November 14th, 2018
This course covers the DevSecOps process with an emphasis on securing both legacy and hybrid cloud environments. Best practices for security are covered in a conventional Continuous Integration and Continuous Deployment (CI/CD) pipeline.
About The Author
This video is a brief introduction of the course author.
About The DevSecOps Essentials Course
This video is an introduction to the course itself and explains the content and rationale behind the course structure.
An Overview of DevSecOps
This video lesson covers the DevSecOps topic through a discussion of terms and the overall process of a DevSecOps Continuous Delivery pipeline.
Cyber Security Standards and Concepts (Part 1)
Video lesson Part 1 of 2. This video lesson introduces the student to many of the industry standard practices for cyber security. Important terms are also introduced to allow the student to gain familiarity with the material covered throughout the course.
Cyber Security Standards (NIST Intelligence NVD and NCP Demo)
This lesson is Part 2 of 2. It gives an overview of the NIST National Vulnerability Database (NVD) and the National Checklist Program (NCP). Common Vulnerabilities and Exposures (CVE) identifiers and the Common Vulnerability Scoring System (CVSS) are demonstrated using the NIST online service.
Identity and Access Management
This lesson covers the fundamentals of identity and access management. The terms and concepts here are then applied throughout the course in other lessons.
Secure Software Onboarding
This lesson introduces the student to the use of software repositories. Specific attention is given to how third-party software in repositories can be secured and deliberately maintained to prevent the onboarding of malware and vulnerable components.
Securing Public Repositories
This lesson covers the use of public repositories, that is, repositories hosted off-premises and therefore not controlled from within an on-premises datacenter. GitHub is the use case. The key threats facing GitHub users are discussed and suggestions are made on how to prevent and remediate vulnerabilities.
As containers such as Docker become more widely used, it is important to discuss the CI/CD DevOps workflow and how security may be addressed in DevSecOps workflows that containerize applications. These practices use containers for isolation and portability of workloads across private, public and hybrid cloud environments.
Docker Trusted Repositories
This lesson introduces the use of Docker Trusted Repositories. The use of digital signatures on images and the maintenance of repository metadata are covered, and the lesson explains how container images are pushed to and pulled from repositories as part of the automated DevSecOps pipeline.
This lesson introduces the Docker Bench utility. Docker Bench is an automated scanning tool based on the CIS Docker Benchmark for hardening Docker hosts and daemons. The lesson walks through a sample of Docker Bench output and shows how security practitioners can use it to secure their DevSecOps pipeline.
Secure Build Automation
Automated Provisioning with PaaS Tooling
The 'worked in dev' problem was a common challenge before automation became standard practice for keeping development, staging, test and production environments consistent. PaaS (Platform as a Service) solutions help engineering create templates for development environments. Development teams can then spin up local sandboxes knowing that the components and frameworks are approved for production use.
Automated Provisioning with PaaS Tooling (OpenShift Demo)
This lesson covers PaaS tooling and demonstrates it against running software. The OpenShift Origin open source PaaS is used to illustrate how a PaaS can improve security in DevOps pipelines by enforcing tighter control over the frameworks developers use.
Securing The Automated Build
This lesson covers the security practices involved when using automated build tooling in a DevSecOps environment. The popular tool Jenkins is discussed with an emphasis on security practices related to its use.
Securing The Automated Build (Jenkins Pipeline Demo)
This demo is the first part of a two-part Jenkins demo. It covers the fundamentals of an automated build pipeline. Jenkins Blue Ocean is used to illustrate how automation ensures consistent and controlled access to repositories and how an automated build prepares artifacts for deployment.
Vulnerability Detection and Remediation
Following the discussion of scanning, this lesson covers the response to scan findings. Once vulnerabilities become known, security policy determines the appropriate remediation. The lesson discusses common vulnerabilities and why known vulnerabilities must sometimes be tolerated for a time, as a documented and accepted risk, rather than eliminated immediately. Typical approaches to remediation are also covered.
Vulnerability Detection and Remediation (OWASP Dependency Check Demo)
In this demo we show the OWASP Dependency Check plugin in a Jenkins build process. The WebGoat-Legacy application is scanned and three different examples of vulnerabilities are reviewed.
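The two lessons above describe scan findings being turned into remediation decisions by policy. The following is an added example, not part of the course and not code from OWASP Dependency Check or Jenkins: a small policy gate of the kind a pipeline stage runs after the scanner. A finding blocks the build when its CVSS score meets the policy threshold, unless it appears on a time-boxed accepted-risk list; an expired acceptance blocks again so the risk decision must be renewed. The findings, dependency names and identifiers are constructed for illustration in a simplified shape and are not a real Dependency-Check report.

```python
"""Policy gate for dependency-scan findings (added example, not course code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

NO_FIX = "no fixed version: isolate, add a compensating control, or replace"


@dataclass(frozen=True)
class Finding:
    dependency: str            # artifact the scanner matched, e.g. a jar name
    vuln_id: str               # identifier as reported by the scanner
    cvss: float                # base score, 0.0 - 10.0
    fixed_in: Optional[str] = None  # version that removes the finding, if known


@dataclass
class Policy:
    block_at: float = 7.0      # CVSS at or above this blocks (High/Critical)
    # vuln_id -> date the acceptance expires; reviewed risk decisions only.
    accepted: dict = field(default_factory=dict)


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)
    accepted: list = field(default_factory=list)
    expired: list = field(default_factory=list)
    informational: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        # An expired acceptance counts as blocking: the decision must be re-reviewed.
        return not self.blocking and not self.expired


def evaluate(findings, policy: Policy, as_of: date) -> GateResult:
    """Sort each finding into a bucket according to the policy on date `as_of`."""
    result = GateResult()
    for f in findings:
        if f.cvss < policy.block_at:
            result.informational.append(f)
        elif f.vuln_id not in policy.accepted:
            result.blocking.append(f)
        elif policy.accepted[f.vuln_id] < as_of:
            result.expired.append(f)
        else:
            result.accepted.append(f)
    return result


def remediation_plan(result: GateResult) -> dict:
    """One action per dependency that must change before the build can pass."""
    plan: dict = {}
    for f in result.blocking + result.expired:
        action = f"upgrade to {f.fixed_in}" if f.fixed_in else NO_FIX
        # A known fix wins over "no fix"; otherwise the first finding sets the action.
        if f.dependency not in plan or (plan[f.dependency] == NO_FIX and action != NO_FIX):
            plan[f.dependency] = action
    return plan


# Constructed sample: three findings against two hypothetical dependencies.
SAMPLE_FINDINGS = [
    Finding("example-parser-1.0.jar", "EXAMPLE-0001", 9.8, fixed_in="1.1"),
    Finding("example-parser-1.0.jar", "EXAMPLE-0002", 5.3),
    Finding("example-web-2.4.jar", "EXAMPLE-0003", 7.5),
]
# EXAMPLE-0003 was reviewed and accepted until the end of 2018 (constructed).
SAMPLE_POLICY = Policy(block_at=7.0, accepted={"EXAMPLE-0003": date(2018, 12, 31)})


def run_gate(as_of_iso: str = "2018-11-14") -> GateResult:
    """Run the sample findings through the sample policy as of the given date."""
    return evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    r = run_gate()
    print("PASSED" if r.passed else "BLOCKED")
    for f in r.blocking:
        print(f"  block   {f.vuln_id} cvss={f.cvss} in {f.dependency}")
    for f in r.accepted:
        print(f"  accept  {f.vuln_id} until {SAMPLE_POLICY.accepted[f.vuln_id]}")
    for dep, action in remediation_plan(r).items():
        print(f"  fix     {dep}: {action}")
```

Run as of the course date the build is blocked by the critical finding while the accepted High finding passes; run again after 31 December 2018 and the acceptance has expired, so the second dependency also needs action. Keeping the accepted-risk list in version control next to the pipeline definition gives the gate an audit trail.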
Once the build has created the binaries that will be promoted to QA, staging and production environments, it is important to safeguard those artifacts from tampering. This lesson uses Nexus3 as a use case for how a Jenkins Pipeline may be integrated with an on-premises secure artifact repository.
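The check that makes the artifact repository tamper-evident belongs at every promotion boundary (build to QA, QA to staging, staging to production). The following is an added example, not part of the course and not Nexus3 or Jenkins code: the build records a SHA-256 digest for each artifact in a manifest, the manifest is signed, and a later stage refuses to promote if the manifest signature or any artifact digest no longer matches. HMAC-SHA256 with a key held by the build system stands in for the repository's signing mechanism; the artifacts and the key are constructed for illustration.

```python
"""Tamper-evident promotion of build artifacts (added example, not course code)."""
from __future__ import annotations

import hashlib
import hmac
import json


def build_manifest(artifacts: dict) -> dict:
    """Map each artifact name to the hex SHA-256 of its bytes (build-time step)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(artifacts.items())}


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so the same manifest always signs identically."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest; stands in for a repository signature."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_release(artifacts: dict, manifest: dict, signature: str, key: bytes) -> list:
    """Return the list of problems; an empty list means the release may be promoted."""
    expected = sign_manifest(manifest, key)
    # Constant-time compare so the check does not leak where the MAC diverges.
    if not hmac.compare_digest(expected, signature):
        # An invalid signature means the manifest itself is untrusted: stop here.
        return ["manifest signature invalid"]
    problems = []
    for name, digest in manifest.items():
        if name not in artifacts:
            problems.append(f"{name}: listed in manifest but missing")
        elif not hmac.compare_digest(hashlib.sha256(artifacts[name]).hexdigest(), digest):
            problems.append(f"{name}: digest mismatch (tampered or wrong build)")
    for name in artifacts:
        if name not in manifest:
            problems.append(f"{name}: present but not in manifest (unexpected artifact)")
    return problems


# Constructed sample: a demo key and two tiny "artifacts" standing in for a real build.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
BUILD_42 = {"app.war": b"constructed war bytes, build 42", "config.yml": b"db: prod\n"}


def demo() -> tuple:
    """Verify a clean release, a tampered artifact, and a forged manifest."""
    manifest = build_manifest(BUILD_42)
    sig = sign_manifest(manifest, SIGNING_KEY)
    clean = verify_release(BUILD_42, manifest, sig, SIGNING_KEY)

    # Someone swaps the config after the build signed it.
    tampered = dict(BUILD_42, **{"config.yml": b"db: attacker\n"})
    swapped = verify_release(tampered, manifest, sig, SIGNING_KEY)

    # They also rewrite the manifest digest, but cannot re-sign without the key.
    forged_manifest = dict(manifest, **{"config.yml": hashlib.sha256(b"db: attacker\n").hexdigest()})
    forged = verify_release(tampered, forged_manifest, sig, SIGNING_KEY)
    return clean, swapped, forged


if __name__ == "__main__":
    for label, problems in zip(("clean", "tampered artifact", "forged manifest"), demo()):
        print(f"{label}: {'OK, promote' if not problems else problems}")
```

In a real pipeline the digests come from the repository's checksums and the signature is asymmetric, so deploy stages hold only a public key and cannot mint a manifest themselves; the structure of the check is the same.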
The 16 Gates
This lesson covers the sixteen specific criteria that Capital One Bank applies to gating. Capital One has implemented mature DevSecOps practices, and the sixteen gates are based on the work of Dr. Tapabrata Pal, an influential thought leader in the field.
Continuous Delivery Release Automation
Automated deployment can be as simple as allowing an individual programmer to deploy his or her own code to production, or as complex as using business process management to let stakeholders from a variety of corporate departments authorize an application's release. This lesson covers the fundamentals of Application Release Automation (ARA) and demonstrates the concepts with an open source tool called DeployHub.
Configuration management is the practice of defining and automating the desired state of systems so that deployments are repeatable and rollback is feasible when a release malfunctions or a vulnerability is detected. This lesson uses the Ansible configuration management tooling to illustrate how configuration management may be implemented to ensure security.
Production Monitoring and Ongoing Detection and Remediation
New threats emerge every day after applications are deployed. Production monitoring is the practice of evaluating systems in production to ensure that they remain compliant with security policy. Both static and dynamic security testing remain important after release, and penetration tests are likewise invaluable for finding weaknesses before an intruder does.
Dashboards and Automated Vulnerability Detection
While datacenter operations can be vigilant, applications running around the clock at scale require that vulnerability detection proceed without waiting for human review. Dashboards are useful for investigating suspected malfeasance, but automated vulnerability detection usually relies on messaging and digital notifications so that the appropriate stakeholders are alerted in the event of a breach or when baseline thresholds are exceeded. This lesson demonstrates how Elasticsearch and Kibana can be used for continuous monitoring.
Summation and Next Steps
This lesson briefly reviews the course content and offers suggestions for further study so that each student can create a learning path appropriate to his or her individual goals.