DevSecOps Training

1.1: DevOps and Security Challenges

• Principles and Patterns behind the DevOps
• Identifying how DevOps works and keys to success

1.2: DevOps Toolchain

• GitFlow
• GitHub Actions
• Building CI/CD pipelines through CodePipeline, Azure DevOps, and Jenkins
• GitLab CI/CD
• Jenkins
• Securing the DevOps workflows
• Threat model and secure your deploy and build environment

1.3: Secure DevOps tools and Workflows

• Conducting efficient risk evaluations and threat modeling in the rapidly changing environment.
• Designing and Writing the automated security checks and tests in the CI/CD.
• Strengths and Weaknesses of automated testing approach in Continuous Delivery.
• Inventory and patch our software dependencies
• Wire the security scanning into the CodePipeline, Jenkins, and Azure DevOps workflows

1.4: Pre-commit Security Controls

• Git Hook Security
• Rapid Risk Assessment
• Branch Protections
• Code Editor Extensions
• Peer Reviews
• Code Owners

1.5: Commit Security Controls

• Component Analysis
• Static Analysis Security Testing

1.6: Secrets Management

• Handling Secrets in the CI/CD
• AWS SSM Parameter store
• Azure Key Vault
• HashiCorp Vault
• AWS Secrets Manager

2.1: Cloud Infrastructure as Code

• Cloud Infrastructure as Code
• AWS Cloud Information
• Deploying the Terraform
• Cloud Infrastructure as the cloud security analysis

2.2: Configuration Management as Code

• Automating the Configuration Management in the CI/CD
• Building the Gold Images with the Packer and Vagrant
• Using Ansible to configure the Virtual Machines
• Buiding the Gold Images  
• Certifying the Gold Images with the InSpec

2.3: Container Security

• BuildKit and Dockerfile Security
• Base Image Hardening with the Conftest and Hadolint
• Container Registry Security
•  Container Image Security
• Scanning the Container Images with the Docker Scan and Trivy
• Container Scanning with the Azure ACR and AWS ECR

2.4: Acceptance Stage Security

• Vulnerability Management in the DevSecOps
• Dynamic Application Security Testing

3.1: Cloud Deployment and Orchestration

• AWS CodePipeline
• Azure Pipelines
• Cloud Container Orchestration
• Azure Kubernetes Service
• Elastic Container Services

3.2: Security in the Cloud CI/CD

• AWS CodeBuild Security Integrations
• Software Composition Analysis
• Azure DevOps Security Extensions

3.3: Cloud Workload Security

• Cloud Storage Access Control
• Privilege Esçalation & Workload Identity
• TLS Hardening and Misconfiguration

3.4: Continuous Security Monitoring

• Monitoring and Feedback Loops from the production to the engineering
• Cloud Metrics and Logging
• Log Analytics and Azure Monitor
• AWS CludWatch Log Insights
• Kusto Query Language
•  AWS CloudWatch Dashboards
• Automated Stack Alerts
• OS Query

3.5: Data Protection Services

• Azure Service Integration
• Azure Key Vaults
• AWS Service Integration
• AWS KMS

4.1: Blue or Green Deployment Options

• Cloud Services for the Blue or Green Deployments
• Azure Kubernetes Services
• Azure Application Gateway
• AWS ALB Weighted Target Groups
• AWS Elastic Container Service Swapping
• AWS EC2 DNS Routing

4.2: Microservice Security

• Microservice Security Controls
• Microservice Architecture Attack Surface
• Service Mesh Security Controls
• Identity Federation & Open ID Connect
• JSON Web Token(JWT) Security & Best Practices
• Azure API Management
• Azure API Management Request Throttling
• Azure API Management Custom Security Policies
• AWS API Gateway Custom Authorizers
• AWS API Gateway
• AWS API Gateway Data Tracing & Request Throttling

4.3: Secure Content Delivery

• Azure CDN(Content Delivery Network)
• Azure CDN Token Policies & Authentication
• AWS CloudFront Origin Access Identities
• AWS CloudFront
• AWS CloudFront Signing
• CDN Cross-Origin Resource Sharing Policies

4.4: Serverless Security

• Introduction to Serverless Computing
• Serverless Functions Security Implications
• Azure Functions
• Deploying the Functions in the CI/CD pipelines
• AWS Lamda

5.1: Continuous Compliance

• Continuous Compliance in DevSecOps
• DevOps versus PCI & ITIL
• DevOps Audit Defense Toolkit
• Automate security and compliance policy sharing
• Cloud Security Guardrails with the Inspec, Azure Policy, and AWS Service Control Policies
• Microsoft Defender for the Cloud Workload Protection
• Cloud Native Cloud Security Posture Management Services
• AWS Security Hub
• AWS Prowler

5.2: Automated Remediation

• Amazon EventBridge
• Azure Event Grid
• Microsoft-Defender for the Cloud Automation
• Automated Blocking of Bad Scanners and Bots
• Automated Playbooks
• AWS Security Hub Automated Remediation & Response
• Enforce the cloud configuration policies with 

5.3: Runtime Security Protection

• AWS and Azure WAF
• Cloud Web Application Firewalls
• RASP/IAST
• AWS Security Automations Project
• Writing the WAF as the Code Custom Rules