YoVDO

DevSecOps Fundamentals

Offered By: Cybrary

Tags

DevSecOps Courses Cybersecurity Courses Jenkins Courses Static Code Analysis Courses Threat Modeling Courses Vulnerability Management Courses Software Composition Analysis Courses

Course Description

Overview

This DevSecOps course will provide students with the fundamental knowledge to integrate security controls, processes, and services into the DevOps pipeline. This course covers the distinct security challenges posed by custom software and web applications.

Security professionals have a robust suite of tools and methodologies for assessing the risk to operating systems, firewalls, and other components on the network. But they may have limited knowledge on how to review web applications and custom code. As demonstrated by the recent breaches, which have exploited third-party libraries, continuous monitoring and assessment do not always include a review of software dependencies.

Organizations rely on regular patches for commercial software and understand how to deploy updates. But maintaining secure custom software requires development team support or integration into a DevSecOps pipeline.

To gain a common understanding of these distinct security challenges, the course will include an overview of vulnerabilities such as XSS, CSRF, SQL injection, Local/Remote File Inclusion, and other findings identified in the OWASP Top 10. Additional insight will be provided into the susceptibility to “supply chain” risks when third-party libraries are loaded from public repositories such as NPM, Docker Hub, Python Package Index, or Cloud services marketplaces. The focus of the course is on open-source tools to perform static code analysis, dynamic code analysis, and third-party dependency checks.

We will pull in concepts from open resources such as the DoD Enterprise DevSecOps Reference Design, OWASP DevSecOps Maturity Model, and the DevSecOps group.

What is Secure Software Development?

It is a practice to ensure that the code and processes that go into developing applications are as secure as possible. Secure development entails the utilization of several processes, including the implementation of a Software Development Lifecycle (SDLC) and secure coding itself.

Every company is looking to save money and reduce risk. One way security-savvy organizations do so is by employing secure software development techniques in the creation and maintenance of their technical endeavors. These techniques you will learn include software acquisition strategy, development environment security controls, and software security effectiveness.

On a daily basis, someone in this type of role may be creating new tools for everything from virus, spyware, malware, and intrusion detection to traffic analysis. Or they could be working to ensure that security measures are included in any software your organization produces. Regardless of the specific role, there are certain skills needed to ensure the software being developed is in fact secure. This area of secure development also covers software acquisition strategy, development environment security controls, and software security effectiveness to ensure all aspects of security are covered from the perspective of a developer.

What Are the Prerequisites for This Course?

Individuals who wish to take this DevSecOps course should have a basic understanding of security controls, attack vectors, and cybersecurity principles. You will not need to understand programming, but some knowledge of the process from development to deployment would be helpful.

The course is based on an assumption of basic cybersecurity principles, but we will start with the need for integrating security into the DevOps cycle and identifying specific tools or processes to accomplish this goal.

Some understanding of existing automated security tools may be helpful, but students will be given a basic description of the tools. Additional research can be pursued as needed.

What Are the DevSecOps Course Goals?

By the end of this DevSecOps course, students should be able to:

  • Describe the need for implementing DevSecOps
  • Gain executive buy-in on DevSecOps
  • Develop a plan to integrate Security into DevOps
  • List the major steps of the DevOps pipeline
  • Select tools to automate security testing into the DevOps pipeline
  • Identify certifications for Developers, Cyber Staff, and Operations
  • Differentiate between Static and Dynamic analysis
  • Discuss protection controls for specific attack vectors
  • Perform threat modeling to match security controls to attack vectors
  • Demonstrate the need for 3rd party library review
  • Identify methods for securing Cloud architecture
  • Implement continuous monitoring after deployment

In a world of cyberattacks and people falling victim to hacked personal information, developing software with strong security is essential. Some developers may see themselves as coders at heart, writing language to make programs function. But even when developers are using basic coding, they can help protect software from being hacked by creating robust security features and continuously communicating with security teams.

What is DevSecOps?

DevSecOps is the IT industry term for development, security, and operations. DevSecOps is the philosophy that security features should be integrated into the software at each step of the development process. DevSecOps improves communication and merges traditional IT and security to deliver code quickly and safely.

When a developer uses DevSecOps practices, they are building code and creating security barriers in the same process. When using DevSecOps practices, security features are thought of, created, and integrated into the earliest stages of software development.

DevSecOps practices put the responsibility of security on everyone in an organization that is rolling out new software, writing code, or creating an application.

