Integrating security practices into DevOps, such as Security as Code, is a way for security practitioners to operate and contribute value with less friction. Security practices must adapt dynamically to ensure data security and privacy issues are not left behind in the fast-paced world of DevOps.
DevSecOps Foundation? is a registered trademark of the PeopleCert group. Used under licence from PeopleCert. All rights reserved.
TARGET AUDIENCE:
Target audience:
– Anyone involved or interested in learning about DevSecOps strategies and automation
– Anyone involved in Continuous Delivery toolchain architectures
– Compliance Team
– Delivery Staff
– DevOps Engineers
– IT Managers
– IT Security Professionals, Practitioners, and Managers
– Maintenance and support staff
– Managed Service Providers
– Project & Product Managers
– Quality Assurance Teams
– Release Managers
– Scrum Masters
– Site Reliability Engineers
– Software Engineers
– Testers
COURSE PREREQUISITES:
None
COURSE CONTENT:
Cyber Threat Landscape (CTL)
Tactics, techniques and procedures (TTPs) describe how threat agents orchestrate and manage attacks. Threat Models optimize security by identifying objectives and vulnerabilities such as OWASP top ten, before defining counter-measures. Continuous Delivery practices are engaged to realize continuous governance, risk management and compliance.
Responsive DevSecOps Model
Security is made continuously adaptive and auditable by breaking security silos, cultivating a symbiotic relationship between security and other business units. Security specific practices and integrated toolsets as code (such as security scans) enable automated security KPIs and observable security practices into the DevOps value stream.
DevSecOps Stakeholders
Gaps between traditional waterfall security cultures and fast-paced DevOps cultures, are removed by building collaboration and trust. Through improving credibility, reliability and empathy while reducing self-interest. Decisions are based on advice from everyone affected and people with expertise using systems thinking. Shared metrics assure adaptable governance using discipline, with automation, transparency and accountability.
Realizing DevSecOps Outcomes
Security is built into the value stream efficiently with empowered development teams implementing features securely, shift-left security testing, tools for automated feedback. Culture improvements instead of policy enforcements ensure security and software engineers are continuously cross-skilling and collaborating.
Pipelines & Continuous Compliance
Security test and scanning tools are integrated into the CI/CD pipeline to finding known vulnerabilities (published CVEs) and common software weaknesses (CWEs). Repetitive security tasks are automated such as configurations, Fuzz testing and long running security tasks. Compliance as Code helps in automating compliance requirements to foster collaboration, repeatability, and continuous compliance.
DevSecOps Practices
Security is integrated into people, process, technology and governance practices. Continuous security practices for DevSecOps are implemented in onboarding processes for stakeholders. Security practices and outcomes are monitored and improved using data-driven decision making and response patterns. Lean and value stream thinking ensure that security does not cause waste, delays or constraints for flow.
Getting Started
Value Stream Mapping establishes where security activities and bottlenecks currently happen. Collaborative design of a target value state map addresses security requirements, communication and automation improvements. Scope of the design includes practices for Artifact Management, Risk Management, Identity Access Management, Secrets Management, Encryption, Governance, Risk and Compliance, Monitoring and Logging, Incident response and learning
Learning Using Outcomes
Continuous DevSecOps learning programs are implemented to meet evolving security requirements for the organization and individuals using strategies such as lunch and learns, mentoring, professional education, employee learning plans, structured training classes, Dojos, retrospective learning, gamification, and DevOps Institute SKILup Days.
COURSE OBJECTIVE:
Not available. Please contact.
FOLLOW ON COURSES:
Not available. Please contact.
