After watching it be developed, I’ve given in and bought Techworld With Nana’s DevSecOps Bootcamp.

Should take about half a year and it’s extensive and thorough. In my career, I’ve touched on most of this stuff though various contracts but I’d just like to firm up my knowledge and tie it all together.

It’s formatted thusly:

1 - Security Essentials

  • Importance of Security
  • Security Breaches Examples
  • Types of Security Attacks
  • OWASP Top Ten

2 - Introduction to DevSecOps

  • Issues with traditional approach to Security
  • Understand DevSecOps
  • Tools for Automated Security Tests
  • Concept vs Role
  • Roles & Responsibilities in DevSecOps

3 - Build Secure CI

  • Vulnerability Scanning:
    • Pre-Commit Hooks
    • SAST and SCA
    • Visualizing, False Positive Analysis
    • Remediation
  • Integrate Security Scans in a Continuous Integration Pipeline

Tools: GitLeaks, njsScan, Semgrep, Retire.js, DefectDojo, GitLab CI

4 - Build Secure Images

  • Docker Security Best Practices
  • Image Scanning in Release Pipeline
  • Image Scanning in Docker Registry

Tools: Trivy, Docker, AWS ECR, GitLab CI

5 - Cloud Security (AWS)

  • AWS Access Management (Users, Groups, Roles, Policies)
  • AWS Security IaC
  • AWS Logging and Monitoring

6 - Secure Deployment

  • Secure Application Deployment from Release Pipeline
  • AWS Systems Manager Agent (SSM)
  • AWS Roles for deployment
  • Deploying without static AWS Credentials

7 - Dynamic Application Security Testing (DAST)

  • Dynamic Application Security testing
  • Integrate DAST tool in Release Pipeline
  • Fixing Dynamic Scan Findings
  • Baseline vs Full Scans

Tools: Zap, DefectDojo

8 - Secure Infrastructure as Code

  • Define Secure Infrastructure with IaC
  • IaC in DevSecOps
  • Create Release Pipeline for IaC Project using GitOps Practices
  • Run Security Checks for IaC code in Release Pipeline

Tools: Terraform, AWS, TFSec

9 - AWS Logging and Monitoring

  • Auditing with AWS CloudTrail
  • Monitoring and Alerting with AWS CloudWatch
  • Billing Alerts for cloud cost spends

10 - K8s Security & Secure Deployment to AWS EKS

  • K8s Security Best Practices
  • K8s Access Management
    • RBAC
    • IAM Roles for AWS EKS, ECR
  • Secure IaC Pipeline for EKS Provisioning

11 - ArgoCD GitOps Pipeline for Microservices App

  • Deploy microservices application in EKS cluster via ArgoCD
  • Secure CI/CD release pipeline for microservices app
  • Kustomize

12 - Policy as Code

13 - Secrets Management

  • Why and Capabilities of Secrets Management Tools
  • HashiCorp Vault - How Vault works
  • How Secrets work in K8s - External Secrets Operator
  • Intro to AWS KMS and Secrets Manager
  • Create SecretsStore and store Secrets
  • Reference secret in microservice

14 - Service Mesh

  • How Service Mesh and Istio works
  • mTLS Deep Dive
  • Deploy Istio and Configure Secure Gateway
  • Configure Traffic Routing
  • Deep Dive of Authorization in Istio
  • Istio Policies vs K8s Network Policies
  • Configure Authorization Policies to restrict access

15 - Compliance as Code

  • CIS Benchmarks
  • Governance & Compliance
  • Compliance as Code

16 - DevSecOps in Organisations

  • Strategies for promoting a DevSecOps culture
  • Steps for adopting DevSecOps Principles in Organisation