DevSecOps Engineering (DSOE)

DevSecOps is a cultural-based movement that builds on the concepts outlined in the DevOps Foundation course. It aims to build lean-agile security practices into the CI/CD pipeline through cultural change, through automation and through experimentation and learning.

The goal is to remove silo’s, reduce friction and bring in security early into the software development lifecycle. The outcome is to bridge the gap IT, security and the business to bring deliver secure working code, fast and frequently to the end-users.

The course explains DevSecOps in the context of digital disruption: where younger enterprises, such as Netflix, are threatening traditional incumbents, such as TV, video downloads and cinema. It includes DevSecOps practices such as safety differently, the three ways and shifting left and includes opportunities for interactive discussions and short group exercises.

Learning outcomes

The learning objectives for DevSecOps are:

• Understand the DevSecOps concepts and how to apply them to your role.
• Gain an understanding of how you can do security differently in your organisation, in order to improve flow and reduce risk.
• Gain a deeper understanding of culture through incentive models, generativity and culture models from Erickson, Westrum and Laloux and how cultural change is key to DevSecOps.
• Understand the importance of resilience to deal with adversity.
• Understand and be able to implement security best practices including threat modelling, risk management, basic security hygiene, federation, log management, identity, access management, application security, operational security, governance, compliance, policy-as-code and shifting left.
• Be able to improve the resiliency of your organisation by using simulations to improve incident response, forensic data collection and utilise threat intelligence and information sharing.
• Techniques for how to ensure that security, governance, risk management and compliance capabilities are involved earlier in the software development process.
• Be able to apply experimentation and collect the necessary measures to prove a specific hypothesis, i.e. such as the effective of security controls.

Who should attend

The DevSecOps course is designed for:

• Candidates seeking an understanding of DevSecOps practices, such as developers, engineers, security practitioners, architects and project managers.
• Managers and leaders responsible for employees that are working on security, audit, governance or compliance capabilities within lean-agile initiatives.

Course contents

1. Course Introduction

• Course Goals
• Course Agenda
• Beginning the Journey

2. Why DevSecOps?

• Digital Disruption
• Top Cloud Computing Threats
• DevOps and DevSecOps Values
• Safety Differently
• Recap on The Three Ways
• Build your CI/CD pipeline
• Defining DevSecOps
• Shifting Left
• Automation
• Think Like a Lean Startup
• BDD, TDD, Agile Testing & Metrics

3. Cultural Change

• Incentive Model
• Resilience
• Organisational Culture
• Generativity
• The Advice Process
• Leading by Example
• Erickson, Westrum, and LaLoux Culture Models

4. Strategic Considerations

• Cooperation
• Threat Modelling
• Measurements and Metrics
• Context
• Risk Management

5. Security Considerations

• Checkbox Trap
• Basic Security Hygiene
• Cloud Computing
• Cloud Control Matrix
• Architecture
• Federation
• Log Management

6. Identity & Access Management

• Terms and Definitions
• Authentication and Authorisation
• Federated Identity
• Open ID, OAuth and SAML
• Systems or Record
• AWS IAM Best Practices
• Single Sign-On
• Active Directory Use Cases

7. Application Security

• DAST and SAST
• Software Composition Analysis
• Other Testing Techniques
• Red / Blue Teams
• OWASP Top 10
• Testing in the CI/CD Pipeline
• Integration to Issue Management
• Automation
• Threat Modelling

8. Operational Security

• Basic Security Hygiene
• Key Security Controls
• Moving to the Cloud
• Patching
• Data Protection
• Network Security
• Cloud Security
• Data Loss Prevention

9. Governance, Risk Management, Compliance & Audit

• What is GRC?
• Why care about GRC?
• Policy as Code
• Audit & Compliance
• 3 Myths of Separation of Duties

10. Logging, Monitoring & Response

• Log Management
• Incident Response
• Forensics
• Security Information and Event Management (SIEM)
• eDiscovery
• Threat Intelligence & Information Sharing
• Shifting Left

Course fees

Face-to-face classroom training

DevSecOps Engineering

$ 1850 + gst per person

Fees include:

• Course presentation
• Course workbook
• DevSecOps Engineering Exam – 90 Day Validity
• Full catering including sit-down lunch

Pre-Requisites

There are no manditory pre-requsites for this course however it’s highly recommended that participants sit the DevOps Foundation course prior to ensure participants are aligned with the baseline DevOps definitions and principles.

DevSecOps Engineering Certificate Exam

Once you’ve completed your training, you can gain a globally recognised certification with the DevSecOps Engineering Exam.  An exam voucher is provided after the training course. The exam is online and web-proctored, so you can take it any place, any time. Note: The exam voucher has a 90 Day Validity period.

DevOps Institute has engaged Kryterion Global Testing to host DevOps Institute certification examinations. For more information on sitting the online proctored exams please click here.  

The exam details are as follows:

• 90 minutes
• 40 multiple choice questions
• Pass mark of 65% (26 out of 40)
• Closed book
• Web-based (single-browser), closed book, no outside assistance, timed

Successfully passing the examination leads to the candidate’s designation as a certified DevSecOps Engineer (DSOE). The certification is governed and maintained by the DevOps Institute.