Certified DevSecOps Professional (CDP) course and exam review

Background:

Over the years, Application Security has evolved through various paradigms and branched into numerous approaches and paths of its own. People have moved on from just talking about DevSecOps to actually finding solutions to implement it. For me, the idea of Application Security with Automation has kept me thinking for quite some time. Following this interest, I have kept myself busy reading and learning about DevSecOps. Going into the course, I had some experience with Docker, SCA tools, Jenkins, SonarQube, and some more tools. I gained some theoretical knowledge of security implementation and DevSecOps from various people while working on the DevSecOps Newsletter. Hence, I decided to use this lockdown period to learn the practical implementations of DevSecOps, which led me to complete the DevSecOps Professional course from Practical-DevSecOps.

Introduction to CDP:

The course is divided into 9 modules. Each chapter has 2 or more lab exercises to give you more hands-on practice with the concepts. The duration of the course is 30 days, and it costs $799.

Course structure:

This course comes with a Course Manual, Videos, and Lab Guide. Along with this, you get access to the ready-made lab and an invite to the Slack channel for discussing the course and asking questions. After the 30 days of the course, you get to take one 12-hour hands-on exam. More details can be found here.

The course teaches you many concepts of the modern DevOps architecture, starting from Docker, CI/CD, and Ansible. It talks a good deal about GitLab CI/CD. It does, however, cover only DSOMM levels 1 and 2. If you are already working around DSOMM 1 and 2, then I would recommend checking out their other courses. The Practical-DevSecOps team does a really good job of maintaining the lab infrastructure and helping out the students via email and the Slack channel. With that being said, I must also mention that the trainer of this course not only has a good understanding of all this, but also delivers it neatly without any ambiguity.

Labs:

The labs are very well designed: you connect to each system using SSH, so some prior experience working with SSH and keys comes in handy. To connect to the labs you can use the VM provided with the course or your preferred OS/VM. The only requirement is that you should be able to connect to the labs via SSH.

Chapters:

Chapter 1: An Introduction to the Basics -

This chapter starts with the traditional SDLC and the Waterfall Model. It highlights their drawbacks, after which it introduces Agile and teaches a good deal about DevOps. Along with its benefits and principles, it points out how the security team can fit into DevOps the right way: by building gates rather than becoming walls.

Chapter 2: Introduction to the Tools of the trade -

This chapter talks about various tools and how they can be used to integrate and automate security for tasks like SCA, SAST, DAST, infrastructure security, and more. It also gives a detailed overview of Docker and how important a role it plays in integrating security into DevOps.

Chapter 3: Secure SDLC and CI/CD pipeline -

This chapter teaches various Secure SDLC concepts such as Security Requirements, Threat Modelling, SAST, DAST, and more. It also discusses the DevSecOps Maturity Model levels 1 and 2, with their concepts and principles, in detail. After this, it dives deep into Continuous Integration, Development, and Deployment along with version control systems and how they work, giving a brief overview of GitLab’s development workflow. It also teaches how jobs are configured in a GitLab CI/CD pipeline.

Chapter 4: Software Component Analysis (SCA) in CI/CD pipeline -

This has been one of my favorite chapters because I have already worked on SCA for some time now using dependency-check. Here, I got to learn about other tools which can be used to do Software Composition Analysis, the current challenges in doing SCA, and also the Practical DevSecOps Gospel for choosing the right tool. I also got to learn a thing or two more about dependency-check while working on the labs provided.

Chapter 5: SAST (Static Analysis) in CI/CD pipeline -

This chapter paves its way into the SAST tools, their components, and how to choose them. It also teaches how we can leverage some open source tools to integrate code review and secrets scanning into our pipeline.

Chapter 6: DAST (Dynamic Analysis) in CI/CD pipeline -

This has been another interesting chapter. In it I actually got to build a full DevOps pipeline that builds a web application using Docker, and then implement DAST tooling around it. This chapter teaches you about various DAST tools and how they can be integrated into the pipeline.

Chapter 7: Infrastructure as Code and its Security -

Starting from this chapter, almost all the concepts were completely new to me because I have not worked in these areas before. Chapter 7 talks about infrastructure as code, its concepts, and its benefits. It also teaches many Ansible concepts and how they can be used when it comes to infrastructure security and hardening.

Chapter 8: Compliance as code -

In this chapter, the course introduces us to the concept of Compliance as Code, its need, principles, and benefits. It also teaches the InSpec framework and how it can be used and integrated into our pipeline to achieve compliance.

Chapter 9: Vulnerability Management with custom tools -

This chapter deals with vulnerability management, which I feel is one of the most important things to do when it comes to DevSecOps, because visibility is one of its key concepts. In this chapter, the instructor briefs us on the workflow of a vulnerability cycle. For this chapter, they introduce us to an open-source tool and teach us how to use a custom tool to get vulnerability management done.

Note: Almost all the chapters have external references to read up on. These resources are useful from the lab and exam perspective.

Exam:

Introduction:

To get the Certified DevSecOps Professional (CDP) certificate, one needs to take a 12-hour hands-on exam in which you build a full-blown DevSecOps pipeline using the concepts, tools, and techniques that you learned during the course.

Tips:
  • The exam has 5 challenges with sub-challenges for each. Read each sub-challenge, make sure you understand it correctly, and then try to implement it.
  • Focus on details; analyze each output and understand the results and the errors (the same goes for the labs as well).
  • Although you get 24 hours after the exam to prepare the report, you won’t have access to the exam lab after your 12 hours of exam time. Keep taking backups, screenshots, and output results to your host machine.
  • Include all the details required to solve each challenge, with proper formatting.
  • Organize your results, screenshots, and output files.

Again, kudos to Imran and his team at Practical-DevSecOps for this amazing course and certification. You can view my certificate here and reach out to me on Twitter if you have any queries regarding this course or certification.