About the course
DEV540: Secure DevOps and Cloud Application Security
Mon, March 11 - Fri, March 15, 2019
Contents | Additional Info
Instructor: Eric Johnson
Thank you. I loved this course! Really informative content, great approach.
Jonathan Gardner, Cisco
My company is just entering into the DevOps world. We are highly regulated, and many concerns exist around security. This class provided me with insight on how to address those concerns. I can instantly use this information when I return to work.
Chris Sellards, HCH
DEV540 gives developers and security professionals the tools needed to build and deliver secure software using DevOps and cloud services, specifically Amazon Web Services (AWS). It explains how the principles, practices, and tools of DevOps and AWS can improve the reliability, integrity, and security of applications.
The first two days of the course examine the implementation of Secure DevOps using lessons from successful DevOps security programs. Using popular open-source tools such as GitLab, Puppet, Jenkins, Vault, Graphana, and Docker, you will create a secure DevOps CI/CD toolchain that can automatically build, test, and deploy infrastructure and applications. In a series of labs, you will inject security into your CI/CD toolchain using a variety of security tools, patterns, and techniques.
The final three days of the course will teach you to shift your DevOps workloads to the cloud and secure software using AWS. With your CI/CD toolchain, you will build a cloud infrastructure that can deploy applications and microservices to the cloud, instead of to local servers. You'll also analyze and fix cloud infrastructure and application vulnerabilities using AWS security services and tools such as API Gateway, IAM, CloudFront Signed URLs, Security Token Service, KMS, encryption, WAF, Lambda for Serverless computing, CFN NAG scanner, AWS Security Benchmark, and much more.
DEV540 makes extensive use of open-source materials and tooling for automated configuration management ("Infrastructure as Code"xf), Continuous Integration, Continuous Delivery, Continuous Deployment, containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring. It also uses Jenkins and AWS developer tools such as CloudFormation, CodeCommit, CodeBuild, CodePipeline, and other cloud application services, so you can experience the use of these services when securing infrastructure and applications.
DEV540 will prepare you to:
- Understand the core principles and patterns behind DevOps:
- Recognize how work is done in DevOps and identify keys to success
- Map and implement a Continuous Delivery/Deployment pipeline:
- Create a Value Stream Map of the processes and workflows to make code or configuration changes, from check-in to deployment and operations
- Utilize Continuous Integration, Continuous Delivery, and Continuous Deployment workflows, patterns, and tools
- Identify the security risks and issues associated with DevOps and Continuous Delivery
- Map where security controls and checks can be added in Continuous Delivery and Continuous Deployment:
- Conduct effective risk assessments and threat modeling in a rapidly changing environment
- Design and write automated security tests and checks in CI/CD
- Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
- Implement self-serve security services for developers
- Inventory and patch your software dependencies
- Threat model and secure your build and deployment environment
- Integrate security into production operations:
- Automate security policies
- Use container technologies (such as Docker) to enhance security
- Automate compliance and run-time defense
- Create continuous feedback loops from production to engineering
- Create a plan to introduce or improve security in a DevOps environment
- Use DevOps practices to secure DevOps tools and workflows
- Move your DevOps workloads to the cloud:
- Secure your Amazon Web Services account
- Use CloudFormation to create Infrastructure as Code
- Build CI/CD pipelines using CodePipeline
- Wire security scanning into CodePipeline using CodeBuild.
- Containerize applications with EC2 Container Registry and EC2 Container Service
- Scale horizontally with load balancers and auto-scaling groups
- Consume cloud services to secure cloud applications:
- Protect sensitive secrets with KMS and the SSM Parameter Store
- Protect static content with CloudFront Signing
- Secure REST APIs with API Gateway
- Implement an API Gateway custom authorization Lambda function
- Deploy the AWS WAF and build custom WAF rules
- Monitor security events using CloudWatch
DEV540.1: Introduction to Secure DevOps
DEV540.2: Moving to Production
DEV540.3: Moving to the Cloud
DEV540.4: Cloud Application Security
DEV540.5: Cloud Security Automation
"DevOps and cloud are radically changing the way that organizations design, build, deploy, and operate online systems. Leaders like Amazon, Etsy, and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning, improving, and growing - and leaving their competitors far behind. Now DevOps and the cloud are making their way from Internet 'Unicorns' and cloud providers into enterprises.
Traditional approaches to security can't come close to keeping up with this rate of accelerated change. Engineering and operations teams that have broken down the 'walls of confusion' in their organizations are increasingly leveraging new kinds of automation, including Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers, and cloud service platforms. The question is: can security take advantage of the tools and automation to better secure its systems?"
Security must be reinvented in a DevOps and cloud world.
- Ben Allen, Jim Bird, Eric Johnson, and Frank Kim