DevSecOps 'Hands-on'
Provided by QA
About the course
DevSecOps has been described as 'security as code', 'a marriage of DevOps and Security' and 'shifting security to the left'. Traditional security approaches are inefficient and largely ineffective for organisations using Agile, DevOps and Cloud - as illustrated by the large number of recent data breaches. DevSecOps is a new approach which embeds security in each DevOps team, with automated security testing at all stages of the software development lifecycle. Security infrastructure, policies, controls, compliance, audit and even secure operations are all coded and automated, with almost no manual processes.
This three-day hands-on course begins with an overview of the DevSecOps approach, framework and toolkit, then looks at application security, the elements of a secure software development lifecycle, and the use of automated application security tests as part of the continuous integration / continuous deployment (CI/CD) pipeline. Next we move on to cloud security, infrastructure as code, and the potential security issues which can arise from the agile DevOps process. We cover the implementation of security controls as code, ranging from security policies, secrets management, encryption, and identity and access management, to logging, monitoring and alerting. Containers and serverless architectures are introduced and their potential security issues highlighted, with a review of container security technologies. A DevSecOps approach is used to integrate automated security tests and mitigate security risks. Continuous compliance as code is covered, using different approaches and appropriate DevSecOps tools for prevention, detection and remediation, leading to the concept of audit as code.
A new model for Security Operations is presented with security incident identification, management and response as code, making use of big data analysis, artificial intelligence and machine learning, alongside more traditional techniques such as signature detection and threat intelligence feeds. Finally, we look at the people aspect of DevSecOps, moving away from technology and code, to organisational and cultural aspects, skills development, team effectiveness and recruitment approaches.
The course is delivered through presentations, practical demonstrations and labs. You will gain practical hands-on experience of DevSecOps tools, automated security tests and serverless applications. You will implement security improvements to infrastructure as code, and deploy continuous compliance tools to provide ongoing security assurance for a cloud environment.
Prerequisites
This course is primarily aimed at:
- Application developers, DevOps engineers, team leaders and managers wishing to improve their knowledge of security and DevSecOps
- Security and information risk professionals looking to develop their understanding of the DevSecOps framework and tools, coding, automation and the changes needed to ensure effective security in a DevOps culture
There are no particular prerequisites; however, delegates will benefit from any knowledge and experience of DevOps, application security and infrastructure security.
Delegates will learn how to
Delegates will learn about the following topics:
- DevSecOps approach, framework and toolkit
- Automated application security testing integrated into the CI/CD pipeline
- Cloud security, infrastructure as code, unit and integration tests
- Containers, their security issues and container security solutions
- Continuous compliance as code
- Serverless functions, architectures and automated remediation
- A DevSecOps model for security operations
- People aspects of DevSecOps
Outline
DAY ONE
Introduction
- Introductions
- Objectives of the course
- Agenda
DevSecOps Approach, Framework and Toolkit
- DevOps fundamentals
- Lab: Application Development Pipeline
- Why a traditional security approach doesn't work
- What is DevSecOps?
- DevSecOps approach
- DevSecOps framework
- DevSecOps toolkit
Automated Application Security Testing
- OWASP Top 10
- Secure Software Development Lifecycle
- Application Security Testing Tools
- Lab: Integrate Application Security Tests into the Pipeline
Infrastructure as Code and Unit Tests
- Infrastructure as Code
- Unit Tests
- Lab: InSpec
DAY TWO
Cloud Security
- AWS EC2
- Lab: Infrastructure as Code
- AWS Security
- Cloud automation
- Secrets management
Continuous Compliance
- Continuous Compliance Framework
- Policy as code
- Audit as code
- Lab: Cloud Compliance
- Lab: Discover Secrets
- Demo: Policy as code in Azure
DAY THREE
Containers
- Concept of containers
- Docker
- Security issues of containers
- Orchestration
- Container security solutions
- Integration into the CI/CD pipeline
- Lab: Container security
Serverless
- Concept of serverless
- AWS Lambda, Azure Cloud Functions, Google Cloud Functions
- Serverless application architecture
- Security implications
- Lab: Deploy a serverless application to the cloud using the CI/CD pipeline
A DevSecOps model for Security Operations
- Why the traditional Security Operations Center is no longer effective
- A DevSecOps model for Security Operations
- Data analysis, security incident identification and analysis as code
- Elastic stack (formerly ELK stack)
- Artificial Intelligence, machine learning and data discovery tools
- Security Incident Response as code
- Red Teams and Blue Teams
Real-life Cloud Security Issues
- Demonstrations of real-life cloud security issues
People aspects of DevSecOps
- Culture
- Organisation
- Skills and training
- Security champions
- Recruitment
- Team effectiveness