SANS OnDemand - 45+ Courses Available Today - View a Demo for an Hour of Free Content

Security West 2018

San Diego, CA | Fri, May 11 - Fri, May 18, 2018
This event is over,
but there are more training opportunities.

Due to high demand for Security training at SANS Security West 2018, the following courses will take place at the Marriott Marquis San Diego Marina: SEC503, SEC505, SEC542, MGT414, MGT512, and MGT517. The hotel neighbors the Manchester Grand Hyatt and is accessible from both Harbor Drive and the Bayfront. Courseware Distribution and Event Check-In for these six courses will take place at the Marriott Marquis San Diego on: Thursday, May 10 from 5:00 p.m. to 7:00 p.m. and Friday, May 11 from 7:00 a.m. to 9:00 a.m. Badge and Courseware Distribution for these classes will only be available at the Marriott Marquis San Diego Marina. We are hosting the "Welcome to SANS Talk" on the morning of Friday, May 11 at each venue but all additional SANS@Night presentations will take place at the Manchester Grand Hyatt. Please check the schedule tab for the bonus sessions. We thank you in advance for your understanding.

DEV534: Secure DevOps: A Practical Introduction

Thu, May 17 - Fri, May 18, 2018

This course, Secure DevOps: A Practical Introduction (DEV534) explains the fundamentals of DevOps, and how DevOps teams can build and deliver secure software. It will explain the principles and practices and tools in DevOps and how they can be leveraged to improve the reliability, integrity and security of systems.

What Does the Course Cover?

This course will introduce students to DevOps principles, practices and tools and explain how Secure DevOps can be implemented, using lessons from successful DevOps security programs.

Students will build up a DevOps CI/CD toolchain, understand how code is automatically built, tested and deployed, using popular open source tools including git, Puppet, Jenkins and Docker.

In a series of labs they will inject security into a CI/CD toolchain, and learn about the tools, patterns and techniques to do this.

The course will make extensive use of open source materials and tooling for automated configuration management ("Infrastructure as Code"), Continuous Integration, Continuous Delivery and Continuous Deployment, containerization and micro-segmentation, and automated compliance ("Compliance as Code") and monitoring.


You Will Learn:

  • Foundations and principles of DevOps, Continuous Delivery and Continuous Deployment
  • The security risks and challenges that DevOps introduces
  • The keys to successful DevOps security programs
  • How to build security into Continuous Delivery and Continuous Deployment. The tools, patterns and techniques of security automation in DevOps
  • How to secure your build and deployment environment and tool chain
  • How to leverage Infrastructure as Code for secure configuration management and provisioning
  • How manual security practices (risk assessments, audits and pen tests) can be adapted to continuously changing environments, and the important role that they still play
  • Security risks and challenges that containers introduce - and how to secure container technology
  • How to automate compliance in DevOps, using the DevOps Audit Defense Toolkit


Course Content Overlap Notice:

Please note that course material for DEV540 and DEV534 overlaps. Days 1 and 2 of DEV540 contains material that is covered in DEV534. We recommend DEV540 for those interested in DevOps and cloud application security with Amazon Web Services (AWS). DEV534 only covers Secure DevOps topics.

Course Syllabus

Gregory Leonard
Thu May 17th, 2018
9:00 AM - 5:00 PM


An introduction to DevOps practices, principles and tooling. How DevOps works, and how work is done in DevOps. The importance of culture, collaboration and automation in DevOps.

We will look at case studies of DevOps "Unicorns": the Internet tech leaders who have created the DNA for DevOps, and understand how and why they succeeded. We will also introduce the keys to their DevOps security programs.

Then we will explain Continuous Delivery - the automation engine in DevOps - and explain how to build up a Continuous Delivery or Continuous Deployment pipeline. We'll map out how security controls and gates can be folded into or wired into the CD pipeline, and how to automate security checks and tests in CD.

