DevSecOps Training Course and Workshop in Bangalore, Mysore, Chennai, Hyderabad, Pune, Mumbai, Delhi, Noida, Gurgaon, Kolkata

DevSecOps is more than just a new label – it's a proven set of skills, tools, and practices for proactively building security into applications and IT services. From the start, security has been a key priority for technology professionals who practice the grassroots principles of DevOps. However, even on teams which strive to adhere to DevOps practices, security concerns still take a back seat far too often. The more recent DevSecOps phenomenon does not represent a new idea (secure all the things!), but it does represent a renewed focus on the importance of security in the development lifecycle and its implications for all of downstream IT.

This DevSecOps training course is a practical, in-depth educational solution for those who want to understand, apply, and improve their skills on "shifting left" in IT security. This course focuses on the principles, processes, and technical skills necessary to make security and risk profiling a front-end priority: embracing a "quality first" mindset. Teams will leave class understanding that they have a responsibility for how applications and IT services perform when they are complete and in production, even if they are involved primarily in design, development or testing applications. For IT teams primarily on the operations end of the spectrum, this class will teach them how to shift left and collaborate on the upstream work that ultimately impacts the IT security environment, the organization's risk management, and their own daily jobs.

By attending DevSecOps workshop, delegates will learn to:

Assess, specify, and automate much of the work associated with application security
Bridge the typical functional silos in IT that prevent proactive security practices
Translate common risks into technical use cases and software requirements
Apply "security first" engineering and testing practices throughout the entire application pipeline
Use static analysis, broader unit test coverage, and code quality reviews specifically for security
Translate the OWASP risks into practical, actionable software development best practices
How to deploy for security
Tie secure development practices and automated engineering to GRC and audit requirements
Try new approaches to change management for increased speed, automation and security
Use DevOps-style metrics to measure and monitor security practices and performance

Application Developer
Software Engineers
Software Tester
Technical Leadership
Security Administrators

DevOps, Security, and DevSecOps: Definitions

DevOps
Security
Risk
Culture
Agility
Testing
Continuous "X" (Integration, Delivery, etc.)

Where do we start with security?

Risk review
Policy
Roles
Compliance, regulatory and GRC
The 50% hack rule
The Pipeline Model

Security as a DevOps practice

Traditional vs. "DevOps" security
Tools vs. processes
Security, not compliance
Prioritizing testing for risk
Reducing source code footprint
Static analysis for secure code
Feature toggles for security
DevSecOps and technical debt management

DevSecOps and "requirements"

Designing for security
Assessing risk appetite
Modeling threats
Product architecture
Use cases, anitpatterns and abuse cases
Dataflows with trust boundaries

Secure development patterns

Secure code overview
OWASP review
Tools for automating OWASP
Developer guidelines & checklists
Compiler Security Settings (per)
Tools to use
Coding Standards (per language)
Common pitfalls (per language)
Secure/Safe functions/methods
Integer type selection
Synchronization Primitives

Security Testing in the Pipeline

Testing before commit
Scanning for secrets
Hook examples
Application security testing
Testing dependencies
How to treat manual testing
Performance Testing
Testing in parallel
Staging
Mutation testing and tools for performing it
User role testing

Identity and Access Management (IAM)

IAM overview
Identity profiles
Using IAM for automation
IAM practices in the cloud
IAM as an application building block
IAM antipatterns
Guided discussion: IAM in a Microservices use case

Deployment patterns for security

Canary candidates
Dark launches
Streamlining libraries and dependencies
Keeping packages up to date
Keeping deploys repeatable and reliable
OpenSCAP for scanning baselines before and after deployments
Scanning web server configuration
Database exploitation through applications
Infrastructure scanning
Scanning web applications

DevSecOps and Operations

Where does ops security begin and end?
Infrastructure as secure code
Incident response planning and emergency drills
Release Archives
OS Protections:
Monitoring, logging and intelligent alerts
Log management
Penetration Testing

Policy, Governance, and Audit

GRC review
Coding for compliance
DevOps and the "segregation of duties"
Tooling example: Chef InSpec
Change management and policy
Change management and DevSecOps
Three types of "change"
When and why to use CAB boards
Peer review vs. change management
Automating change management
ITIL in 2020

Measurement and metrics

The core toolkit of metrics
The best way to institute alerts
Managing alerts
Proactive vs. reactive metrics
Measurement antipatterns

More advice on the cultural factors

Security fails and breakdowns
Incentive, fear and reward
Getting outside IT
How to shift left
Building security in
Cost and the business case for proactive security
Overcoming conventions of the past
Bridging siloes – why and how

Encarta Labs Advantage

One Stop Corporate Training Solution Providers for over 6,000 various courses on a variety of subjects
All courses are delivered by Industry Veterans
Get jumpstarted from newbie to production ready in a matter of few days

Trained more than 50,000 Corporate executives across the Globe
All our trainings are conducted in workshop mode with more focus on hands-on sessions

DevSecOps

COURSE AGENDA