DevSecOps Essentials

Course


John Marx

Training Architect

Length

07:01:59

Difficulty

Beginner

Course Details

This course covers the DevSecOps process with an emphasis on securing both legacy and hybrid cloud environments. Best practices for security are covered in a conventional Continuous Integration and Continuous Deployment (CI/CD) pipeline.

Syllabus

DevSecOps Essentials

Introduction

About The Author

00:00:36

Lesson Description:

This video is a brief introduction of the course author.

About The DevSecOps Essentials Course

00:07:35

Lesson Description:

This video is an introduction to the course itself and explains the content and rationale behind the course structure.

An Overview of DevSecOps

00:08:47

Lesson Description:

This video lesson covers the DevSecOps topic through a discussion of terms and the overall process of a DevSecOps Continuous Delivery pipeline.

Cyber Security Standards and Concepts (Part 1)

00:11:28

Lesson Description:

Video lesson Part 1 of 2. This video lesson introduces the student to many of the industry standard practices for cyber security. Important terms are also introduced to allow the student to gain familiarity with the material covered throughout the course.

Cyber Security Standards (NIST Intelligence NVD and NCP Demo)

00:05:44

Lesson Description:

This lesson is Part 2 of 2. It gives an overview of the NIST National Vulnerability Database and the National Checklist Program. Common Vulnerabilities and Exposures (CVE) entries and the Common Vulnerability Scoring System (CVSS) are demonstrated using the NIST online service.

Identity and Access Management

00:05:50

Lesson Description:

This lesson covers the fundamentals of identity and access management. The terms and concepts here are then applied throughout the course in other lessons.

Secure Software Onboarding

Clean Repositories

00:07:58

Lesson Description:

This lesson introduces the student to the use of software repositories. Specific attention is given to how the third-party software in repositories can be secured, and intentionally maintained to prevent the onboarding of malware and vulnerabilities.

Securing Public Repositories

00:14:28

Lesson Description:

This lesson covers the use of public repositories, meaning repositories hosted off-premises and therefore not controlled within an on-premises datacenter. GitHub is used as the example of a public repository. The key threats facing GitHub users are discussed, along with suggestions for preventing and remediating vulnerabilities.

Secure Containerization

00:12:56

Lesson Description:

As containers such as Docker become more widely used, it is important to discuss the CI/CD DevOps workflow and how security can be addressed in DevSecOps workflows that containerize applications. These practices use containers for the isolation and portability of Private, Public and Hybrid Cloud workflows.

Docker Trusted Repositories

00:09:33

Lesson Description:

This lesson introduces the use of Docker Trusted Repositories. The use of digital signatures and the maintenance of repository metadata are covered, explaining how container images can be pushed to and pulled from repositories as part of the automated DevSecOps pipeline.

Docker Bench

00:09:02

Lesson Description:

This lesson introduces the Docker Bench utility. Docker Bench is an automated scanning tool based on the CIS Benchmark for hardening Docker implementations. This lesson discusses a sample of the Docker Bench output and how security practitioners might use it to secure their DevSecOps pipeline.

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.

00:30:00

Hands-on Lab

00:30:00

Secure Build Automation

Automated Provisioning with PaaS Tooling

00:04:23

Lesson Description:

The 'worked in dev' problem was a common challenge before orthodox practice adopted automation to ensure that development, staging, test, and production environments are all consistent. PaaS (Platform as a Service) solutions help engineering create templates for development environments. Development teams can then spin up local sandboxes knowing that the components and frameworks are approved for production use.

Automated Provisioning with PaaS Tooling (OpenShift Demo)

00:11:57

Lesson Description:

This lesson covers PaaS tooling and demonstrates it against running software. The OpenShift Origin open source PaaS is used to illustrate how PaaS can help ensure security in DevOps pipelines by enforcing tighter control over the frameworks developers use.

Securing The Automated Build

00:08:12

Lesson Description:

This lesson covers the security practices involved when using automated build tooling in a DevSecOps environment. The popular tool Jenkins is discussed with an emphasis on security practices related to its use.

Securing The Automated Build (Jenkins Pipeline Demo)

00:09:20

Lesson Description:

This demo is the first part of a two-part Jenkins demo. In this lesson the fundamentals of an automated build pipeline are covered. Jenkins Blue Ocean is used to illustrate how automation ensures consistent and controlled access to repositories, and how an automated build can prepare artifacts for deployment.

Vulnerability Detection and Remediation

00:16:22

Lesson Description:

Following our discussion of scanning, this lesson covers the response to scan findings. Once vulnerabilities become known, security policy is used to determine the appropriate remediation. This lesson discusses common vulnerabilities and why it is necessary to tolerate malware in many systems. Typical approaches to remediation are also covered.

Vulnerability Detection and Remediation (OWASP Dependency Check Demo)

00:12:53

Lesson Description:

In this demo we show the OWASP Dependency Check plugin in a Jenkins build process. The WebGoat-Legacy application is scanned and three different examples of vulnerabilities are reviewed.

Secure Staging

00:04:43

Lesson Description:

Once the build has created the binaries that will be promoted to QA, Staging and production environments, it is important to safeguard those artifacts from tampering. This lesson uses Nexus3 as a use case for how a Jenkins Pipeline can be integrated with an on-premises secure repository.

Hands-on Lab

01:00:00

Release Gating

The 16 Gates

00:12:14

Lesson Description:

This lesson covers the sixteen specific criteria applied to release gating at Capital One Bank. Capital One has implemented mature DevSecOps practices, and the sixteen gates are based on the work of an influential thought leader, Dr. Tapabrata Pal.

Continuous Delivery Release Automation

Automated Deployment

00:11:20

Lesson Description:

Automated deployment can be as simple as allowing an individual programmer to deploy his or her own code to production, or as complex as using business process management to allow stakeholders from a variety of corporate departments to authorize an application's release. This lesson covers some of the fundamentals associated with Application Release Automation (ARA) and demonstrates these concepts through an open source tool called DeployHub.

Configuration Management

00:07:08

Lesson Description:

Configuration management is the practice of automating deployments in such a way that rollback is feasible when releases malfunction or vulnerabilities are detected. This lesson uses the Ansible configuration management tooling to illustrate how configuration management can be implemented to ensure security.

Production Monitoring and Ongoing Detection and Remediation

Production Monitoring

00:05:30

Lesson Description:

After applications are deployed, new threats are detected every day. Production monitoring is the practice of evaluating systems in production to ensure that they remain compliant with security policy. Both static and dynamic security testing are important to ongoing security. Penetration tests are likewise invaluable in preventing unwanted intrusion.

Dashboards and Automated Vulnerability Detection

00:08:50

Lesson Description:

While datacenter operations can be vigilant, the prolific use of applications on a 24x7 cadence requires that vulnerability detection be done without human review. Dashboards are useful for investigating potential malfeasance, but automated vulnerability detection usually involves messaging and digital notifications so that the appropriate stakeholders are notified in the event of a breach or when baseline thresholds are exceeded. This lesson demonstrates how Elasticsearch and Kibana can be used for continuous monitoring.

Hands-on Lab

01:00:00

Conclusion

Summation and Next Steps

00:05:00

Lesson Description:

This lesson briefly reviews the course content and makes suggestions for further study so that students can create a learning path appropriate to their individual goals.