Abdo
Jul 30, 2020

Certificated DevSecOps Professional course review

I am a security engineer by trade, and I say that because many people like to differentiate by naming conventions: pen tester, security design engineer, security ops, secure software developer, etc. I just like all things about security, whether breaking or building it.

With limited knowledge of DevOps, I have recently taken the Practical DevSecOps professional training course. Prior to this course I had attended many conferences on DevSecOps, and online training or courses delivered by very large companies (e.g. the Microsoft Azure SecDevOps training course). In almost all the talks and training that I have attended, practical hands-on work was either non-existent or limited.

You will often hear "shift to the left" and "one step to the right", SecDevOps, DevSecOps, and almost all talks refer to how security should be embedded into every stage of the DevOps pipeline. But what does it really mean?

DevSecOps is when you marry DevOps with Security. A marriage without harmonizing the relationship and building the foundation is essentially a recipe for disaster. In the world of DevSecOps there is equally the concept of "Shitting to the left": you give developers a bunch of tools to run the scanner and let them review. Well, you will soon be either getting the silent treatment or their bosses will complain about these tools. Just like the Marriage at first sight TV series, you will often hear these couples talking about communication issues. In DevSecOps I will guarantee you that when developers have had enough of your false positives, they will never review the scan results and the organisation will suffer the cost of tools that are barely used to their maximum capacity. In Practical DevSecOps you learn to set the expectations right and understand the different maturity levels that an organisation should be aiming for.

More than just the basic knowledge, I have also gained valuable practical experience implementing security at every stage. These practical exercises included security assessment at the build, test, delivery and deployment stages, involving secret scanning, SCA, SAST, DAST, Compliance as Code, system hardening using Ansible, and vulnerability management, to eventually give a single pane of glass to the organisation.

Practical DevSecOps single-handedly was the best training that I have done so far (considering that I have had a few prior to this course). The course content was very well structured, easy to understand, and gets you ready to go out and do real-world tasks. The delivery of this course focused on knowing what you need to do and doing it with maturity (these are called the DevSecOps gospel). I would highly recommend this course for anyone wanting to discover and learn how to integrate security in their DevOps, or even gain the knowledge to enter this field.

Kudos to the Practical DevSecOps team for putting this training course together.