
DevSecOps Process and Implementation

DevOps is a set of software development principles that emphasize collaboration, communication, and automation among all stakeholders, including IT operations, testers, developers, customers, and security personnel at the inception of a project. A variety of tools help stakeholders collaborate and communicate. Automation is a greater challenge. When our system architecture and cybersecurity controls limit what can be automated, we can't move at DevOps speed. Teams must address this challenge at the beginning of a project and throughout the DevOps pipeline.

This tutorial is designed for managers, developers, security, and operational teams and covers DevOps principles and processes for designing and building a secure development pipeline for project planning, gathering and meeting cybersecurity requirements, secure development, security testing, and deployment from start to finish. You will learn about reference architectures and use cases for architectural design principles on continuous integration (CI), continuous delivery/deployment (CD), and continuous authorization (CA) tools and practices, including technical demonstrations and practical scenarios.

Audience

Anyone working in software development, including technical managers, technical leads, developers, QA engineers, release/deployment engineers and operational support staff who

  • want to bring DevOps to their organization
  • want to improve their existing DevOps strategy to include security
  • are looking for solutions to manage evolving software development needs
  • are challenged by slow deployment cycles
  • see a disconnect between business needs, development, and operational teams
  • are looking for strategies to convince their business of the benefits of DevOps

Objectives

Participants will come away with a solid understanding of the realities of DevSecOps, from tools and techniques to culture and specific organizational, business, and operational needs. By focusing on common pitfalls and missteps, instructors will help attendees navigate the challenging tasks of adapting DevOps theories, practices, and tools to meet their particular business needs and security requirements and to provide measurable value to their organizations.

Topics

  • What is DevOps?
    • DevOps Foundations: Business, Culture, Communication, Architecture
  • Organizational Needs and linking Business into DevOps
  • Communication and Collaboration
    • Security culture
    • Effective communication amongst all stakeholders
    • Micro learning culture on security
  • Infrastructure as Code
    • Environments
    • Environment hardening
    • Compliance check with IaC
    • First step to RMF/ATO
  • Continuous Integration & Testing
    • Automated Security Testing
    • Application-specific penetration testing
    • Various Gateways on security testing and verification
  • Continuous Delivery/Deployment
    • Concept of Delivery and Deployment
    • Deployment scenarios
    • Containerization and Orchestration
    • Container Security
    • Authenticity of build and dependencies
    • Secure Deployment pipeline
  • Process Monitoring and Measurement
    • Monitoring
    • What are the security metrics?
    • Where to collect and how to monitor them
  • Secure DevOps
    • DevOps Pipeline Security
    • Application Security
    • Security activities and automation
    • Continuous Authorization
  • Hands-on Exercise
    • Setting up DevOps pipeline
    • Project Configuration
    • Build Configuration
    • Security checks and Deployment

Materials

Students will receive the complete set of slides and recommendations for related papers and reference materials.

Prerequisites

There are no prerequisites for this course. It is recommended that participants have some experience with the software development planning, delivery, and deployment process.

Required Equipment

Hands-on exercise - students should have a laptop with the following requirements:



Course Questions?

Email: course-info@sei.cmu.edu
Phone: 412-268-7388

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.