Certified DevSecOps Expert (CDE)

I. Overview:

The most comprehensive DevSecOps certification in the world: become a Certified DevSecOps Expert by learning to write custom roles for OS hardening, infrastructure as code and compliance as code, and to perform vulnerability management at scale, with hands-on advanced training in our state-of-the-art labs.

II. Duration: 40 hours

III. Prerequisites:
  • Course participants must have the Certified DevSecOps Professional (CDP) certification.
  • Course participants should have a basic understanding of application security practices such as SAST, DAST, etc.

IV. Course outline:

1. Chapter 1: Overview of DevSecOps

  • DevOps Building Blocks – People, Process and Technology.
  • DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
  • Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
  • Overview of the DevSecOps critical toolchain.
    • Repository management tools.
    • Continuous Integration and Continuous Deployment tools.
    • Infrastructure as Code (IaC) tools.
    • Communication and sharing tools.
    • Security as Code (SaC) tools.

SDLC

  • Overview of secure SDLC and CI/CD.
  • Review of security activities in secure SDLC.
  • Continuous Integration and Continuous Deployment.
  • How to move from DevSecOps Maturity Model (DSOMM) Level 2 to Level 4.
    • Best practices and considerations for Maturity Level 3.
    • Best practices and considerations for Maturity Level 4.
    • Security automation and its limits.
    • DSOMM level 3 and level 4 challenges and solutions.

2. Chapter 2: Security Requirements and Threat Modelling (TM)

  • What is Threat Modelling?
  • STRIDE vs DREAD approaches.
  • Threat modelling and its challenges.
  • Classical threat modelling tools and how they fit into the CI/CD pipeline.
  • Hands-On Labs:
    • Automate security requirements as code.
    • Using ThreatSpec to do Threat Modelling as Code.
    • Using BDD security to codify threats.

3. Chapter 3: Advanced Static Analysis (SAST) in the CI/CD pipeline

  • Why pre-commit hooks are not a good fit in DevSecOps.
  • Writing custom rules to weed out false positives and improve the quality of the results.
  • Various approaches to write custom rules in free and paid tools.
    • Regular expressions
    • Abstract Syntax Trees
    • Graphs (data and control flow analysis)
  • Hands-On Labs: Writing custom checks in Bandit for your enterprise applications.

4. Chapter 4: Advanced Dynamic Analysis (DAST) in the CI/CD pipeline

  • Embedding DAST tools into the pipeline.
  • Leveraging QA/Performance automation to drive DAST scans.
  • Using Swagger (OpenAPI) and ZAP to scan APIs iteratively.
  • Ways to handle custom authentications for ZAP Scanner.
  • Using Zest Language to provide better coverage for DAST scans.
  • Hands-On Labs: using ZAP + Selenium + Zest to configure in-depth scans.
  • Hands-On Labs: using Burp Suite Pro to configure per commit/weekly/monthly scans.

Note: Students need to bring their own Burp Suite Pro license for use in CI/CD.

5. Chapter 5: Runtime Analysis (RASP/IAST) in the CI/CD pipeline

  • What is Runtime Analysis Application Security Testing?
  • Differences between RASP and IAST.
  • Runtime Analysis and challenges.
  • RASP/IAST and its suitability in CI/CD pipeline.
  • Hands-On Labs: A commercial implementation of the IAST tool.

6. Chapter 6: Infrastructure as Code (IaC) and Its Security

  • Configuration management (Ansible) security.
    • Users/Privileges/Keys – Ansible Vault vs Tower.
    • Challenges with Ansible Vault in CI/CD pipeline.
    • Introduction to Packer.
      • Benefits of Packer.
      • Templates, builders, provisioners, and post processors.
      • Packer for continuous security in DevOps Pipelines.
  • Tools and services for practicing IaC (Packer + Ansible + Docker).
  • Hands-On Labs: Using Ansible to harden on-prem/cloud machines for PCI-DSS.
  • Hands-On Labs: Create hardened golden images using Packer + Ansible.

7. Chapter 7: Container (Docker) Security

  • What is Docker?
  • Docker vs Vagrant.
  • Basics of Docker and its challenges.
    • Vulnerabilities in images (Public and Private)
    • Denial of service attacks
    • Privilege escalation methods in Docker.
    • Security misconfigurations.
  • Container Security.
    • Content Trust and Integrity checks.
    • Capabilities and namespaces in Docker.
    • Segregating Networks.
    • Kernel Hardening using SecComp and AppArmor.
  • Static Analysis of container (Docker) images.
  • Dynamic Analysis of container hosts and daemons.
  • Hands-On Labs:
    • Scanning docker images using Trivy and its APIs.
    • Auditing Docker daemon and host for security issues.

8. Chapter 8: Secrets management on mutable and immutable infra

  • Managing secrets in traditional infrastructure.
  • Managing secrets in containers at Scale.
  • Secret Management in Cloud.
    • Version Control systems and Secrets.
    • Environment Variables and Configuration files.
    • Docker, Immutable systems and its security challenges.
    • Secrets management with HashiCorp Vault and Consul.
  • Hands-On Labs: Securely store Encryption keys and other secrets using Vault/Consul.

9. Chapter 9: Advanced vulnerability management

  • Approaches to manage the vulnerabilities in the organization.
  • False positives and False Negatives.
  • Culture and Vulnerability Management.
  • Creating different metrics for CXOs, devs and security teams.
  • Hands-On Labs: Using Defect Dojo for vulnerability management.
