Banner

DevSecOps Boot Camp

Live Classroom
Duration: 3 days
Live Virtual Classroom
Duration: 3 days
Pattern figure

Overview

DevSecOps is a well-established set of skills, tools and team practices for proactively building security into applications and IT services. DevSecOps represents a renewed focus on the importance of security in the development lifecycle and its implications for downstream IT. The DevSecOps boot camp is a practical, in-depth training solution for participants who want to understand, apply and improve their skills in the field. The boot camp focusses on principles, processes and technical skills necessary to make security and risk profiling a front-end priority – embracing a ‘quality-first’ mindset. Through this boot camp, participants will understand the responsibility of how applications and IT services perform when they are complete and in production, even if the participants themselves are involved primarily in design, development or testing of the applications. For participants on the Operations side of businesses, the boot camp will understand how to shift left and collaborate on the upstream work that significantly impacts the IT security environment, organization’s risk management and their own regular work.

What You'll Learn

  • Assess, specify and automate much of the work associated with application security
  • Bridge the typical functional silos in IT that prevent proactive security measures
  • Translate common risks into technical use cases and software requirements
  • Apply ‘security-first’ engineering and testing practices throughout the entire application pipeline
  • Use static analysis, broader unit test coverage and code quality reviews specifically for security
  • Translate the OWASP risks into practical, actionable software development best practices
  • Deploy for security
  • Tie secure development practices and automated engineering to GRC and audit requirements
  • Try new approaches to change management for increased speed, automation and security
  • Use DevOps-style metrics to measure and monitor security practices and performance
  • Promote cultural practices that lead to improved responsibility for security outcomes
  • Go back to work with a plan to implement concepts learnt

Curriculum

  • DevOps
  • Security
  • Risk
  • Culture
  • Agility
  • Testing
  • Continuous ‘X’ (Integration, Delivery, etc.)

  • Risk review
  • Policy
  • Roles
  • Compliance, regulatory and GRC
  • The 50% hack rule
  • The Pipeline model

  • Traditional vs. ‘DevOps’ security
  • Tools vs. processes
  • Security, not compliance
  • Prioritizing testing for risk
  • Reducing source code footprint
  • Static analysis for secure code
  • Feature toggles for security
    • Toggle points
    • Toggle router
    • Toggle configuration
    • Others
  • DevSecOps and technical debt management

  • Designing for security
  • Assessing risk appetite
  • Modelling threats
  • Product architecture
  • Use cases, anti-patterns and abuse cases
  • Dataflows with trust boundaries

  • Secure code overview
  • OWASP review
  • Tools for automating OWASP
    • OWASP dependency checkers
    • OWASP Zap during regular functional tests
  • Developer guidelines and checklists
  • Compiler security settings (per)
  • Tools to use
  • Coding standards (per language)
  • Common pitfalls (per language)
  • Secure/safe functions/methods
    • Stack canaries
    • Encrypted pointers
    • Memory initialization
    • Function return checking (e.g. malloc)
    • Dereferencing pointers
  • Integer type selection
    • Range checking
    • Pre/post checking
  • Synchronization primitives

  • Testing before commit
  • Scanning for secrets
  • Hook examples
  • Application security testing
    • Static
    • Dynamic
  • Testing dependencies
  • How to treat manual testing
  • Performance testing
    • Testing for load
    • Testing for stress
    • Soak tests
    • Spike testing
  • Testing in parallel
  • Staging
  • Mutation testing and tools for performing it
  • User role testing

  • IAM overview
  • Identity profiles
  • Using IAM for automation
  • IAM practices in the cloud
  • IAM as an applicable building block
  • IAM anti-patterns

  • Canary candidates
  • Dark launches
  • Streamlining libraries and dependencies
  • Keeping packages up to date
  • Keeping deploys repeatable and reliable
  • OpenSCAP for scanning baselines before and after deployments
  • Scanning web server configuration
  • Database exploitation through applications
  • Infrastructure scanning
    • OpenVAS
    • NMAP
  • Scanning web applications
    • W3AF
    • Wapiti

  • Where does Ops security begin and where does it end?
  • Infrastructure as secure code
  • Incident response planning and emergency drills
  • Release archives
  • OS protections:
    • Address space layout randomization
    • Non-executable stacks
    • W^X
    • Data execution prevention
  • Monitoring, logging and intelligent alerts
    • Splunk mini-tour: a transformative tool for analyzing machine data, operational risk and application health
  • Log management
  • Penetration testing

  • GRC review
  • Coding for compliance
  • DevOps and the ‘segregation of duties’
  • Tooling example: Chef InSpec
  • Change management and policy

  • Three types of ‘change’
  • When and why to use CAB boards
  • Peer review vs. change management
  • Automating change management
  • ITIL in 2020

  • The core toolkit of metrics
  • The best way to institute alerts
  • Managing alerts
  • Proactive vs. reactive metrics
  • Measurement anti-patterns

  • Security fails and breakdowns
  • Incentive, fear and reward
  • Getting outside IT
  • How to shift left
  • Building security in
  • Cost and the business case for proactive security
  • Overcoming conventions of the past
  • Bridging silos – why and how
waves
Ripple wave

Who should attend

The DevSecOps boot camp is strongly recommended for –
  • Anyone in an IT leadership role
  • CIOs/CTOs/CSOs
  • Security administrators
  • Security professionals
  • IT operations staff
  • Release engineers
  • Configuration managers
  • Anyone involved with IT infrastructure
  • Developers and application team leads
  • ScrumMasters
  • Software managers and team leads
  • IT project and program managers
  • Product owners and managers

Prerequisites

There are no prerequisites for this course.

Interested in this Course?

    Ready to recode your DNA for GenAI?
    Discover how Cognixia can help.

    Get in Touch
    Pattern figure
    Ripple wave