Introduction
The NTU DevSecOps Professional & Tools course is focused on addressing cybersecurity risks at the software development level.
This course leverages NTU's core research competencies in cybersecurity and combines them with the industry expertise of Scantist. It provides a comprehensive understanding of the DevSecOps (DevOps Security) process from a strategic as well as an executive standpoint - covering the why, how and what of DevSecOps. The course also provides hands-on experience by exposing participants to over half a dozen state-of-the-art tools that are essential to architecting DevSecOps pipelines.
Learners will walk away with the ability to lead DevSecOps initiatives within their organisations, allowing them to automate and improve the security posture and cyber hygiene across the software development process. At the end of this course, participants who pass the course assessment will receive a coupon to attempt the industry-recognised DevSecOps Foundation (DSOF) exam.
Upon successful completion of the course, learners will be awarded an "NTU Certificate of Completion".
Course Schedule
Day 1
9am - 10am: (Virtual session) Briefing
10am - 5pm: (e-Learning) Offline reading
9am - 5pm: (Virtual session) Lecture and Hands-on Lab
- Understanding DevSecOps history, processes and models
- Understanding risk management techniques and threat modeling for software development
- Establishing target DevSecOps outcomes and managing organisational stakeholders
- Architecting a DevSecOps pipeline according to best practices
- Implementing a baseline DevOps pipeline from scratch
- Securing the DevOps pipeline using security and monitoring tools to achieve DevSecOps outcomes
- Ensuring DevSecOps continuity, reliability and compliance
Application Security and Compliance
- Vulnerability management and triaging
  - Common Vulnerabilities and Exposures (CVE)
  - Risk-based vulnerability management process
  - Triage: Deep Dive and Best Practices
  - Vulnerability risk assessment using CVSS
  - Vulnerability Remediation Strategies
- Cybersecurity Considerations
  - Application Security
  - Operational Security
- Importance and management of SBOMs
- Governance, Risk, Compliance (GRC) and Audit
- Logging, Monitoring, and Response
DevOps Institute Certification (DevSecOps Foundation)
- Realizing DevSecOps Outcomes
  - Origins of DevOps
  - Evolution of DevSecOps
  - DevSecOps in the real world
- Defining the Cyberthreat Landscape
  - What is a cyber threat and the threat landscape?
  - What do we protect, from whom and why?
  - Fundamentals of security
- Building a Responsive DevSecOps Model
  - Demonstrate Model
  - Technical, business and human outcomes
  - Measuring outcomes and planning for success
- Integrating DevSecOps Stakeholders
  - The DevSecOps Stakeholders
  - Participating in the DevSecOps model
- Establishing DevSecOps Best Practices
  - Start where you are
  - Integrating people, process, technology and governance
  - DevSecOps operating model
  - Communication practices and boundaries
  - Focusing on outcomes
- Best Practices to get Started
  - The Three Ways
  - Identifying target states
  - Value stream-centric thinking
- DevOps Pipelines and Continuous Compliance
  - The goal of a DevOps pipeline
  - Why continuous compliance is important
  - Archetypes and reference architectures
  - Coordinating DevOps Pipeline construction
  - DevSecOps tool categories, types and examples
- Learning Using Outcomes
  - Security Training Options
  - Training as Policy
  - Experiential Learning
  - Cross-Skilling
  - The DevSecOps Collective Body of Knowledge
  - Preparing for the DevSecOps Foundation certification exam
DevSecOps Toolchains
- Software Composition Analysis (SCA) - Scantist
- Static Application Security Testing (SAST) - SonarQube
- Dynamic Application Security Testing (DAST) - OWASP ZAP
- Version Control Systems (VCS) - Git
- Continuous Integration (CI) - Jenkins
- Security Orchestration (SOAR) - DefectDojo
- Issue Management and Tracking (ITS) - JIRA
Hands-on Lab
- Software Composition Analysis Tools (SCA)
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
This course is suitable for:
- Anyone working in or transitioning to a DevOps environment
- Anyone who wants to understand where to add security checks, testing, and other controls to cloud and DevOps Continuous Delivery pipelines
- Compliance Team
- DevOps Engineers
- Software Engineers and Testers
Minimum Entry Requirement
- Participants should have baseline knowledge and understanding of common DevOps definitions and principles
- Basic IT knowledge and fundamentals of cybersecurity
This course is mapped to:
Skill Title : Applications Support and Enhancement-4
Skill Code: ICT-OUS-4001-1.1
Standard Course Fee: S$4,360.00
| SSG Funding Support | Course fee BEFORE funding & GST | Course fee payable after SSG funding, if eligible under various schemes (AFTER funding & 9% GST) |
| --- | --- | --- |
| Singapore Citizens (SCs) and Permanent Residents (PRs) (Up to 70% funding) | S$4,000.00 | S$1,308.00 |
| Enhanced Training Support for SMEs (ETSS) | | S$508.00 |
| SCs aged ≥ 40 years old | | |
- Standard course fee is inclusive of GST.
