DevSecOps Bootcamp

Course Description

We write code, we test code (or at least we should) and we deploy code. Throughout this process, attackers are trying to ruin our day by breaking into our infrastructure and our applications and doing mean things like stealing our customers’ data.

This 10-day hands-on intensive bootcamp is an all-in expedition that teaches your team how to store code in Git, how to use a CI/CD DevOps pipeline, how to create and spin up infrastructure in the cloud, how to deploy applications in containers and how to orchestrate those containers, all with security scanning built in at every step along the way. The end result: only tested, approved, and vulnerability-free infrastructure will run your tested, approved, and vulnerability-free applications.

This class is a seamless combination of our DevSecOps Pipeline and our Deploying Hardened Infrastructure at Scale classes.

No prior DevOps knowledge is required.

Choose the exact tool chain you want below and generate a course outline, or choose the ‘generic’ options for a tool-neutral outline:

Generic Coding Languages
JavaScript
Python
Go
Java
C++
Ruby
TypeScript

Course Agenda 

  • Git source and version control management. This course will teach you the fundamentals of using Git so you can effectively share, collaborate on, back up and version any code. We’ll scan all code for known vulnerabilities as it is pushed to Git.
  • SAST (Static Application Security Testing). You will learn about OWASP (Open Web Application Security Project) and the top known vulnerabilities from which you need to protect your applications, as well as exactly how to do this. You’ll integrate SAST into your DevOps pipeline, including how to stop a pipeline build when a vulnerability is discovered, and you’ll learn how to manage false positives. Third-party libraries are code that developers pull in from other sources; we’ll scan that code as well.
  • Configuration management. We’ll teach you how to configure and spin up servers (web, database, load balancer, or any application servers) using a configuration management tool and code stored in Git.
  • Testing and continuous integration / continuous deployment. Learn to integrate Git and configuration management with a CI/CD tool to build, test, and deploy code into test, staging, and production environments, creating an automated end-to-end DevOps pipeline. We’ll use CI/CD to drive security scanning so every push of code verifies a vulnerability-free application.
  • DAST (Dynamic Application Security Testing). No matter how hard you work to protect your code, someone could potentially break into your running application in production. We’ll show you how to continually and dynamically scan running applications to make sure you are safe from the beginning of the code development process to the final customer experience.
  • Cloud Networking. You will get a solid introduction to cloud networking on AWS, GCE or Azure so you can confidently know your IGW from your RTA without embarrassing your VPC, as well as how to use the cloud CLI tools.
  • Infrastructure Deployment. You will learn how to use ‘infrastructure as code’ tools like HashiCorp’s Terraform to describe and deploy VMs in the cloud of your choice. We’ll use infrastructure as code to create and destroy secure networking components automatically, and to launch VMs within those networking components.
  • Containerization. We’ll teach you how to create Docker containers to deploy your applications.
  • Container Orchestration. Once you have containers running, either Kubernetes or OpenShift can be used to manage containers, automatically replace damaged containers and scale containers to meet customer demand on your applications.

Course Duration as Configured: 9 Days

Infrastructure Platform: Generic Cloud Networking

  • Installing and using the CLI (Command Line Interface)
  • Cloud Networking
  • VPCs (Virtual Private Clouds)
  • Subnets
  • Internet Gateways
  • Route Tables
  • Route Table Associations

Git: Source Control Management: Generic Git

  • Purpose and overview of Git
  • Use cases for Git
  • Git flow
  • Git providers
  • Git configuration
  • Finding help on Git
  • Creating Local Git Repositories
  • Basic Commands: add, commit, status, log
  • Comparing commits: git diff
  • Using a Repository: git push
  • Branches: creating, merging and deleting
  • Resolving merge conflicts
  • Managing Pull Requests
  • Using SSH keys with git platform private repositories

Infrastructure Deployment: Generic Infrastructure Deployment

  • Intro to Infrastructure Deployment
  • Creating cloud buckets for storage
  • Separating code: Multiple Deployment Configuration Files
  • Storing state remotely
  • Git branching
  • Displaying resource outputs
  • Creating cloud networking components
  • Configuring cloud Security groups
  • Using SSH Public/Private Keys
  • Launching and Destroying cloud VM instances with Infrastructure as Code
  • Creating reusable code with modules
  • Using Infrastructure as Code variables

