Course Overview
This hands-on course introduces participants to modern DevSecOps practices, focusing on building efficient and secure CI/CD pipelines to optimize application delivery. Designed for an audience eager to enhance their DevOps expertise, the training uses GitLab and AWS as the technical environment. With a mix of theory, demonstrations, and interactive labs, attendees will gain practical insights into creating scalable, reliable and secure workflows aligned with industry best practices.
Course Prerequisites
This course is designed for:
- Developers with limited DevOps experience who want to expand their understanding of CI/CD pipelines, monitoring, and security practices
- Ops engineers who want to expand and improve their DevOps and DevSecOps skills
We assume students are familiar with the following:
- Basic software development practices (writing and debugging code, working with Git)
- Core application lifecycle stages (build, test, deploy)
- Navigating the command line (Linux or Windows)
- How applications are deployed (e.g., local testing, staging, production)
- Reading and understanding basic YAML configuration files
- Containerized environments (e.g., basic Docker concepts)
- AWS fundamentals
Outline
Participants will learn:
- DevSecOps processes, tools, and techniques, including CI/CD, testing, security, and the Three Ways
- Business and IT benefits
- Main components of a DevOps pipeline
- Building and maintaining DevSecOps pipelines using SCA, SAST, DAST, and Security as Code
- The relationship between DevSecOps, Agile, Lean, and ITSM
- Managing distributed applications and systems on AWS
- Core principles, values, and practices that enable DevSecOps
This dynamic and interactive course ensures participants walk away with tangible skills and the confidence to contribute to DevSecOps implementations in their organizations.
Technical environment
- GitLab instance (cloud or on-premise access provided)
- Dedicated AWS environment (access details provided before the course)
- Recommended: Laptop with SSH client and modern browser installed
Introduction to DevSecOps
- What is DevSecOps?
- Evolution from DevOps to DevSecOps
- Key goals and business & IT benefits
- The cultural shift: "Shift Left" mindset
- Core principles, values, and practices that enable DevSecOps
Core DevOps Concepts
- Continuous Integration (CI) & Continuous Delivery/Deployment (CD)
- Infrastructure as Code (IaC)
- Monitoring and Logging
- The Three Ways of DevOps
Hands-On Lab:
- Create and deploy a simple CI/CD pipeline in GitLab
- Automate a sample application build and test
Security in the Software Development Lifecycle
- Secure SDLC overview
- Common software vulnerabilities (OWASP Top 10)
- Threat modeling basics
- Secure coding practices
Hands-On Lab:
- Analyze a vulnerable web app to identify common security flaws (XSS, SQLi, hardcoded secrets)
- Use static analysis tools (e.g., SonarQube or Semgrep) to find vulnerabilities and refactor the code to fix issues
Integrating Security into CI/CD Pipelines
- Automating security checks (Security as Code)
- Introduction to:
  - Static Application Security Testing (SAST)
  - Software Composition Analysis (SCA)
  - Dynamic Application Security Testing (DAST)
- Example pipeline with integrated security scans
- Best practices and common pitfalls
Hands-On Lab:
- Secure the pipeline using GitLab's built-in secret management and RBAC features
- Add security scans to the pipeline
Hands-On Lab:
- Explore GitLab's built-in monitoring and analytics (pipeline insights, job statistics, DORA metrics)
Tools and Technologies
- Overview of key tools: Git, Jenkins, GitLab CI, CircleCI, SonarQube, OWASP ZAP, Trivy, Checkov
- Secret management tools (e.g., HashiCorp Vault, AWS Secrets Manager)
- Container security tools (e.g., Docker Bench, Aqua)
Hands-On Lab:
- Build and scan a Docker image using Docker Bench or Trivy
DevSecOps in Context - Agile, Lean, and ITSM
- DevSecOps and Agile: embedding security into Secure Agile sprints
- DevSecOps and Lean: automation, continuous testing, and feedback loops
- DevSecOps and IT Service Management (ITSM): incident response and problem management in DevSecOps pipelines
Infrastructure and Cloud Security
- Securing Infrastructure as Code
- Kubernetes and container security basics
- AWS Cloud security considerations
- Identity and Access Management (IAM)
Hands-On Lab:
- Enhance the pipeline to deploy the app to AWS
Governance, Compliance, and Risk
- Policies and frameworks (e.g., NIST, ISO 27001)
- Audit and compliance automation
- Risk management in a DevSecOps environment
Hands-On Lab:
- Use Open Policy Agent (OPA) or Conftest to define security/compliance rules
- Apply policies to container or IaC files in a CI/CD pipeline
- Trigger alerts or block deployments on violations
- Review reports for audit readiness