Welcome back. So we're starting Module 3. This should be an exciting module: it's the first one where you'll see the initiation of the pipeline that you'll see in all the modules after this. We're gonna work slowly through the DevSecOps
pipeline. So this would be planning and awareness, which is where we're developing everything before the developers actually start coding. So picking our tools,
giving them the tools they need to write successful, secure code.
We'll start off in lesson 3.1, just an overview of the module and the concepts we're gonna learn.
So in this module, we're gonna start off with the Jenkins DevOps demo. In a previous one I gave a brief overview of it and showed what a Jenkinsfile looks like. This time we'll actually open up the Jenkins application and run through a quick pipeline to show you how easy it is.
And I want to introduce the NIST Secure Software Development Framework. I mentioned it all the way back at the beginning as one of the resources; it's a good place to introduce it now, so we'll use its requirements and concepts throughout the rest of the course.
We'll take a look at metrics for measuring DevSecOps successes and failures. DevOps does it, so we'll have to do it on security as well.
We'll take a look at some of the tools and activities that are used during this planning phase. We'll look at security for the non-security people, the developers and the operations people,
and then we need to do DevOps for the security people, so they also understand the teams they're working with.
I'll demo SpotBugs through the IDE so you can get the perspective of the developer as they're writing code, seeing these bugs pop up and how to actually fix them. And then I'll do a demo of OWASP Threat Dragon as well.
The objectives for this module: critique the success factors of DevSecOps acceptance;
differentiate categories of metrics; look at coding standards; explain why assessors need DevOps knowledge and, in the same way, why the developers and the operations team need security knowledge; and then take a look at Threat Dragon for threat modelling, which is an important concept for
understanding the threats that are specific to
your application or your business.
We had this graphic at the beginning.
We'll start using it in the modules that follow, as we progress along the pipeline. So this is the first part, the planning phase. We need to have some security awareness so that we start doing things right, right away,
instead of waiting to start coding and then going, "Oh, what tools are we supposed to be using? What are we supposed to do?" Let's plan ahead so we're successful.
Here's the NIST Secure Software Development Framework. The reason I brought it in again is that it's similar to 800-53, which we're familiar with, where they've set up these requirements by
family. So there's Prepare the Organization, which is PO, and Protect the Software, which is PS. You can read through the different families this way, and within each one of those families there's a numbered practice.
But what they've done is define
security requirements specific to developing secure software and put them in a framework. So one of the first ones is Prepare the Organization: do you have security requirements?
This is what we should be doing in the planning phase. PO.1 is: what are we testing? What do we expect to be the success criteria? What do we, as an organization, think secure code means to us?
These are the policies we're gonna be using: coding standards, how often we'll review the software to make sure it's secure.
And then the next one is PO.3, which defines implementing a security toolchain. That is really what we're gonna be doing in this DevSecOps course: looking at the different tools we can use to evaluate the
application as it's being built, as it's being composed, from the source code to the third-party libraries all the way down to infrastructure code. All the pieces: is it secure?
One of the first steps is that security needs a plan. If you go in and you're expecting to convince an executive,
say, "Hey, I think we need to make this huge shift,
change the way we do DevOps, we need DevSecOps, and it might slow things down, but it's probably gonna be better," they're going to say, "No. Show me an actual plan." So the plan needs to have roles and responsibilities, which is PO.2 from the SSDF.
Explain the problem, give the benefits, cost savings, how you're going to communicate the need. These are all components that need to be part of a security plan.
And there's another one of these requirements. I'm gonna jump through some of these just to give you an example; you can go take a look at the SSDF.
But it gives a good idea of
all the different parts that we need to protect. So we need to protect the code from tampering, which is PS.1. So within the source code and the repository, whether we're doing version control, signing, hashing, all of these are steps to make sure
that the code is secure through the whole life cycle.
So that's a quick overview, just a brief understanding of what the whole module is going to be about.
We talked about the concepts, the structure of it, and introduced the SSDF, because we're going to see it throughout the rest of the course. And in the next
module, I'm gonna demo Jenkins as the orchestration.