Two Days Left to Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or vLive Training!

Cyber Defense Initiative® 2016

Washington, DC | Sat, Dec 10 - Sat, Dec 17, 2016
This event is over,
but there are more training opportunities.

DEV534: Secure DevOps: A Practical Introduction Waitlist

Sat, December 10 - Sun, December 11, 2016

This course, Secure DevOps: A Practical Introduction (DEV534) explains the fundamentals of DevOps, and how DevOps teams can build and deliver secure software. It will explain the principles and practices and tools in DevOps and how they can be leveraged to improve the reliability, integrity and security of systems.

What Does the Course Cover?

This course will introduce students to DevOps principles, practices and tools and explain how Secure DevOps can be implemented, using lessons from successful DevOps security programs.

Students will build up a DevOps CI/CD toolchain, understand how code is automatically built, tested and deployed, using popular open source tools including git, Puppet, Jenkins and Docker.

In a series of labs they will inject security into a CI/CD toolchain, and learn about the tools, patterns and techniques to do this.

The course will make extensive use of open source materials and tooling for automated configuration management ("Infrastructure as Code"), Continuous Integration, Continuous Delivery and Continuous Deployment, containerization and micro-segmentation, and automated compliance ("Compliance as Code") and monitoring.


You Will Learn:

  • Foundations and principles of DevOps, Continuous Delivery and Continuous Deployment
  • The security risks and challenges that DevOps introduces
  • The keys to successful DevOps security programs
  • How to build security into Continuous Delivery and Continuous Deployment. The tools, patterns and techniques of security automation in DevOps
  • How to secure your build and deployment environment and tool chain
  • How to leverage Infrastructure as Code for secure configuration management and provisioning
  • How manual security practices (risk assessments, audits and pen tests) can be adapted to continuously changing environments, and the important role that they still play
  • Security risks and challenges that containers introduce - and how to secure container technology
  • How to automate compliance in DevOps, using the DevOps Audit Defense Toolkit


Course Syllabus

Ben Allen ,
Frank Kim
Sat Dec 10th, 2016
9:00 AM - 5:00 PM


An introduction to DevOps practices, principles and tooling. How DevOps works, and how work is done in DevOps. The importance of culture, collaboration and automation in DevOps.

We will look at case studies of DevOps "Unicorns": the Internet tech leaders who have created the DNA for DevOps, and understand how and why they succeeded. We will also introduce the keys to their DevOps security programs.

Then we will explain Continuous Delivery - the automation engine in DevOps - and explain how to build up a Continuous Delivery or Continuous Deployment pipeline. We'll map out how security controls and gates can be folded into or wired into the CD pipeline, and how to automate security checks and tests in CD.

CPE/CMU Credits: 6

  • Introduction to DevOps
  • Case studies on DevOps Unicorns: Etsy, Netflix, Facebook, Amazon and Google
  • DevOps Principles
  • Working in DevOps
  • From Continuous Integration to Continuous Delivery
  • Building a CD Pipeline
  • Deployment Kata
  • Secure Continuous Delivery: Challenges and Issues
  • Introducing Security into CD
  • Static Analysis in CD. An overview of the SAST landscape, and challenges and approaches for running static analysis checking in CD. Building a self-service static analysis service for engineers.
  • Automated security testing and scanning in CI/CD. How to write automated security tests - unit tests, system tests and attacks. How to use tools like Gauntlt. Integrating Dynamic Analysis Security Testing (DAST) and fuzzing in CD.

Ben Allen ,
Frank Kim
Sun Dec 11th, 2016
9:00 AM - 5:00 PM


Building on the ideas and frameworks developed in Day 1, we'll explain how vulnerability management and manual testing (including pen testing) fits into DevOps and CD.

Then we'll look at run-time security options, including RASP and other run-time defense technologies.

Because the automated CD pipeline is so critically important to DevOps, we'll look at how to secure the pipeline, including how to protect the secrets that all of these automated tools require.

Then we'll look at security and the run-time environment. We'll explain the keys to secure Infrastructure as Code, using modern automated configuration management tools like Puppet, Chef and Ansible. We will also look at containerization and security issues when using containers like Docker.

Finally we will explain how to build compliance into Continuous Delivery, using the security controls and gates that we've already built in.

CPE/CMU Credits: 6

  • Pen Testing and Manual Assessments - how do they fit in DevOps?
  • Vulnerability Management in CD
  • Securing your Software Supply Chain. Building a bill of materials for your systems. Standardizing on fewer, better suppliers.
  • Securing your CD Pipeline. Threat modeling and locking down your build and deployment environment.
  • Runtime Checks and Monitoring - monkeys and smart checks.
  • Run-time Defense: RASP , IAST and other run-time security solutions
  • Security in Monitoring. Using production metrics and insight to drive improvements in your security program.
  • Red Teaming, Bug Bounties and Blameless Postmortems
  • Secure Infrastructure as Code. Building security policies into infrastructure code
  • Security with Puppet lab
  • Managing Secrets. The problem of secrets in automated environment. Patterns - and anti-patterns - for managing secrets.
  • Container Security - introduction to containers, Docker, and Docker security risks and tools.
  • Compliance as Code. How to satisfy compliance requirements using Continuous Delivery and Continuous Deployment.
  • Going Forward: introducing security into DevOps - and DevOps into security. Quick Wins and long-term investments needed to succeed.

