Tembo Sacco Plaza, Garden Estate Rd, Nairobi, Kenya
Mon - Sat: 09:00 AM - 05:00 PM

DevSecOps: Security in CI/CD Pipelines Training Course

INTRODUCTION

This essential training course provides comprehensive knowledge and practical skills for mastering DevSecOps: Security in CI/CD Pipelines. In the fast-paced world of modern software development, integrating security seamlessly into Continuous Integration/Continuous Delivery (CI/CD) pipelines is no longer optional; it's a critical requirement for building secure applications at speed. This program equips participants with a systematic understanding of how to "shift left" security, embedding automated security testing, vulnerability management, and compliance checks at every stage of the development lifecycle. Participants will gain deep insights into identifying security flaws early, automating security gates, managing secrets effectively, and fostering a collaborative security culture, all crucial for accelerating delivery without compromising on application integrity or organizational risk.

The Security in CI/CD Pipelines Training Course is designed for DevOps engineers, software developers, security analysts, and quality assurance professionals who are involved in building and deploying applications in agile and automated environments. It bridges the gap between development, operations, and security, empowering participants to take an active part in building secure-by-design applications, reduce security debt, and contribute to a more resilient software supply chain from code commit to production deployment.

DURATION

10 days

TARGET AUDIENCE

This course is specifically designed for professionals involved in software development, operations, and security, seeking to integrate security into their CI/CD pipelines, including:

  • DevOps Engineers.
  • Software Developers (all levels).
  • Application Security Engineers.
  • Quality Assurance (QA) and Testers.
  • Release Managers and Build Engineers.

OBJECTIVES

Upon completion of this course, participants will be able to:

  • Understand the principles of DevSecOps and "shifting left" security.
  • Integrate automated security testing tools into CI/CD pipelines.
  • Implement secure practices for code, secrets, and infrastructure as code (IaC).
  • Establish security gates and feedback loops within the CI/CD process.
  • Foster a culture of shared security responsibility across development teams.

MODULES

Module 1: Introduction to DevSecOps and Shifting Left Security

  • Define DevSecOps and its evolution from DevOps.
  • Understand the concept of "shifting left" security and its benefits.
  • Discuss the challenges of traditional security models in agile and CI/CD environments.
  • Explore the cultural and organizational changes required for successful DevSecOps adoption.
  • Examine the ROI of integrating security early in the SDLC.

Module 2: Secure Code Development and Static Application Security Testing (SAST)

  • Understand the importance of secure coding practices (e.g., input validation, error handling, OWASP Top 10).
  • Discuss the role of Static Application Security Testing (SAST) in CI/CD pipelines.
  • Explore how SAST tools analyze source code for vulnerabilities.
  • Examine the integration of SAST into developer IDEs and pre-commit hooks.
  • Learn about interpreting SAST findings and prioritizing remediation.

Module 3: Software Composition Analysis (SCA) and Open Source Security

  • Understand the risks associated with open-source components and third-party libraries.
  • Discuss the purpose and capabilities of Software Composition Analysis (SCA) tools.
  • Explore how SCA tools identify vulnerable components and licensing issues.
  • Examine the integration of SCA into CI/CD builds.
  • Learn about managing open-source dependencies and maintaining a software bill of materials (SBOM).

Module 4: Dynamic Application Security Testing (DAST) in CI/CD

  • Understand the purpose and methodology of Dynamic Application Security Testing (DAST).
  • Discuss how DAST tools interact with running applications to find vulnerabilities.
  • Explore the integration of DAST into automated testing environments and post-deployment stages.
  • Examine common DAST findings (e.g., injection, XSS, authentication flaws).
  • Learn about orchestrating DAST scans as part of the CI/CD pipeline.

Module 5: Container and Cloud Native Security in Pipelines

  • Understand the security challenges unique to containers (e.g., Docker, Kubernetes).
  • Discuss container image scanning for vulnerabilities and misconfigurations.
  • Explore securing container registries and runtime environments.
  • Examine the role of Kubernetes security policies and network segmentation.
  • Learn about integrating security into serverless function deployments.

Module 6: Infrastructure as Code (IaC) Security

  • Understand the concept of Infrastructure as Code (IaC) (e.g., Terraform, CloudFormation, Ansible).
  • Discuss the security risks associated with insecure IaC configurations.
  • Explore IaC security scanning tools to identify misconfigurations pre-deployment.
  • Examine integrating IaC security checks into version control and CI/CD pipelines.
  • Learn about applying security baselines and policies to IaC.

Module 7: Secrets Management and Secure Configuration

  • Understand the critical importance of secure secrets management in CI/CD.
  • Discuss various secrets management solutions (e.g., Vault, AWS Secrets Manager, Azure Key Vault).
  • Explore integrating secrets retrieval into deployment processes securely.
  • Examine methods for securely configuring applications and environments.
  • Learn about preventing hardcoded credentials and sensitive information in codebases.

Module 8: Security Gates, Automation, and Feedback Loops

  • Understand how to define and implement security gates within the CI/CD pipeline.
  • Discuss criteria for breaking the build based on security findings.
  • Explore leveraging automation for security testing and remediation.
  • Examine establishing fast and actionable feedback loops for developers.
  • Learn about continuous monitoring, security metrics, and fostering a collaborative security culture in DevSecOps.

CERTIFICATION

  • Upon successful completion of this training, participants will be issued a Macskills Training and Development Institute certificate.

TRAINING VENUE

  • Training will be held at Macskills Training Centre. We also tailor the training upon request at different locations across the world.

AIRPORT PICK UP AND ACCOMMODATION

  • Airport pick-up and accommodation are arranged upon request.

TERMS OF PAYMENT

  • Payment should be made to the Macskills Development Institute bank account before the start of the training, and receipts sent to info@macskillsdevelopment.com.

 

DevSecOps: Security in CI/CD Pipelines Training Course

Dates                    Fees    Location
16/06/2025 - 27/06/2025  $2,450  Nairobi
07/07/2025 - 18/07/2025  $3,950  Kigali
14/07/2025 - 25/07/2025  $2,450  Nairobi
04/08/2025 - 15/08/2025  $4,950  Johannesburg
11/08/2025 - 22/08/2025  $2,950  Mombasa
18/08/2025 - 29/08/2025  $2,450  Nairobi
01/09/2025 - 12/09/2025  $5,950  Istanbul
08/09/2025 - 19/09/2025  $2,950  Mombasa
15/09/2025 - 26/09/2025  $2,450  Nairobi
06/10/2025 - 17/10/2025  $3,950  Kigali
13/10/2025 - 24/10/2025  $5,950  Istanbul
20/10/2025 - 31/10/2025  $2,450  Nairobi
03/11/2025 - 14/11/2025  $3,950  Kigali
10/11/2025 - 21/11/2025  $5,950  Istanbul
17/11/2025 - 28/11/2025  $2,450  Nairobi
01/12/2025 - 12/12/2025  $2,450  Nairobi