DEV534: Secure DevOps: A Practical Introduction
This course, Secure DevOps: A Practical Introduction (DEV534) explains the fundamentals of DevOps, and how DevOps teams can build and deliver secure software. It will explain the principles and practices and tools in DevOps and how they can be leveraged to improve the reliability, integrity and security of systems.
What Does the Course Cover?
This course will introduce students to DevOps principles, practices and tools and explain how Secure DevOps can be implemented, using lessons from successful DevOps security programs.
Students will build up a DevOps CI/CD toolchain, understand how code is automatically built, tested and deployed, using popular open source tools including git, Puppet, Jenkins and Docker.
In a series of labs they will inject security into a CI/CD toolchain, and learn about the tools, patterns and techniques to do this.
The course will make extensive use of open source materials and tooling for automated configuration management ("Infrastructure as Code"), Continuous Integration, Continuous Delivery and Continuous Deployment, containerization and micro-segmentation, and automated compliance ("Compliance as Code") and monitoring.
You Will Learn:
- Foundations and principles of DevOps, Continuous Delivery and Continuous Deployment
- The security risks and challenges that DevOps introduces
- The keys to successful DevOps security programs
- How to build security into Continuous Delivery and Continuous Deployment. The tools, patterns and techniques of security automation in DevOps
- How to secure your build and deployment environment and tool chain
- How to leverage Infrastructure as Code for secure configuration management and provisioning
- How manual security practices (risk assessments, audits and pen tests) can be adapted to continuously changing environments, and the important role that they still play
- Security risks and challenges that containers introduce - and how to secure container technology
- How to automate compliance in DevOps, using the DevOps Audit Defense Toolkit
|DEV534.1: Introduction to Secure DevOps|
An introduction to DevOps practices, principles and tooling. How DevOps works, and how work is done in DevOps. The importance of culture, collaboration and automation in DevOps.
We will look at case studies of DevOps "Unicorns": the Internet tech leaders who have created the DNA for DevOps, and understand how and why they succeeded. We will also introduce the keys to their DevOps security programs.
Then we will explain Continuous Delivery - the automation engine in DevOps - and explain how to build up a Continuous Delivery or Continuous Deployment pipeline. We'll map out how security controls and gates can be folded into or wired into the CD pipeline, and how to automate security checks and tests in CD.
CPE/CMU Credits: 6
|DEV534.2: Moving to Production|
Building on the ideas and frameworks developed in Day 1, we'll explain how vulnerability management and manual testing (including pen testing) fits into DevOps and CD.
Then we'll look at run-time security options, including RASP and other run-time defense technologies.
Because the automated CD pipeline is so critically important to DevOps, we'll look at how to secure the pipeline, including how to protect the secrets that all of these automated tools require.
Then we'll look at security and the run-time environment. We'll explain the keys to secure Infrastructure as Code, using modern automated configuration management tools like Puppet, Chef and Ansible. We will also look at containerization and security issues when using containers like Docker.
Finally we will explain how to build compliance into Continuous Delivery, using the security controls and gates that we've already built in.
CPE/CMU Credits: 6
!!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.
Please download and install VMware Workstation, VMware Fusion, or VMware Player on your system prior to class beginning. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 10, VMware Fusion 7.0, or VMware Player 7.0. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.
VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.
Mandatory Laptop Requirements
Mandatory Host Hardware Requirements
Mandatory Host Operating System Requirements
You must bring a laptop with one of the following operating systems. These operating systems have been verified to be compatible with course VMware image:
Mandatory Software Requirements
Please ensure the following software is installed on the host operating system prior to class:
IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:
If you have additional questions about the laptop specifications, please contact email@example.com.
|Who Should Attend|
This course is intended for:
Students should have the following:
|Other Courses People Have Taken|
|What You Will Receive|
|You Will Be Able To|
|Press & Reviews|
"A fast-paced and illustrative two-days on the current state of security for DevOps. Well worth the time invested to take the class." - Michael Machado, Ring Central
"I have read a lot, and watched a lot of webinars, about DEV Sec Ops. But none of those told me how to implement security in the DEV Ops pipeline. This course provided me with a ton of concrete steps I can take to integrate the security into our company." - Matthew Theobald, Schneider Electric
"Given the substantial breadth of security topics covered, I was impressed by the incredible technical depth throughout this course, and the well-researched links to resources to facilitate further learning and practical implementation." - Brett Vasconcellos
"The material/contents of this class is excellent. It help me learn all the tools that are relevant to work." - Hoan Le, Ring Central