Module 1: Securing the Development Cycle
Module 2: What are we Defending?
Module 3: Pipeline: Planning and Awareness
Module 4: Pipeline: Development
Module 5: Pipeline: Delivery
Module 6: Pipeline: Deployment
Module 7: Pipeline: Operation and Monitor
Module 8: Conclusion
This course will provide students with the fundamental knowledge to integrate security controls, processes, and services into the DevOps pipeline. It covers the distinct security challenges posed by custom software and web applications.
Cybersecurity professionals have a robust suite of tools and methodologies for assessing the risk to operating systems, firewalls, and other components on the network, but may have limited knowledge of how to review web applications and custom code. As demonstrated by recent breaches that exploited third-party libraries, continuous monitoring and assessment do not always include a review of software dependencies. Organizations rely on regular patches for commercial software and understand how to deploy updates, but maintaining secure custom software requires development team support or integration into a DevSecOps pipeline.
To gain a common understanding of these distinct security challenges, the course will include an overview of vulnerabilities such as XSS, CSRF, SQL injection, Local/Remote File Inclusion, and other findings identified in the OWASP Top 10. Additional insight will be provided into the susceptibility to “supply chain” risks when third-party libraries are loaded from public repositories such as NPM, Docker Hub, the Python Package Index, or cloud marketplaces. The focus of the course is on open-source tools to perform static code analysis, dynamic code analysis, and third-party dependency checks.
We will pull in concepts from open resources such as the DoD Enterprise DevSecOps Reference Design, OWASP DevSecOps Maturity Model, and the DevSecOps group.
What is Secure Software Development? It is a practice to ensure that the code and processes that go into developing applications are as secure as possible. Secure development entails the use of several processes, including the implementation of a Secure Development Lifecycle (SDLC) and secure coding itself. Every company is looking to save money and reduce risk. One way security-savvy organizations do so is by employing secure software development techniques in the creation and maintenance of their technical endeavors.
What will I learn?
- Software acquisition strategy
- Development environment security controls
- Software security effectiveness
On a daily basis, someone in this type of role may be creating new tools for everything from virus, spyware, malware, and intrusion detection to traffic analysis. Or, they could be working to ensure that security measures are included in any software your organization produces. Regardless of the specific role, there are certain skills needed to ensure the software being developed is in fact secure. This area of secure development also covers software acquisition strategy, development environment security controls, and software security effectiveness, to ensure all aspects of security are covered from the perspective of a developer.
Individuals who wish to take this course should have a basic understanding of security controls, attack vectors, and cybersecurity principles. You will not need to understand programming, but some knowledge of the process from development to deployment would be helpful. The course assumes basic cybersecurity principles; we will start with the need for integrating security into the DevOps cycle and then identify specific tools or processes to accomplish this goal. Some understanding of existing automated security tools may be helpful, but students will be given a basic description of the tools and can perform their own research for additional knowledge.
By the end of this course, students should be able to:
- Describe the need for implementing DevSecOps
- Gain executive buy-in on DevSecOps
- Develop a plan to integrate Security into DevOps
- List the major steps of the DevOps pipeline
- Select tools to automate security testing into the DevOps pipeline
- Identify certifications for Developers, Cyber Staff, and Operations
- Differentiate between Static and Dynamic analysis
- Discuss protection controls for specific attack vectors
- Perform threat modeling to match security controls to attack vectors
- Demonstrate the need for 3rd party library review
- Identify methods for securing Cloud architecture
- Implement continuous monitoring after deployment
In a world of cyber-attacks and people falling victim to stolen personal information, developing software with strong security is essential. Some developers may see themselves as coders at heart, writing code to make programs function. But even when developers are doing basic coding, building robust security features and continuously communicating with security professionals helps protect software against attackers.
What is DevSecOps?
DevSecOps is the IT industry term for development, security, and operations. DevSecOps is the philosophy that security features should be integrated into the software at each step of the development process. DevSecOps improves communication and merges traditional IT and security to deliver code quickly and safely.
When a developer uses DevSecOps practices, they are building code and creating security barriers in the same process. Security features are thought of, created, and integrated into the earliest stages of software development.
DevSecOps practices put the responsibility of security on everyone in an organization that is rolling out new software, writing code, or creating an application.
“DevOps has become second nature for agile, high-performing enterprises and a foundation for the success of their online business,” Pascal Geenens, a security evangelist and researcher at Radware, told CSO Online. “Continuous change in technology and consumer demand means there is a continuous cycle of updates to run that will keep a very varied set of functions from page upload times to shopping and search features up to date and running at their best.”
What is the difference between DevOps and DevSecOps?
DevSecOps differs from its similar-sounding counterpart, DevOps.
DevOps is the practice of combining software development and IT operations to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps doesn’t have the same security integration of DevSecOps. Each team within an organization would have its own responsibilities, with security being sectioned off.
DevSecOps merges the creation of applications, code, and software with the best security practices.
Why are DevSecOps practices important?
Technology has evolved rapidly, enabling cloud sharing among multiple users, cloud computing, and faster data delivery than ever before. However, security practices have not kept pace with evolving technology. With multiple users accessing data remotely, security risks increase.
DevSecOps practices are essential because they protect data, users, and the software from security breaches before they happen.
How do you become a DevSecOps engineer?
People who aspire to infuse more security protections throughout the development process can work to become DevSecOps engineers. Since the field is relatively new, most engineers don’t have prior experience other than a technical degree from a university.
In place of a degree, students can obtain DevSecOps certification by taking online DevSecOps courses through programs such as Cybrary’s. Before getting started, students should already have a basic understanding of security controls, attack vectors, and cybersecurity principles.
Cybrary’s DevSecOps course starts with an introduction to security during the development cycle. Then, students will learn about the possible security breaches a system could have, as well as static and dynamic analyses. Then, students will learn how to plan for security integration throughout the development pipeline. Next, they’ll learn about the delivery and deployment of the software with DevSecOps practices in mind. Finally, students will gain skills to monitor the system on an ongoing basis after it is completed.
Cybrary offers DevSecOps training broken into short, on-demand video modules, allowing students to learn at their own pace. For students who want to devour the content, the course can be completed in less than five hours. For those who have a busier schedule, the longest module takes 10 minutes to watch.
At the end of the course, students will receive a DevSecOps certification they can use to get a job in the industry.
The typical DevSecOps engineer earns more than $142,000 a year, according to Neuvoo. In cities such as New York, DevSecOps professionals can earn as much as $175,000.
As a DevSecOps engineer, professionals will collaborate with DevOps engineers, stay up to date on the latest security trends, and help their organization build secure, fast software to execute the company’s goals.
Certificate of Completion
Complete this entire course to earn a DevSecOps Fundamentals Certificate of Completion