Certified DevSecOps Professional (CDP)
The DevSecOps Professional course is our most sought-after DevSecOps Training and Certification program.
In this course, you will learn:
- DevSecOps processes, tools, and techniques.
- Major components in a DevOps Pipeline.
- How to create and maintain DevSecOps pipelines using SCA, SAST, DAST, and Security as Code.
- How to mature an organization’s DevSecOps Program.
This DevSecOps Certification Course is practical in nature, with 30+ guided hands-on exercises in our state-of-the-art online labs.
After the training, you will be able to:
Prerequisites:
- Course participants should be able to run basic Linux commands such as ls, cd and mkdir.
- Course participants should have a basic understanding of application security practices such as the OWASP Top 10.
- You don’t need any experience with DevOps tools.
Chapter 1: An Introduction to the Basics
- What is DevOps?
- DevOps Building Blocks – People, Process and Technology.
- DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
- Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
- What is Continuous Integration and Continuous Deployment?
- Continuous Integration to Continuous Deployment to Continuous Delivery.
- Continuous Delivery vs Continuous Deployment.
- General workflow of CI/CD pipeline.
- Blue/Green deployment strategy
- Achieving full automation.
- Designing a CI/CD pipeline for web application.
- Common challenges faced when applying DevOps principles.
- Case studies on DevOps at cutting-edge technology companies such as Facebook, Amazon and Google.
Demo: A full enterprise grade DevSecOps Pipeline.
Chapter 2: Introduction to the Tools of the trade
- Gitlab CI/Bitbucket/Jenkins/Travis/
- OWASP ZAP/
- Hands-On Labs: Building a CI pipeline using GitLab CI/Jenkins/Travis and GitLab/GitHub/Bitbucket.
- Hands-On Labs: Use the above tools to create a complete CI/CD pipeline.
Note: Once you learn the above tools, you will be able to create DevSecOps pipelines in cloud providers like AWS.
Chapter 3: Secure SDLC and CI/CD pipeline
- What is Secure SDLC
- Secure SDLC Activities and Security Gates
- Security Requirements (Requirements)
- Threat Modelling (Design)
- Static Analysis and Secure by Default (Implementation)
- Dynamic Analysis (Testing)
- OS Hardening, Web/Application Hardening (Deploy)
- Security Monitoring/Compliance (Maintain)
- DevSecOps Maturity Model (DSOMM)
- Maturity levels and tasks involved
- The four axes of DSOMM
- How to go from Maturity Level 1 to Maturity Level 4
- Best practices for Maturity Level 1
- Considerations for Maturity Level 2
- Challenges in Maturity Level 3
- Dream of achieving Maturity Level 2
- Using tools of the trade to do the above activities in CI/CD
- Embedding Security as part of CI/CD pipeline
- DevSecOps and challenges with Pentesting and Vulnerability Assessment.
- Hands-on: Create a CI/CD pipeline suitable for a modern application.
- Hands-on: Manage the findings in a fully automated pipeline.
Chapter 4: Software Component Analysis (SCA) in CI/CD pipeline
- What is Software Component Analysis.
- Software Component Analysis and Its challenges.
- What to look for in an SCA solution (free or commercial).
- Embedding SCA tools like OWASP Dependency Checker, Safety, RetireJS, npm audit and Snyk into the pipeline.
- Demo: using OWASP Dependency Checker to scan third party component vulnerabilities in Java Code Base.
- Hands-On Labs: using Safety/pip to scan third party component vulnerabilities in Python Code Base.
Chapter 5: SAST (Static Analysis) in CI/CD pipeline
- What is Static Application Security Testing.
- Static Analysis and Its challenges.
- Embedding SAST tools like FindBugs into the pipeline.
- Secrets scanning to prevent secret exposure in the code.
- Writing custom checks to catch secrets leakage in an organization.
- Hands-On Labs:
  - using SpotBugs to scan Java code.
  - using trufflehog/gitrob to scan for secrets in the CI/CD pipeline.
  - using brakeman/bandit to scan Ruby on Rails and Python code bases.
Chapter 6: DAST (Dynamic Analysis) in CI/CD pipeline
- What is Dynamic Application Security Testing.
- Dynamic Analysis and Its challenges (Session Management, AJAX Crawling)
- Embedding DAST tools like ZAP and Burp Suite into the pipeline.
- SSL misconfiguration testing
- Server misconfiguration testing, such as exposed secret folders and files.
- Creating baseline scans for DAST.
- Hands-On Labs: using ZAP to configure per commit/weekly/monthly scans.
Chapter 7: Infrastructure as Code and Its Security
- What is Infrastructure as Code and its benefits.
- Platform + Infrastructure Definition + Configuration Management.
- Introduction to Ansible.
- Benefits of Ansible.
- Push- and pull-based configuration management systems.
- Modules, tasks, roles and playbooks.
- Tools and services that help achieve IaC.
- Hands-On Labs: Docker and Ansible
- Hands-On Labs: Using Ansible to create Golden images and harden Infrastructure.
Chapter 8: Compliance as code
- Different approaches to handle compliance requirements at DevOps scale
- Using configuration management to achieve compliance.
- Manage compliance at scale using InSpec/OpenSCAP.
- Hands-On Labs: Create an InSpec profile with compliance checks for your organization.
- Hands-On Labs: Use InSpec profiles to scale compliance.
Chapter 9: Vulnerability Management with custom tools
- Approaches to manage the vulnerabilities in the organization.
- Hands-On Labs: Using Defect Dojo for vulnerability management.
Practical DevSecOps Certification Process
- After completing the course, schedule the exam on your preferred date.
- Pass the exam to get Certified DevSecOps Professional Certification.
- The process for achieving Practical DevSecOps course certifications can be found here.
Ready to learn DevSecOps?
Get in touch, or Register now!