DevSecOps CI/CD Pipeline

Course Description

When a developer writes code, the only way to ensure that code works as it’s supposed to is to test it, but testing is time-consuming, so sometimes it just doesn’t happen the way it needs to (you know who you are :). Without proper testing, bad code can cause seriously expensive production-down issues. This class teaches how to automate code building, testing and deploying so your developers can focus on updating and creating new applications without worrying that they’ve broken something along the way.

While your developers are working on their DevOps pipeline, hackers are continually trying to disrupt your business. We teach your developers and operations engineers how to build DevSecOps and security scanning directly into the DevOps pipeline. This process (known as Shift Left) catches known vulnerabilities before they can disrupt your business or your development process.

Then we teach your teams how to detect vulnerabilities once your application is up and running in production. If a hacker breaks into your infrastructure, or even into your applications, we’ll show you how to continually monitor your apps for changes introduced by an attacker so you can protect your business and your customers around the clock.

This course teaches exactly how to implement DevOps CI/CD and DevSecOps throughout the entire application creation and deployment process, catching known vulnerabilities during development (SAST) and while the application is actively running (DAST). Students will learn how to create and use an end-to-end CI/CD pipeline to build, lint, test and deploy vulnerability-free, secure and approved code at every stage of the Software Development Lifecycle.

No prior DevOps knowledge is required.

Course Agenda 

  • Git source and version control management. This course will teach you the fundamentals of using Git so you can effectively share, collaborate on, back up and version any code. We’ll scan all code for known vulnerabilities as it is pushed to Git.
  • SAST (Static Application Security Testing). You will learn about OWASP (Open Web Application Security Project) and the top known vulnerabilities from which you need to protect your applications, as well as exactly how to do this. You’ll integrate SAST into your DevOps pipeline, including how to stop a pipeline build when a vulnerability is discovered, and you’ll learn how to manage false positives. Third-party libraries are code your developers pull in from external sources; we’ll scan that code as well.
  • Configuration management. We’ll teach you how to configure and spin up servers (web, database, load balancer, or any application servers), using a configuration management tool and code stored in git.
  • Testing and continuous integration / continuous deployment. Learn to integrate Git and configuration management with a CI/CD tool to build, test, and deploy code into test, staging, and production environments, creating an automated end-to-end DevOps pipeline. We’ll use CI/CD to drive security scanning so every push of code verifies a vulnerability-free application.
  • DAST (Dynamic Application Security Testing). No matter how hard you work to protect your code, someone could potentially break into your running application in production. We’ll show you how to continually and dynamically scan running applications so you stay safe from the beginning of the code development process to the final customer experience.

Course Duration as Configured: 5 Days

Git: Source Control Management: Generic Git

  • Purpose and overview of Git
  • Use cases for Git
  • Git flow
  • Git providers
  • Git configuration
  • Finding help on Git
  • Creating Local Git Repositories
  • Basic Commands: add, commit, status, log
  • Comparing commits: git diff
  • Using a Repository: git push
  • Branches: creating, merging and deleting
  • Resolving merge conflicts
  • Managing Pull Requests
  • Using SSH keys with private repositories on Git hosting platforms

Continuous Integration / Continuous Delivery (CI/CD): Generic CI/CD

  • CI/CD = Continuous Integration / Continuous Deployment
  • Purpose & history
  • Architecture
  • Initializing CI/CD
  • Project and Workflow configurations
  • CI/CD as Code
  • Managing your Projects and Workflows
  • Managing credentials and secrets
  • Distributing workloads
  • Integrating with Source Control Management
  • Triggering builds automatically
  • Notifications: Approvals, Successes and Failures
  • Requiring human input
  • Automated configuration management with linting
  • Integration testing using CI/CD
  • CI/CD Integration with managed nodes
  • Continuous deployment through CI/CD

Configuration Management: Generic Configuration Management

  • Purpose and Use Cases for configuration management
  • Architecture and Call Flow
  • Creating idempotent policies to manage server configurations
  • Linting and Integration Testing
  • Adding managed nodes to your infrastructure

Notifications: Generic Notifications

  • Integrating CI/CD with instant messaging
  • Using instant messaging for CI/CD approvals and notifications

Managed OS: Linux Only

  • Management of Linux Servers only

Quality Scanning: Generic Quality Scan Tools

  • Defining Quality Scans
  • Quality Scan Architecture
  • Quality Scan Components
  • Quality Gates, Quality Profiles, Language Support and Rule Sets
  • Test Coverage, Linting, Code Duplication, Code Complexity, Code Smells
  • Project Management and settings, User Accounts & User Tokens
  • License Administration
  • Quality Scan Authentication/Authorization
  • Integrating Build Tools into the Workflow
  • Working with Code coverage tools
  • Monitoring via the Dashboard
  • Scan Backup and Restore
  • Breaking CI/CD builds in case of quality failures

SAST (Static Application Security Testing): Generic SAST

  • Source code validation
  • Security aspects
  • OWASP Top 10 Security vulnerabilities
  • How SAST Scanning tools work
  • The SAST Scanning process
  • Manual SAST Runs
  • Pipeline integration
  • SAST tool components
  • Managing False Positives
  • Breaking CI/CD builds in case of security vulnerabilities

3rd Party Library Scans: Generic Library Scanning

  • Software Composition Analysis (SCA)
  • Understanding the OWASP Dependency Checker
  • Scanning 3rd party component vulnerabilities
  • Embedding SCA Tool in Pipelines
  • Triaging Results
  • Stopping Builds that Contain Vulnerabilities
  • Working with Identified Vulnerabilities
  • Reducing Scan Time

DAST (Dynamic Application Security Testing): Generic DAST

  • Understanding web application security testing
  • Intro to DAST
  • Understanding OWASP
  • Top OWASP vulnerabilities
  • DAST tool components
  • Executing DAST scans
  • Embedding DAST scans in the DevOps Pipeline
  • Notifying for vulnerabilities
  • Reading scan results
  • Issue logging
  • Blue-Green Deployments: continual uptime

Course Availability: Contact for Availability