DevSecops is an evolution of DevOps, by including more and more security into the process. You may have heard the term "shift-left security" in many marketing materials. We're going to help you understand what that means!
Modern-day IT involves a complex interplay of on-premises infrastructure, cloud resources, automation and software development. In order to safely operate in today's hostile environment, everyone in IT needs to understand fundamental concepts of secure software and service delivery.
Enterprises, both large and small, rely heavily on DevOps processes to efficiently and securely manage their IT environments. DevOps brings with it specific requirements and skill sets which haven't been part of traditional IT education for very long.
This introductory training will provide you with an understanding of fundamental DevOps and DevSecOps concepts. It serves as your first few steps in becoming an experienced DevOps engineer.
Regardless of your current or future roles, you will need to feel comfortable:
The following topics will be touched upon in this five-day training.
After these five days of introductory training, students will have attained a level which, in language learning, is called "A1": you have started your discovery of a new subject and have learned the terms and concepts relevant to putting further learning into context.
Students will be able to:
In order to get the fullest experience in this class, students will need the following prior knowledge.
Ideally, students will have a conceptual understanding of common software vulnerabilities as described in the OWASP Top 10. This is not a hard requirement, but it will absolutely help in understanding the goal of DevSecOps.
Programming experience is not needed. We will work with a demo project in Angular/NodeJS, but we will not be working on the actual source code.
To participate in this class, students need a laptop of their own.
Unfortunately I do not have lab setup which is compatible with Apple ARM.
Students will be provided with a Vagrantfile, to build the lab VM before class.
This training is best suited for a group of 5-15 students.
Trainings can occur fully online/remote, for small groups, via MS Teams or Zoom.
Unixerius can offer training at our own site, in Almere Buiten. We can host up to 15 students and will arrange lunch. Hotels and shops are relatively close, but not within walking distance. Bus 22 will take you from railway station Almere Buiten to our MAC3Park office in a few minutes (departing every 15min).
We can also perform the training in-house at your office, although this will be geographically limited to the triangle Amsterdam - Utrecht - Zwollle.
Day 1
Day 2
Day 3
Day 4
Day 5
Organisational learning needs
Modern-day IT involves a complex interplay of on-premises infrastructure, cloud resources, automation and software development. In order to safely operate in today's hostile environment, everyone in IT needs to understand fundamental concepts of secure software and service delivery.
Enterprises, both large and small, rely heavily on DevOps processes to efficiently and securely manage their IT environments. DevOps brings with it specific requirements and skill sets which haven't been part of traditional IT education for very long.
This introductory training will provide you with an understanding of fundamental DevOps and DevSecOps concepts. It serves as your first few steps in becoming an experienced DevOps engineer.
Regardless of your current or future roles, you will need to feel comfortable:
- Working in project teams, instead of just individually.
- Using modern-day DevOps and cloud platforms.
- With concepts as CI/CD, Git and automation.
- With security concepts such as secure development, security testing and secure operations.
Course objectives
The following topics will be touched upon in this five-day training.
- How do modern-day IT organisations work?
- Project management
- The SDLC: software development life cycle
- Waterfall, Agile, Scrum, Kanban
- SDLC phases, from design through operation
- DevOps concepts and software deployment practices.
- Creating software in a team, cooperatively.
- Git fundamentals.
- Virtualisation and cloud platforms.
- A quick repeat of virtualization and container fundamentals.
- Serverless platforms
- Virtualised hosting in the cloud.
- CI/CD pipelines.
- Automation as part of the SDLC.
- Going from source code, to a running service.
- Security in DevOps:
- Software vulnerabilities
- Secure design, threat modelling
- Static code analysis, software composition analysis, secrets detection
- Functional testing, testing for security, test automation
- Deployment gates, releasing to production
- Vulnerability management & scanning
- Pen-testing, dynamic application testing
- WAF, application gateways
End result of the training
After these five days of introductory training, students will have attained a level which, in language learning, is called "A1": you have started your discovery of a new subject and have learned the terms and concepts relevant to putting further learning into context.
Students will be able to:
- Identify and explain key concepts of DevSecOps.
- Link these concepts to activities they may encounter in the work field.
- Form a framework of knowledge into which further learning can be contextualized.
Required prior knowledge
In order to get the fullest experience in this class, students will need the following prior knowledge.
- At least one year of working with Linux and Windows server operating systems.
- Fundamental conceptual knowledge of computer networks: TCP/IP, DNS, firewalls, load balancers.
- At least one year of experience with a scripting language, like Bash or Powershell.
Ideally, students will have a conceptual understanding of common software vulnerabilities as described in the OWASP Top 10. This is not a hard requirement, but it will absolutely help in understanding the goal of DevSecOps.
Programming experience is not needed. We will work with a demo project in Angular/NodeJS, but we will not be working on the actual source code.
Required system
To participate in this class, students need a laptop of their own.
- With Windows 10/11, Linux, or MacOS.
- With a recent i5/i7/i9 or AMD Ryzen2 processor
- With at least 8GB of RAM.
- With at least 60GB of available storage space.
- Virtualbox 6.1.x and Vagrant pre-installed.
Unfortunately I do not have lab setup which is compatible with Apple ARM.
Students will be provided with a Vagrantfile, to build the lab VM before class.
Training options
This training is best suited for a group of 5-15 students.
Trainings can occur fully online/remote, for small groups, via MS Teams or Zoom.
Unixerius can offer training at our own site, in Almere Buiten. We can host up to 15 students and will arrange lunch. Hotels and shops are relatively close, but not within walking distance. Bus 22 will take you from railway station Almere Buiten to our MAC3Park office in a few minutes (departing every 15min).
We can also perform the training in-house at your office, although this will be geographically limited to the triangle Amsterdam - Utrecht - Zwollle.
Course structure
Day 1
- Introduction
- Working in an enterprise setting
- LAB: Meeting Azure DevOps
- The SDLC, how is software made?
- LAB: A first build of our software project.
- GROUP: Exploring our software project
Day 2
- Project management
- LAB: Azure DevOps Boards
- Cooperative programming / team work, Git fundamentals
- LAB: Branches, (forks), cooperative coding
- VMs, containers, cloud hosting
- LAB: Running our project in Docker
- CI/CD pipelines
- LAB: Building and deploying to Azure
Day 3
- Functional testing, automation
- LAB: Building and deploying to TEST, with functional tests.
- DevSecOps fundamentals
- Software vulnerabilities, CVE and CVSS
- LAB: Software composition analysis (SCA)
- LAB: SCA for containers
- GROUP: threat modelling
Day 4
- SAST (Static analysis) basics
- LAB: SAST in the pipeline
- Secrets management, key materials
- LAB: Secrets detection
- Safely deploying to prod
- LAB: Gated pull to prod, block merge to prod/master
- LAB: Deploy to prod
Day 5
- Vulnerability management
- LAB: Centralized vulnerability scanning
- Pen-testing
- LAB: Automated abuse tests
- Dynamic testing (DAST)
- LAB: DAST in the pipeline
- Protection in the cloud
- LAB: WAF
- Closing