LFS262 - DevSecOps Mastery

While DevOps brings operations up to the speed with the development resulting in rapid pace of software delivery, specially for cloud native container based applications, conventional security and compliance has not been able to keep up with this pace, resulting in either bringing down the speed of deployment or circumventing security measures resulting in vulnerable code to go through.

DevSecOps practices are created as an extension to existing DevOps practices which focus on automating security and incorporating it as part of the process, including Continuous Delivery, Infrastructure as a Code and Observability. This results not only in delivering safer code faster, but also facilitates early feedback to developers, helping them to build more reliable software.

This course begins by laying the foundation of DevSecOps, by explaining principles, practices, cultural aspects and the tools landscape and then goes on to show how to incorporate various practices into the continuous delivery pipeline. In order to make adoption of DevSecOps practices frictionless, this course focuses on usage of mostly open source software, at the same time providing enough flexibility to plug in a commercial alternative to match the implementation environment.

Course Learning Outcomes

By the end of this course, you should be able to:

• Learn the need for DevSecOps and its key principles, practices and tools involved.
• Learn how to extend the existing DevOps pipeline to incorporate Security Practices.
• Understand how to perform Software Composition Analysis (SCA) and add it to the CI Pipeline.
• Perform Static Code Analysis using SAST tools.
• Implement security best practices while writing Dockerfiles to build images.
• Scan container images for vulnerability and set up an automated process for it.
• Perform Dynamic Application Software Testing (DAST) on a live environment.
• Setup centralised Vulnerability Management System to provide visibility and alerting.
• Use Infrastructure as a Code effectively to enforce compliance. Also understand Compliance as a Code and how to set up automated scans with Inspec and DevSec Hardening Framework.
• Learn about Kubernetes and container runtime security aspects.
• Understand how to provide secrets to applications running in a Kubernetes environment securely
• Setup runtime security monitoring.
• Build a Cloud Native DevSecOps Pipeline

Course Audience

• Software Developers who would like to understand their role in secure application delivery and also learn how to ensure application code they are writing as well as components they are using can be made more secure.
• Site Reliability Engineers/Devops Practitioners as well as Security Professionals alike who are in charge of implementing DevOps as well as Security Practices and want to understand the key practices and technologies involved in DevSecOps so that they extending existing DevOps pipelines to enhance the security.
• Anyone who is part of designing, developing or delivering a modern, cloud native application running on kubernetes and wants to understand DevSecOps practices.

Knowledge/Skills Prerequisites

• Understanding of CI/CD Pipelines and Practices.
• Knowledge of building CI pipelines with Jenkins along with ability to read and write declarative Jenkinsfiles.
• Know how of running containers as well as building images with Docker (or similar container runtime)
• Working knowledge of Kubernetes including ability to write YAML manifests, create and manage pods, deployments, services etc.
• Working knowledge of using Helm (version 3) to install packages on Kubernetes
• Knowledge of writing Infrastructure as a Code (for Operations Professionals only)
• Knowledge of operating Linux Systems using the Command Line Interface (CLI).
• Working knowledge of Git.

Lab/System Prerequisites

• Windows/Mac/Linux Workstation (Any OS)
• Internet Access
• SSH Client
• Web Browser
• Git
• Cloud Account e.g. Google Cloud / AWS