Video Activity

DevSecOps Fundamentals Introduction

Video Transcript

Welcome to DevSecOps Fundamentals. This is the first module, where we talk about securing the development cycle, and this course is really structured around not just saying, here's the tools, run them. It's about understanding the process, the requirements that were set in place, all that, and taking a look at it from a holistic point of view instead of, again, as I said, just automating the tools. We'll look at the tools, and we'll actually create our own pipeline, but I just wanted to make it more of a review around how you can implement this in your organization. First, just a quick note about myself. My name's Philip Kulp. I have a bachelor's in information systems, a master's in e-commerce, and my doctorate in cybersecurity. I've been doing cybersecurity for about 20 years now, and I was a system administrator before that.

But now I do incident response, code review, different areas like that, and when I'm not programming or doing security, I try to get out a little bit more and do some hiking, mountain biking, running, different areas like that. So the best way, if you want to connect with me or have questions, anything like that, is on LinkedIn, and the address is right there. If you want to take a look, this is the course overview. Again, I just kind of walked through the structure and what you should be learning. For the prerequisites, I never really like to set up any hard requirements, so I'm trying to structure this the best I can so that different areas, whether you're technical or you're on the management side, anybody in cybersecurity can really get some good knowledge from this.

So if you kind of understand some cybersecurity, a little bit of development and operations, any of these terms, maybe a little bit, I think we can step through them, and you don't really need to have a full understanding to get some information out of this course. You'll see material that I have referenced. The first one is the DoD Enterprise DevSecOps Reference Design, a great document. They spent a lot of time creating, or identifying, the tools, the processes, everything to make a good DevSecOps implementation in your organization. And then the OWASP DevSecOps Maturity Model, it's another great reference. I'll actually be using that, because I think that's a great reference to show this is how I can get from this point to, you know, a more mature process for DevSecOps.

Even if I don't have anything, instead of trying to go from zero to a fully automated pipeline, what's a good way to get there, and how can I schedule that? And then the NIST Secure Software Development Framework. I'll be using that throughout. Again, that's another good reference, because it's structured almost like NIST 800-53, where it's requirements, but it's specific to secure software development. So we can map all these requirements that they were saying should be part of your DevSecOps. And then there's 800-190, which we'll talk about a little bit later, about application container security, so Docker, Kubernetes, things like that. The target audience can be pretty much anybody in the organization that's interested in more secure software.

So anybody that's in charge of an application or multiple applications might be interested in what they have and how they can improve what's in your organization. And then, even if you're a developer or on the operations side or an auditor, you might need to understand these concepts, whether it's already being done in your organization, or maybe suggesting, here's how we can improve it, or here's how we can start to write more secure code. A couple of notes here. Again, I tried to balance this between technical and procedural, just so we get a whole view of DevSecOps, because we understand the why, but also the how: how to do it, but why we're doing it. Why are we trying to secure this? You'll see a couple of areas will have that little pencil icon. That's just to let you know that I'm referencing one of the resources I defined in the outline for the course. So I did something a little bit different here. I'm going to use Jenkins. We'll talk about it a little bit later. If you've never heard of it, it's an orchestration pipeline. We'll do that throughout the course.

We'll start off with a basic Jenkins pipeline for building code, and then in each module, as we go through and work through a different part of the pipeline, we'll start adding onto that Jenkins pipeline, so that when we talk about the tools you can see how it was actually implemented. So we go from the planning and awareness to the development, the actual testing, deployment, and the continuous monitoring, so you can understand a concept but also see how they're actually put in place. And then at the end, the last module kind of wraps up the concepts we talked about. You'll see, as we go through, each one of the learning objectives screens at the beginning of a module. I'll talk about that. I used Bloom's taxonomy.

It's just a way of organizing data, just kind of putting it out there. See, at the bottom is the lowest kind, where we just remember concepts, list concepts, and at the top it's actually creating new data or new information. So I have this data I learned, and I'm going to create something new. So throughout this course, we're going to learn it, or create it: a maturity plan for DevSecOps for your organization. We'll talk through the different steps of the pipeline, talk about some of the tools that automate the testing, differentiate between static analysis and dynamic analysis. We're also looking at the attack vector, so we understand what we are trying to secure. And then that same concept, looking at third-party libraries, because the code we develop has to be secure, but also these third-party libraries we bring in, that may enhance our software, we also have to make sure they're secure.

And as we get to the end, we'll talk about infrastructure as code and how you can actually secure that process. So I'm going to put in here a couple of interactive questions as we go through the modules, just to kind of make you stop and think instead of just listening to me talk. So I'll ask a question and give it a minute, so you can actually pause the video if you want to think about the question before I actually answer it. So the first one here is, what does DevOps mean to you? So from my perspective, DevOps is the integration, obviously, of the development and the operations team: what are the touch points between them, and where do they hand off? How do they integrate? You know, what kind of software do they use, what tools do they use to communicate? How do they get issues back and forth, and how do they feed that into the feedback loop?

So, in the same idea, what does DevSecOps mean to you? So from my perspective, it's the same way. It's DevOps, but integrating security now. How are they integrating? How can security integrate? Are we going to the meetings? Do you have access to Jira? If not, now you need to define, here's the tools we're going to use, here's what we're going to measure, and then here's the success criteria before we can complete the process. So if you've seen this before, this is the infinity loop showing how dev and ops integrate. We'll go through this, as we go through each one of the modules, and kind of step through it. But it's looking at the planning, coding, how you build, test, before it gets handed off into a release, and operations as the deployment, operations, monitoring.

But from our perspective, we're interested in these touchpoints. What can security add to the process? So let's have some security awareness at the beginning, maybe explain what tools to use. Then we're going to review the code statically with static analysis. Then, once the application's built, we're going to do dynamic analysis, which is the web tools for what's being run. And then, once it's deployed, verify that what we tested in development is actually what's in production, nothing changed, no configuration changes, the hardware or the infrastructure didn't change, and then actually do the vulnerability scanning once it has gone into the fully operational mode. There's just a quick view. You don't have to understand this completely. Again, if you've heard of Jenkins, it's orchestration, creating this pipeline of the steps.

So what we're going to do, as I mentioned, as you go through each one of the modules, this is what we're going to end up with. But each one of these columns, here's what we're going to do, we're going to develop: so building, static analysis, dynamic analysis, all the way to developing infrastructure as code and deploying it to a virtual machine. So I'm excited about the course. Thanks. In this video, we talked about the structure of the course and the concepts that we're going to learn, and in the next one we'll define the problem we're facing with integrating DevSecOps.
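To make the pipeline shape the instructor describes concrete, here is an added declarative Jenkinsfile skeleton with one stage per step listed above: build, static analysis, infrastructure as code, deploy to a virtual machine, dynamic analysis against the running application, and a post-deploy check that what was tested is what is in production. This is an illustration written for this page, not the pipeline built in the course. The tool choices (Maven, Semgrep, Terraform, the OWASP ZAP baseline scan), the credential ID `target-vm-host`, the deploy user and path on the VM, and the helper script `scripts/deploy.sh` are all assumptions.

```groovy
// Added example: a declarative Jenkins pipeline with one stage per step the
// module describes. Tool choices, credential IDs, hosts and paths are assumptions.
pipeline {
    agent any

    environment {
        // Assumed: a Jenkins "secret text" credential holding the target VM address.
        TARGET_HOST = credentials('target-vm-host')
        APP_URL     = "http://${TARGET_HOST}:8080"
    }

    options {
        // A security gate that is skipped after an earlier failure is no gate.
        skipStagesAfterUnstable()
    }

    stages {
        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests clean package'
                // Record the hash of the artifact we are about to test, so the
                // last stage can prove that the same bytes reached production.
                // Assumes the build produces a single jar under target/.
                sh 'sha256sum target/*.jar | tee artifact.sha256'
                stash name: 'artifact', includes: 'target/*.jar,artifact.sha256'
            }
        }

        stage('Static Analysis (SAST)') {
            steps {
                // --error makes Semgrep exit non-zero when it reports findings,
                // which is what turns a scan into a gate that stops the pipeline.
                sh 'semgrep --config auto --error --json -o semgrep.json .'
            }
        }

        stage('Infrastructure as Code') {
            steps {
                dir('infra') {
                    sh 'terraform init -input=false'
                    sh 'terraform plan -input=false -out=tfplan'
                }
            }
        }

        stage('Deploy to VM') {
            steps {
                dir('infra') {
                    sh 'terraform apply -input=false tfplan'
                }
                unstash 'artifact'
                // Assumed helper script: copies the jar to the VM and restarts the service.
                sh './scripts/deploy.sh "$TARGET_HOST" target/*.jar'
            }
        }

        stage('Dynamic Analysis (DAST)') {
            steps {
                // ZAP baseline scan against the running application. The script
                // exits non-zero on WARN/FAIL findings, so this stage is also a gate.
                // Image name is an assumption; substitute your organisation's ZAP image.
                sh 'docker run --rm -v "$PWD:/zap/wrk:rw" owasp/zap2docker-stable zap-baseline.py -t "$APP_URL" -r zap-report.html'
            }
        }

        stage('Verify Deployment') {
            steps {
                // "What we tested is what's in production": compare the hash of the
                // deployed artifact with the one recorded at build time.
                // Assumes ssh access as user "deploy" and the jar at /opt/app/app.jar.
                sh '''
                  deployed=$(ssh "deploy@$TARGET_HOST" sha256sum /opt/app/app.jar | cut -d" " -f1)
                  built=$(cut -d" " -f1 artifact.sha256)
                  [ "$deployed" = "$built" ] || { echo "deployed artifact differs from tested build"; exit 1; }
                '''
            }
        }
    }

    post {
        always {
            // Keep the scan reports and the build hash with the run for audit.
            archiveArtifacts artifacts: 'semgrep.json,zap-report.html,artifact.sha256', allowEmptyArchive: true
        }
    }
}
```

The point of the structure is that every security step is a stage that can fail the build: SAST runs before anything is deployed, DAST runs only against the deployed build, and the final stage ties the two together by checking that the artifact under test is byte-for-byte the one in production.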

Course link:
DevSecOps Fundamentals
Do you have basic knowledge of security controls, but want to learn more about threat modeling and integrating security into DevSecOps? Our DevSecOps course will help you to incorporate security features in all parts of the development process, as well as navigate security challenges in custom software and web applications.
Instructed by
Philip Kulp

I have been captivated by technology since I received my first computer at the age of 8. Currently, I test web applications and perform security code review for applications developed in Java, .Net, Python, JavaScript, and a few other languages.