DevSecOps 'Hands-on'

Provided by

Enquire about this course

About the course

DevSecOps has been described as 'security as code', 'a marriage of DevOps and Security' and 'Shifting security to the left'. Traditional security approaches are inefficient and largely ineffective for organisations using Agile, DevOps and Cloud - as illustrated by the massive amount of recent data breaches. DevSecOps is a new approach which embeds security to each DevOps team, with automated security testing at all stages of the software development lifecycle. Security infrastructure, policies, controls, compliance, audit and even secure operations are all coded and automated, with almost no manual processes.

This three day hands-on course begins with an overview of the DevSecOps approach, framework and DevSecOps toolkit, then looks at application security, the elements of a secure software development lifecycle, and the use of automated application security tests as part of the continuous integration / continuous deployment pipeline. Next we move on to cloud security, infrastructure as code, and potential security issues which can arise from the agile DevOps process. We cover the implementation of security controls as code, ranging from security policies, secrets management, encryption, identity and access management, to logging, monitoring and alerting. Containers and serverless architectures are introduced and potential security issues highlighted, with a review of container security technologies. A DevSecOps approach is used to integrate automated security tests and mitigate security risks. Continuous compliance as code is covered, using different approaches and appropriate DevSecOps tools for prevention, detection and remediation, leading to the concept of audit as code.

A new model for Security Operations is presented with security incident identification, management and response as code, making use of big data analysis, artificial intelligence and machine learning, alongside more traditional techniques such as signature detection and threat intelligence feeds. Finally, we look at the people aspect of DevSecOps, moving away from technology and code, to organisational and cultural aspects, skills development, team effectiveness and recruitment approaches.

The course is delivered through presentations, practical demonstrations and labs. You will gain practical hands-on experience of DevSecOps tools, automated security tests and serverless applications. You will implement security improvements to infrastructure as code, and deploy continuous compliance tools to provide ongoing security assurance for a cloud environment.

Due to the interactive nature of the course and labs, it will be delivered on site at QA training centres and is not suitable for online learning.


Prerequisites

This course is primarily aimed at:

Application developers, DevOps engineers, team leaders and managers wishing to improve their knowledge of security and DevSecOps
Security and information risk professionals looking to develop their understanding of DevSecOps framework and tools, coding, automation and the changes needed to ensure effective security in a DevOps culture

There are no particular pre-requisites, however delegates will benefit from any knowledge and experience of DevOps, application and infrastructure security.


Delegates will learn how to

Delegates will learn about the following topics:

    DevSecOps approach, framework and toolkit
    Automated application security testing integrated to CI/CD pipeline
    Cloud security, infrastructure as code, unit and integration tests
    Containers, security issues and container security solutions
    Continuous compliance as code
    Serverless functions, architectures, automated remediation
    A DevSecOps model for security operations
    People aspects of DevSecOps


Outline

DAY ONE

Introduction

    Introductions
    Objectives of course
    Agenda


DevSecOps Approach, Framework and Toolkit

    DevOps fundamentals
    Lab: Application Development Pipeline
    Why a traditional security approach doesn't work
    What is DevSecOps?
    DevSecOps approach
    DevSecOps framework
    DevSecOps toolkit


Automated Application Security Testing

    OWASP Top 10
    Secure Software Development Lifecycle
    Application Security Testing Tools
    Lab: Integrate Application Security Test to Pipeline


Infrastructure as Code and Unit Tests

    Infrastructure as Code
    Unit Tests
    Lab: InSpec


DAY TWO

Cloud Security

    AWS EC2
    Lab: Infrastructure as Code
    AWS Security
    Cloud automation
    Secrets management


Continuous Compliance

    Continuous Compliance Framework
    Policy as code
    Audit as code
    Lab: Cloud Compliance
    Lab: Discover Secrets
    Demo: Policy as code in Azure


DAY THREE

Containers

    Concept of containers
    Docker
    Security Issues of containers
    Orchestration
    Container security solutions
    Integration to CI / CD pipeline
    Lab: Container security


Serverless

    Concept of serverless
    AWS Lambda, Azure Cloud Functions, Google Cloud Functions
    Serverless application architecture
    Security implications
    Lab: Deploy serverless application to cloud using CI / CD pipeline


A DevSecOps model for Security Operations

    Why the traditional Security Operations Center is no longer effective
    A DevSecOps model for Security Operations
    Data analysis, security incident identification and analysis as code
    Elastic stack (formerly ELK stack)
    Artificial Intelligence, machine learning and data discovery tools
    Security Incident Response as code
    Red Teams and Blue Teams
    Real-life Cloud Security Issues
    Demonstrations of real-life cloud security issues


People aspects of DevSecOps

    Culture
    Organisation
    Skills and training
    Security champions
    Recruitment
    Team effectiveness

Enquire

Start date Location / delivery
26 Feb 2019 Manchester Book now
04 Mar 2019 London Book now
08 May 2019 Manchester Book now
24 Jun 2019 London Book now
05 Aug 2019 London Book now
05 Aug 2019 Online Book now
27 Aug 2019 Manchester Book now
14 Oct 2019 London Book now
11 Nov 2019 London Book now
26 Nov 2019 Manchester Book now
16 Dec 2019 London Book now
16 Dec 2019 Online Book now
16 Mar 2020 London Book now
16 Mar 2020 Online Book now

Related article

As we become more reliant on digital technologies, the cyber security industry has grown in order to protect organisations against online attacks. ...