Provided by SANS
Qualification level
Study type
Distance learning
View Website
View Website

About the course

This course, Secure DevOps: A Practical Introduction (DEV534) explains the fundamentals of DevOps, and how DevOps teams can build and deliver secure software. It will explain the principles and practices and tools in DevOps and how they can be leveraged to improve the reliability, integrity and security of systems.

What Does the Course Cover?

This course will introduce students to DevOps principles, practices and tools and explain how Secure DevOps can be implemented, using lessons from successful DevOps security programs.

Students will build up a DevOps CI/CD toolchain, understand how code is automatically built, tested and deployed, using popular open source tools including git, Puppet, Jenkins and Docker.

In a series of labs they will inject security into a CI/CD toolchain, and learn about the tools, patterns and techniques to do this.

The course will make extensive use of open source materials and tooling for automated configuration management ("Infrastructure as Code"), Continuous Integration, Continuous Delivery and Continuous Deployment, containerization and micro-segmentation, and automated compliance ("Compliance as Code") and monitoring.


Course Syllabus

DEV534.1: Introduction to Secure DevOps


An introduction to DevOps practices, principles and tooling. How DevOps works, and how work is done in DevOps. The importance of culture, collaboration and automation in DevOps.

We will look at case studies of DevOps "Unicorns": the Internet tech leaders who have created the DNA for DevOps, and understand how and why they succeeded. We will also introduce the keys to their DevOps security programs.

Then we will explain Continuous Delivery - the automation engine in DevOps - and explain how to build up a Continuous Delivery or Continuous Deployment pipeline. We'll map out how security controls and gates can be folded into or wired into the CD pipeline, and how to automate security checks and tests in CD.

CPE/CMU Credits: 6


  • Introduction to DevOps
  • Case studies on DevOps Unicorns: Etsy, Netflix, Facebook, Amazon and Google
  • DevOps Principles
  • Working in DevOps
  • From Continuous Integration to Continuous Delivery
  • Building a CD Pipeline
  • Deployment Kata
  • Secure Continuous Delivery: Challenges and Issues
  • Introducing Security into CD
  • Static Analysis in CD. An overview of the SAST landscape, and challenges and approaches for running static analysis checking in CD. Building a self-service static analysis service for engineers.
  • Automated security testing and scanning in CI/CD. How to write automated security tests - unit tests, system tests and attacks. How to use tools like Gauntlt. Integrating Dynamic Analysis Security Testing (DAST) and fuzzing in CD.


DEV534.2: Moving to Production


Building on the ideas and frameworks developed in Day 1, we'll explain how vulnerability management and manual testing (including pen testing) fits into DevOps and CD.

Then we'll look at run-time security options, including RASP and other run-time defense technologies.

Because the automated CD pipeline is so critically important to DevOps, we'll look at how to secure the pipeline, including how to protect the secrets that all of these automated tools require.

Then we'll look at security and the run-time environment. We'll explain the keys to secure Infrastructure as Code, using modern automated configuration management tools like Puppet, Chef and Ansible. We will also look at containerization and security issues when using containers like Docker.

Finally we will explain how to build compliance into Continuous Delivery, using the security controls and gates that we've already built in.

CPE/CMU Credits: 6


  • Pen Testing and Manual Assessments - how do they fit in DevOps?
  • Vulnerability Management in CD
  • Securing your Software Supply Chain. Building a bill of materials for your systems. Standardizing on fewer, better suppliers.
  • Securing your CD Pipeline. Threat modeling and locking down your build and deployment environment.
  • Runtime Checks and Monitoring - monkeys and smart checks.
  • Run-time Defense: RASP , IAST and other run-time security solutions
  • Security in Monitoring. Using production metrics and insight to drive improvements in your security program.
  • Red Teaming, Bug Bounties and Blameless Postmortems
  • Secure Infrastructure as Code. Building security policies into infrastructure code
  • Security with Puppet lab
  • Managing Secrets. The problem of secrets in automated environment. Patterns - and anti-patterns - for managing secrets.
  • Container Security - introduction to containers, Docker, and Docker security risks and tools.
  • Compliance as Code. How to satisfy compliance requirements using Continuous Delivery and Continuous Deployment.
  • Going Forward: introducing security into DevOps - and DevOps into security. Quick Wins and long-term investments needed to succeed.


Who Should Attend

This course is intended for:

  • Developers, software architects, operations engineers and system admins working in a DevOps environment, or transitioning to a DevOps environment, who want to understand how and where to add security checks, testing and other controls.
  • Security analysts, security engineers, auditors and risk managers, security consultants and pen testers who want to understand how to adapt security practices to DevOps and Continuous Delivery.


What You Will Receive

  • Course Books
    • Day 1: Introduction to DevOps, Continuous Delivery and Secure DevOps
    • Day 2: Moving a system to Production using Secure Continuous Delivery
  • Lab Workbook
  • Lab environment
  • Extensive links to resources on DevOps, Continuous Delivery/Deployment, case studies, tools and practices


You Will Be Able To

  • Understand the core principles and patterns behind DevOps. How work is done in DevOps, and what the keys to success in DevOps are
  • Map out and implement a Continuous Delivery/Deployment pipeline
    • How to do a Value Stream Map of the processes and workflows in making code or configuration changes - from check-in to deployment and operations.
    • How Continuous Integration, Continuous Delivery and Continuous Deployment work - the workflows, patterns and tools.
    • Identify the security risks and issues in DevOps and Continuous Delivery.
  • Map out where security controls and checks can be added in Continuous Delivery and Continuous Deployment
    • Conduct effective risk assessments and threat modeling in a rapidly changing environment.
    • Design and write automated security tests and checks in CI/CD. Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery.
    • Implement self-service security services for developers.
    • Inventory your software dependencies and secure them.
    • Threat model and secure your build and deployment environment.
  • Integrate security into production operations
    • Automate security policies.
    • Leverage container technologies (such as Docker) for security.
    • Automate compliance and run-time defense.
    • Create continuous feedback loops from production to engineering.
  • Create a plan for introducing - or improving - security in a DevOps environment. How to use DevOps to secure DevOps.


Hands-on Training

  • Understanding how a Continuous Delivery/Deployment pipeline works
  • The DevOps Deployment Kata
  • How to implement static analysis testing into CD
  • How to write automated security tests in CD
  • Security in system monitoring
  • Infrastructure as Code - securing a Puppet manifest
  • Container Security - finding vulnerabilities in Docker configurations
  • Automated auditing



Contact the course provider: