DevSecOps

Overview

DevOps is the fastest growing trend in technology and has changed the way businesses and organizations operate. The growth of DevOps has in turn enhanced the need for DevOps security which can protect organizations against threat. Security in DevOps is called DevSecOps and it is successful only when it becomes part of the DevOps culture and is embraced by everyone on the team. This session covers DevOps concepts, DevOps tools like Jenkins, SonarQube, nexus, OWSAP. On this course student will learn DevSecOp pipeline using Jenkins and Gitlab.

 

Objectives

• After the completion of course participants will have a deep understanding and working hands on experience to plan design and implement DevSecOps flow.
• Understand the core concepts of DevOps   
• Create and manage repositories on GitHub 
• Install and configure Jenkins Master node 
• Install and Configure Jenkins Slave Node 
• Create a Pipeline job to automate git clone, maven package, 
• Add spring boot java webapp server to pipeline 
• Integrate SonarQube and sonar static code analysis in pipeline job 
• Owsap – web app security scanning  
• Integrate Nexus and Archive artifacts in pipeline job 
• Understand docker and Kubernetes 
• Install docker, create your own docker image, Docker hub and docker volume 
• Integrate Jenkins with docker in CI/CD pipeline

 

Audience

• The Program is targeted for DevOps engineers /build & release engineers /Software development and test engineers/Security engineers and technology leaders who aspire to include Security in the overall DevOps flow and transform to DevSecOps.
• Anyone involved or interested in learning about DevSecOps strategies and automation
• Anyone involved in Continuous Delivery toolchain architectures
• Compliance Team
• Business Managers
• Delivery Staff
• DevOps Engineers
• IT Managers
• IT Security Professionals, Practitioners, and Managers
• Maintenance and support staff
• Managed Service Providers
• Project and Product Managers
• Quality Assurance Teams
• Release Managers
• Scrum Masters
• Site Reliability Engineers
• Software Engineers
• Testers

 

Pre- requisites 

• Participants should have baseline knowledge and understanding of common DevOps definitions and principles.

• An understanding of software development

• Familiarity with the Linux command line

 

Duration: 5 days – 35 hrs

 

Course Content

Module 1: DevOps Big Picture (Theory)

• What and why of DevOps

• DevOps Tools – Overview and Use case
• Source Control Management (SCM Tools)
• Continuous Integration
• Static ode Analysis Tool
• Storage Artifacts
• Continuous Deployment
• Containerization
• Configuration Management

 

Module 2: DevOps in Action (Hands on Lab by students)

• SCM Live demo
• GitHub – Create an account and fork your application code
• Git clone the GitHub code, use maven to compile and package java source code
• Deploy .jar file manually
• Continuous Integration Tool – (Hands on Lab by students)
• Jenkins – Deploy Jenkins on Ubuntu 14.04 server ( each student will deploy his Jenkins server)
• Continuous Integration setup – Jenkins and GitHub
• Code Packaging automation – (Hands on Lab by students)
• Automation Maven test, Compile and Package (.jar) using Jenkins
• Static Code Analysis – (Hands on Lab by student) o Understand SonarQube ( deployed by trainer)
• Understand SonarQube
• Deploy and configure SonarQube
• Students to Integrate Jenkins (CI) server with SonarQube (lab by students)
• SonarQube – static code analysis and set quality gates
• Storage Artifact – ( Hands on Lab by students) 
• Understand Nexus
• Deploy and configure nexus
• Nexus storage artifact integration
• Store your end software products in Nexus                   
• Continuous Deployment – (Hands on Lab by students)
• Add slave nodes to Jenkins
• Automate deployment of your .jar file to server
• Building Pipeline scripts and stages in SDLC
• Add Cucumber test- automation in pipeline

 