CPE/CMU Credits: 6

  • Introduction to DevOps
  • Case studies on DevOps Unicorns: Etsy, Netflix, Facebook, Amazon and Google
  • DevOps Principles
  • Working in DevOps
  • From Continuous Integration to Continuous Delivery
  • Building a CD Pipeline
  • Deployment Kata
  • Secure Continuous Delivery: Challenges and Issues
  • Introducing Security into CD
  • Static Analysis in CD. An overview of the SAST landscape, and challenges and approaches for running static analysis checking in CD. Building a self-service static analysis service for engineers.
  • Automated security testing and scanning in CI/CD. How to write automated security tests - unit tests, system tests and attacks. How to use tools like Gauntlt. Integrating Dynamic Analysis Security Testing (DAST) and fuzzing in CD.

Gregory Leonard
Fri May 18th, 2018
9:00 AM - 5:00 PM


Building on the ideas and frameworks developed in Day 1, we'll explain how vulnerability management and manual testing (including pen testing) fits into DevOps and CD.

Then we'll look at run-time security options, including RASP and other run-time defense technologies.

Because the automated CD pipeline is so critically important to DevOps, we'll look at how to secure the pipeline, including how to protect the secrets that all of these automated tools require.

Then we'll look at security and the run-time environment. We'll explain the keys to secure Infrastructure as Code, using modern automated configuration management tools like Puppet, Chef and Ansible. We will also look at containerization and security issues when using containers like Docker.

Finally we will explain how to build compliance into Continuous Delivery, using the security controls and gates that we've already built in.

CPE/CMU Credits: 6

  • Pen Testing and Manual Assessments - how do they fit in DevOps?
  • Vulnerability Management in CD
  • Securing your Software Supply Chain. Building a bill of materials for your systems. Standardizing on fewer, better suppliers.
  • Securing your CD Pipeline. Threat modeling and locking down your build and deployment environment.
  • Runtime Checks and Monitoring - monkeys and smart checks.
  • Run-time Defense: RASP , IAST and other run-time security solutions
  • Security in Monitoring. Using production metrics and insight to drive improvements in your security program.
  • Red Teaming, Bug Bounties and Blameless Postmortems
  • Secure Infrastructure as Code. Building security policies into infrastructure code
  • Security with Puppet lab
  • Managing Secrets. The problem of secrets in automated environment. Patterns - and anti-patterns - for managing secrets.
  • Container Security - introduction to containers, Docker, and Docker security risks and tools.
  • Compliance as Code. How to satisfy compliance requirements using Continuous Delivery and Continuous Deployment.
  • Going Forward: introducing security into DevOps - and DevOps into security. Quick Wins and long-term investments needed to succeed.

Additional Information



A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to class beginning. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 10, VMware Fusion 7.0, or VMware Station Player 7.0. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.

VMware Workstation Player is a free download that does not need a commercial license. Most students find VMware Workstation Player adequate for the course.

Mandatory Laptop Requirements

Mandatory Host Hardware Requirements

  • CPU: 2.5+ GHz multi-core processor or higher
  • Memory: 16GB of RAM minimum
  • Hard Disk: Solid State Drive (SSD) is REQUIRED with 50GB of free disk space minimum
  • Working USB 2.0 or higher port
  • The student should have the capability to have Local Administrator Access within their host operating system

Mandatory Host Operating System Requirements

You must bring a laptop with one of the following operating systems. These operating systems have been verified to be compatible with course VMware image:

  • Windows (7, 8, or 10)
  • Mac OS X (Mountain Lion, Yosemite, El Capitan)

Mandatory Software Requirements

Please ensure the following software is installed on the host operating system prior to class:

  • VMware Workstation 10+, VMware Workstation Player 7+, or VMware Fusion 7+
  • Zip File Utility with support for large files (7Zip for Windows, The Unarchiver for Mac). The built-in operating system zip utility has NOT been sufficient.


