Final Exam: Introduction to DevSecOps

WHAT YOU WILL LEARN

• 

  Discuss the evolution and history of computer systems
  

  provide an overview of information security and how it impacts users and organizations
  

  discuss the basic tenants of information security: confidentiality, integrity, and availability
  

  discuss physical security principles such as access, control, surveillance, and security testing
  

  recognize different types of information security including application, cloud, and infrastructure security
  

  outline common information security risks including advanced persistent threats, insider threats, and ransomware
  

  provide an introduction of devops and describe how it can be leveraged by development and it teams
  

  list key benefits of devops including speed, reliability, and collaboration
  

  outline common devops practices including continuous integration, continuous delivery, and automation
  

  list common challenges of adopting devops
  

  provide an overview of the devops lifecycle
  

  differentiate between the waterfall model and the agile model for software development
  

  provide an overview of the continuous integration phase of the devops lifecycle
  

  provide an overview of the continuous testing phase of the devops lifecycle
  

  provide an overview of the continuous deployment phase of the devops lifecycle
  

  discuss the continuous operations phase of the devops lifecycle
  

  discuss the continuous monitoring phase of the devops lifecycle
  

  discuss factors that define devsecops as a methodology or framework
  

  provide an overview of the three ways framework
  

  provide an overview of the calms framework
  

  discuss reasons to integrate security into the application development lifecycle
  

  recognize key differences between agile and devsecops
  

  discuss considerations when migrating from devops lifecycle to devsecops lifecycle
  

  provide an overview of continuous integration / continuous delivery (ci/cd)
  

  describe the fundamental elements of ci/cd
  

  discuss security vulnerabilities associated with the threat modeling phase of the devsecops pipeline
  

  list common devsecops security recommendations such as implementing secure coding guidelines, building security into applications, and validating input data
  

  describe security vulnerabilities associated to the scanning phase of the devsecops pipeline
  

  differentiate between on-premise and cloud solutions and discuss how devsecops can influence each
  

  provide an overview of on-premise software
• 

  discuss measures to ensure security in devops
  

  provide an overview of test-driven security and why it has become a pillar of the devsecops model
  

  provide an overview on how to build a positive devsecops culture
  

  describe how devsecops teams can effectively monitor and respond to security incidents
  

  provide an overview of aws services used for ci/cd including aws codebuild, aws codecommit, and aws codedeploy
  

  outline tools used for continuous testing in aws
  

  outline approaches used to support digital transformation in aws using devsecops
  

  list components required for a successful devsecops implementation in aws including code analysis, change management, compliance, threat modeling, and security training
  

  outline common benefits of practicing devsecops in aws
  

  discuss how to build and deploy containers with azure pipelines
  

  provide an overview of the azure security center and discuss how it can provide unified security management across workloads
  

  recognize how to manage keys and secrets in azure using azure key vault
  

  describe how to manage identities and access with azure ad
  

  describe how azure devops can help plan tasks, collaborate, and build and deploy applications
  

  discuss the secure-by-design foundation and how it can be used to improve risk management
  

  recognize how the gcp security operations suite can be used to detect, investigate, and respond to threats
  

  outline the five layers of gcp security including cloud infrastructure, products and services, security blueprint, blueprints for security posture, workload, and applications, and solution packages
  

  discuss how gcp uses a hierarchy to organize resources allowing for greater job-specific access
  

  describe how gcp enables organizations to implement a zero-trust approach
  

  provide an overview of common security challenges presented by containers such as attack surface size
  

  list common goals of shifting toward devsecops including secure by design and secure by default
  

  discuss reasons why teams are adopting containers
  

  differentiate between kubernetes and docker container orchestration systems
  

  differentiate between virtualization and containerization and explain key benefits provided by both
  

  provide an overview of static analysis security testing (sast), or static analysis
  

  describe dynamic analysis security testing (dast), or dynamic analysis
  

  list common sast and dast devsecops tools including bandit, sonarqube, lgtm, owasp zap, and arachni
  

  describe how vulnerability management is used to identify, evaluate, treat and report on security vulnerabilities
  

  provide an overview of secrets management tools such as vault, torus, keywhiz, envkey, confidant, and aws secrets manager
  

  provide an overview of vulnerability assessment tools such as openvas and docker bench