Course 832:
DevSecOps Foundations: Hands-On

(3 days)


Course Description

DevSecOps is a set of practices that combines software development (Dev), security (Sec), and IT operations (Ops) with the goal of “shifting left” on security. This hands-on course gives students the knowledge and experience to start using DevOps tools to manage and automate application development and deployment. The impact of DevOps is expanded by adding security practices to the software development and delivery process. Students learn how to build continuous integration and deployment pipelines using tools such as Git, Docker, Kubernetes, Terraform, Jenkins, and others while integrating security into the entire process.

Learning Objectives

This course teaches participants the following skills:

  • Understand the key concepts of DevSecOps
  • Manage applications using DevOps automation and tools
  • Architect applications using microservices
  • Manage source code and versions using Git
  • Deploy microservices using Docker containers
  • Scan container images for vulnerabilities
  • Orchestrate container deployment using Kubernetes
  • Automate deployment resources using Infrastructure as Code tools
  • Build CI/CD pipelines
  • Integrate security into a DevOps pipeline
  • Apply Infrastructure as Code (IaC) security practices
  • Apply threat modeling and risk assessment techniques
  • Assess your organization’s DevSecOps maturity level

Who Should Attend

  • IT and DevOps professionals
  • Software engineers
  • Security professionals
  • Software architects
  • Anyone else who wants to learn more about DevSecOps

Prerequisites

  • Familiarity with Linux operating systems and commands
  • Experience with software development and IT operations
  • Some training and experience with cloud services
  • Scripting experience relevant for cloud/DevOps with languages like Python or bash shell

Activities

The course includes tutorials and hands-on labs that give attendees practical experience with the topics covered.

Course Outline

1. DevSecOps Introduction

  • What Is DevOps? What Is DevSecOps?
    • DevOps Practices
    • Siloed Teams vs. Collaborative
    • Why DevSecOps Is Important
    • DevSecOps Culture and Mindset
    • DevOps Automation
    • Cloud-Native Development
    • Common Security Models
    • General Security Considerations
    • Shift Left Security
  • Activity: DevOps Quick Check

2. Microservices

  • Introduction to Microservices
    • Monolithic vs. Microservice Applications
    • Recognizing Microservice Boundaries
    • Stateful vs. Stateless Services
    • Managing Databases
  • Activity: Running the Course Case Study
  • Twelve-Factor Apps
    • The Twelve Factors
  • Activity: Implementing Twelve-Factor Apps
  • Secure Application Development Lifecycle
    • Terms and Concepts
    • DevSecOps Tools for Application Development
    • SCA, SAST, DAST, SaC

3. Application Lifecycle Management

  • Package Management
    • Managing Application Dependencies
    • Secure Your Application Supply Chain
  • Activity: Managing Packages
  • Source Control
    • Source Control Choices
    • Tools
    • Git
    • Basic Git Commands
    • Hosted Git Repositories
    • Cloud-Based Git Repositories
    • Source Control Security
  • Version Control
    • Tags
    • Branches
    • Branching and Merging Strategies
  • Activity: Using Git

4. Docker

  • Understanding Docker
    • Containers
    • Advantages of Containers
    • Images
  • Using Docker
    • Building Docker Images
    • Dockerfile
    • Starting Containers
    • Stopping Containers
    • Deleting Containers and Images
  • Activity: Running Docker Containers
  • Deploying Docker Containers
    • Container Registries
    • Push and Pull
    • Vulnerability Scanning
  • Activity: Container Registries

5. Kubernetes

  • Kubernetes Clusters
    • Kubernetes Architecture
    • EKS
    • GKE
    • AKS
    • OpenShift
    • Minikube
    • Cluster Security
  • Activity: Creating Kubernetes Clusters
  • Kubernetes
    • Pods
    • Deployments
    • Services
    • Autoscalers
    • Health Checks
    • Liveness and Readiness Probes
    • Configuration
  • Activity: Deploying Applications with Kubernetes
  • Kubernetes Security
    • Securing a Cluster
    • Role-Based Access Control
    • Encryption
    • Secrets
  • Activity: Kubernetes Security

6. Infrastructure as Code

  • Leveraging Cloud Infrastructure
    • Infrastructure on Demand
    • Disposable Infrastructure
  • IaC Tools
    • Ansible, Chef, Puppet, Pulumi
    • AWS CloudFormation
    • Azure Resource Manager
    • HashiCorp Terraform
  • Activity: Deploying Infrastructure with Terraform
  • IaC and DevSecOps
    • Security in an IaC-Forward Environment
    • Identify Misconfigurations and Security Issues
    • IaC Scanning

7. DevOps Automation (CI/CD)

  • Automated Builds
    • CI/CD Pipelines
    • Git Hooks
    • Cloud Build Tools
  • Activity: Automating Builds
  • Integrating Security Into the CI/CD Pipeline
    • Managing Pipeline Authentication and Authorization
    • Supply Chain Security
    • Managing IAM Resources
    • Security Scanning at Each Stage of the Pipeline
    • Automated Vulnerability Remediation
  • Code Quality Tools
    • SonarQube
    • Selenium
  • GitHub Actions (GHA)
  • Activity: Building a Secure CI/CD Pipeline with GHA
  • Version Management
    • Rolling Updates
    • Canary Deployments
    • Blue/Green Deployments
  • Activity: Version Management

8. Introducing Site Reliability Engineering (SRE)

  • Site Reliability Engineering
  • How SRE Implements DevOps
    • SLOs, SLIs, and SLAs
  • Activity: Defining SLOs and SLIs

9. DevSecOps Maturity

  • The DevSecOps Maturity Model
  • Assess Your Organization’s Maturity Level
  • Activity: DevSecOps Maturity Model
  • Continual Improvement

Please Contact Your ROI Representative to Discuss Course Tailoring!