nội