• Online, Instructor-Led
  • Online, Self-Paced
  • Classroom
Course Description

SEC534: Secure DevOps: A Practical Introduction explains the fundamentals of DevOps and how DevOps teams can build and deliver secure software. You will learn DevOps principles, practices, and tools and how they can be leveraged to improve the reliability, integrity, and security of systems.

Using lessons from successful DevOps security programs, this course will explain how Secure DevOps can be implemented. Students will gain hands-on experience using popular open-source tools such as Puppet, Jenkins, GitLab, Vault, Grafana, and Docker to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring. The lab environment starts with a CI/CD pipeline that automatically builds, tests, and deploys infrastructure and applications. Leveraging the Secure DevOps toolchain, students perform a series of labs injecting security into the CI/CD pipeline using a variety of security tools, patterns, and techniques.

You Will Learn

  • Foundations and principles of DevOps, Continuous Delivery, and Continuous Deployment
  • The security risks and challenges posed by DevOps
  • The keys to successful DevOps security programs
  • How to build security into Continuous Delivery and Continuous Deployment
  • The tools, patterns, and techniques of security automation in DevOps
  • How to secure your build and deployment environment and tool chain
  • How to leverage Infrastructure as Code for secure configuration management and provisioning
  • How manual security practices (risk assessments, audits, and pen tests) can be adapted to continuously changing environments, and the important role that they still play
  • Security risks and challenges posed by containers, and how to secure container technology
  • How to automate compliance in DevOps, using the DevOps Audit Defense Toolkit

Learning Objectives

  • Understand the core principles and patterns behind DevOps, how work is done in DevOps, and what the keys to success in DevOps are
  • Map out and implement a Continuous Delivery/Deployment pipeline
    • How to do a Value Stream Map of the processes and workflows in making code or configuration changes - from check-in to deployment and operations
    • How Continuous Integration, Continuous Delivery, and Continuous Deployment work, including workflows, patterns, and tools
    • How to identify the security risks and issues in DevOps and Continuous Delivery
  • Map out where security controls and checks can be added in Continuous Delivery and Continuous Deployment
    • Conduct effective risk assessments and threat modeling in a rapidly changing environment
    • Design and write automated security tests and checks in CI/CD
    • Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
    • Implement self-service security services for developers
    • Inventory your software dependencies and secure them
    • Threat model and secure your build and deployment environment
  • Integrate security into production operations
    • Automate security policies
    • Leverage container technologies (such as Docker) for security
    • Automate compliance and run-time defense
    • Create continuous feedback loops from production to engineering
  • Create a plan for introducing or improving security in a DevOps environment
  • How to use DevOps to secure DevOps

Framework Connections

The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.