Certified DevSecOps Engineer
I. Overview:
EC-Council's DevSecOps course covers both application and infrastructure security across on-premises environments and leading cloud-native platforms. It features the latest DevSecOps concepts, tools, and practices, and addresses security considerations across all 8 stages of the DevOps lifecycle. With 70% hands-on labs, this DevSecOps training program aligns with the real-world roles and responsibilities of a DevSecOps engineer.
II. Duration: 40 hours (5 days)
III. Objective:
By the end of the course, you will:
- Understand DevOps culture and principles, along with the tools and technologies that facilitate the adoption of DevOps methodologies.
- Identify and overcome security challenges in DevOps by embracing a DevSecOps culture, philosophy, practices, and tools to enhance collaboration and communication between development and operations teams.
- Transform traditional security practices by embedding security into continuous delivery workflows throughout the development process.
- Understand the DevSecOps toolchain and integrate security controls into automated DevOps pipelines.
- Integrate Eclipse and GitHub with Jenkins to streamline application development and build processes.
- Align key security practices, such as requirements gathering, threat modeling, and secure code reviews, with development workflows.
- Integrate threat modeling tools like Threat Dragon, ThreatModeler, and Threatspec.
- Integrate Jira and Confluence to effectively manage security requirements throughout the development lifecycle.
- Integrate security plugins, scanners, and software composition analysis (SCA) tools within integrated development environments (IDEs) to detect and mitigate vulnerabilities early.
- Use Jenkins to create and manage secure continuous integration and continuous deployment (CI/CD) pipelines.
- Gain expertise with various security testing tools, including:
  - Static application security testing (SAST): Snyk, SonarQube, Checkmarx
  - Dynamic application security testing (DAST): StackHawk, OWASP ZAP, Invicti
  - Interactive application security testing (IAST): CxFlow IAST, Invicti Shark
  - Software composition analysis (SCA): Debricked, Mend, OWASP Dependency-Check
- Integrate runtime application self-protection (RASP) tools like Contrast Security, Datadog, and Dynatrace to protect applications during runtime with minimal false positives and effective vulnerability remediation.
- Integrate tools like SonarLint with Eclipse, Visual Studio, and Visual Studio Code (VS Code) to enhance code quality and security within the development environment.
- Automate security testing within the CI/CD pipeline using the JFrog Security IDE Plugin, Snyk IDE Plugin, and Codacy.
- Leverage various automation tools and practices to streamline development, security, and operations across on-premises and cloud environments.
- Use automated scanning tools like Nessus, SonarQube, SonarCloud, Amazon Macie, and Probely Vulnerability Scanning to conduct continuous vulnerability scans on product builds.
- Use penetration testing tools like GitGraber, Gitleaks, and GitMiner to secure the CI/CD pipeline against vulnerabilities.
- Use AWS, Azure, and GCP DevSecOps tools for securing applications in the cloud.
- Integrate automated tools to detect and address security misconfigurations that could expose sensitive information.
- Provision and configure infrastructure using infrastructure as code (IaC) tools like Ansible, Puppet, and Chef.
- Monitor infrastructure, networks, and applications using tools and services designed for both on-premises and cloud environments.
- Implement comprehensive logging and monitoring using tools like Sumo Logic, Datadog, Splunk, the Elasticsearch, Logstash, and Kibana (ELK) stack, and Nagios to audit processes from code pushes to compliance activities.
- Use automated monitoring and alerting tools, such as Splunk, Paessler Router Traffic Grapher (PRTG), and Nagios, to build real-time alerting and control systems.
- Integrate compliance as code (CaC) tools like Cloud Custodian and DevSec to meet regulatory requirements without disrupting production.
- Scan and secure infrastructure using container and image scanners (Trivy, Qualys) and infrastructure security scanners (Prisma Cloud, Checkov).
- Integrate continuous feedback mechanisms into the DevSecOps pipeline using tools like email notifications in Jenkins and Microsoft Teams.
- Integrate alerting tools like Opsgenie with log management and monitoring tools to improve operational performance and security.
- Integrate tools like Incident.io, PagerDuty, and Splunk for effective incident response within the DevSecOps pipeline.
- Implement automated backups, configure failover, conduct disaster recovery testing, automate replication, and perform rollbacks to ensure high availability, fault tolerance, and disaster recovery in both on-premises and cloud environments.
- Integrate AI in DevSecOps, exploring AI-powered tools within DevOps/DevSecOps pipelines, conducting AI-based secure code reviews, and leveraging AI-driven SAST to enhance security and automation.
IV. Intended Audience:
- CASE Certified Professionals
- Application Security Professionals
- DevOps Engineers
- Software Engineers/Testers
- IT Security Professionals
- Cyber Security Engineers/Analysts
- Anyone with prior knowledge of application security and an interest in pursuing a career as a certified DevSecOps professional.
V. Prerequisites:
- Basic understanding of DevOps concepts and CI/CD pipelines
- Familiarity with software development or application security fundamentals
- Basic knowledge of Linux, networking, and cloud computing concepts
- Prior exposure to DevOps tools or scripting is beneficial but not mandatory
VI. Course outline:
1. Module 01: Understanding DevOps Culture
This module introduces the principles and concepts of DevOps. It covers the cultural and technical foundations of DevOps, emphasizing collaboration between development and operations teams. Key topics include the significance of automation, continuous integration/deployment (CI/CD), and fostering a culture of continuous improvement. The module also covers DevOps values, benefits, and challenges, along with the role of collaboration, communication, and feedback loops in achieving faster and more reliable software delivery.
2. Module 02: Introduction to DevSecOps
This module covers the foundational concepts of DevSecOps, focusing on integrating security into the DevOps lifecycle. It explains the principles and importance of DevSecOps, emphasizing the shift from traditional security approaches to a more collaborative, automated, and continuously integrated security approach. The module introduces key components such as culture, automation, monitoring, and feedback loops, along with commonly used tools and practices. It also discusses the benefits of adopting DevSecOps, addresses its key challenges, and provides insights into establishing a DevSecOps culture within organizations.
3. Module 03: DevSecOps Pipeline – Plan Stage
This module covers the planning phase of the DevSecOps pipeline. It focuses on identifying security requirements, conducting threat modeling, and establishing a security-focused plan. It also highlights the importance of collaboration between development, security, and operations teams to ensure alignment with security goals.
4. Module 04: DevSecOps Pipeline – Code Stage
This module discusses secure coding practices and the integration of security into the development process. Topics include static code analysis, secure coding guidelines, and the implementation of security controls within the integrated development environment (IDE). Developers learn to write secure code using industry best practices.
5. Module 05: DevSecOps Pipeline – Build and Test Stage
In this module, learners explore how to integrate security into the build and testing processes. It covers automated security testing, including SAST and DAST. It also emphasizes the use of continuous integration (CI) pipelines.
6. Module 06: DevSecOps Pipeline – Release and Deploy Stage
This module explains how to maintain security during the release and deployment phases. It highlights secure deployment techniques, IaC security, and the use of container security tools. It also covers release management and secure configuration practices.
7. Module 07: DevSecOps Pipeline – Operate and Monitor Stage
The final module focuses on securing the operational environment and monitoring applications for security incidents. It includes topics like logging, monitoring, and incident detection and response. It also discusses continuous security monitoring using security information and event management (SIEM) tools.