Implementation and work in DevSecOps: course from Otus, 88,000 rub., 5 months of training, date October 30, 2023.
Miscellaneous / November 30, 2023
Today we constantly face hacker attacks, email fraud and data leaks. Online work has become a business requirement and a new reality. Developing and maintaining code and protecting infrastructure with security in mind is becoming a paramount requirement for IT specialists. These are the specialists who are the highest paid and most in demand among large employers: Microsoft, Google, Amazon Web Services, Mail.Ru Group, Yandex, Sberbank and others.
Who is this course for?
Developing infrastructure and application stacks in the continuous flow of Agile DevOps changes requires continuous work with information security tools. The traditional perimeter-focused security model no longer works. In DevOps, responsibility for security falls on all participants in the Dev[Sec]Ops process.
The course is intended for specialists in the following profiles:
- Developers
- DevOps engineers and administrators
- Testers
- Architects
- Information security specialists
- Specialists who want to learn how to develop and maintain applications and infrastructure with a high degree of protection from external and internal attacks in an automated DevSecOps process.
Purpose of the Course
Successful implementation of DevSecOps is possible only with an integrated approach to Tools, Business Processes and People (Participant Roles). The course provides knowledge on all three elements and was originally developed to support a project transforming a working CI/CD toolchain and DevOps process into a full DevSecOps practice using the latest automated security tools.
The course will cover the security features of the following types of applications:
- Traditional monolithic 2/3-Tier applications
- Kubernetes applications, in your own data center or in a public cloud (EKS, AKS, GKE)
- Mobile iOS and Android applications
- Applications with REST API back-end
The integration and use of the most popular open source and commercial information security tools will be considered.
The course emphasizes Scrum/Kanban practices, but the approaches and tools can also be used in the traditional Waterfall project management model.
Knowledge and skills you will acquire
- Transition from the “perimeter protection” security model to the “protection of all layers” model
- Dictionary, terms and objects used in information security tools - CWE, CVE, Exploit, etc.
- Basic standards, methods, sources of information - OWASP, NIST, PCI DSS, CIS, etc.
You will also learn how to integrate into CI/CD and use information security tools from the following categories:
- Analysis of possible attacks (Threat Modeling)
- Static analysis of source code for security (SAST)
- Dynamic application security analysis (IAST/DAST)
- Analysis of the use of third-party and open source software (SCA)
- Testing the configuration for compliance with security standards (CIS, NIST, etc.)
- Configuration Hardening, Patching
- Application of Secrets and Certificates Management
- Applying protection for REST-API inside micro-service applications and on the back-end
- Application of Web-Application Firewall (WAF)
- Next generation firewalls (NGFW)
- Manual and automated penetration testing (Penetration Testing)
- Security monitoring and response to events in information security (SIEM)
- Forensic Analysis
In addition, team leaders will receive recommendations on practices for successfully implementing DevSecOps:
- How to prepare and successfully conduct a mini-tender and PoC for the selection of tools
- How to change the roles, structure and areas of responsibility of development, support, information security teams
- How to adapt business processes of product management, development, maintenance, information security
Over 12 years of work in IT, I have worked as a developer, tester, DevOps and DevSecOps engineer in companies such as NSPK (developer of the MIR card), Kaspersky Lab, Sibur and Rostelecom. Currently I am the head of secure development at Digital Energy (Rostelecom group of companies). My practical experience is based on knowledge of the languages C#, F#, dotnet core, python, and on the development and integration of various DevOps and DevSecOps practice tools (SAST/SCA, DAST/IAST, web application scanning, infrastructure analysis, mobile application scanning). I have extensive experience in deploying and supporting k8s clusters, and work with cloud providers. I conduct security audits and deploy service meshes. I am the author of my own courses on programming, testing, relational and non-relational databases, working with cloud providers and administering bare-metal servers. Speaker at international conferences.
Information Security Analyst, Sovcombank
Experience in information security since 2018. Specialization:
- Infrastructure security control
- Building vulnerability management processes for various platforms (microservices and DevOps, host OS, network equipment OS, mobile, DB, virtualisation)
- Management of information security policies and requirements within infrastructure and project development.
Teacher
Has been auditing commercial networks since 2017. Participated in the development of a security model for the interstate bank of Ukraine "AT Oschadbank". The main feature of testing is pentest using the "black box" method. Working with python and bash since 2016. Experience in working with unix systems, in particular distributions based on Debian.
Teacher
Information security knowledge base
- Topic 1. Dictionary, terms, standards, methods, sources of information used in information security tools
- Topic 2. Basic principles of ensuring information security of the application stack and infrastructure
OWASP Vulnerability Overview
- Topic 3. Analysis of OWASP Top 10 Web vulnerabilities
- Topic 4. Analysis of OWASP Top 10 vulnerabilities - REST API
Features of developing secure code and using frameworks
- Topic 5. Secure development in HTML/CSS and PHP
- Topic 6. Secure development and software code vulnerabilities
- Topic 7. Secure development in Java/Node.js
- Topic 8. Secure development in .NET
- Topic 9. Secure development in Ruby
Development of secure container and serverless applications
- Topic 10. Ensuring security in Linux OS
- Topic 11. Ensuring security in Docker containers
- Topic 12. Securing Kubernetes
Integration and work with information security tools within DevSecOps
- Topic 13. Ensuring the security of the CI/CD toolchain and DevOps process
- Topic 14. Review of DevSecOps tools
- Topic 15. Security analysis of source code (SAST/DAST/IAST)
- Topic 16. Using protection for REST-API inside micro-service applications and on the back-end
- Topic 17. Use of Web-Application Firewall (WAF) for Web protection, REST API, Bot protection
- Topic 18. Modern network perimeter security tools (NGFW/Sandbox)
- Topic 19. Threat modeling and penetration testing
- Topic 20. Security monitoring and response to events in information security (SIEM/SOAR)
- Topic 21. Project plan and methodology for transforming an organization into DevSecOps
Project module
- Topic 22. Selecting a topic
- Topic 23. Consultations and discussions of project work
- Topic 24. Defense of projects