DevSecOps Fundamentals
Course Content
This DevSecOps course will provide students with the fundamental knowledge to integrate security controls, processes, and services into the DevOps pipeline. This course covers the distinct security challenges posed by custom software and web applications.
Security professionals have a robust suite of tools and methodologies for assessing the risk to operating systems, firewalls, and other components on the network. But they may have limited knowledge on how to review web applications and custom code. As demonstrated by the recent breaches, which have exploited third-party libraries, continuous monitoring and assessment do not always include a review of software dependencies.
Organizations rely on regular patches for commercial software and understand how to deploy updates. But maintaining secure custom software requires development team support or integration into a DevSecOps pipeline.
To gain a common understanding of these distinct security challenges, the course will include an overview of vulnerabilities such as XSS, CSRF, SQL injection, Local/Remote File Inclusion, and other findings identified in the OWASP Top 10. Additional insight will be provided into the susceptibility to “supply chain” risks when third-party libraries are loaded from public repositories such as NPM, Docker Hub, Python Package Index, or Cloud services marketplaces. The focus of the course is on open-source tools to perform static code analysis, dynamic code analysis, and third-party dependency checks.
We will pull in concepts from open resources such as the DoD Enterprise DevSecOps Reference Design, OWASP DevSecOps Maturity Model, and the DevSecOps group.
What is Secure Software Development?
It is a practice to ensure that the code and processes that go into developing applications are as secure as possible. Secure development entails the utilization of several processes, including the implementation of a Software Development Lifecycle (SDLC) and secure coding itself.Every company is looking to save money and reduce risk. One way security-savvy organizations do so is by employing secure software development techniques in the creation and maintenance of their technical endeavors. These techniques you will learn include software acquisition strategy, development environment security controls, and software security effectiveness.
On a daily basis, someone in this type of role may be creating new tools for everything from virus, spyware, malware, and intrusion detection to traffic analysis. Or they could be working to ensure that security measures are included in any software your organization produces. Regardless of the specific role, there are certain skills needed to ensure the software being developed is in fact secure. This area of secure development also covers software acquisition strategy, development environment security controls, and software security effectiveness to ensure all aspects of security are covered from the perspective of a developer.
What Are the Prerequisites for This Course?
Individuals who wish to take this DevSecOps course should have a basic understanding of security controls, attack vectors, and cybersecurity principles. You will not need to understand programming, but some knowledge of the process from development to deployment would be helpful.The course is based on an assumption of basic cybersecurity principles, but we will start with the need for integrating security into the DevOps cycle and identifying specific tools or processes to accomplish this goal.
Some understanding of existing automated security tools may be helpful, but students will be given a basic description of the tools. Additional research can be pursued as needed.
What Are the DevSecOps Course Goals?
By the end of this DevSecOps course, students should be able to:What is DevSecOps?
DevSecOps is the IT industry term for development, security, and operations. DevSecOps is the philosophy that security features should be integrated into the software at each step of the development process. DevSecOps improves communication and merges traditional IT and security to deliver code quickly and safely.When a developer uses DevSecOps practices, they’re putting building coding and creating security barriers in the same process. When using DevSecOps practices, security features are thought of, created, and integrated into the earliest stages of software development.
DevSecOps practices put the responsibility of security on everyone in an organization that is rolling out new software, writing code, or creating an application.
“DevOps has become second nature for agile, high-performing enterprises and a foundation for the success of their online business,” Pascal Geenens, a security evangelist and researcher at Radware, told CSO Online. He argues, “Continuous change in technology and consumer demand means there is a continuous cycle of updates to run that will keep a very varied set of functions from page upload times to shopping and search features up to date and running at their best.”
What is the difference between DevOps and DevSecOps?
DevSecOps differs from its similar-sounding counterpart, DevOps.DevOps practices involve combining software development and IT operations to shorten the systems’ development life cycle and provide continuous delivery with high software quality. DevOps doesn’t have the same security integration as DevSecOps. Each team within an organization would have its own responsibilities, with security being sectioned off.
DevSecOps merges the creation of applications, code, and software with the best security practices.
Why are DevSecOps practices important?
Technology has evolved rapidly to allow cloud sharing among multiple users, cloud computing, and rapid data delivery. However, security practices have not kept pace with evolving technology. With multiple users accessing data remotely, security risks increase.DevSecOps practices are essential because they protect data, users, and software from security breaches before they happen.
How do you become DevSecOps certified?
You can obtain a DevSecOps certification by taking online DevSecOps courses through platforms such as Cybrary. Before getting started, students should already have a basic understanding of security controls, attack vectors, and cybersecurity principles.Cybrary’s DevSecOps course starts with an introduction to security during the development cycle. The course covers possible security breaches a system could have, as well as static and dynamic analyses. Students will learn how to plan for security integration throughout the development pipeline, as well as deliver and deploy software with DevSecOps practices in mind. Finally, students will gain skills to monitor the system on an ongoing basis.
Cybrary offers DevSecOps training broken into short, on-demand video modules, allowing students to learn at their own pace. The full course is five hours long.
At the end of the course, you can go on to pursue certification by taking the official exams for numerous DevSecOps certifications, including:
The typical DevSecOps engineer earns more than $142,000 a year, according to Neuvoo. In cities such as New York, DevSecOps professionals can earn as much as $175,000. As a DevSecOps engineer, professionals will collaborate with DevOps engineers, stay up to date on the latest security trends, and help their organization build secure, fast software to execute the company’s goals.
Instructed by
I have been captivated by technology since I received my first computer at the age of 8. Even at a young age I enjoyed programming since it provided a virtual method of creating building blocks toward a final project; I have been coding ever since. My first job was as a web developer and part-time system administrator. I transitioned to system/network administrator managing Linux systems and connectivity for a local Internet service provider. I continued in several different fields of IT before transitioning to a dedicated cybersecurity role.
My roles in cybersecurity have been as an auditor, security plan writer, controls implementer, architecture, incident responder, and penetration tester. In my current role, I test web application and perform security code review for applications developed in Java, .Net, Python, JavaScript, and a few other languages. I try to get away from IT as much as possible and enjoy the outdoors. My favorite hobbies are mountain biking, hiking, and photography. When I’m lucky, I can combine a couple of hobbies at onetime.
I have always enjoyed teaching and analogizing technology into terms everyone can understand without the complexity of IT.I also enjoy teaching concepts to IT professionals to expand their knowledge and assist in furthering their careers. During my doctoral studies, I attended a pedagogy class, which helped me understand how to formalize methods of teaching and organize the structure of knowledge transfer. I have recently taken on roles as a committee chair and mentor to doctoral students to support them through the process from development to defense of their dissertations. I also love talking about IT and cybersecurity, which makes teaching an enjoying endeavor.
