Teach your teams how to improve the DevSecOps practice
This training course runs from 12:00 to 20:00 each day.
All times given are in the local timezone for the date of the course.
Led by a senior expert, this course teaches your teams how to improve their DevSecOps practice, from guiding principles to daily technical execution.
This DevSecOps training boot camp is a practical, in-depth course for teams who want to understand, apply, and improve their skills in "shifting left" in IT security. The expert-led boot camp focuses on the principles, processes, and technical skills needed to make security and risk profiling a front-end priority, embracing a "quality first" mindset. Teams leave the class understanding that they share responsibility for how applications and IT services behave once they are complete and in production, even if their own work is primarily designing, developing or testing applications. For IT teams at the operations end of the spectrum, the class shows how to shift left and collaborate on the upstream work that ultimately shapes the IT security environment, the organisation's risk management, and their own daily jobs.
1. Risk review
4. Compliance, regulatory and GRC
5. The Pipeline Model
6. Exercise A: Value Stream Mapping
7. Continuous Integration
8. Continuous Delivery
1. Traditional vs. “DevOps” security
2. Tools vs. processes
3. Security, not compliance
4. Prioritizing testing for risk
5. Reducing source code footprint
6. Static analysis for secure code
7. Feature toggles for security
8. DevSecOps and technical debt management
1. Designing for security
2. Assessing risk appetite
3. Modeling threats
4. Product architecture
5. Use cases, antipatterns, and abuse cases
6. Dataflows and trust boundaries
7. Exercise B: Threat Modeling
1. Secure code overview
2. OWASP review
3. Tools for automating OWASP checks
4. Developer guidelines & checklists
5. Tools to use
6. Coding Standards (top 5 languages)
7. Common pitfalls
8. Identifying Unsafe Code
1. Testing before commit
2. Scanning for secrets
3. Hook examples
4. Application security testing
5. Testing dependencies
6. How to treat manual testing
7. Performance Testing
8. Testing in parallel
10. Mutation testing and tools for performing it
11. User role testing
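The pre-commit items above (testing before commit, scanning for secrets, hook examples) describe the first control most teams automate. As an added illustration, not part of the course material or of any vendor's tooling, the following Python pre-commit hook inspects only the lines added in the staged diff, matching them against a few credential formats and an entropy check on long quoted string literals. The rule names, regular expressions, entropy threshold and the `# allow-secret` marker are assumptions chosen for the example; tune them to the credential types your organisation actually issues.

```python
#!/usr/bin/env python3
"""Pre-commit hook that refuses commits whose staged changes look like they
contain credentials.

Added example, not course material. Install by copying this file to
.git/hooks/pre-commit in a repository and marking it executable. Only lines
*added* in the staged diff are inspected, so history and unstaged working-tree
edits are out of scope; pair it with a server-side or CI scan.
"""
import math
import re
import subprocess
import sys

# Credential formats to look for. The list is an assumption for illustration;
# extend it with the token formats your organisation actually issues.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # Catch-all: a sensitive-looking name assigned a literal of 8+ characters.
    "generic_assignment": re.compile(
        r"""(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]?[^\s'"]{8,}"""),
}

# Quoted strings of 20+ base64/hex-ish characters get an entropy check.
ENTROPY_CANDIDATE = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune per codebase
ALLOWLIST_MARK = "# allow-secret"  # annotate known-benign fixtures to suppress a hit


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list:
    """Return the names of every rule that fires on one line of text."""
    if ALLOWLIST_MARK in line:
        return []
    hits = [name for name, rx in PATTERNS.items() if rx.search(line)]
    for m in ENTROPY_CANDIDATE.finditer(line):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            hits.append("high_entropy_string")
            break
    return hits


def scan_diff(diff_text: str) -> list:
    """Walk a unified diff and return (path, new_line_number, rule) for each
    finding on an added line. Removed lines are ignored; context lines only
    advance the new-file line counter."""
    findings = []
    path, lineno = "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            # "@@ -a,b +c,d @@": the new-file range starts at line c
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            for rule in scan_line(raw[1:]):
                findings.append((path, lineno, rule))
            lineno += 1
        elif not raw.startswith("-") and not raw.startswith("\\"):
            lineno += 1  # unchanged context line
    return findings


def main() -> int:
    """Hook entry point: scan the staged diff and block the commit on any hit."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: possible secret ({rule})", file=sys.stderr)
    if findings:
        print(f"commit blocked: {len(findings)} finding(s); remove the secret or "
              f"mark a known-benign fixture with '{ALLOWLIST_MARK}'", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats a practitioner would add to the lesson: a local hook is advisory, since a developer can commit with `--no-verify` or never install it, so the same scan belongs in CI or a server-side hook as well; and a secret that has already reached a commit must be rotated, not just deleted from the next version, because it remains in history.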
1. IAM overview
2. Identity profiles
3. Using IAM for automation
4. IAM practices in the cloud
5. IAM as an application building block
6. IAM antipatterns
7. Guided discussion: IAM in a Microservices use case
1. Canary candidates
2. Dark launches
3. Streamlining libraries and dependencies
4. Keeping packages up to date
5. Keeping deploys repeatable and reliable
6. OpenSCAP for scanning baselines before and after deployments
7. Scanning web server configuration
8. Database exploitation through applications
9. Infrastructure scanning
10. Scanning web applications
1. Where does Ops security begin and end?
2. Infrastructure as Secure Code
3. Incident response planning and emergency drills
4. Release Archives
5. OS Protections:
7. Monitoring, logging and intelligent alerts
8. Log management
9. Penetration Testing
10. Exercise C: Profiling a DevSecOps Hybrid model
1. GRC review
2. Coding for compliance
3. DevOps and the “segregation of duties”
4. Tooling example: Chef InSpec
5. Change management and policy
6. Exercise D: Automated vs. Manual, to comply with Audit requirements
1. Three types of “change”
2. When and why to use CAB boards
3. Peer review vs. change management
4. Automating change management
ITIL in 2020
1. The core toolkit of metrics
2. The best way to institute alerts
3. Managing alerts
4. Proactive vs. reactive metrics
5. Measurement antipatterns
1. Security fails and breakdowns
2. Incentive, fear, and reward
3. Getting outside IT
4. How to shift left
5. Building security in
6. Cost and the business case for proactive security
7. Overcoming conventions of the past
8. Bridging silos – why and how
9. Exercise E: Rearranging incentives
1. Class recap and final questions
2. What will you do differently when you return to work?
In this class you will learn how to:
This DevSecOps training is for those who have at least an introductory-level understanding of DevOps and Agile topics.
Professionals who may benefit include:
Students should have an introductory-level understanding of DevOps and Agile topics before taking this course.
This course does not require any pre-course preparation.
This course does not include a formal certification or exam.
Three days (24 hours) of high-quality instruction from one of our experienced trainers. Also included are:
Large portfolio of training courses available, with certifications from most industry bodies or from Radtac.
Our trainers have years of both on the job and teaching experience. Learn from their real-life experience, not just from theory.
From booking your course, through practical examples and hands-on exercises, to high exam pass rates, training with us is a smooth journey.
Even after your training, we’re there for you if you have questions about applying your learning in the workplace.
Looking for more support on your Agile journey? We’ve got you covered with additional services such as coaching, consulting and more.
Be part of a great community where you can join your peers, learn from each other and find new networking opportunities.