Applied DevSecOps

Are you interested in developing DevSecOps skills for secure software development? Do you want to learn how to integrate security into your software development lifecycle (SDLC) and automate security testing? Then our DevSecOps training program is perfect for you!

What is DevSecOps?

DevSecOps is a software development methodology that integrates security into every phase of the SDLC. By adopting DevSecOps, organizations can build more secure applications and reduce the risk of data breaches and other cyber attacks.

Benefits of DevSecOps:

  • Improve security: By integrating security into the SDLC, organizations can identify and remediate security issues earlier in the development process.
  • Reduce risk: DevSecOps helps organizations reduce the risk of data breaches and other cyber attacks by building more secure applications.
  • Increase speed: By automating security testing, DevSecOps enables organizations to release software faster without sacrificing security.
  • Enhance collaboration: DevSecOps encourages collaboration between development, security, and operations teams, leading to better communication and more effective security practices.

What our DevSecOps training program covers:

In the Applied DevSecOps training, you will learn how to handle security at scale using DevSecOps practices. We will start with the basics of DevOps and DevSecOps principles and move towards advanced concepts such as Security as Code, Compliance as Code, Configuration Management as Code, and Infrastructure as Code.

The training will be based on DevSecOps Studio, a distribution for DevSecOps enthusiasts. We will cover real-world DevSecOps tools and practices in order to obtain an in-depth understanding of the concepts learned as part of the course.

We will also cover how to use static analysis (SAST), dynamic analysis (DAST), OS hardening, and security monitoring as part of the Secure SDLC, and how to select tools that fit your organization’s needs and culture.

After the training, students will be able to successfully hack and secure applications before hackers do. The training also includes a challenge at the end as part of the assessment, in which students use the skills learned during the training to solve it. Students will be provided with the tools, lab material, and virtual machines used during the course.

Syllabus

This course will cover the following DevSecOps topics and techniques:

1. Introduction to DevOps and DevSecOps

• What is DevOps?
• DevOps Principles: Culture, Automation, Measurement, and Sharing (CAMS)
• Benefits of DevOps: Speed, Reliability, Availability, Scalability, Automation, Cost, and Visibility.
• What are Continuous Integration (CI) and Continuous Deployment (CD)?
• Continuous Delivery vs Continuous Deployment.
• General workflow of CI/CD pipeline.
• Designing a CI/CD pipeline for web applications.
• Common Challenges faced when implementing DevOps practices

2. DevSecOps Tools of the trade including DevSecOps Studio

• GitLab, GitLab Runner, GitLab CI
• Ansible
• Docker
• Inspec
• threatspec
• Hands-On Labs: Building a CI Pipeline using GitLab
• Hands-On Labs: Integrating security tools to create a DevSecOps pipeline in GitLab.

3. Secure SDLC and CI/CD pipeline

• What is Secure SDLC?
• Threat Modeling (Design)
• Static Analysis and Secure by Default (Implementation)
• Dynamic Analysis (Testing)
• OS Hardening, Web/Application Hardening (Deploy)
• Security Hardening/Compliance (Maintain)
• DevSecOps Maturity Model (DSOMM)
• Embedding Security as part of the CI/CD pipeline
• DevSecOps and challenges & Use cases

4. SCA (Software Component Analysis) in CI/CD pipeline

• What is Software Component Analysis?
• Finding the right SCA tool for CI
• Embedding SCA tools like Safety, RetireJS, and npm audit into the pipeline to find vulnerable components.
• Hands-On Lab: using npm audit to scan for third-party component vulnerabilities in a JavaScript code base.
• Hands-On Lab: using the Safety tool to scan for third-party component vulnerabilities in a Python code base.
• Software Component Analysis and Its challenges.

5. SAST (Static Analysis) in CI/CD pipeline

• What is Static Application Security Testing?
• Static Analysis and Its challenges.
• Finding the right SAST tools for CI
• Embedding SAST tools like Bandit and FindBugs into the pipeline.
• Hands-On Lab: using Bandit to scan a Python code base.
• Hands-On Lab: using TruffleHog and gitleaks to scan the code base for secrets.

6. DAST (Dynamic Analysis) in CI/CD pipeline

• What is Dynamic Application Security Testing?
• Finding the right tool that fits into CI/CD
• Embedding DAST tools like ZAP into the pipeline.
• SSL misconfiguration testing
• Server Misconfiguration Testing like secret folders and files.
• Hands-On Labs: Performing scans using Nuclei, Nmap, SSLyze, etc.
• Hands-On Labs: Performing ZAP baseline scans.
• Hands-On Labs: Performing ZAP Active – Authenticated scans.
• Dynamic Analysis and Its challenges (Session Management, AJAX Crawling)
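Sections 2, 4, 5 and 6 above describe embedding secrets scanning, SCA, SAST and DAST stages into a GitLab CI pipeline. The following `.gitlab-ci.yml` is an added example (not course material and not part of DevSecOps Studio) that wires the tools named in the syllabus (gitleaks, Safety, npm audit, Bandit, ZAP baseline) into one pipeline; it assumes the repository contains a `requirements.txt` and a `package-lock.json`, and the staging URL is a placeholder.

```yaml
stages:
  - secrets
  - sca
  - sast
  - dast
# Secrets scanning runs first: a leaked credential should stop the pipeline early.
gitleaks:
  stage: secrets
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]          # image entrypoint is gitleaks itself; clear it so `script` runs in a shell
  script:
    - gitleaks detect --source . --report-format json --report-path gitleaks.json
  artifacts: { when: always, paths: [gitleaks.json] }   # keep the report even when the job fails
# SCA: third-party components in the Python and JavaScript code bases.
safety:
  stage: sca
  image: python:3.11
  script:
    - pip install safety
    - safety check -r requirements.txt --output json > safety.json
  artifacts: { when: always, paths: [safety.json] }
npm-audit:
  stage: sca
  image: node:20
  script:
    - npm ci
    - npm audit --audit-level=high --json > npm-audit.json   # non-zero exit on high/critical findings
  artifacts: { when: always, paths: [npm-audit.json] }
# SAST: Bandit over the Python sources. allow_failure lets the team triage first; set it to false once the baseline is clean.
bandit:
  stage: sast
  image: python:3.11
  script:
    - pip install bandit
    - bandit -r . -f json -o bandit.json
  artifacts: { when: always, paths: [bandit.json] }
  allow_failure: true
# DAST: ZAP baseline (passive) scan against a deployed staging instance.
zap-baseline:
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  variables: { TARGET_URL: "https://staging.example.com" }   # assumed placeholder; set per project
  script:
    - zap-baseline.py -t "$TARGET_URL" -r zap-baseline.html -I   # -I: warnings do not fail the job
    - cp /zap/wrk/zap-baseline.html "$CI_PROJECT_DIR"/             # ZAP writes relative report paths under /zap/wrk
  artifacts: { when: always, paths: [zap-baseline.html] }
```

Each job publishes its JSON or HTML report as an artifact so the results can be fed into the vulnerability-management step (Defect Dojo in section 10) rather than read only from the job log.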

7. Threat Modeling as Code in CI

• What is Threat Modeling?
• Finding the right Threat Modeling tool that fits into CI/CD
• Hands-On Lab: Performing threat modeling as code using threatspec.

8. Infrastructure as Code and Its Security

• Managing configurations with Ansible
• Infrastructure as Code and its benefits
• Tools and services which help to achieve IaC
• Hands-On Lab: Vagrant, Docker, and Ansible
• Hands-On Lab: Server hardening using Ansible

9. Container Security

• Overview of container technology
• Docker Security
• Hands-On Lab: Auditing the deployed docker containers with CIS benchmarks
• Hands-On Labs: Scanning for container vulnerabilities using Trivy.

10. Vulnerability Management with custom tools

• Approaches to managing the vulnerabilities in the organization.
• False positives vs False Negatives.
• Different metrics for stakeholders, devs, and security teams.
• Hands-On Labs: Using Defect Dojo for vulnerability management.

11. Compliance as Code as part of CI

• Different approaches to handle compliance requirements at the DevOps scale
• Using configuration management to achieve compliance.
• Manage compliance using Inspec.
• Hands-On Lab: Using Inspec as part of CI to verify the compliance checks.

Why choose Eracorp Technologies for DevSecOps training?

  • Our trainers have years of experience in software development and security and are experts in DevSecOps methodologies.
  • We can tailor our training program to meet the specific needs and requirements of your organization.
  • We offer both online and in-person training (for corporates) options to accommodate your schedule and location.
  • We offer competitive pricing for our training program, so you can get the training you need without breaking the bank.

Target audience:

This course is aimed at anyone who is looking to embed security as part of agile/cloud/DevOps environments.

  • Security Professionals
  • Penetration Testers
  • Red Teamers
  • IT managers
  • Developers and DevOps Engineers.

Knowledge Requirements

  • Familiarity with the GNU/Linux commands like ls, mkdir, etc.
  • Basic knowledge of security concepts like OWASP Top 10, and basic networking.

Hardware & Software Requirements:

  • Laptop with a minimum of 16GB RAM and 80GB free hard disk space, able to run 3 virtual machines simultaneously.
  • Administrator access to install software like VirtualBox, Python, etc.
  • Trainer will provide all needed software and utilities during the first day of the course

Delivery Method:

  • Instructor-led training
  • Hands-on labs and exercises
  • Q&A sessions

Materials:

  • Hands-on lab exercises
  • Code and scripts used.
  • Reading materials and resources
  • DevSecOps Studio VM

Assessment & Certification:

  • The instructor will provide a set of tasks to be completed.
  • Certificate of completion for participants who complete the assessment.

Testimonials

Appreciate the partnership in customizing the course rightly to meet our needs well. Very professional, supportive and effective. Thanks for the support and looking forward to the next session.

Amlan, Infosys

I am thankful for the DevSecOps classes by Raghunath. Being a Pen-Tester, these DevSecOps classes gave me more insight into the critical importance of security in both DevOps. The classes were interactive, and my doubts were well received and cleared. The practical classes were highly informative and gave me hands-on experience in the topic. I’m glad that I took the classes from Mr. Raghunath from Eracorp.

Arvind V, ADP

This course offers a unique, rich program in skills that are highly sought after today. I had a wonderful experience with highly trained and helpful trainer Raghu, who is a leader in this field and went out of his way to make sure I understood the how and why of our training. I came with a security background looking to learn security implementation in DevOps (training that is not easy to find) and I successfully learned with the ability to implement security in the DevOps pipeline and have a stronger understanding of many concepts in DevOps.

Naveen Yellani, Student

Raghu is an excellent trainer. He explained the DevSecOps big picture and cleared my doubts. I feel more confident about configuring a client’s security pipeline with the notes provided.

Vamsi Kishore, Infosys

GET IN TOUCH

Don’t wait, sign up for our DevSecOps training program today and take your secure software development skills to the next level!