- NTU/NIE alumni may utilise their $1,600 Alumni Course Credits.
Dr Ding Sun
Dr Ding Sun is the Engineering Head of Scantist. He leads the core engineering team that develops AppSec products and solutions, including SCA, SAST, DAST and the company's data platform for OSS Intelligence. He oversees architecture design and is heavily involved in improving the company's DevSecOps process. He is currently a mentor of the PowerX Cyber Security Programme at SGInnovate.
Ding Sun holds a Ph.D. in software engineering and has worked for many years in the cyber security and software industry. He is passionate about translating and implementing science into practice: he bridges the academic research team and the development team, accelerating the transformation of research outcomes into technical products.
In this course, Ding Sun would like to share the latest industry trends, best practices and tools for DevSecOps.
Mr Rodrigo Bermudez Schettino
Rodrigo is a Principal Software Engineer at Scantist, where he oversees DevSecOps, process automation and performance optimisation. He holds a Master's degree in Computer Science with a specialisation in AI from the Technical University of Berlin in Germany and graduated from EPFL in Switzerland.
Rodrigo worked at CERN (European Organization for Nuclear Research; birthplace of the World Wide Web) in the Linux and Configuration Support section and served as a mentor at CERN's Webfest 2021 hackathon before joining Scantist.
Rodrigo is passionate about open source and is an avid contributor on GitHub.
Mr Rohan Sood
Rohan is the Head of Operations and a founding team member of Scantist, an NTU spin-off. Scantist believes that cyber-security should be an enabler, and not a threat, in the efforts to build a smart society.
Rohan oversees product development and business operations. He is a fervent champion of the DevSecOps movement and is passionate about web development and the capabilities of big data. A keen web developer and cybersecurity enthusiast, Rohan is also part of better.sg (https://better.sg), a non-profit organisation that builds and supercharges innovative digital tools to address societal issues. At the society, Rohan and his committee members help organisations do more social good using technology.
Rohan also represented Singapore's cyber-security start-up ecosystem at the Department of Homeland Security's annual showcase in Washington DC, thanks to the PMO's National Research Foundation Singapore.
Dr Liu Yang
Dr Liu Yang is currently a full professor, Director of the Cybersecurity Lab, Programme Director of the HP-NTU Corporate Lab and Deputy Director of the National Satellite of Excellence of Singapore. In 2019, he received the University Leadership Forum Chair professorship at NTU.
Dr Liu specialises in software verification, security and software engineering. His research has bridged the gap between the theory and practical use of formal methods and program analysis to evaluate the design and implementation of software for high assurance and security. To date, he has more than 300 publications in top-tier conferences and journals. He has received a number of prestigious awards including the MSRA Fellowship, TRF Fellowship, Nanyang Assistant Professorship, Tan Chin Tuan Fellowship, Nanyang Research Award (Young Investigator) 2018, NRF Investigatorship 2020, 10 best paper awards and one most influential system award at top software engineering conferences such as ASE, FSE and ICSE.