Certified DevSecOps Expert
The most comprehensive DevSecOps certification in the world: become a Certified DevSecOps Expert by learning to write custom roles for OS hardening, infrastructure as code and compliance as code, and to perform vulnerability management at scale, with hands-on advanced training in our state-of-the-art labs.
Training Schedule
Features
16 hours of Instructor-led training classes
Shares relevant industry insights
Shares real-world experience
Course Objective
We have all heard about DevSecOps, shifting left and Rugged DevOps, but there are few clear examples or frameworks available for security professionals to implement in their organisation. This hands-on course teaches exactly that: the tools and techniques to embed security into the DevOps pipeline. We will look at how companies like Google, Facebook, Amazon and Etsy handle security at scale, and what we can learn from them to mature our own security programs.
Course Agenda
Module 1: Overview of DevSecOps
- DevOps building blocks: people, process and technology.
- DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
- Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
- Overview of the DevSecOps critical toolchain.
SDLC
- Overview of secure SDLC and CI/CD.
- Review of security activities in secure SDLC.
- Continuous Integration and Continuous Deployment.
- How to move from DevSecOps Maturity Model (DSOMM) Level 2 to Level 4.
Module 2: Security Requirements and Threat Modelling (TM)
- What is threat modelling?
- STRIDE (threat categorisation) vs DREAD (risk rating) approaches.
- Threat modelling and its challenges.
- Classical threat modelling tools and how they fit into the CI/CD pipeline.
Module 3: Advanced Static Analysis (SAST) in the CI/CD pipeline
- Why pre-commit hooks are not a good fit in DevSecOps.
- Writing custom rules to weed out false positives and improve the quality of the results.
- Various approaches to write custom rules in free and paid tools.
Module 4: Advanced Dynamic Analysis (DAST) in the CI/CD pipeline
- Embedding DAST tools into the pipeline.
- Leveraging QA/Performance automation to drive DAST scans.
- Using Swagger (OpenAPI) and ZAP to scan APIs iteratively.
- Ways to handle custom authentication schemes in the ZAP scanner.
- Using the Zest scripting language to improve coverage of DAST scans.
Module 5: Runtime Analysis (RASP/IAST) in the CI/CD pipeline
- What is runtime analysis (Runtime Application Self-Protection and Interactive Application Security Testing)?
- Differences between RASP and IAST.
- Runtime Analysis and challenges.
- RASP/IAST and its suitability in CI/CD pipeline.
Module 6: Infrastructure as Code (IaC) and Its Security
- Configuration management (Ansible) security.
- Users, privileges and keys: Ansible Vault vs Ansible Tower.
- Challenges with Ansible Vault in CI/CD pipeline.
- Introduction to Packer.
- Benefits of Packer.
- Templates, builders, provisioners, and post processors.
- Packer for continuous security in DevOps Pipelines.
- Tools and services for practicing IaC (Packer + Ansible + Docker).
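To make the template/builder/provisioner/post-processor vocabulary above concrete, here is an added illustrative Packer HCL template that builds a hardened Docker image with an Ansible playbook. This is example configuration written for this page, not course material; the playbook name `harden.yml`, the base image `ubuntu:22.04` and the repository name `example/hardened-ubuntu` are assumed placeholders.

```hcl
# Example Packer template (not from the course): Docker builder +
# Ansible provisioner + docker-tag post-processor. Names are placeholders.
packer {
  required_plugins {
    docker = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/docker"
    }
    ansible = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/ansible"
    }
  }
}

# Builder: start from a pinned base image and commit the result as a new image.
source "docker" "hardened" {
  image  = "ubuntu:22.04" # assumption: pin a digest in real pipelines
  commit = true
}

build {
  sources = ["source.docker.hardened"]

  # The Ansible provisioner needs Python inside the container; a minimal
  # shell provisioner installs it before the playbook runs.
  provisioner "shell" {
    inline = [
      "apt-get update",
      "apt-get install -y --no-install-recommends python3",
      "rm -rf /var/lib/apt/lists/*",
    ]
  }

  # Provisioner: apply the OS-hardening role(s) from a playbook (assumed name).
  provisioner "ansible" {
    playbook_file = "./harden.yml"
  }

  # Post-processor: tag the committed image so the pipeline can scan and push it.
  post-processor "docker-tag" {
    repository = "example/hardened-ubuntu" # assumed repository name
    tags       = ["latest"]
  }
}
```

Run `packer init .` followed by `packer build .` in the directory holding the template and playbook. The point for a pipeline is that the hardening is applied at image-build time and the resulting tagged image is the artifact that gets scanned and promoted, rather than hardening running against live hosts after deployment.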
Module 7: Container (Docker) Security
- What is Docker?
- Docker vs Vagrant.
- Basics of Docker and its challenges.
- Container security.
- Static analysis of container (Docker) images.
- Dynamic analysis of container hosts and daemons.
Module 8: Secrets management on mutable and immutable infrastructure
- Managing secrets in traditional infrastructure.
- Managing secrets in containers at scale.
- Secrets management in the cloud.
Module 9: Advanced vulnerability management
- Approaches to manage the vulnerabilities in the organization.
- False positives and False Negatives.
- Culture and Vulnerability Management.
- Creating different metrics for CXOs, devs and security teams.
Exam & Certification
Our certifications are well recognised in the industry because we ensure our students gain practical skills to implement DevSecOps. To deliver on that promise, we run a rigorous certification program.
The CDE exam is an online, task-oriented exam in which you attempt to solve 5 challenges (tasks) within 24 hours. The exam is based on the content covered in the course but may require further research to pass. Once the exam window closes, you have a further 24 hours to send us your exam report.
A student needs to score at least 70 points (70%) to achieve the CDE certification.
FAQs
Are there any pre-requisites for this course?
- Course participants must have the Certified DevSecOps Professional (CDP) certification.
- Course participants should have a basic understanding of application security practices such as SAST and DAST.
How do I take the exam?
TaUB Solutions will request your exam voucher at the time of your course registration. The exam should be taken at the end of the course. Results are available within 5 working days.