  • Bring the proper system hardware and operating system configuration
  • Install VMware (Workstation, Workstation Player, or Fusion) and confirm that you can launch a VM.
  • Make sure you have a working USB drive. The course VM will be copied onto your laptop from a USB key provided by SANS.

If you have additional questions about the laptop specifications, please contact

This course is intended for:

  • Developers, software architects, operations engineers and system admins working in a DevOps environment, or transitioning to a DevOps environment, who want to understand how and where to add security checks, testing and other controls.
  • Security analysts, security engineers, auditors and risk managers, security consultants and pen testers who want to understand how to adapt security practices to DevOps and Continuous Delivery.

Students should have the following:

  • Basic understanding of application security, common attacks and vulnerabilities (e.g., the OWASP Top 10)
  • Some familiarity with Agile development and Agile project/product management practices
  • Basic familiarity with Linux command shells
  • Course Books
    • Day 1: Introduction to DevOps, Continuous Delivery and Secure DevOps
    • Day 2: Moving a system to Production using Secure Continuous Delivery
  • Lab Workbook
  • Lab environment
  • Extensive links to resources on DevOps, Continuous Delivery/Deployment, case studies, tools and practices
  • Understand the core principles and patterns behind DevOps. How work is done in DevOps, and what the keys to success in DevOps are
  • Map out and implement a Continuous Delivery/Deployment pipeline
    • How to do a Value Stream Map of the processes and workflows in making code or configuration changes - from check-in to deployment and operations.
    • How Continuous Integration, Continuous Delivery and Continuous Deployment work - the workflows, patterns and tools.
    • Identify the security risks and issues in DevOps and Continuous Delivery.
  • Map out where security controls and checks can be added in Continuous Delivery and Continuous Deployment
    • Conduct effective risk assessments and threat modeling in a rapidly changing environment.
    • Design and write automated security tests and checks in CI/CD. Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery.
    • Implement self-service security services for developers.
    • Inventory your software dependencies and secure them.
    • Threat model and secure your build and deployment environment.
  • Integrate security into production operations
    • Automate security policies.
    • Leverage container technologies (such as Docker) for security.
    • Automate compliance and run-time defense.
    • Create continuous feedback loops from production to engineering.
  • Create a plan for introducing - or improving - security in a DevOps environment. How to use DevOps to secure DevOps.
  • Understanding how a Continuous Delivery/Deployment pipeline works
  • The DevOps Deployment Kata
  • How to implement static analysis testing into CD
  • How to write automated security tests in CD
  • Security in system monitoring
  • Infrastructure as Code - securing a Puppet manifest
  • Container Security - finding vulnerabilities in Docker configurations
  • Automated auditing

"A fast-paced and illustrative two-days on the current state of security for DevOps. Well worth the time invested to take the class." - Michael Machado, Ring Central

"I have read a lot, and watched a lot of webinars, about DEV Sec Ops. But none of those told me how to implement security in the DEV Ops pipeline. This course provided me with a ton of concrete steps I can take to integrate the security into our company." - Matthew Theobald, Schneider Electric

"Given the substantial breadth of security topics covered, I was impressed by the incredible technical depth throughout this course, and the well-researched links to resources to facilitate further learning and practical implementation." - Brett Vasconcellos

"The material/contents of this class is excellent. It help me learn all the tools that are relevant to work." - Hoan Le, Ring Central

Author Statements

DevOps is already radically changing the way that organizations design, build, deploy and operate online systems. DevOps leaders like Amazon, Etsy and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning and continuously improving and continuously growing - and leaving their competitors far behind. Now DevOps is making its way from Internet "Unicorns" and cloud providers into enterprises.

Traditional approaches to security can't come close to keeping up with this rate of accelerated change and with engineering and operations teams who have broken down "the walls of confusion" between their organizations and are increasingly leveraging new kinds of automation: Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers and cloud service platforms.

Security must be reinvented in a DevOps world.

- Ben Allen and Jim Bird