Security in DevOps Syllabus
1. Introduction to DevSecOps
• What is DevSecOps?
• Importance of security in DevOps.
• Shift-left security: Integrating security early in the SDLC.
• Key principles of DevSecOps.
• Differences between DevOps and DevSecOps.
2. Threat Landscape and Risk Management
• Common security threats in CI/CD pipelines.
• Vulnerability management and risk assessment.
• Security policies and governance.
• Secure coding practices.
• Compliance frameworks (e.g., GDPR, HIPAA, SOC 2).
3. Secure Development Practices
• Secure Software Development Life Cycle (SSDLC).
• Static Application Security Testing (SAST).
  • Tools: SonarQube, Checkmarx.
• Dynamic Application Security Testing (DAST).
  • Tools: OWASP ZAP, Burp Suite.
• Dependency scanning and Software Composition Analysis (SCA).
  • Tools: OWASP Dependency-Check, Snyk.
4. Security in Continuous Integration (CI)
• Secure build processes.
• Securing version control systems (Git).
• Implementing code signing.
• Secrets management in CI/CD pipelines.
  • Tools: HashiCorp Vault, AWS Secrets Manager.
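The secrets-management and version-control items in this module are the kind of controls that end up enforced as a blocking CI step. As an added example, not part of this syllabus or of any tool it names, the Python below scans a constructed set of changed files for credential patterns and returns a non-zero exit code when one is found. The detection rules, the entropy cutoff, the allowlist marker and the sample files are assumptions made for the example; the AWS access key ID format is public, and the key ID shown is the example value AWS publishes in its own documentation.

```python
"""Pre-merge secret scan of the kind a CI job covered in module 4 would run.

Added illustration, not material from the syllabus or from any vendor tool.
The AWS access key ID format (AKIA + 16 upper-case alphanumerics) is public;
the other patterns, the entropy cutoff and the sample files are constructed.
"""
import math
import re
import sys
from dataclasses import dataclass

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "name = value" assignment; the value is entropy-checked below so
    # that placeholders such as 'changeme1' do not fail every build.
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-=]{8,})"
    ),
}
ENTROPY_THRESHOLD = 3.5          # bits per character; constructed cutoff
ALLOWLIST_MARKER = "# allowlist-secret"  # reviewable, per-line suppression


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score well above English words."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; allowlisted lines are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, line_no, rule, line.strip()[:80]))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (what a diff-based CI job would collect)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def exit_code(findings: list[Finding]) -> int:
    """Non-zero fails the pipeline stage, making the scan a blocking gate."""
    return 1 if findings else 0


# Constructed sample: files a merge request might touch.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "PASSWORD = 'changeme1'\n"                 # low-entropy placeholder, ignored
        "API_KEY = 'tok_9fQ2xL7mZp3vR8wK1sD4'\n"   # high-entropy value, flagged
    ),
    "scripts/deploy.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"       # AWS's documented example ID
        "token = 'tok_test_Xy7Qw9Lp2Mn4Rb8Vc1Zs'  # allowlist-secret\n"  # suppressed on purpose
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    sys.exit(exit_code(results))
```

Running it reports two findings (the API key and the AWS key ID) and exits 1; the placeholder password is dropped by the entropy check and the allowlisted test token by the marker, which is the trade-off a real pipeline has to make between noise and coverage.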
5. Security in Continuous Delivery/Deployment (CD)
• Securing deployment environments.
• Zero-trust network architecture.
• Container security:
  • Image scanning (e.g., Trivy, Clair).
  • Runtime security for containers (e.g., Falco, Aqua Security).
• Infrastructure-as-Code (IaC) security:
  • Tools: Terraform Sentinel, Checkov.
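To show what a container and IaC security gate in this module checks in practice, here is an added example that is not from the syllabus or from any tool it lists: a Python policy check over a Kubernetes Pod manifest in JSON form (which kubectl accepts, so no YAML library is needed), run against a constructed insecure build-agent Pod and its hardened counterpart. The rule set, both manifests and the all-zero image digest are assumptions made for the example.

```python
"""Admission-style policy check for a Kubernetes Pod manifest.

Added illustration for module 5 (container and IaC security); not from the
syllabus or from any tool listed there. Both sample Pods and the digest in the
hardened one are constructed placeholders.
"""
import json
from typing import Any

# Capabilities that grant host- or network-level control; constructed shortlist.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "NET_RAW", "SYS_MODULE"}


def image_is_pinned(image: str) -> bool:
    """True if the reference carries a digest or an explicit non-'latest' tag."""
    if "@sha256:" in image:
        return True
    # Inspect only the last path segment: "registry:5000/app" has a port, not a tag.
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return False  # implicit :latest, which changes underneath you
    return last.rsplit(":", 1)[1] != "latest"


def audit_pod(manifest: dict[str, Any]) -> list[str]:
    """Return human-readable violations; an empty list means the Pod passes."""
    problems: list[str] = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            problems.append(f"spec.{flag} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')}: hostPath mount of {vol['hostPath'].get('path')}")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if not image_is_pinned(c.get("image", "")):
            problems.append(f"{name}: image not pinned to a tag or digest")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            problems.append(f"{name}: allowPrivilegeEscalation not set to false")
        # A container-level setting overrides the pod-level one, so fall back to it.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            problems.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem", False):
            problems.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        added = DANGEROUS_CAPS & set(caps.get("add", []))
        if added:
            problems.append(f"{name}: adds dangerous capabilities {sorted(added)}")
        if caps.get("drop") != ["ALL"]:
            problems.append(f"{name}: does not drop ALL capabilities")
    return problems


# Constructed: a CI build agent that mounts the host Docker socket, a common anti-pattern.
INSECURE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "build-agent"},
  "spec": {
    "hostPID": true,
    "containers": [{
      "name": "agent",
      "image": "registry.example.internal/ci/agent:latest",
      "securityContext": {"privileged": true, "capabilities": {"add": ["SYS_ADMIN"]}},
      "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]
    }],
    "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}]
  }
}
""")

# Constructed: the same workload with the image pinned by (placeholder) digest and a
# restrictive security context; it no longer needs host access at all.
HARDENED_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "build-agent"},
  "spec": {
    "securityContext": {"runAsNonRoot": true},
    "containers": [{
      "name": "agent",
      "image": "registry.example.internal/ci/agent@sha256:0000000000000000000000000000000000000000000000000000000000000000",
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "readOnlyRootFilesystem": true,
        "capabilities": {"drop": ["ALL"]}
      }
    }]
  }
}
""")

if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["OK"])
```

The insecure Pod produces nine violations; the hardened one produces none. Checkov and Sentinel implement the same idea as policy rules rather than Python, and the value of encoding the rules this way is that they run on the manifest before anything reaches the cluster.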
6. Cloud Security
• Secure cloud architecture.
• Identity and Access Management (IAM).
• Cloud Security Posture Management (CSPM).
  • Tools: AWS Security Hub, Microsoft Defender for Cloud (formerly Azure Security Center), GCP Security Command Center.
7. Monitoring and Incident Response
• Monitoring for security threats.
• Security Information and Event Management (SIEM):
  • Tools: Splunk, ELK Stack; AWS CloudTrail as an audit-log source feeding the SIEM rather than a SIEM itself.
• Incident response and handling.
• Log analysis and forensic tools.
8. DevOps Security Tools and Automation
• Automated security testing in CI/CD pipelines.
• Tools for automating security:
  • Jenkins with security plugins.
  • GitLab CI/CD security integrations.
• Implementing automated patch management.
9. Identity and Access Management (IAM)
• Role-based access control (RBAC) and least privilege.
• Multi-factor authentication (MFA).
• Secrets and token management.
• Single Sign-On (SSO) integration.
10. Network Security in DevOps
• Securing network traffic and APIs.
• Implementing firewalls and intrusion detection systems.
• TLS encryption in transit (SSL is deprecated and should be disabled).
• Service mesh security (e.g., Istio).
11. Compliance and Auditing
• Ensuring compliance with regulatory standards.
• Auditing CI/CD pipelines and systems.
• Reporting and documentation.