In 2020 the #DevSecOps trend became visible across DevOps organizations and early adopters: many organizations started initiatives to adopt DevSecOps, or the #ShiftLeft approach, in their existing CI/CD pipelines. I would like to highlight a few findings from the SonarQube DevSecOps 2020 report:
- Happier developers are 2.3x more likely to be using automated security tools.
- 47% of developers don't have time to spend on security, even though they know it's essential.
- 28% of mature DevOps practices confirmed an open source-related breach in the last 12 months.
- Executives are 2x more likely to view security as a competitive differentiator.
Highlights #1 and #2 suggest that an AppSec, InfoSec or DevOps engineer is happier when using automated security tools, yet most of the time they do not have enough time to build security into the CI/CD pipeline, even though they know security is essential for the organization and for themselves as security practitioners. Together these two factors raise a fundamental question: do they actually know how to implement a DevSecOps CI/CD pipeline in their organization?
Therefore, good practical training on DevSecOps is vital for DevOps/AppSec/InfoSec personnel who want to bring the right approach into their current CI/CD pipeline. I recently enrolled in the Practical DevSecOps training, which is delivered by Hysn Technologies Inc, a company that offers DevSecOps training to everyone. There are no demanding prerequisites for enrolling; in the following sections I explain what the Certified DevSecOps Professional (CDP) course is about.
In this course you learn how to handle security at scale using DevSecOps techniques. You start with the fundamentals of DevOps and DevSecOps and then move on to advanced concepts such as Threat Modelling as Code, Software Component Analysis, RASP/IAST, container security, secrets management and more. By the end of the course the student should be able to implement a real DevSecOps approach in the CI/CD pipeline and carry out security tasks at scale: no manual scanning is needed once the DevSecOps tooling does the scaling and becomes part of the DevOps team's workflow.
Course Objective & Course Content
The CDP course takes you through a series of stages and maturity levels for growing a DevSecOps culture in the company. The following topics are covered as part of the course:
- Introduction to DevOps and DevSecOps
- Introduction to the Tools of the trade
- Secure SDLC and CI/CD pipeline
- Software Component Analysis (SCA)
- Static Analysis (SAST) in the CI/CD pipeline
- Dynamic Analysis (DAST) in the CI/CD pipeline
- Infrastructure as Code and its security features
- Compliance as Code
- Vulnerability Management with
- Build a culture of sharing and cooperation among stakeholders on application and system security.
- Begin or mature the application security program using DevSecOps practices.
- Scale the security team's efforts to cover the entire threat surface.
- Integrate security into DevOps and CI/CD, and start or mature the application security program using modern DevOps SDLC activities.
- Harden your systems using Infrastructure as Code and enforce the baseline with Compliance as Code tools and methods.
- Integrate and correlate vulnerability findings from automated tools to detect false positives at scale.
Who Should Attend?
- Security Professionals
- Penetration Testers
- IT managers
- Red Teamers
- DevOps Engineers
CDP Exam Details
How I Studied and Prepared for the CDP Exam
I enrolled in the CDP course in June 2020. Due to the #covid19 pandemic, the training originally planned on-site in a hotel was changed to online training, so the 3-day face-to-face course became a 4-day online course. Below is what I did before I obtained my CDP certification:
You do not need to be an expert in DevOps tools or know how to create a CI/CD pipeline, but you do need to stay focused the whole time, because the trainer constantly adds information that is not on the course slides; write these "extra" points down as they come up. After attending the course, I think the following topics should be covered at least at a high level so you can follow all the course material:
- The basic Docker commands, which you can find here. Knowing them lets you understand what each lab is trying to achieve.
- The CDP course uses GitLab as its primary Continuous Integration (CI) tool, so if you have time, read through the GitLab CI/CD documentation. This is optional: the trainer explains it during the course.
- Understand how SSH works and how to set up passwordless (key-based) SSH on Ubuntu. This helps with the Infrastructure as Code and hardening topics in both the course and the exam.
- If you attend the online training (offered only during the pandemic), make sure you have a good internet connection. In the online CDP class I attended, several students could not follow the course comfortably because of poor connectivity, and that can affect the other participants too, if not the whole class.
The labs are the vital part of the CDP course and its exam, because the exam consists of lab-style challenges, not multiple-choice questions. Spend extra time on all the labs in the CDP course and pay attention to every script: the exam challenges draw on what you learned in the course labs, so finish all of them before sitting the exam. You only get 30 days of free lab access; you can extend it (30/60/90 days) via this link.
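As an added example of the hardening topic mentioned above (this is not code from the CDP course, its labs or the Practical DevSecOps team), here is an Ansible playbook that applies an OpenSSH server baseline to Ubuntu hosts you already reach over key-based SSH. The inventory group `devsecops_lab`, the file name `harden_ssh.yml` and the chosen option values are assumptions.

```yaml
# harden_ssh.yml (added example, not from the CDP course).
# Hardens the OpenSSH server on Ubuntu hosts in the assumed inventory
# group "devsecops_lab", which must already be reachable with a key.
- name: Harden OpenSSH server
  hosts: devsecops_lab
  become: true
  vars:
    # Key/value pairs written into /etc/ssh/sshd_config (values are assumptions).
    sshd_settings:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"   # key-based logins only; keys must already work
      PubkeyAuthentication: "yes"
      ChallengeResponseAuthentication: "no"
      X11Forwarding: "no"
      MaxAuthTries: "3"

  tasks:
    - name: Ensure sshd options are set to hardened values
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Match the option whether it is active or commented out, so there is
        # exactly one effective line per option after the play.
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        # sshd -t parses the candidate file and fails the task instead of
        # writing a config that would stop sshd from starting.
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings | dict2items }}"
      notify: restart sshd

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: ssh        # the OpenSSH service is called "ssh" on Ubuntu
        state: restarted
```

Preview the change with `ansible-playbook -i inventory harden_ssh.yml --check --diff` before applying it. Because `PasswordAuthentication no` locks out anyone without a working key, first confirm that `ssh user@host` logs in without a password prompt, and keep your current session open until a fresh login has been verified after the restart.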
When and How To Schedule The CDP Exam?
"It's important that you schedule your exam, as you will never be fully prepared" is the advice of the Practical DevSecOps team, and you should adopt the same mindset. If you do not want to burn all your free CDP lab access on exam preparation, schedule the exam as soon as you complete the course; you can plan and schedule it via this URL. Some tips on timing: the CDP exam takes 12 hours for the hands-on lab part, followed by 24 hours offline to write the CDP exam report. I chose to start at midnight (00:00) on Friday, so my hands-on part finished at 12:00 on Saturday; I then had another 24 hours offline to finish the report, and I still had the rest of the weekend to recover from the lack of sleep. I think this plan works because you do not want to give up your whole weekend for the CDP exam and then have no rest after it. Below are the options you can choose from, based on your availability:
You can follow the above recommendations, or plan your own schedule before you book your CDP exam.
Before the CDP Exam
Go through all the course videos you receive at the end of the course and follow the course labs exactly as shown. It took me one month to watch all the videos and complete all the labs. The course videos also point to additional URLs; I recommend checking them out for a better understanding of each topic.
How To Start Your Exam (Exam Day):
- Mentally and physically
- The CDP exam takes 12 hours of your time, so you need to be fully mentally prepared; if you are not in the right frame of mind you will make silly mistakes, such as copy-paste errors, that cost you CDP exam points.
- Take a nap or get enough sleep before you start the exam, so your body can handle the 12 hours and you can take a short rest before you focus on writing the CDP exam report.
- Exam challenges
- Before you start working on the CDP exam challenges, read all the questions first to get a rough idea of how you will approach them. From that first reading you may already see how to start and which questions relate to each other.
- Be careful with the specific wording of each question: a tool you placed in the build or test stage during the course labs may be required in a different stage, such as "deploy", in the exam, and the same applies to CI/CD pipeline jobs. In the course the trainer usually says we do not fail the build, but in the exam you may be asked to fail the build for some other reason, so read the requirement and configure the job accordingly.
- Screenshots and scan reports are both very important when you write your CDP report; follow the format below for a useful report. If you do not include enough screenshots or scan reports, the Practical DevSecOps team may not be able to evaluate your description thoroughly and may find it hard to see your solution in the CDP report.
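The "do not fail the build" versus "fail the build" distinction above comes down to one GitLab CI setting. The following `.gitlab-ci.yml` is an added example (not the CDP course's, the exam's or the Practical DevSecOps team's own pipeline) showing the same Bandit SAST scan once as a soft, non-blocking job and once as a hard gate, both keeping a machine-readable JSON report as an artifact. The Python project layout, image tags and file names are assumptions.

```yaml
# .gitlab-ci.yml (added example, not from the CDP course).
# Assumes a Python application with a requirements.txt at the repo root.
stages:
  - build
  - test
  - deploy

build:
  stage: build
  image: python:3.10-alpine
  script:
    - pip install -r requirements.txt
    - python -m compileall .

# Soft gate: findings are recorded, but the pipeline stays green.
sast-bandit-soft:
  stage: test
  image: python:3.10-alpine
  before_script:
    - pip install bandit
  script:
    - bandit -r . -f json -o bandit-output.json
  artifacts:
    paths: [bandit-output.json]
    when: always          # keep the JSON report even when bandit exits non-zero
    expire_in: one week
  allow_failure: true     # this is what turns the job into "do not fail the build"

# Hard gate: same scan, but any HIGH-severity finding fails the job
# and therefore blocks the deploy stage.
sast-bandit-block:
  stage: test
  image: python:3.10-alpine
  before_script:
    - pip install bandit
  script:
    # -lll restricts the report to HIGH severity; bandit exits 1 when
    # at least one such issue is found, which fails the job.
    - bandit -r . -f json -o bandit-output.json -lll
  artifacts:
    paths: [bandit-output.json]
    when: always
    expire_in: one week
  # no allow_failure here: a failing scan fails the build

deploy:
  stage: deploy
  script:
    - echo "deploy step (assumption: replaced by the real deploy command)"
  when: manual
```

Use `allow_failure: true` when the question asks you to run a tool without failing the build, and omit it when the question asks you to fail the build on findings; in both cases `artifacts.when: always` ensures the JSON report is available to attach to your exam report even when the job fails.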
CDP Exam Answer and Report
- Exam Report Format
- Step by step instructions.
- Files used (like .gitlab-ci.yml, roles, playbook.yml, etc.).
- Output/Results (in a machine-readable format like JSON, XML).
- Exam Report Folder Structure
I used the structure below when I sent my CDP report to the Practical DevSecOps team. You may follow it; I got good feedback on how I sorted and organized my CDP report, which made it easier to evaluate and understand:
- CDP Exam Report (PDF): the primary document with all the solutions/answers. Follow all the report instructions you receive on exam day.
- CDP Exam Report (Markdown): optional. If you do not want to put every script or all your CI/CD output in the PDF, a Markdown version helps the evaluator see your scanning results.
- Screenshots: screenshots from your local machine (DevSecOps-Box) or of the GitLab CI/CD pipeline jobs, as proof that your solution works and meets the challenge requirements. The folder structure could look like this:
With a screenshot structure like the one above, it is easy to navigate to the screenshot referenced in the CDP report.
- Scan Reports: each CDP challenge produces a scan report, so file each one under the correct challenge question. I used a folder structure like this:
With this structure the evaluator knows where to find and match each scan report referenced in your CDP report. Mention your folder structure whenever you refer to a scan report in the CDP exam report, so the evaluator can quickly find the report you mean.
URLs Useful to read
I have written some posts you may want to look at; they are also part of the CDP course and exam:
What is Software Component Analysis (SCA) or Open-Source Analysis Security Test (OAST)?
What is Static Analysis Security Test (SAST)?
What is Dynamic Analysis Security Test (DAST)?
What is Interactive Analysis Security Test (IAST)?
What is Infrastructure as a Code (IaC) Role in DevSecOps?
What is Vulnerability Management?
Good luck with your Certified DevSecOps Professional (CDP) exam, and trust me: the more you do the labs and revise what you learned during the CDP course, the better prepared you will be. Everything you learn in the course will be tested in the CDP exam, so if you skip the reading part, how can you answer or prepare for it? Here is my CDP certificate from #PracticalDevSecOps. I hope this helps you at least a little in preparing for your CDP certification exam. Let's #ContinuousLearning and #StayHuman.