Secure SDLC and CI/CD pipeline

• What is Secure SDLC
• Secure SDLC Activities and Security Gates
• Security Requirements (Requirements)
• Threat Modelling (Design)
• Static Analysis and Secure by Default (Implementation)
• Dynamic Analysis (Testing)
• OS Hardening, Web/Application Hardening (Deploy)
• Security Monitoring/Compliance (Maintain)
• DevSecOps Maturity Model (DSOMM)
• Maturity levels and tasks involved
• 4-axes in DSOMM
• How to go from Maturity Level 1 to Maturity Level 4
• Best practices for Maturity Level 1
• Considerations for Maturity Level 2
• Challenges in Maturity Level 3
• Dream of achieving Maturity Level 2
• Usings tools of the trade to do the above activities in CI/CD.
• Embedding Security as part of CI/CD pipeline.
• DevSecOps and challenges with Pen testing and Vulnerability Assessment
• Hands-on: Create a CI/CD pipeline suitable for modern application
• Hands-on: Manage the findings in a fully automated pipeline
• Add OWSAP web Application vulnerability check in pipeline

 

Understanding Docker

• Module Introduction
• What is Virtualization
• What are Containers
• Containerization and virtualization differences
• Case study: 100 developer environment
• Difference between win and Linux containers
• Docker ecosystem and components

 

Installing Docker

• Module Introduction
• Install Docker on centos 7

 

Containers On Centos 7 Docker host

• Module Introduction
• Deploy ,Login, exit container
• List, Start, Stop, restart containers
• Where containers are stored
• Working with container hostnames
• Working on multiple containers
• Container stats and inspect
• Container networking
• Deleting containers

 

Docker Images

• Module Introduction
• Introduction to Docker Images
• Docker hub – create your account
• Explore and pull images from docker hub
• Docker commit Build and Push Your own image
• Launch container using your own image
• Build Your own image using docker File

 

Jenkins with docker pipeline

• Create a pipeline which will dockerise the application and deploy application on a docker container

 

Ansible Big Picture (Theory)

• What and why of Ansible
• Ansible use cases and terminologies
• Controller server
• Nodes
• Playbook
• Ansible tower

 

Ansible management server deployment (Hands on Lab by students)

• Ansible– Deploy a centos7 server
• Ssh to centos7 server
• Install and configure Ansible
• Create password less authentication keys
• Define nodes to be managed by ansible control server

 

Ansible Node server deployment ( Hands on Lab by students)

• Deploy a RHEL server + 1 ubuntu 16.04 server
• Ssh to centos7 server
• Create password less authentication keys

 

Ansible HTTPD Playbook for RHEL node( Hands on Lab by students)

• Create a httpd playbook directory
• Write .yml file
• Write httpd package install code for RHEL server
• Write httpd service restart code
• Write template resource type to push index.html and log.png to node
• Write user and group creation code
• Apply the playbook on centos node and validate if website is up

 

Ansible Apache2 Playbook for ubuntu node (Hands on Lab by students)

• Create an apache2 playbook directory
• Write .yml file
• Write apache2 package install code for ubuntu server
• Write apache2 service restart code
• Write template resource type to push index.html and log.png to node
• Write user and group creation code
• Apply the playbook on ubuntu node and validate if website is up

 

Ansible Windows 2016 server node deployment (Hands on Lab by students)

• Deploy a windows 2016 server
• Configure it as windows node under ansible management

 

Playbook for windows 2016 node (Hands on Lab by students)

• Create a its playbook directory
• Write resource code to automate iis role on windows server
• Apply the playbook on Windows node and validate if website is up

 

Kubernetes (Hands on lab by students)

• Kubernetes architecture overview
• Deploy Kubernetes master
• Deploy Kubernetes minion node 1

 

Jenkins with Kubernetes Integration (Hands on lab by students)

• Create a new pipeline script which deploys application on Kubernetes
• Configure a docker slave node with Jenkins
• Fork source code
• Run job which uses docker, SonarQube, nexus by Jenkins CI/CD pipeline

 

Jenkins with ansible integration (Hands on lab by students)

• Create Jenkins Job to compile package a java webapp file
• Define ansible nodes
• Integrate ansible in Jenkins pipeline to deploy web app to Ubuntu servers
• Questions and Answers