Additional Information


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation, VMware Fusion, or VMware Player on your system prior to class beginning. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 10, VMware Fusion 7.0, or VMware Player 7.0. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.

VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

Mandatory Laptop Requirements

Mandatory Host Hardware Requirements

  • CPU: 2.5+ GHz multi-core processor or higher
  • Memory: 16GB of RAM minimum
  • Hard Disk: 25GB of free disk space minimum
  • Working USB 2.0 or higher port
  • The student should have the capability to have Local Administrator Access within their host operating system

Mandatory Host Operating System Requirements

You must bring a laptop with one of the following operating systems. These operating systems have been verified to be compatible with course VMware image:

  • Windows (7, 8, or 10)
  • Mac OS X (Mountain Lion, Yosemite, El Capitan)

Mandatory Software Requirements

Please ensure the following software is installed on the host operating system prior to class:

  • VMware Workstation 10+, VMware Player 7+, or VMware Fusion 7+
  • Zip File Utility with support for large files (7Zip for Windows, The Unarchiver for Mac). The built-in operating system zip utility has NOT been sufficient.


  • Bring the proper system hardware and operating system configuration
  • Install VMware (Workstation, Player, or Fusion) and confirm that you can launch a VM.
  • Make sure you have a working USB drive. The course VM will be copied onto your laptop from a USB key provided by SANS.

If you have additional questions about the laptop specifications, please contact

This course is intended for:

  • Developers, software architects, operations engineers and system admins working in a DevOps environment, or transitioning to a DevOps environment, who want to understand how and where to add security checks, testing and other controls.
  • Security analysts, security engineers, auditors and risk managers, security consultants and pen testers who want to understand how to adapt security practices to DevOps and Continuous Delivery.

Students should have the following:

  • Basic understanding of application security, common attacks and vulnerabilities (e.g., the OWASP Top 10)
  • Some familiarity with Agile development and Agile project/product management practices
  • Basic familiarity with Linux command shells
  • Course Books
    • Day 1: Introduction to DevOps, Continuous Delivery and Secure DevOps
    • Day 2: Moving a system to Production using Secure Continuous Delivery
  • Lab Workbook
  • Lab environment
  • Extensive links to resources on DevOps, Continuous Delivery/Deployment, case studies, tools and practices
  • Understand the core principles and patterns behind DevOps. How work is done in DevOps, and what the keys to success in DevOps are
  • Map out and implement a Continuous Delivery/Deployment pipeline
    • How to do a Value Stream Map of the processes and workflows in making code or configuration changes - from check-in to deployment and operations.
    • How Continuous Integration, Continuous Delivery and Continuous Deployment work - the workflows, patterns and tools.
    • Identify the security risks and issues in DevOps and Continuous Delivery.
  • Map out where security controls and checks can be added in Continuous Delivery and Continuous Deployment
    • Conduct effective risk assessments and threat modeling in a rapidly changing environment.
    • Design and write automated security tests and checks in CI/CD. Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery.
    • Implement self-service security services for developers.
    • Inventory your software dependencies and secure them.
    • Threat model and secure your build and deployment environment.
  • Integrate security into production operations
    • Automate security policies.
    • Leverage container technologies (such as Docker) for security.
    • Automate compliance and run-time defense.
    • Create continuous feedback loops from production to engineering.
  • Create a plan for introducing - or improving - security in a DevOps environment. How to use DevOps to secure DevOps.
  • Understanding how a Continuous Delivery/Deployment pipeline works
  • The DevOps Deployment Kata
  • How to implement static analysis testing into CD
  • How to write automated security tests in CD
  • Security in system monitoring
  • Infrastructure as Code - securing a Puppet manifest
  • Container Security - finding vulnerabilities in Docker configurations
  • Automated auditing

"A fast-paced and illustrative two-days on the current state of security for DevOps. Well worth the time invested to take the class." - Michael Machado, Ring Central

"I have read a lot, and watched a lot of webinars, about DEV Sec Ops. But none of those told me how to implement security in the DEV Ops pipeline. This course provided me with a ton of concrete steps I can take to integrate the security into our company." - Matthew Theobald, Schneider Electric

"Given the substantial breadth of security topics covered, I was impressed by the incredible technical depth throughout this course, and the well-researched links to resources to facilitate further learning and practical implementation." - Brett Vasconcellos

"The material/contents of this class is excellent. It help me learn all the tools that are relevant to work." - Hoan Le, Ring Central

Author Statement

DevOps is already radically changing the way that organizations design, build, deploy and operate online systems. DevOps leaders like Amazon, Etsy and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning and continuously improving and continuously growing - and leaving their competitors far behind. Now DevOps is making its way from Internet "Unicorns" and cloud providers into enterprises.

Traditional approaches to security can't come close to keeping up with this rate of accelerated change and with engineering and operations teams who have broken down "the walls of confusion" between their organizations and are increasingly leveraging new kinds of automation: Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers and cloud service platforms.

Security must be reinvented in a DevOps world.