DevSecOps Process and Implementation
DevOps is a set of software development principles that emphasize collaboration, communication, and automation among all stakeholders, including IT operations, testers, developers, customers, and security personnel, from the inception of a project. A variety of tools help stakeholders collaborate and communicate; automation is the greater challenge. When our system architecture and cybersecurity controls limit what can be automated, we cannot move at DevOps speed. Teams must address this challenge at the beginning of a project and throughout the DevOps pipeline. This tutorial is designed for managers, developers, security teams, and operational teams. It covers DevOps principles and processes for designing and building a secure development pipeline, from project planning through gathering and meeting cybersecurity requirements, secure development, security testing, and deployment. You will learn about reference architectures and use cases for architectural design principles covering continuous integration (CI), continuous delivery/deployment (CD), and continuous authorization (CA) tools and practices, including technical demonstrations and practical scenarios.
Audience
Anyone working in software development, including technical managers, technical leads, developers, QA engineers, release/deployment engineers and operational support staff who
- want to bring DevOps to their organization
- want to improve their existing DevOps strategy to include security
- are looking for solutions to manage evolving software development needs
- are challenged by slow deployment cycles
- see a disconnect between business needs, development teams, and operational teams
- are looking for strategies to convince their business of the benefits of DevOps
Objectives
Participants will come away with a solid understanding of the realities of DevSecOps, from tools and techniques to culture and specific organizational, business, and operational needs. By focusing on common pitfalls and missteps, instructors will help attendees navigate the challenging task of adapting DevOps theories, practices, and tools to meet their particular business needs and security requirements, and to provide measurable value to their organizations.
Topics
- What is DevOps?
- DevOps Foundations: Business, Culture, Communication, Architecture
  - Organizational needs and linking business into DevOps
- Communication and Collaboration
  - Security culture
  - Effective communication among all stakeholders
  - Micro-learning culture on security
- Infrastructure as Code
  - Environments
  - Environment hardening
  - Compliance checks with IaC
  - First step to RMF/ATO
- Continuous Integration & Testing
  - Automated security testing
  - Application-specific penetration testing
  - Various gateways on security testing and verification
- Continuous Delivery/Deployment
  - Concept of delivery and deployment
  - Deployment scenarios
  - Containerization and orchestration
  - Container security
  - Authenticity of builds and dependencies
  - Secure deployment pipeline
- Process Monitoring and Measurement
  - Monitoring
  - What the security metrics are
  - Where to collect them and how to monitor them
- Secure DevOps
  - DevOps pipeline security
  - Application security
  - Security activities and automation
  - Continuous Authorization
- Hands-on Exercise
  - Setting up a DevOps pipeline
  - Project configuration
  - Build configuration
  - Security checks and deployment
Materials
Students will receive the complete set of slides and recommendations for related papers and reference materials.
Prerequisites
There are no prerequisites for this course. It is recommended that participants have some experience in the software development planning, delivery, and deployment process.
Required Equipment
Hands-on exercise: students should have a laptop that meets the following requirements:
- VirtualBox 5.1.18 (https://www.virtualbox.org/wiki/Download_Old_Builds_5_1)
- Vagrant 1.9.3 (https://releases.hashicorp.com/vagrant/)
- Docker, current version (https://www.docker.com/get-started)
- Sublime Text (https://www.sublimetext.com/3) or Visual Studio Code (https://code.visualstudio.com/)
- If possible, the host OS should be Ubuntu (https://www.ubuntu.com/download/desktop) or macOS
Course Fees [USD]
- U.S. Industry: $2,650.00
- U.S. Govt/Academic: $2,250.00
- International: $3,150.00
Schedule
This 2-1/2 day course meets at the following times:
Days 1-2, 8:30 a.m. - 4:30 p.m.
Day 3, 8:30 a.m. - 12:00 p.m. (Hands-on Exercise)
Course Questions?
Email: course-info@sei.cmu.edu
Phone: 412-268-7388
Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.