Continuous Integration / Continuous Delivery (CI/CD): Generic CI/CD

  • CI/CD = Continuous Integration / Continuous Deployment
  • Purpose & history
  • Architecture
  • Initializing CI/CD
  • Project and Workflow configurations
  • CI/CD as Code
  • Managing your Projects and Workflows
  • Managing credentials and secrets
  • Distributing workloads
  • Integrating with Source Control Management
  • Triggering builds automatically
  • Notifications: Approvals, Successes and Failures
  • Requiring human input
  • Automated configuration management with linting
  • Integration testing using CI/CD
  • CI/CD Integration with managed nodes
  • Continuous deployment through CI/CD

Configuration Management: Generic Configuration Management

  • Purpose and Use Cases for configuration management
  • Architecture and Call Flow
  • Creating idempotent policies to manage server configurations
  • Linting and Integration Testing
  • Adding managed nodes to your infrastructure

Notifications: Generic Notifications

  • Integrating CI/CD with instant messaging
  • Using instant messaging for CI/CD approvals and notifications

Containerization: Docker

  • Purpose and use case for Docker
  • Docker Hub
  • Basic Docker commands
  • Docker Networking
  • Launching and debugging NGINX containers
  • Mounting Volumes to containers
  • Docker mount points: Multiple containers, one shared code location
  • Launching Docker hosts and Docker containers automatically
  • Port mapping with containers
  • Launching multi-tiered architectures (web servers and load balancers): an automated approach
  • Customizing containers with Docker Hub and Dockerfiles
  • Reducing infrastructure bloat: Buster-Slim Docker containers

Managed OS: Linux Only

  • Management of Linux Servers only

Container Management: Generic Orchestration

  • Container Orchestration overview and use case
  • Orchestration architecture
  • Installation and configuration
  • Master and node server components
  • Creating load-balanced clusters
  • Deploying Apps through Container Orchestration
  • Scaling Apps
  • Monitoring and App repair
  • Updating Containerized Applications

Issue Tracking: Jira

  • Project management and issue tracking software
  • Bug and issue tracking overview and use case
  • Working with Kanban
  • Jira Packages
  • Setting up Jira
  • Creating Jira projects
  • Creating issues
  • Automatic Jira updates from CI/CD
  • Epics, Stories, Tasks and Bugs
  • Linking git platforms to Jira
  • Using commit messages to update issues
  • Deployment notifications
  • Using CI/CD as Code for Jira integration

Artifact Storage: Generic Artifact Storage

  • Artifact overview
  • Common artifact platforms
  • Repository types
  • Integrating artifact storage with CI/CD
  • Uploading files from CI/CD to artifact storage
  • Deploying Code & Artifacts

SAST (Static Application Security Testing): Generic SAST

  • Source code validation
  • Security aspects
  • OWASP Top 10 Security vulnerabilities
  • How SAST Scanning tools work
  • The SAST Scanning process
  • Manual SAST Runs
  • Pipeline integration
  • SAST tool components
  • Managing False Positives
  • Breaking CI/CD builds in case of security vulnerabilities

3rd Party Library Scans: Generic Library Scanning

  • Software Component Analysis (SCA)
  • Understanding OWASP Dependency-Check
  • Scanning 3rd party component vulnerabilities
  • Embedding SCA Tool in Pipelines
  • Triaging Results
  • Stopping Builds that Contain Vulnerabilities
  • Working with Identified Vulnerabilities
  • Reducing Scan Time

DAST (Dynamic Application Security Testing): Generic DAST

  • Understanding web application security testing
  • Intro to DAST
  • Understanding OWASP
  • Top OWASP vulnerabilities
  • DAST tool components
  • Executing DAST scans
  • Embedding DAST scans in the DevOps Pipeline
  • Notifying for vulnerabilities
  • Reading scan results
  • Issue logging
  • Blue-Green Deployments: continual uptime

Requirements:

  • Access to *.docker.com/*
  • Access to *.atlassian.com/*
  • Access to *.jira.com/*

Course Availability: Contact for Availability