“DevOps has become second nature for agile, high-performing enterprises and a foundation for the success of their online business,” Pascal Geenens, a security evangelist and researcher at Radware, told CSO Online. He argues, “Continuous change in technology and consumer demand means there is a continuous cycle of updates to run that will keep a very varied set of functions from page upload times to shopping and search features up to date and running at their best.”

What is the difference between DevOps and DevSecOps?

DevSecOps differs from its similar-sounding counterpart, DevOps.

DevOps practices involve combining software development and IT operations to shorten the systems’ development life cycle and provide continuous delivery with high software quality. DevOps doesn’t have the same security integration as DevSecOps. Each team within an organization would have its own responsibilities, with security being sectioned off.

DevSecOps merges the creation of applications, code, and software with the best security practices.

Why are DevSecOps practices important?

Technology has evolved rapidly to allow cloud sharing among multiple users, cloud computing, and rapid data delivery. However, security practices have not kept pace with evolving technology. With multiple users accessing data remotely, security risks increase.

DevSecOps practices are essential because they protect data, users, and software from security breaches before they happen.

How do you become DevSecOps certified?

You can obtain a DevSecOps certification by taking online DevSecOps courses through platforms such as Cybrary. Before getting started, students should already have a basic understanding of security controls, attack vectors, and cybersecurity principles.

Cybrary’s DevSecOps course starts with an introduction to security during the development cycle. The course covers possible security breaches a system could have, as well as static and dynamic analyses. Students will learn how to plan for security integration throughout the development pipeline, as well as deliver and deploy software with DevSecOps practices in mind. Finally, students will gain skills to monitor the system on an ongoing basis.

Cybrary offers DevSecOps training broken into short, on-demand video modules, allowing students to learn at their own pace. The full course is five hours long.

At the end of the course, you can go on to pursue certification by taking the official exams for numerous DevSecOps certifications, including:

  • DevSecOps Foundation Certification
  • DevSecOps Practitioner Certification
  • EXIN DevSecOps Manager
  • GIAC Cloud Security Automation (GCSA)
  • GSDC Certified DevSecOps Engineer
  • Certified DevSecOps Professional

The typical DevSecOps engineer earns more than $142,000 a year, according to Neuvoo. In cities such as New York, DevSecOps professionals can earn as much as $175,000. As a DevSecOps engineer, professionals will collaborate with DevOps engineers, stay up to date on the latest security trends, and help their organization build secure, fast software to execute the company’s goals.


Syllabus

  • Securing the Development Cycle
    • Introduction
    • What is the Problem?
    • Integrate Security Into DevOps
    • Module 1 Summary
  • What are we Defending?
    • Module 2 Introduction
    • Static vs. Dynamic Analysis
    • Security in the Stack
    • Jenkins Overview
    • Module 2 Summary
  • Pipeline: Planning and Awareness
    • Module 3 Introduction
    • Jenkins Demo: DevOps
    • DevSecOps Metrics
    • Security for Developers
    • SpotBugs Demo
    • DevOps for Security Staff
    • Threat Modeling
    • Module 3 Summary
  • Pipeline: Development
    • Module 4 Introduction
    • Pipeline Orchestration
    • Static App Security Test (SAST)
    • Software Composition Analysis (SCA)
    • Jenkins Demo: SAST/SCA
    • OWASP DevSecOps Security Model
    • Module 4 Summary
  • Pipeline: Delivery
    • Module 5 Introduction
    • Dynamic App Security Test (DAST)
    • Logic Flaws, Automation, Defect Tracking
    • Jenkins Demo: DAST
    • Interactive App Security Test (IAST)
    • Contrast IAST Demo
    • Delivery Maturity
    • Module 5 Summary
  • Pipeline: Deployment
    • Module 6 Introduction
    • Continuous Development
    • Infrastructure as Code (IaC)
    • Jenkins Demo: IaC
    • Deployment Maturity
    • Kubernetes
    • Module 6 Summary
  • Pipeline: Operation and Monitor
    • Module 7 Introduction
    • RASP and SCA
    • RASP Demo
    • Operation Maturity
    • Continuous Monitoring
    • Module 7 Summary
  • Conclusion
    • Conclusion

Taught by

Philip Kulp

Related Courses

DevSecOps: Adding Security Testing Tools to Pipelines
Pluralsight
Inspecting Open Source Software Packages for Security and License Compliance
Pluralsight
Security Instrumentation - The Future of Software Security
LASCON via YouTube
5 Open Source Security Tools All Developers Should Know About
All Things Open via YouTube
5 Open Source Security Tools All Developers Should Know About
DevSecCon via YouTube