Certified DevSecOps Professional (CDP)

I. Overview:

The DevSecOps Professional course is our most sought-after DevSecOps Training and Certification program.

II. Objectives:

In this DevSecOps certification course, you will learn:

  • DevSecOps processes, tools, and techniques.
  • Major components in a DevOps Pipeline.
  • How to create and maintain DevSecOps pipelines using SCA, SAST, DAST, and Security as Code.
  • How to mature an organization’s DevSecOps program.
  • How to understand and apply the principles, values, and practices that enable DevSecOps.

III. Duration: 40 hours

IV. Prerequisites:
  • Course participants should know how to run basic Linux commands such as ls, cd and mkdir.
  • Course participants should have a basic understanding of application security practices such as the OWASP Top 10.
  • You don’t need any experience with DevOps or DevOps tools.

V. Course outline:

  • What is DevOps?
  • DevOps Building Blocks- People, Process and Technology.
  • DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
  • Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
  • What is Continuous Integration and Continuous Deployment?
    • Continuous Integration to Continuous Deployment to Continuous Delivery.
    • Continuous Delivery vs Continuous Deployment.
    • General workflow of CI/CD pipeline.
    • Blue/Green deployment strategy
    • Achieving full automation.
    • Designing a CI/CD pipeline for web application.
  • Common challenges faced when applying DevOps principles.
  • Case studies on cutting-edge DevOps practice at Facebook, Amazon and Google.
  • Demo: A full enterprise grade DevSecOps Pipeline.

2. Chapter 2: Introduction to the Tools of the trade

  • Gitlab/Github
  • Docker
  • Gitlab CI/Github Actions/Circle CI/Jenkins/Travis
  • OWASP ZAP
  • Ansible
  • InSpec
  • Hands-On Labs: Building a CI pipeline using Gitlab CI/Jenkins/Travis and Gitlab/Github Actions.
  • Hands-On Labs: Use the above tools to create a complete CI/CD pipeline.
  • Note: Once you learn the above tools, you will be able to create DevSecOps pipelines in cloud providers such as AWS, Azure DevOps, etc.

3. Chapter 3: Secure SDLC and CI/CD pipeline

  • What is Secure SDLC
  • Secure SDLC Activities and Security Gates
    • Security Requirements (Requirements)
    • Threat Modelling (Design)
    • Static Analysis and Secure by Default (Implementation)
    • Dynamic Analysis (Testing)
    • OS Hardening, Web/Application Hardening (Deploy)
    • Security Monitoring/Compliance (Maintain)
  • DevSecOps Maturity Model (DSOMM)
    • Maturity levels and tasks involved
    • 4-axes in DSOMM
    • How to go from Maturity Level 1 to Maturity Level 4
    • Best practices for Maturity Level 1
    • Considerations for Maturity Level 2
    • Challenges in Maturity Level 3
    • Dream of achieving Maturity Level 2
  • Using the tools of the trade to do the above activities in CI/CD
  • Embedding Security as part of CI/CD pipeline
  • DevSecOps and challenges with Pentesting and Vulnerability Assessment.
  • Hands-on: Create a CI/CD pipeline suitable for a modern application.
  • Hands-on: Manage the findings in a fully automated pipeline.

4. Chapter 4: Software Component Analysis (SCA) in CI/CD pipeline

  • What is Software Component Analysis.
  • Software Component Analysis and Its challenges.
  • What to look for in an SCA solution (free or commercial).
  • Embedding SCA tools like OWASP Dependency-Check, Safety, RetireJS, npm audit and Snyk into the pipeline.
  • Demo: using OWASP Dependency-Check to scan for third-party component vulnerabilities in a Java code base.
  • Hands-On Labs: using RetireJS and npm audit to scan for third-party component vulnerabilities in a JavaScript code base.
  • Hands-On Labs: using Safety/pip to scan for third-party component vulnerabilities in a Python code base.

5. Chapter 5: SAST (Static Analysis) in CI/CD pipeline

  • What is Static Application Security Testing.
  • Static Analysis and Its challenges.
  • Embedding SAST tools like FindBugs into the pipeline.
  • Secrets scanning to prevent secret exposure in the code.
  • Writing custom checks to catch secret leakage in an organization.
  • Hands-On Labs:
    • Using SpotBugs to scan Java code.
    • Using trufflehog/gitrob to scan for secrets in CI/CD pipeline.
    • Using brakeman/bandit to scan Ruby on Rails and Python Code Base.

6. Chapter 6: DAST (Dynamic Analysis) in CI/CD pipeline

  • What is Dynamic Application Security Testing.
  • Dynamic Analysis and its challenges (session management, AJAX crawling).
  • Embedding DAST tools like ZAP and Burp Suite Dastardly into the pipeline.
  • SSL misconfiguration testing
  • Server misconfiguration testing, e.g. exposed hidden folders and files.
  • Creating baseline scans for DAST.
  • Hands-On Labs: using ZAP to configure per commit/weekly/monthly scans.

7. Chapter 7: Infrastructure as Code and Its Security

  • What is Infrastructure as Code and its benefits.
  • Platform + Infrastructure Definition + Configuration Management.
    • Introduction to Ansible.
      • Benefits of Ansible.
      • Push and Pull based configuration management systems
      • Modules, tasks, roles and Playbooks
    • Tools and services that help achieve IaC.
    • Hands-On Labs: Docker and Ansible
    • Hands-On Labs: Using Ansible to create Golden images and harden Infrastructure.

8. Chapter 8: Compliance as code

  • Different approaches to handling compliance requirements at DevOps scale.
  • Using configuration management to achieve compliance.
  • Manage compliance at scale using InSpec/OpenSCAP.
  • Hands-On Labs: Create an InSpec profile that encodes compliance checks for your organization.
  • Hands-On Labs: Use an InSpec profile to scale compliance.

9. Chapter 9: Vulnerability Management with custom tools

  • Approaches to manage the vulnerabilities in the organization.
  • Hands-On Labs: Using DefectDojo for vulnerability management.
