diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000..dbba498
Binary files /dev/null and b/.DS_Store differ
diff --git a/.github/workflows/pages.yml b/.github/workflows/jekyll.yml
similarity index 73%
rename from .github/workflows/pages.yml
rename to .github/workflows/jekyll.yml
index 6564156..61f2d80 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/jekyll.yml
@@ -7,6 +7,7 @@ name: Deploy Jekyll site to Pages
 on:
+ # Runs on pushes targeting the default branch
 push:
 branches: ["main"]
@@ -19,10 +20,11 @@ permissions:
 pages: write
 id-token: write
-# Allow one concurrent deployment
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
 group: "pages"
- cancel-in-progress: true
+ cancel-in-progress: false
 jobs:
 # Build job
@@ -30,16 +32,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup Ruby
- uses: ruby/setup-ruby@v1
+ # https://github.com/ruby/setup-ruby/releases/tag/v1.207.0
+ uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4
 with:
 ruby-version: '3.1' # Not needed with a .ruby-version file
 bundler-cache: true # runs 'bundle install' and caches installed gems automatically
 cache-version: 0 # Increment this number if you need to re-download cached gems
 - name: Setup Pages
 id: pages
- uses: actions/configure-pages@v3
+ uses: actions/configure-pages@v5
 - name: Build with Jekyll
 # Outputs to the './_site' directory by default
 run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
@@ -47,7 +50,7 @@ jobs:
 JEKYLL_ENV: production
 - name: Upload artifact
 # Automatically uploads an artifact from the './_site' directory by default
- uses: actions/upload-pages-artifact@v1
+ uses: actions/upload-pages-artifact@v3
 # Deployment job
 deploy:
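Review bot: Only the Setup Ruby step is pinned to a full commit SHA (with a comment naming the release), while the checkout and configure-pages steps in this hunk and the upload-pages-artifact and deploy-pages steps in the two hunks below still use mutable major tags (`@v4`, `@v5`, `@v3`, `@v4`); if the SHA pin is meant as supply-chain hardening, apply it to all five the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v4.x.y`, otherwise the lone pin is inconsistent and harder to keep updated. The `ruby-version: '3.1'` context line also disagrees with the README added in this commit, which lists Ruby 3.4.1 as the prerequisite, and the Gemfile hunk adds `csv`, `base64`, `logger` and `bigdecimal`, which presumably exist because newer Ruby no longer ships them as default gems, so CI is not building on the version the docs prescribe. Separately, the commit adds a binary `.DS_Store` at the repository root; it is macOS Finder metadata and should be dropped and listed in `.gitignore`. The `build` job definition continues outside this hunk.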
@@ -59,4 +62,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v2
+ uses: actions/deploy-pages@v4
diff --git a/Gemfile b/Gemfile
index d5810e3..e82b3ad 100644
--- a/Gemfile
+++ b/Gemfile
@@ -5,3 +5,8 @@ gem "jekyll", "~> 4.3.3" # installed by `gem jekyll`
 gem "just-the-docs", "0.8.1" # pinned to the current release
 # gem "just-the-docs" # always download the latest release
+
+gem "csv"
+gem "base64"
+gem "logger"
+gem "bigdecimal"
\ No newline at end of file
diff --git a/Gemfile.lock b/Gemfile.lock
index 8a36229..f30c68b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -3,8 +3,11 @@ GEM
 specs:
 addressable (2.8.6)
 public_suffix (>= 2.0.2, < 6.0)
+ base64 (0.2.0)
+ bigdecimal (3.1.9)
 colorator (1.1.0)
 concurrent-ruby (1.2.2)
+ csv (3.3.3)
 em-websocket (0.5.3)
 eventmachine (>= 0.12.9)
 http_parser.rb (~> 0)
@@ -12,6 +15,8 @@ GEM
 ffi (1.16.3)
 forwardable-extended (2.6.0)
 google-protobuf (3.25.1)
+ google-protobuf (3.25.1-arm64-darwin)
+ google-protobuf (3.25.1-x86_64-darwin)
 http_parser.rb (0.8.0)
 i18n (1.14.1)
 concurrent-ruby (~> 1.0)
@@ -52,6 +57,7 @@ GEM
 listen (3.8.0)
 rb-fsevent (~> 0.10, >= 0.10.3)
 rb-inotify (~> 0.9, >= 0.9.10)
+ logger (1.7.0)
 mercenary (0.4.0)
 pathutil (0.16.2)
 forwardable-extended (~> 2.6)
@@ -63,8 +69,13 @@ GEM
 rexml (3.2.6)
 rouge (4.2.0)
 safe_yaml (1.0.5)
+ sass-embedded (1.69.5)
+ google-protobuf (~> 3.23)
+ rake (>= 13.0.0)
 sass-embedded (1.69.5-arm64-darwin)
 google-protobuf (~> 3.23)
+ sass-embedded (1.69.5-x64-mingw-ucrt)
+ google-protobuf (~> 3.23)
 sass-embedded (1.69.5-x86_64-darwin)
 google-protobuf (~> 3.23)
 sass-embedded (1.69.5-x86_64-linux-gnu)
@@ -76,12 +87,20 @@ GEM
 PLATFORMS
 arm64-darwin-23
+ arm64-darwin-24
+ ruby
+ x64-mingw-ucrt
+ x86_64-darwin-22
 x86_64-darwin-23
 x86_64-linux
 DEPENDENCIES
+ base64
+ bigdecimal
+ csv
 jekyll (~> 4.3.3)
 just-the-docs (= 0.8.1)
+ logger
 BUNDLED WITH
- 2.3.26
+ 2.6.7
diff --git a/README.md b/README.md
index c881fb2..5990ca8 100644
--- a/README.md
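Review bot: The four added `gem` lines in the Gemfile hunk carry no version constraint, unlike the two existing entries in the same file (`"~> 4.3.3"`, `"0.8.1"`), so `bundle update` can move them freely; the Gemfile.lock hunk in this commit resolves them to `csv (3.3.3)`, `base64 (0.2.0)`, `logger (1.7.0)` and `bigdecimal (3.1.9)`, which gives the pessimistic constraints to use, e.g. `gem "csv", "~> 3.3"`. A one-line comment saying why they are declared would help the next maintainer, since they look like gems that newer Ruby releases stopped shipping as default gems (confirm against the Ruby version actually used), e.g. `# Former default gems; declared explicitly so they install on newer Ruby`. The file is also left without a final newline (`\ No newline at end of file`).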
+++ b/README.md @@ -1 +1,124 @@ -# open-devsecops Website \ No newline at end of file + +[![contributors][contributors-shield]][contributors-url] +[![commits][commits-shield]][commits-url] + + +
+
+ + open DevSecOps triangle logo + +

Open DevSecOps v2

+
+ + +
+ Table of Contents +
    +
  1. + About The Project + +
  2. +
  3. + Getting Started + +
  4. +
  5. Contact
  6. +
+
+ + + +## About The Project + +Many students entering the software industry are unprepared for the newest expectations of entry-level roles, where understanding security and efficient operations are the bare-minimum at every phase of the software development lifecycle. The "Open-DevSecOps" project addresses this significant gap in education concerning DevSecOps and CI/CD principles. Our extensively researched online modules aim to offer a free educational service to enhance the understanding and application of these crucial skills. This project strives to provide essential up-to-date training, and shape the security industry's future for the better starting with every new-grad employee. + +### Final Website + +www.katieshi413.github.io/open-devsecops.github.io/ + +### Final Presentation + +https://docs.google.com/presentation/d/1ESrzQka0eZ1L1KLqiXgI0yj2_FuhhFSfokiGwJE8K3o/edit?usp=sharing + +### Built With + +* [![Jekyll][Jekyll]][Jekyll-url] +* [![Ruby][Ruby]][Ruby-url] +* [![Markdown][Markdown]][Markdown-url] + + +

(back to top)

+ + + +## Getting Started + + To get a local copy up and running follow these steps. + +### Prerequisites +- Ruby 3.4.1 +- [Bundler](https://bundler.io/) +- [Jekyll](https://jekyllrb.com/) + +### Installation + +1. Install Ruby and Bundler + + ```sh + # If you haven’t already, install Ruby (version 3.4.1), then install Bundler: + gem install bundler + ``` + +2. Navigate to the project directory + + ```sh + cd your-project-directory + ``` + +3. Install project dependencies + + ```sh + bundle install + ``` + +4. Serve the site locally + + ```sh + bundle exec jekyll serve + ``` +5. Open your browser and visit: + + ```sh + http://localhost:4000 + ``` + +

(back to top)

+ + +## Contact + +

Katie Shi - LinkedIn - katieshi413@gmail.com

+

Emily Choi - LinkedIn - eemilychoi@gmail.com

+

Jocelyn Margarones - LinkedIn - jsmargarones@gmail.com

+

Mor Vered - LinkedIn - mvered9@gmail.com

+

Mira Nair - LinkedIn - miranair004@gmail.com

+ +

(back to top)

+
+
+[contributors-shield]: https://img.shields.io/github/contributors/katieshi413/open-devsecops.github.io?style=for-the-badge&color=rgb(68%2C%20204%2C%2017)
+[contributors-url]: https://github.com/katieshi413/open-devsecops.github.io/graphs/contributors
+[commits-shield]: https://img.shields.io/github/commit-activity/t/katieshi413/open-devsecops.github.io?style=for-the-badge
+[commits-url]: https://github.com/katieshi413/open-devsecops.github.io/commits/main/
+[Jekyll]: https://img.shields.io/static/v1?style=for-the-badge&message=Jekyll&color=CC0000&logo=Jekyll&logoColor=FFFFFF&label=
+[Jekyll-url]: https://jekyllrb.com/
+[Ruby]: https://img.shields.io/badge/Ruby-CC342D?logo=Ruby&logoColor=white
+[Ruby-url]: https://www.ruby-lang.org/en/
+[Markdown]: https://img.shields.io/badge/markdown-%23000000.svg?style=for-the-badge&logo=markdown&logoColor=white
+[Markdown-url]: https://www.markdownguide.org/
diff --git a/_config.yml b/_config.yml
index a66183b..0e8a76c 100644
--- a/_config.yml
+++ b/_config.yml
@@ -2,12 +2,18 @@ title: open-devsecops
 description: 'From Classroom to Industry: Bridging the DevSecOps Knowledge Gap with Open, Practical Learning.'
 theme: just-the-docs
-logo: "/assets/images/opendevsecops-transparent.png"
-favicon_ico: "/assets/images/opendevsecops-favicon.ico"
+logo: "/assets/images/2.0logobig.png"
+favicon_ico: "/assets/images/2.0logobig.png"
-url: https://open-devsecops.github.io
+# url: https://open-devsecops.github.io
+url: "https://katieshi413.github.io"
+baseurl: "/open-devsecops.github.io"
 search_enabled: false
+include:
+ - assets/js/quiz.js
+ - assets/js/quiz-reset.js
+
 aux_links:
 Github: https://github.com/open-devsecops
 Contribute: https://github.com/open-devsecops/open-devsecops.github.io
@@ -24,4 +30,8 @@ callouts:
 color: blue
 lab:
 title: Access The Lab
- color: purple
\ No newline at end of file
+ color: purple
+
+sass:
+ sass_dir: _sass
+ style: compressed
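Review bot: The new `baseurl: "/open-devsecops.github.io"` changes what `bundle exec jekyll serve` serves locally (the site lives under `http://localhost:4000/open-devsecops.github.io/`, not the bare `http://localhost:4000` the README in this commit tells users to open), while in CI it is overridden by the `--baseurl` flag on the workflow's build line; either fix the README step or add `# overridden in CI by --baseurl; locally the site is served under this prefix` above the key. The `include:` entries for `assets/js/quiz.js` and `assets/js/quiz-reset.js` are likely redundant, because Jekyll copies everything under `assets/` unless an `exclude` entry outside this hunk removes it. `favicon_ico` now points at a PNG although the key name implies an `.ico`, and the theme presumably emits it with an icon media type derived from that — confirm it renders, or supply a real `.ico`. The commented-out `# url:` line is dead config and can be removed.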
diff --git a/_data/quizzes/topic1/chapter1.yml b/_data/quizzes/topic1/chapter1.yml
new file mode 100644
index 0000000..f58574a
--- /dev/null
+++ b/_data/quizzes/topic1/chapter1.yml
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "What is the primary purpose of the Software Development Life Cycle (SDLC)?"
+ options:
+ - "To design user interfaces for software applications"
+ - "To manage and structure software development and maintenance through distinct phases"
+ - "To write code in a specific programming language"
+ - "To automate deployment using CI/CD tools"
+ correct_index: 1
+ explanation: "The SDLC is a structured process that helps manage and guide software development and maintenance through specific phases."
+
+ - prompt: "Which of the following is NOT one of the phases in the traditional SDLC?"
+ options:
+ - "Design"
+ - "Test"
+ - "Automate"
+ - "Deploy"
+ correct_index: 2
+ explanation: "Automate is not a standard SDLC phase; the typical phases include Planning, Design, Implement, Test, Deploy, and Maintain."
+
+ - prompt: "True or False: The Maintain phase in SDLC focuses on releasing software into production."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "The Deploy phase handles release into production, while the Maintain phase involves ongoing updates and support."
+
+ - prompt: "What is a key benefit of following a structured SDLC process?"
+ options:
+ - "Faster typing speed for developers"
+ - "Reduces testing requirements"
+ - "Ensures secure and reliable software delivery"
+ - "Eliminates the need for project planning"
+ correct_index: 2
+ explanation: "One of the main benefits of SDLC is enabling faster, more secure, and reliable delivery of software through structured processes."
+
+ - prompt: "Which SDLC methodology is best suited for projects with fixed, well-defined requirements?"
+ options:
+ - "Waterfall"
+ - "Agile"
+ - "Scrum"
+ - "Iterative"
+ correct_index: 0
+ explanation: "Waterfall is ideal for projects where requirements are fixed and unlikely to change."
diff --git a/_data/quizzes/topic1/chapter2.yml b/_data/quizzes/topic1/chapter2.yml
new file mode 100644
index 0000000..22a2017
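Review bot: The quiz schema introduced here (`questions[].prompt`, `options`, `correct_index`, `explanation`) is documented nowhere in the data files, and the fact that `correct_index` is a zero-based position into `options` is only inferable from the answers; a header comment on this first file such as `# Quiz schema: each question has prompt, options (list), correct_index (0-based index into options) and explanation` would spare the next author a mistake the consuming JavaScript (not visible here) may not catch. The sibling files mix quoted and unquoted option scalars (topic2/chapter3, topic2/chapter5, topic3/chapter1, topic3/chapter2, topic3/chapter3); quoting all of them is safer, since a future option such as `Yes`, `No` or `1.10` would otherwise be retyped by the YAML parser. topic1/chapter2, topic2/chapter3, topic2/chapter4, topic3/chapter1, topic3/chapter2, topic3/chapter4 and topic3/chapter5 also lack a final newline.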
--- /dev/null
+++ b/_data/quizzes/topic1/chapter2.yml
@@ -0,0 +1,41 @@
+questions:
+ - prompt: "What is one key issue that arises when development and operations teams work in isolation?"
+ options:
+ - "Decreased development speed"
+ - "Better coordination between teams"
+ - "Conflicting goals and communication gaps"
+ - "More secure deployment pipelines"
+ correct_index: 2
+ explanation: "Isolated Dev and Ops teams often face communication gaps and misaligned objectives, leading to inefficiencies."
+
+ - prompt: "True or False: Manual testing and deployment processes often result in slower release cycles and delayed feedback."
+ options:
+ - "True"
+ - "False"
+ correct_index: 0
+ explanation: "Manual processes slow down software delivery, making it harder to respond quickly to feedback."
+
+ - prompt: "Which of the following best explains the 'But it works on my machine' syndrome?"
+ options:
+ - "A feature passes QA but fails in production due to network issues"
+ - "Code behaves inconsistently across environments due to configuration mismatches"
+ - "A user reports a bug that developers can’t reproduce"
+ - "Developers forget to merge the correct branch"
+ correct_index: 1
+ explanation: "Environment inconsistencies lead to unexpected behavior that doesn't match the developer’s local setup."
+
+ - prompt: "Fill in the blank: Manual infrastructure scaling increases the risk of __________ due to human error and slow responsiveness."
+ options:
+ - "Bugs"
+ - "Data corruption"
+ - "Deployment automation"
+ - "System instability"
+ correct_index: 3
+ explanation: "Manual processes are more prone to mistakes and can't respond quickly to load changes, causing instability."
+
+ - prompt: "True or False: DevOps is only about automation tools and does not affect team culture or communication."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "DevOps promotes collaboration and culture change, not just tool adoption."
\ No newline at end of file
diff --git a/_data/quizzes/topic2/chapter1.yml b/_data/quizzes/topic2/chapter1.yml
new file mode 100644
index 0000000..2740540
--- /dev/null
+++ b/_data/quizzes/topic2/chapter1.yml
@@ -0,0 +1,44 @@
+questions:
+ - prompt: "What is the primary purpose of version control in software development?"
+ options:
+ - "It prevents unauthorized users from editing a file."
+ - "It allows developers to track changes, collaborate, and revert to previous versions of files if necessary."
+ - "It automates the process of building software from source code."
+ - "It helps manage user authentication systems in a project."
+ correct_index: 1
+ explanation: "Version control allows developers to track changes, collaborate, and revert to previous versions of files if necessary. This helps maintain a history of changes and prevents conflicts when working collaboratively."
+
+ - prompt: "What is one of the key advantages of using version control in the scenario where Armine and Tigran are working on the same project?"
+ options:
+ - "Version control allows them to share the same file without needing to merge their changes."
+ - "It ensures that both of their changes are automatically merged, without requiring them to review the changes."
+ - "It enables them to track their changes independently and merge their updates later, preventing conflicts."
+ - "It prevents them from making any changes to each other's files."
+ correct_index: 2
+ explanation: "Version control enables Armine and Tigran to track their changes independently and merge their updates later, preventing conflicts. This process is essential when multiple developers are working on the same codebase."
+
+ - prompt: "True or False: Version control systems, like GitHub, prevent all types of conflicts between developers working on the same project by automatically merging all changes."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "False. Version control systems help manage changes and alert developers to conflicts, but they do not automatically merge all changes. Developers must manually resolve conflicts."
+
+ - prompt: "Which of the following is NOT true about version control systems?"
+ options:
+ - "They allow developers to view the history of changes made to files and revert to any previous state."
+ - "They can automatically detect and resolve any conflicts between different versions of a file."
+ - "They facilitate collaboration by allowing multiple developers to work on different parts of a project without interfering with each other."
+ - "They store different versions of files, enabling developers to work on multiple features simultaneously."
+ correct_index: 1
+ explanation: "Version control systems help detect conflicts, but they do not automatically resolve them. Developers must review and merge conflicting changes manually."
+
+ - prompt: "Which of the following best describes how GitHub helps in the version control process?"
+ options:
+ - "GitHub is used exclusively for backing up files and does not include version control features."
+ - "GitHub only serves as a cloud-based storage system for completed software projects and does not support versioning."
+ - "GitHub is a platform for organizing and managing tasks related to software development but does not play a role in version control."
+ - "GitHub integrates with version control systems to store files and track changes, while also providing a user interface for collaboration and version history."
+ correct_index: 3
+ explanation: "GitHub is a version control platform that integrates with Git to store files, track changes, and provide collaboration features like issue tracking, pull requests, and version history."
+
diff --git a/_data/quizzes/topic2/chapter2.yml b/_data/quizzes/topic2/chapter2.yml
new file mode 100644
index 0000000..6f9122f
--- /dev/null
+++ b/_data/quizzes/topic2/chapter2.yml
@@ -0,0 +1,41 @@
+questions:
+ - prompt: "True or False: In Git, all changes in your working directory are committed to the repository when you run git commit, even if they haven't been added to the staging area."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "False — Only changes that have been added to the staging area using git add will be included in a commit. Unstaged changes in the working directory are not committed."
+
+ - prompt: "What happens when you run the command git checkout <branch-name>?"
+ options:
+ - "It creates a new branch called <branch-name> but doesn't switch to it."
+ - "It deleted the <branch-name> branch from the respository."
+ - "It uploads your changes to the remote repository."
+ - "It switches your local branch to <branch-name> and updates the working directory with that branch's files."
+ correct_index: 3
+ explanation: "git checkout <branch-name> switches to the specified branch and updates the working directory with that branch's contents."
+
+ - prompt: "In Git, the term _________ refers to a snapshot of your project at a specific point in time, which is stored in the repository after running git commit."
+ options:
+ - "Working Directory"
+ - "Staging Area"
+ - "Commit"
+ - "Branch"
+ correct_index: 2
+ explanation: "A commit in Git represents a snapshot of your project at a specific point in time."
+
+ - prompt: "Which of the following statements is FALSE regarding Git branches?"
+ options:
+ - "A branch in Git does not copy files but simply creates a new pointer to them."
+ - "You can use branches to experiment with new features without affecting the main codebase."
+ - "Once a branch is created, it automatically merges into the main branch after a set period."
+ - "A branch isolates development work, enabling concurrent tasks without conflicts."
+ correct_index: 2
+ explanation: "A branch does NOT automatically merge into the main branch; you have to do it manually using git merge."
+
+ - prompt: "True or False: If you delete a branch using git branch -d <branch-name>, the branch is permanently deleted from your local repository."
+ options:
+ - "True"
+ - "False"
+ correct_index: 0
+ explanation: "True, git branch -d only deletes the LOCAL branch. To delete a branch from the REMOTE, you would use git push origin --delete <branch-name>."
diff --git a/_data/quizzes/topic2/chapter3.yml b/_data/quizzes/topic2/chapter3.yml
new file mode 100644
index 0000000..a9f4e3c
--- /dev/null
+++ b/_data/quizzes/topic2/chapter3.yml
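Review bot: The second option of the `git checkout <branch-name>` question has a tense slip and a typo: `- "It deleted the <branch-name> branch from the respository."` should read `- "It deletes the <branch-name> branch from the repository."`. The last question's prompt says the branch is `permanently deleted`; `git branch -d` only removes the local branch reference (and refuses unmerged branches), and the commits normally stay recoverable through the reflog for a while, so `the branch reference is removed from your local repository` would be the accurate wording for the True answer.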
@@ -0,0 +1,48 @@
+questions:
+ - prompt: "What is the primary purpose of feature branching in Git?"
+ options:
+ - "To fix urgent bugs directly in production"
+ - "To keep changes isolated for each new feature"
+ - "To maintain separate branches for release candidates"
+ - "To rewrite commit history into a linear progression"
+ correct_index: 1
+ explanation: "Feature branching is used to create separate branches for each new feature, keeping changes isolated from the main codebase."
+
+ - prompt: "True or False: Hotfix branches are typically maintained separately for long periods, similar to release branches."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "False. Hotfix branches are short-lived branches created quickly to fix urgent bugs, unlike release branches that may be maintained longer."
+
+ - prompt: "What is the role of Pull Requests (PRs) in Git workflows?"
+ options:
+ - To directly commit changes to the main branch
+ - To merge branches automatically without review
+ - To notify others of pushed changes and facilitate review
+ - To stash uncommitted changes before switching branches
+ correct_index: 2
+ explanation: "Pull Requests allow developers to tell others about changes pushed to a branch, enabling code review and collaboration."
+
+ - prompt: "In Git, the process of temporarily saving uncommitted changes so you can switch branches without losing your work is called ________."
+ options:
+ - "Stashing"
+ - "Squashing"
+ - "Fast-Forwarding"
+ - "Rebasing"
+ correct_index: 0
+ explanation: "Stashing. Stashing allows you to save your changes to a stack so you can safely switch branches."
+
+ - prompt: |
+ A critical bug was discovered in the production environment. The team needs to fix it immediately without affecting ongoing development work on the main and feature branches.
+ After the fix is complete, it should be merged into both the main and the release branches. What is the most appropriate approach?
+ options:
+ - "Create a feature branch and squash merge it into main"
+ - "Rebase the main branch on top of the fix"
+ - "Cherry-pick the fix into all branches"
+ - "Create a hotfix branch and use a three-way merge into both main and release"
+ correct_index: 3
+ explanation: |
+ A three-way merge is used when two branches have diverged. In this case, both main and release may have different changes. By creating a hotfix branch and merging it into both using
+ a three-way merge, Git compares the common ancestor, the hotfix, and the target branch to create a new commit that safely integrates the fix without overwriting existing work. This
+ ensures stability and preserves history in both branches.
\ No newline at end of file
diff --git a/_data/quizzes/topic2/chapter4.yml b/_data/quizzes/topic2/chapter4.yml
new file mode 100644
index 0000000..e390884
--- /dev/null
+++ b/_data/quizzes/topic2/chapter4.yml
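Review bot: The last question uses `|` literal blocks for `prompt` and `explanation`, which keeps the hard line breaks and a trailing newline inside the strings, although the wrapping here is for source readability rather than meaning; `>-` (fold to one line, strip the final newline) would match the single-line strings used by every other question, i.e. `- prompt: >-` and `explanation: >-` with the same indented text beneath. Whether the renderer collapses the embedded newlines depends on the quiz JavaScript, which is not visible here.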
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "Which of the following should NOT typically be included in a README file?"
+ options:
+ - "Project title"
+ - "Full API documentation"
+ - "Installation instructions"
+ - "Contributing guidelines"
+ correct_index: 1
+ explanation: "Full API documentation is better suited for a wiki or dedicated documentation file. A README should stay concise and high-level."
+
+ - prompt: "True or False: Code comments should explain what the code is doing line by line to ensure full clarity."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "Comments should focus on explaining why the code exists or the reasoning behind complex logic — not what the code does line by line."
+
+ - prompt: "A project's __________ is the best place to store tutorials, extended documentation, and design notes."
+ options:
+ - "Installation guidelines"
+ - "Code comments"
+ - "READMEs"
+ - "Wiki"
+ correct_index: 3
+ explanation: "Wikis are ideal for more detailed content like tutorials and design notes that don't fit in a README."
+
+ - prompt: "When documenting your code, what should you aim to explain?"
+ options:
+ - "Why key decisions were made in the implementation"
+ - "How to install the program"
+ - "Each variable used in the program"
+ - "Syntax of the programming language used"
+ correct_index: 0
+ explanation: "Good inline comments focus on why the code exists or how it solves a problem, not basic syntax or details already obvious from the code."
+
+ - prompt: "You're wrapping up your work on a team project and may be leaving soon. You want to ensure others can continue where you left off. What combination of documentation should you focus on?"
+ options:
+ - "A short README and daily status updates via chat"
+ - "A detailed README and clear, explanatory code comments"
+ - "Extensive code comments and commit messages only"
+ - "Use a wiki with technical documentation"
+ correct_index: 1
+ explanation: "A clear README helps new users understand the project, and explanatory code comments clarify decisions within the code. This combo ensures others can continue without needing to ask questions."
\ No newline at end of file
diff --git a/_data/quizzes/topic2/chapter5.yml b/_data/quizzes/topic2/chapter5.yml
new file mode 100644
index 0000000..112b2dd
--- /dev/null
+++ b/_data/quizzes/topic2/chapter5.yml
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "Which Git command lets you temporarily save your work and switch branches?"
+ options:
+ - "git cherry-pick"
+ - "git save"
+ - "git stash"
+ - "git reset"
+ correct_index: 2
+ explanation: "git stash stores your changes temporarily so you can work on something else."
+
+ - prompt: "Which Git hook would you use to run a linter before committing?"
+ options:
+ - "pre-commit"
+ - "post-merge"
+ - "pre-push"
+ - "commit-msg"
+ correct_index: 0
+ explanation: "pre-commit runs before a commit is finalized and is commonly used for linting and checks."
+
+ - prompt: "True or False: Forking a repository is the same as cloning it."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "Forking creates a copy under your own GitHub account, while cloning makes a local copy of a repo."
+
+ - prompt: "What type of Git tag includes metadata like author and message?"
+ options:
+ - Lightweight tag
+ - Remote tag
+ - Annotated tag
+ - Branch tag
+ correct_index: 2
+ explanation: "Annotated tags include metadata and are better suited for release tagging."
+
+ - prompt: "What is the purpose of git bisect?"
+ options:
+ - Rewriting commit history
+ - Running linters before pushing code
+ - Creating tags for stable releases
+ - Finding the commit that introduced a bug
+ correct_index: 3
+ explanation: "git bisect helps you find the commit that introduced a bug using binary search."
diff --git a/_data/quizzes/topic3/chapter1.yml b/_data/quizzes/topic3/chapter1.yml
new file mode 100644
index 0000000..ce74730
--- /dev/null
+++ b/_data/quizzes/topic3/chapter1.yml
@@ -0,0 +1,45 @@
+questions:
+ - prompt: "Which three fields does DevSecOps bring together?"
+ options:
+ - "Design, Security, Testing"
+ - "Development, Security, Operations"
+ - "Data, Security, Development"
+ - "DevOps, QA, Security"
+ correct_index: 1
+ explanation: "DevSecOps combines Development, Security, and Operations into a unified approach."
+
+ - prompt: "What is the main purpose of shift left testing?"
+ options:
+ - "Monitor user behavior in production"
+ - "Fix bugs after release"
+ - "Improve infrastructure automation"
+ - "Implement security testing early in development"
+ correct_index: 3
+ explanation: |
+ Shift left testing is about catching security vulnerabilities early in the development process, allowing developers to identify and fix
+ vulnerabilities during design and coding phases, rather than discovering them late in testing or production (where fixes are costlier and riskier).
+
+ - prompt: "True or False: Static Application Security Testing (SAST) occurs while the application is running."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "SAST happens before the application compiles. DAST happens during runtime."
+
+ - prompt: "Fill in the blank: In the SDLC, a common issue is that security activities are deferred until the ________ phase."
+ options:
+ - "planning"
+ - "deployment"
+ - "testing"
+ - "maintenance"
+ correct_index: 2
+ explanation: "Security is often left until the testing phase, which is too late to catch design-related issues. Addressing security earlier in the SDLC helps reduce the risk of vulnerabilities slipping through."
+
+ - prompt: "Which type of security testing simulates real-world attacks while the app is running?"
+ options:
+ - Static testing
+ - Container scanning
+ - Dynamic testing
+ - Code linting
+ correct_index: 2
+ explanation: "Dynamic testing checks for vulnerabilities by simulating attacks while the application runs."
\ No newline at end of file
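Review bot: The SAST/DAST explanation in the third question is imprecise: SAST does not happen `before the application compiles`, it analyzes source code (or bytecode) without executing the program, and that static-versus-running distinction is exactly what the True/False prompt is testing; suggest `explanation: "SAST analyzes the source code without running the application; DAST tests the application while it is running."`. The fifth question's unquoted options are fine as written, but quoting them would match the rest of this file.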
diff --git a/_data/quizzes/topic3/chapter2.yml b/_data/quizzes/topic3/chapter2.yml
new file mode 100644
index 0000000..a2c18db
--- /dev/null
+++ b/_data/quizzes/topic3/chapter2.yml
@@ -0,0 +1,44 @@
+questions:
+ - prompt: "True or False: CI/CD stands for Continuous Improvement and Continuous Development."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "CI/CD stands for Continuous Integration and Continuous Delivery. It is a set of DevOps practices that help deliver frequent code changes reliably."
+
+ - prompt: "What is the primary difference between Continuous Integration (CI) and Continuous Delivery (CD)?"
+ options:
+ - "CI focuses on automating deployment; CD focuses on testing code changes."
+ - "CI is used only by operations teams; CD is used only by developers."
+ - "CI ensures code changes are automatically tested; CD ensures those changes are automatically deployed."
+ - "CI happens after CD in the software development lifecycle."
+ correct_index: 2
+ explanation: "Continuous Integration (CI) automates the testing of code changes while Continuous Delivery (CD) automates the deployment of those changes to production environments."
+
+ - prompt: "Which of the following best describes the relationship between DevOps and CI/CD?"
+ options:
+ - "CI/CD is a broader methodology that includes DevOps as a component."
+ - "CI/CD refers to specific automation practices that are part of the broader DevOps methodology."
+ - "DevOps and CI/CD are completely unrelated practices."
+ - "DevOps only applies to development teams, while CI/CD is for operations teams."
+ correct_index: 1
+ explanation: |
+ DevOps is a broad cultural and technical approach focused on collaboration and automation across the software lifecycle.
+ CI/CD refers to specific practices within DevOps that automate integration, testing, and deployment.
+
+ - prompt: "Which of the following is NOT a method commonly associated with CI?"
+ options:
+ - "Automating the build and test process"
+ - "Supporting 'fail fast' principles with quick feedback"
+ - "Automating deployment to production"
+ - "Identifying integration issues early"
+ correct_index: 2
+ explanation: "Automating deployment is a key part of Continuous Delivery (CD), not CI."
+
+ - prompt: "Fill in the blank: The method that enables organizations to release software updates quickly and reliably while minimizing risks is ________."
+ options:
+ - DevOps
+ - Continuous Integration (CI)
+ - Continuous Delivery (CD)
+ correct_index: 2
+ explanation: "Continuous Delivery (CD) automates the deployment process, allowing fast and reliable releases with minimized risks."
\ No newline at end of file
diff --git a/_data/quizzes/topic3/chapter3.yml b/_data/quizzes/topic3/chapter3.yml
new file mode 100644
index 0000000..cfc21b6
--- /dev/null
+++ b/_data/quizzes/topic3/chapter3.yml
@@ -0,0 +1,49 @@
+questions:
+ - prompt: "True or False: Automated testing reduces the chances of human error by automating repetitive tasks."
+ options:
+ - "True"
+ - "False"
+ correct_index: 0
+ explanation: "Automated testing increases accuracy by minimizing human error in repetitive testing."
+
+
+ - prompt: "Which type of automated test checks individual functions or components?"
+ options:
+ - "Unit tests"
+ - "Integration tests"
+ - "End-to-End tests"
+ - "Manual tests"
+ correct_index: 0
+ explanation: "Unit tests focus on testing single components or functions in isolation."
+
+ - prompt: "What is a common challenge of automated testing?"
+ options:
+ - "It eliminates the need for developers."
+ - "It requires significant initial setup and ongoing maintenance."
+ - "It makes manual testing obsolete overnight."
+ - "It requires no maintenance once setup."
+ correct_index: 1
+ explanation: "Automated testing requires resources to set up and maintain tests as the system evolves."
+
+ - prompt: "Which of the following is NOT a step in building a robust automated testing framework?"
+ options:
+ - Define clear objectives
+ - Hire more manual testers
+ - Choose the right tools
+ - Integrate into CI/CD
+ correct_index: 1
+ explanation: "Building an automated framework focuses on objectives, tools, integration, and monitoring, not on hiring
+ more manual testers."
+
+
+ - prompt: "Fill in the blank: One key benefit of automated testing is faster ______, providing immediate insights on code changes."
+ options:
+ - feedback
+ - deployment
+ - documentation
+ - debugging
+ correct_index: 0
+ explanation: "Automated tests provide quick feedback, accelerating development cycles."
+
+
+
diff --git a/_data/quizzes/topic3/chapter4.yml b/_data/quizzes/topic3/chapter4.yml
new file mode 100644
index 0000000..ce360b2
--- /dev/null
+++ b/_data/quizzes/topic3/chapter4.yml
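Review bot: The fourth question's explanation is a double-quoted scalar continued on the next line (`not on hiring` / `more manual testers."`); that parses, folding the break to a single space, but it reads like two values and is the only place in the quiz data that relies on quoted-scalar folding. Either keep it on one line or write `explanation: >-` with the text indented beneath it. The same file has double blank lines between the first and fourth questions and their successors, and three trailing blank lines, which the other quiz files do not have.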
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "Fill in the blank: The ______ environment is the live environment used by end users."
+ options:
+ - "Production"
+ - "Staging"
+ - "Development"
+ - "Testing"
+ correct_index: 0
+ explanation: "Production is the live environment with real user data and traffic."
+
+ - prompt: "What deployment strategy involves switching traffic between two identical environments to achieve zero downtime?"
+ options:
+ - "Canary Deployment"
+ - "Blue-Green Deployment"
+ - "Rolling Deployment"
+ - "Feature Toggles"
+ correct_index: 1
+ explanation: "Blue-Green deployment alternates between two identical environments for easy rollback and minimal downtime."
+
+ - prompt: "True or False: Canary Deployment releases new changes gradually to a small subset of users to gather real user feedback."
+ options:
+ - "True"
+ - "False"
+ correct_index: 0
+ explanation: "Canary Deployment minimizes risk by rolling out changes to a limited audience first."
+
+ - prompt: "Which deployment strategy updates application instances in phases without taking down the entire application?"
+ options:
+ - "Immutable Deployment"
+ - "Blue-Green Deployment"
+ - "A/B Testing Deployment"
+ - "Rolling Deployment"
+ correct_index: 3
+ explanation: "Rolling deployment updates in phases, maintaining high availability."
+
+ - prompt: "Fill in the blank: A/B Testing Deployment compares two versions based on ______ to optimize user experience."
+ options:
+ - "code quality"
+ - "deployment speed"
+ - "specific metrics"
+ - "database schema"
+ correct_index: 2
+ explanation: "A/B Testing uses traffic segmentation and metrics to validate hypotheses about user behavior."
\ No newline at end of file
diff --git a/_data/quizzes/topic3/chapter5.yml b/_data/quizzes/topic3/chapter5.yml
new file mode 100644
index 0000000..ee2cae2
--- /dev/null
+++ b/_data/quizzes/topic3/chapter5.yml
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "What is the main purpose of a webhook in a CI/CD workflow?"
+ options:
+ - "To host your application on a server"
+ - "To notify an external service that an event has occurred in your repository"
+ - "To merge code automatically into the main branch"
+ - "To track version history of your project"
+ correct_index: 1
+ explanation: "A webhook sends a notification to an external service (like a CI/CD tool) when a specified event happens in your repo."
+
+ - prompt: "Which content type is commonly used to send data in a webhook request?"
+ options:
+ - "XML"
+ - "YAML"
+ - "JSON"
+ - "HTML"
+ correct_index: 2
+ explanation: "JSON is the most commonly used format for webhook payloads due to its wide support and readability."
+
+ - prompt: "Which of the following is a common event that can trigger a webhook in GitHub?"
+ options:
+ - "Creating a README file"
+ - "Cloning a repository"
+ - "Creating a release"
+ - "Viewing a pull request"
+ correct_index: 2
+ explanation: "Webhooks can be triggered by events like releases, pushes, and pull request changes."
+
+ - prompt: "True or False: Once a webhook is set up, CI/CD tools automatically trigger based on the rules you define, such as pushes or pull requests."
+ options:
+ - "True"
+ - "False"
+ correct_index: 0
+ explanation: "True. Webhooks notify CI/CD tools automatically based on configured triggers, reducing manual intervention."
+
+ - prompt: "After you push code to GitHub, what is the next step in the webhook workflow?"
+ options:
+ - "You manually trigger the test suite"
+ - "GitHub runs the tests itself"
+ - "The pull request is automatically merged"
+ - "GitHub sends a webhook to the CI/CD tool"
+ correct_index: 3
+ explanation: "GitHub sends a webhook to notify the CI/CD system, which then takes the appropriate action."
\ No newline at end of file
diff --git a/_data/quizzes/topic3/chapter6.yml b/_data/quizzes/topic3/chapter6.yml
new file mode 100644
index 0000000..a5f4876
--- /dev/null
+++ b/_data/quizzes/topic3/chapter6.yml
@@ -0,0 +1,45 @@
+questions:
+ - prompt: "What is a container in cloud computing?"
+ options:
+ - A virtual machine with its own operating system
+ - A standardized unit of software packaging code and dependencies to run reliably across environments
+ - A cloud storage bucket for applications
+ - A physical server hosting multiple applications
+ correct_index: 1
+ explanation: "Containers package code and all dependencies without the overhead of a full OS, unlike virtual machines."
+
+ - prompt: "Which of the following is NOT a benefit of containerization?"
+ options:
+ - Portability across environments
+ - Isolation of applications
+ - Requires full OS boot per container
+ - Scalability within a shared OS
+ correct_index: 2
+ explanation: "Containers do not require booting a full OS for each instance, which makes them lightweight."
+
+ - prompt: "An artifact in containerization typically refers to a ______."
+ options:
+ - Container image
+ - Virtual machine
+ - Source code repository
+ - Running container
+ correct_index: 0
+ explanation: "An artifact is the container image, a read-only snapshot used to create containers."
+
+ - prompt: "Which use case is NOT typically associated with containerization?"
+ options:
+ - Cloud migration of legacy apps
+ - Manual updating of IoT devices without containers
+ - Microservices architecture deployment
+ - Dynamic scaling of applications
+ correct_index: 1
+ explanation: "Manual updates without containers are complex; containerization simplifies deployment and updates."
+
+ - prompt: "Which of the following best describes fault tolerance in containerization?"
+ options:
+ - Fault tolerance is not possible in containers
+ - One faulty container does not affect others running on the same host
+ - Containers share faults between them
+ - All containers stop when one container fails
+ correct_index: 1
+ explanation: "Containers are isolated, so faults in one do not impact others, improving application resilience."
\ No newline at end of file
diff --git a/_data/quizzes/topic4/chapter1.yml b/_data/quizzes/topic4/chapter1.yml
new file mode 100644
index 0000000..cae382c
--- /dev/null
+++ b/_data/quizzes/topic4/chapter1.yml
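Review bot: The fifth question's explanation, `Containers are isolated, so faults in one do not impact others`, overstates what container isolation provides: containers on one host share the kernel, so a kernel fault or unbounded resource use by one container can still affect its neighbours unless resource limits are set. A safer wording is `Containers run in isolated user spaces, so an application fault in one normally does not affect others on the same host; they still share the host kernel, so resource limits are needed for stronger isolation.` In the fourth question the correct option, `Manual updating of IoT devices without containers`, gives itself away by containing the phrase `without containers`; drop that phrase so the distractors are comparable. Options in this file are unquoted while the sibling quiz files quote theirs; both are valid YAML, but one convention would be easier to maintain.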
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "What does the CIA Triad represent in cybersecurity?"
+ options:
+ - "Compliance, Identity, Access"
+ - "Confidentiality, Integrity, Availability"
+ - "Cybersecurity, Infrastructure, Authentication"
+ - "Confidentiality, Information, Authentication"
+ correct_index: 1
+ explanation: "The CIA Triad stands for Confidentiality, Integrity, and Availability, all key principles in cybersecurity."
+
+ - prompt: "What is a vulnerability in the context of cybersecurity?"
+ options:
+ - "A malicious code used in an attack"
+ - "A person attempting to hack a system"
+ - "A flaw or weakness in a system that can be exploited"
+ - "The risk of unauthorized access to data"
+ correct_index: 2
+ explanation: "A vulnerability is a flaw or weakness in software, hardware, or systems that can be exploited."
+
+ - prompt: "True or False: A 'risk' is determined by the probability and severity of a cybersecurity incident."
+ options:
+ - "True"
+ - "False"
+ correct_index: 0
+ explanation: "Risk = Probability of Occurrence x Severity. It's a measure of potential impact."
+
+ - prompt: "Which of the following is an example of an exploit being used?"
+ options:
+ - "A patch being applied to software"
+ - "A hacker finds a password in a config file and uses it to access a server"
+ - "A backup system running hourly"
+ - "Antivirus software updating signatures"
+ correct_index: 1
+ explanation: "Using a found password to gain unauthorized access is an example of exploiting a vulnerability."
+
+ - prompt: "Fill in the blank: The ________ is the malicious code or action used in a cyberattack."
+ options:
+ - "Payload"
+ - "Threat actor"
+ - "Vulnerability"
+ - "Exploit"
+ correct_index: 0
+ explanation: "The payload is the part of the attack that causes harm, like malicious code."
\ No newline at end of file
diff --git a/_data/quizzes/topic4/chapter2.yml b/_data/quizzes/topic4/chapter2.yml
new file mode 100644
index 0000000..7fc474a
--- /dev/null
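Review bot: The fifth question is ambiguous as written: the prompt `The ________ is the malicious code or action used in a cyberattack` fits the distractor `Exploit` at least as well as the intended `Payload`, and the fourth question in the same file has just described an exploit as the act of using a found password. The explanation already draws the right distinction (`the part of the attack that causes harm`), so mirroring it in the prompt removes the defensible wrong answer, e.g. `The ________ is the part of an attack that carries out the harmful effect once access has been gained.`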
+++ b/_data/quizzes/topic4/chapter2.yml
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "What is the main risk when users can access data or systems they shouldn’t be allowed to?"
+ options:
+ - "Improper Access Control"
+ - "Misconfiguration"
+ - "Cross-Site Scripting (XSS)"
+ - "Cryptographic Risks"
+ correct_index: 0
+ explanation: "Improper Access Control occurs when users can access unauthorized systems or data."
+
+ - prompt: "Which mitigation strategy is most effective against injection attacks?"
+ options:
+ - "Role Based Access Controls"
+ - "Require MFA"
+ - "Encrypt database backups"
+ - "Sanitize user input"
+ correct_index: 3
+ explanation: "Sanitizing user input helps prevent injection attacks by ensuring that only valid data is processed."
+
+ - prompt: "What kind of attack involves injecting malicious SQL queries into a system?"
+ options:
+ - "Cross-Site Scripting (XSS)"
+ - "SQL Injection"
+ - "Improper Authentication"
+ - "Logging Failure"
+ correct_index: 1
+ explanation: "SQL Injection involves inserting malicious SQL queries to manipulate or access a database."
+
+ - prompt: "True or False: Output encoding helps prevent SQL injections by restricting unauthorized queries."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "False. Output encoding helps prevent XSS attacks. SQL Injection should be mitigated using parameterized queries."
+
+ - prompt: "Fill in the blank: __________ is a technique to limit what actions users can perform based on their role in an organization."
+ options:
+ - "Access logs"
+ - "Parameterized queries"
+ - "Role Based Access Control"
+ - "Prepared statements"
+ correct_index: 2
+ explanation: "Role Based Access Control ensures that users only access information and systems needed for their role."
diff --git a/_data/quizzes/topic4/chapter3.yml b/_data/quizzes/topic4/chapter3.yml
new file mode 100644
index 0000000..f587a77
--- /dev/null
+++ b/_data/quizzes/topic4/chapter3.yml
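Review bot: The second and fourth questions disagree on the primary defence against injection: question 2 marks `Sanitize user input` as the most effective mitigation, while question 4's explanation states `SQL Injection should be mitigated using parameterized queries`. Parameterized queries (prepared statements) are the primary control and input validation is a secondary layer, so the quiz currently teaches two different answers to the same question. Either add `Use parameterized queries` as the correct option of question 2, or narrow its prompt to ask about input-handling controls specifically. The fifth question also lists `Parameterized queries` and `Prepared statements` as two separate distractors although they name the same technique.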
@@ -0,0 +1,44 @@
+questions:
+ - prompt: "What is the main purpose of integrating security checks in each stage of the CI/CD pipeline?"
+ options:
+ - "To slow down development"
+ - "To ensure only DevOps engineers manage security"
+ - "To automate deployments without review"
+ - "To embed security early and ensure vulnerabilities are caught throughout development"
+ correct_index: 3
+ explanation: "The key goal is to proactively embed security checks early in the development process and throughout the lifecycle."
+
+ - prompt: "Fill in the blank: The _________ phase includes threat modeling to identify potential vulnerabilities before coding begins."
+ options:
+ - "Testing"
+ - "Planning"
+ - "Release"
+ - "Build"
+ correct_index: 1
+ explanation: "The Planning phase includes threat modeling to predict and mitigate future security risks."
+
+ - prompt: "Which of the following best describes DAST?"
+ options:
+ - "Analyzes code before it is compiled"
+ - "Checks application behavior while running"
+ - "Ensures business logic is documented"
+ - "Analyzes test scripts in the CI environment"
+ correct_index: 1
+ explanation: "DAST tests the running application to identify vulnerabilities during runtime."
+
+ - prompt: "True or False: The CI/CD pipeline should only have security checks during the testing stage."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "Security checks should be embedded into every stage of the pipeline, not just testing."
+
+ - prompt: "Which of the following is NOT a benefit of combining SAST and DAST?"
+ options:
+ - "Improves detection coverage of security vulnerabilities"
+ - "Provides both code-level and runtime insights"
+ - "Replaces the need for security experts"
+ - "Strengthens application security across the SDLC"
+ correct_index: 2
+ explanation: "While SAST and DAST improve coverage, they do not eliminate the need for security professionals."
+ 
\ No newline at end of file
diff --git a/_data/quizzes/topic5/chapter1.yml b/_data/quizzes/topic5/chapter1.yml
new file mode 100644
index 0000000..9a5c43d
--- /dev/null
+++ b/_data/quizzes/topic5/chapter1.yml
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "True or False: Cloud computing requires teams to purchase and manage their own physical servers."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "Cloud computing provides on-demand access to resources, removing the need for physical hardware management."
+
+ - prompt: "Which of the following best describes the NIST definition of cloud computing?"
+ options:
+ - "A model for facilitating periodic, physical access to enterprise-owned computing hardware."
+ - "A framework for enabling offline, manual deployment of preconfigured hardware and network resources."
+ - "A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources."
+ - "A method for securing user authentication through identity verification across distributed networks."
+ correct_index: 2
+ explanation: "According to NIST, cloud computing is about network access to shared, configurable computing resources."
+
+ - prompt: "Which cloud service model provides full applications over the internet, abstracting away infrastructure and platforms?"
+ options:
+ - "IaaS"
+ - "Hybrid"
+ - "PaaS"
+ - "SaaS"
+ correct_index: 3
+ explanation: "SaaS delivers complete applications, requiring no concern for the underlying systems."
+
+ - prompt: "Which of the following is a key feature of Platform as a Service (PaaS)?"
+ options:
+ - "You manage the hardware and operating system yourself."
+ - "You build apps while the provider handles the OS and infrastructure."
+ - "You install your own operating system and runtime."
+ - "You use software via the internet without hosting it."
+ correct_index: 1
+ explanation: "For PaaS, the provider handles the OS, runtime, and infrastructure while you build apps."
+
+ - prompt: "Fill in the blank: _________ is a method for controlling who can access what, and what actions they can take."
+ options:
+ - "IAM (Identity & Access Management)"
+ - "Encryption"
+ - "Logging & Monitoring"
+ - "Scalability"
+ correct_index: 0
+ explanation: "IAM (Identity & Access Management) is responsible for managing access permissions and user roles in the cloud."
\ No newline at end of file
diff --git a/_data/quizzes/topic5/chapter2.yml b/_data/quizzes/topic5/chapter2.yml
new file mode 100644
index 0000000..89de789
--- /dev/null
+++ b/_data/quizzes/topic5/chapter2.yml
@@ -0,0 +1,41 @@
+questions:
+ - prompt: "True or False: Cloud-native DevSecOps emphasizes integrating security after the application has been deployed."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: False. Cloud-native DevSecOps integrates security throughout the development process, not afterward.
+
+ - prompt: "Which of the following is not a benefit of cloud-native DevSecOps?"
+ options:
+ - "Faster feedback loops"
+ - "Manual server patching"
+ - "Automated security checks"
+ - "Easier compliance management"
+ correct_index: 1
+ explanation: "Cloud-native DevSecOps discourages manual server patching in favor of immutable infrastructure."
+
+ - prompt: "Fill in the blank: ________ allows infrastructure to be defined and managed using code."
+ options:
+ - "Immutable Infrastructure"
+ - "Continuous Deployment (CD)"
+ - "Infrastructure as Code (IaC)"
+ - "Serverless Architecture"
+ correct_index: 2
+ explanation: "IaC refers to defining infrastructure setup and management using code."
+
+ - prompt: "True or False: Microservices and serverless architectures reduce the number of endpoints, making applications easier to secure."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "These architectures increase the number of endpoints, making API security more important."
+
+ - prompt: "What does the Shared Responsibility Model emphasize in cloud security?"
+ options:
+ - "Users are responsible for everything"
+ - "Cloud providers handle all security"
+ - "Only compliance officers manage security"
+ - "Responsibilities are split between cloud users and providers"
+ correct_index: 3
+ explanation: Security is a shared responsibility between the cloud provider and the customer.
\ No newline at end of file
diff --git a/_data/quizzes/topic5/chapter3.yml b/_data/quizzes/topic5/chapter3.yml
new file mode 100644
index 0000000..67f49c7
--- /dev/null
+++ b/_data/quizzes/topic5/chapter3.yml
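Review bot: Two `explanation` values in this file are unquoted plain scalars (the first question's `False. Cloud-native DevSecOps ...` and the last question's `Security is a shared responsibility ...`), whereas every other explanation in the quiz files is double-quoted. They parse as strings today, but a plain scalar breaks as soon as someone adds `: ` or ` #` to the sentence, and a value starting with `False.` reads like a boolean at a glance. Quote them for consistency: `explanation: "False. Cloud-native DevSecOps integrates security throughout the development process, not afterward."`. The second prompt also uses lowercase `not` where the other files capitalise `NOT` to flag the negation.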
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "Why are tools essential for DevSecOps in the cloud?"
+ options:
+ - "They eliminate the need for developers"
+ - "They simplify only post-deployment monitoring"
+ - "They enable scalable, automated security across the SDLC"
+ - "They are required only for compliance audits"
+ correct_index: 2
+ explanation: "Tools automate testing, policy enforcement, and monitoring, making DevSecOps scalable and effective."
+
+ - prompt: "Which tool would you use for managing secrets in a multi-cloud environment?"
+ options:
+ - "Trivy"
+ - "OWASP ZAP"
+ - "GitHub Actions"
+ - "HashiCorp Vault"
+ correct_index: 3
+ explanation: "HashiCorp Vault is designed for secure secrets management across multi-cloud setups."
+
+ - prompt: "True or False: Hardcoding secrets in your source code is a recommended best practice."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "Hardcoding secrets is a major security risk. Secrets should be injected securely at runtime."
+
+ - prompt: "What is the purpose of tools like OPA or Gatekeeper?"
+ options:
+ - "Secrets management"
+ - "Code compilation"
+ - "Policy enforcement in Kubernetes"
+ - "Logging configuration"
+ correct_index: 2
+ explanation: "OPA and Gatekeeper are used to define and enforce security policies in Kubernetes environments."
+
+ - prompt: "Which of the following tools provides runtime threat detection for containers?"
+ options:
+ - "Falco"
+ - "SonarQube"
+ - "Kube-bench"
+ - "Dependabot"
+ correct_index: 0
+ explanation: "Falco provides runtime threat detection specifically for containers."
\ No newline at end of file
diff --git a/_data/quizzes/topic6/chapter1.yml b/_data/quizzes/topic6/chapter1.yml
new file mode 100644
index 0000000..75ed5a7
--- /dev/null
+++ b/_data/quizzes/topic6/chapter1.yml
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "What is one major DevSecOps benefit for financial institutions?"
+ options:
+ - "Slower software releases for compliance checks"
+ - "Manual auditing of infrastructure"
+ - "Avoiding use of cloud environments"
+ - "Automated compliance reporting and early misconfiguration detection"
+ correct_index: 3
+ explanation: "DevSecOps enables automated compliance reporting and early detection of misconfigured services in finance."
+
+ - prompt: "How does DevSecOps benefit Tech & SaaS companies like GitHub and Netflix?"
+ options:
+ - "It reduces their need to monitor deployments"
+ - "It automates inline security scans during pull requests"
+ - "It allows skipping code reviews"
+ - "It replaces CI/CD pipelines with manual deployment"
+ correct_index: 1
+ explanation: "DevSecOps allows automated security scanning on pull requests, supporting fast and secure deployments."
+
+ - prompt: "True or False: DevSecOps helps healthtech apps encrypt data and monitor access patterns."
+ options:
+ - "True"
+ - "False"
+ correct_index: 0
+ explanation: "True. DevSecOps practices in healthcare include automatic encryption and anomaly detection to secure patient data."
+
+ - prompt: "What challenge does DevSecOps address in the retail industry?"
+ options:
+ - "Overstaffing during peak seasons"
+ - "Manual software patching"
+ - "Preventing data breaches during high-traffic events"
+ - "Avoiding cloud usage"
+ correct_index: 2
+ explanation: "Retailers use DevSecOps to proactively scan for risks and prevent breaches, especially during peak traffic."
+
+ - prompt: "What is a major DevSecOps benefit in pharmaceutical and R&D industries?"
+ options:
+ - "Securing data pipelines and enforcing role-based secrets management"
+ - "Rapid drug manufacturing"
+ - "Bypassing compliance to speed up innovation"
+ - "Avoiding use of encrypted storage"
+ correct_index: 0
+ explanation: "DevSecOps helps secure sensitive IP and research data through secrets management and encryption."
\ No newline at end of file
diff --git a/_data/quizzes/topic6/chapter2.yml b/_data/quizzes/topic6/chapter2.yml
new file mode 100644
index 0000000..3dc9a3e
--- /dev/null
+++ b/_data/quizzes/topic6/chapter2.yml
@@ -0,0 +1,43 @@
+questions:
+ - prompt: "What is the primary responsibility of a DevSecOps Engineer?"
+ options:
+ - "Manage customer support and incident tickets"
+ - "Handle only traditional IT operations"
+ - "Embed security into CI/CD workflows and help write secure code"
+ - "Develop mobile applications for enterprise use"
+ correct_index: 2
+ explanation: "DevSecOps Engineers focus on embedding security throughout the SDLC, especially in CI/CD pipelines."
+
+ - prompt: "Which skill is most relevant for a Security Automation Engineer?"
+ options:
+ - "Designing user interfaces"
+ - "Writing marketing content"
+ - "Automating access control and integrating with SIEM systems"
+ - "Building sales dashboards"
+ correct_index: 2
+ explanation: "Security Automation Engineers automate tasks like access control and integrate security tools with SIEMs."
+
+ - prompt: "True or False: Application Security Engineers are primarily focused on securing infrastructure, not code."
+ options:
+ - "True"
+ - "False"
+ correct_index: 1
+ explanation: "AppSec Engineers focus on the security of application code, performing code reviews and vulnerability scans."
+
+ - prompt: "Which of the following is NOT typically a responsibility of an Application Security Engineer?"
+ options:
+ - "Conducting threat modeling"
+ - "Performing SAST and DAST"
+ - "Educating developers on secure coding"
+ - "Managing cloud IAM policies"
+ correct_index: 3
+ explanation: "Managing IAM policies is a responsibility of Cloud Security Engineers, not AppSec Engineers."
+
+ - prompt: "What tool might a Cloud Security Engineer use to monitor for misconfigurations?"
+ options:
+ - "GitHub Copilot"
+ - "AWS GuardDuty"
+ - "Google Docs"
+ - "Wireshark"
+ correct_index: 1
+ explanation: "AWS GuardDuty is used to detect threats and misconfigurations in AWS cloud environments."
\ No newline at end of file
diff --git a/_includes/head_custom.html b/_includes/head_custom.html
index 3a75c49..543ff78 100644
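Review bot: The fifth question's explanation, `AWS GuardDuty is used to detect threats and misconfigurations in AWS cloud environments`, pairs the service with the wrong job: GuardDuty is Amazon's threat-detection service, analysing account and network activity for suspicious behaviour, while configuration-posture findings come from services such as AWS Config rules and Security Hub. Because the prompt asks which tool would be used `to monitor for misconfigurations`, the intended answer does not match the prompt as written. Either reword the prompt to ask about threat detection, or change the explanation to `AWS GuardDuty detects threats and suspicious activity in AWS accounts; configuration checks are typically done with AWS Config and Security Hub.` and pick an option that fits.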
--- a/_includes/head_custom.html +++ b/_includes/head_custom.html @@ -1,5 +1,6 @@ + \ No newline at end of file diff --git a/_includes/nav_buttons.html b/_includes/nav_buttons.html new file mode 100644 index 0000000..dfa8932 --- /dev/null +++ b/_includes/nav_buttons.html @@ -0,0 +1,20 @@ +{% assign nav = site.data.navigation %} +{% assign current = nil %} +{% assign index = 0 %} + +{% for item in nav %} + {% if page.url == item.url %} + {% assign current = item %} + {% assign index = forloop.index0 %} + {% endif %} +{% endfor %} + +
+ {% if nav[index-1] %} + ← {{ nav[index-1].title }} + {% endif %} + + {% if nav[index+1] %} + {{ nav[index+1].title }} → + {% endif %} +
diff --git a/_includes/nav_footer_custom.html b/_includes/nav_footer_custom.html index c215dc8..b4019d3 100644 --- a/_includes/nav_footer_custom.html +++ b/_includes/nav_footer_custom.html @@ -1,3 +1,113 @@ \ No newline at end of file + +
+ + + + +
+ +
+
+ + + + + +
+
+ This site uses a custom theme based on + Just the Docs. +
+ + + + + + + + + diff --git a/_includes/quiz.html b/_includes/quiz.html new file mode 100644 index 0000000..2364d45 --- /dev/null +++ b/_includes/quiz.html @@ -0,0 +1,37 @@ +

🧠 Knowledge Check

+

Answer the questions below to test your knowledge!

+ + + + +
+ {% for q in include.data.questions %} +
+

Q{{ forloop.index }}: {{ q.prompt }}

+ + {% for option in q.options %} + + {% endfor %} + + +
+ {% endfor %} + + + + + +
+ + + diff --git a/_layouts/custom.html b/_layouts/custom.html index 63d4e2d..c338f65 100644 --- a/_layouts/custom.html +++ b/_layouts/custom.html @@ -33,5 +33,18 @@ {% if site.mermaid %} {% include components/mermaid.html %} {% endif %} + + + + + + + + \ No newline at end of file diff --git a/_sass/custom/custom.scss b/_sass/custom/custom.scss index 1cfb8b6..bb7dfb1 100644 --- a/_sass/custom/custom.scss +++ b/_sass/custom/custom.scss @@ -6,6 +6,9 @@ $code-dot-size: 0.6rem; $code-dot-gap: 0.5rem; $dot-margin: 0; +@import "quiz"; +@import "light"; + @mixin light-syntax { --language-border-color: #ececec; --highlight-bg-color: #f6f8fa; @@ -19,7 +22,6 @@ $dot-margin: 0; --clipboard-checked-color: #43c743; } - .highlighter-rouge { @include light-syntax; color: var(--highlighter-rouge-color); @@ -249,7 +251,6 @@ div.highlighter-rouge > button, div.listingblock > div.content > button, figure. padding-top: 64px; flex: 1; min-width: 300px; - background-color: #fbfbfb; border-left: 1px solid #eeebee; h2 { @@ -403,8 +404,8 @@ div.highlighter-rouge > button, div.listingblock > div.content > button, figure. } .site-logo { - width: 30px; - height: 30px; + width: 60px; + height: 55px; } .site-nav-header { @@ -416,4 +417,17 @@ div.highlighter-rouge > button, div.listingblock > div.content > button, figure. font-weight: bold; font-size: 16px; } -} \ No newline at end of file +} + +// FONT SIZE ADJUSTER +.slider-container { + display: flex; + padding-top: 3rem; + justify-content: center; + align-items: center; +} + +.display-text { + text-align: center; + padding-top: 2rem; +} diff --git a/_sass/custom/dark.scss b/_sass/custom/dark.scss new file mode 100644 index 0000000..3ca510a --- /dev/null +++ b/_sass/custom/dark.scss 
@@ -0,0 +1,20 @@
+/* Dark Mode Colors */
+$color-scheme: dark;
+$body-background-color: $grey-dk-300;
+$body-heading-color: $grey-lt-000;
+$body-text-color: $grey-lt-300;
+$link-color: $blue-000;
+$nav-child-link-color: $grey-dk-000;
+$sidebar-color: $grey-dk-300;
+$base-button-color: $grey-dk-250;
+$btn-primary-color: $blue-200;
+$code-background-color: #31343f; /* OneDarkJekyll default for syntax-one-dark-vivid */
+$code-linenumber-color: #dee2f7; /* OneDarkJekyll .nf for syntax-one-dark-vivid */
+$feedback-color: darken($sidebar-color, 3%);
+$table-background-color: $grey-dk-250;
+$search-background-color: $grey-dk-250;
+$search-result-preview-color: $grey-dk-000;
+$border-color: $grey-dk-200;
+
+/* Syntax highlighting for code */
+@import "./vendor/OneDarkJekyll/syntax"; /* This is the one-dark-vivid atom syntax theme */
diff --git a/_sass/custom/layout.scss b/_sass/custom/layout.scss
new file mode 100644
index 0000000..66fb821
--- /dev/null
+++ b/_sass/custom/layout.scss
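Review bot: Every variable in this file is assigned unconditionally, while the sibling `light.scss` added in the same commit marks each of its assignments `!default`; the two palettes therefore behave differently when a project override is defined earlier in the import chain (the light values can be overridden, the dark ones silently win). If that asymmetry is unintended, append `!default` to the dark assignments as well, e.g. `$body-background-color: $grey-dk-300 !default;`. `$border-color` is also set here but not in `light.scss`, so the two files presumably do not cover the same variable set; worth confirming against the theme's variable list.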
@@ -0,0 +1,225 @@ +// The basic two column layout + +.side-bar { + z-index: 0; + display: flex; + flex-wrap: wrap; + background-color: $sidebar-color; + + @include mq(md) { + flex-flow: column nowrap; + position: fixed; + width: $nav-width-md; + height: 100%; + border-right: $border $border-color; + align-items: flex-end; + } + + @include mq(lg) { + width: calc((100% - #{$nav-width + $content-width}) / 2 + #{$nav-width}); + min-width: $nav-width; + } + + & + .main { + @include mq(md) { + margin-left: $nav-width-md; + } + + @include mq(lg) { + // stylelint-disable function-name-case + // disable for Max(), we want to use the CSS max() function + margin-left: Max( + #{$nav-width}, + calc((100% - #{$nav-width + $content-width}) / 2 + #{$nav-width}) + ); + // stylelint-enable function-name-case + } + + .main-header { + display: none; + background-color: $sidebar-color; + + @include mq(md) { + display: flex; + background-color: $body-background-color; + } + + &.nav-open { + display: block; + + @include mq(md) { + display: flex; + } + } + } + } + } + + .main { + margin: auto; + + @include mq(md) { + position: relative; + max-width: $content-width; + } + } + + .main-content-wrap { + padding-top: $gutter-spacing-sm; + padding-bottom: $gutter-spacing-sm; + + @include container; + + @include mq(md) { + padding-top: $gutter-spacing; + padding-bottom: $gutter-spacing; + } + } + + .main-header { + z-index: 0; + border-bottom: $border $border-color; + + @include mq(md) { + display: flex; + justify-content: space-between; + height: $header-height; + } + } + + .site-nav, + .site-header, + .site-footer { + width: 100%; + + @include mq(lg) { + width: $nav-width; + } + } + + .site-nav { + display: none; + + &.nav-open { + display: block; + } + + @include mq(md) { + display: block; + padding-top: $sp-8; + padding-bottom: $gutter-spacing-sm; + overflow-y: auto; + flex: 1 1 auto; + } + } + + .site-header { + display: flex; + min-height: $header-height; + align-items: center; + + 
@include mq(md) { + height: $header-height; + max-height: $header-height; + border-bottom: $border $border-color; + } + } + + .site-title { + flex-grow: 1; + display: flex; + height: 100%; + align-items: center; + padding-top: $sp-3; + padding-bottom: $sp-3; + color: $body-heading-color; + + @include container; + + @include fs-6; + + @include mq(md) { + padding-top: $sp-2; + padding-bottom: $sp-2; + } + } + + @if variable-exists(logo) { + .site-logo { + width: 100%; + height: 100%; + background-image: url($logo); + background-repeat: no-repeat; + background-position: left center; + background-size: contain; + } + } + + .site-button { + display: flex; + height: 100%; + padding: $gutter-spacing-sm; + align-items: center; + } + + @include mq(md) { + .site-header .site-button { + display: none; + } + } + + .site-title:hover { + background-image: linear-gradient( + -90deg, + rgba($feedback-color, 1) 0%, + rgba($feedback-color, 0.8) 80%, + rgba($feedback-color, 0) 100% + ); + } + + .site-button:hover { + background-image: linear-gradient( + -90deg, + rgba($feedback-color, 1) 0%, + rgba($feedback-color, 0.8) 100% + ); + } + + // stylelint-disable selector-max-type + + body { + position: relative; + padding-bottom: $sp-10; + overflow-y: scroll; + + @include mq(md) { + position: static; + padding-bottom: 0; + } + } + + // stylelint-enable selector-max-type + + .site-footer { + position: absolute; + bottom: 0; + left: 0; + padding-top: $sp-4; + padding-bottom: $sp-4; + color: $grey-dk-000; + + @include container; + + @include fs-2; + + @include mq(md) { + position: static; + justify-self: end; + } + } + + .icon { + width: $sp-5; + height: $sp-5; + color: $link-color; + } \ No newline at end of file diff --git a/_sass/custom/light.scss b/_sass/custom/light.scss new file mode 100644 index 0000000..a5f60c4 --- /dev/null +++ b/_sass/custom/light.scss 
@@ -0,0 +1,16 @@
+$color-scheme: light !default;
+$body-background-color: $white !default;
+$body-heading-color: $grey-dk-300 !default;
+$body-text-color: $grey-dk-100 !default;
+$link-color: $purple-000 !default;
+$nav-child-link-color: $grey-dk-100 !default;
+$sidebar-color: $grey-lt-000 !default;
+$base-button-color: #f7f7f7 !default;
+$btn-primary-color: $purple-100 !default;
+$code-background-color: $grey-lt-000 !default;
+$feedback-color: darken($sidebar-color, 3%) !default;
+$table-background-color: $white !default;
+$search-background-color: $white !default;
+$search-result-preview-color: $grey-dk-000 !default;
+
+@import "./vendor/OneLightJekyll/syntax";
\ No newline at end of file
diff --git a/_sass/custom/quiz.scss b/_sass/custom/quiz.scss
new file mode 100644
index 0000000..c3ad1eb
--- /dev/null
+++ b/_sass/custom/quiz.scss
@@ -0,0 +1,104 @@
+.quiz-form {
+ margin-top: 2rem;
+ padding: 1rem;
+ border: 2px solid #ccc;
+ border-radius: 10px;
+
+ .quiz-question {
+ margin-bottom: 1.5rem;
+ p {
+ font-weight: 600;
+ margin-bottom: 0.5rem;
+ }
+
+ label {
+ display: block;
+ margin: 1rem;
+ cursor: pointer;
+
+ input[type="radio"] {
+ margin-right: 0.5rem;
+ }
+ }
+
+ .quiz-feedback {
+ padding: 0.5rem;
+ margin-top: 0.5rem;
+ border-radius: 0.5rem;
+ font-weight: bold;
+
+ &.correct {
+ background-color: #d4edda;
+ color: #155724;
+ border: 1px solid #c3e6cb;
+ }
+
+ &.incorrect {
+ background-color: #f8d7da;
+ color: #721c24;
+ border: 1px solid #f5c6cb;
+ }
+
+ p#feedback-title {
+ margin-top: 0.5rem;
+ }
+ }
+ }
+
+ button {
+ margin-top: 0.5rem;
+ padding: 0.6rem 1.2rem;
+ background-color: #007acc;
+ color: white;
+ border: none;
+ border-radius: 6px;
+ cursor: pointer;
+
+ &:hover {
+ background-color: #005fa3;
+ }
+
+ &:disabled {
+ background-color: #cccccc;
+ color: #666666;
+ cursor: not-allowed;
+ opacity: 0.7;
+ }
+ }
+}
+
+.modal {
+ position: fixed;
+ z-index: 1000;
+ left: 0;
+ top: 0;
+ width: 100%;
+ height: 100%;
+ background-color: rgba(0, 0, 0, 0.5);
+ display: flex;
+ justify-content: center;
+ align-items: center;
+}
+
+.modal-content {
+ background: white;
+ padding: 20px 30px;
+ border-radius: 8px;
+ width: 300px;
+ max-width: 90%;
+ text-align: center;
+ position: relative;
+}
+
+.close {
+ position: absolute;
+ right: 10px;
+ top: 5px;
+ font-size: 24px;
+ cursor: pointer;
+ color: #555;
+}
+
+.close:hover {
+ color: black;
+}
\ No newline at end of file
diff --git a/assets/images/2.0logo.png b/assets/images/2.0logo.png
new file mode 100644
index 0000000..e8f965f
Binary files /dev/null and b/assets/images/2.0logo.png differ
diff --git a/assets/images/2.0logobig.png b/assets/images/2.0logobig.png
new file mode 100644
index 0000000..3086f83
Binary files /dev/null and b/assets/images/2.0logobig.png differ
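Review bot: The quiz styles hard-code their palette (`#ccc`, `white`, `#007acc`, the `#d4edda`/`#f8d7da` feedback colours, `background: white` on `.modal-content`) rather than using the theme variables the same commit introduces in `_sass/custom/light.scss` (`$body-background-color`, `$feedback-color`, `$link-color`, `$btn-primary-color`), so the form and modal would presumably keep light-scheme colours if the site is switched to another colour scheme. `.modal` is also always `display: flex` with no hidden state anywhere in this stylesheet, so its visibility must be toggled elsewhere (presumably by the quiz script); a comment such as `// Overlay visibility is toggled by the quiz script; this file styles only the open state` would make that dependency visible to the next maintainer. Finally, `p#feedback-title` ties the feedback paragraph to a single element ID, which breaks if more than one quiz is rendered on a page — a class selector such as `.quiz-feedback .feedback-title` keeps the rule per-form.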
diff --git a/assets/images/dark-font-size.png b/assets/images/dark-font-size.png new file mode 100644 index 0000000..95aaec9 Binary files /dev/null and b/assets/images/dark-font-size.png differ diff --git a/assets/images/favicon-32x32.png b/assets/images/favicon-32x32.png new file mode 100644 index 0000000..03ca373 Binary files /dev/null and b/assets/images/favicon-32x32.png differ diff --git a/assets/images/favicon.png b/assets/images/favicon.png new file mode 100644 index 0000000..172da5b Binary files /dev/null and b/assets/images/favicon.png differ diff --git a/assets/images/font-size.svg b/assets/images/font-size.svg new file mode 100644 index 0000000..3176482 --- /dev/null +++ b/assets/images/font-size.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/assets/images/light-font-size.png b/assets/images/light-font-size.png new file mode 100644 index 0000000..95aaec9 Binary files /dev/null and b/assets/images/light-font-size.png differ diff --git a/assets/images/light-font-size.svg b/assets/images/light-font-size.svg new file mode 100644 index 0000000..3176482 --- /dev/null +++ b/assets/images/light-font-size.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/assets/js/just-the-docs.js b/assets/js/just-the-docs.js new file mode 100644 index 0000000..2c8e94d --- /dev/null +++ b/assets/js/just-the-docs.js 
@@ -0,0 +1,618 @@ +--- +layout: null +--- +(function (jtd, undefined) { + +// Event handling + +jtd.addEvent = function(el, type, handler) { + if (el.attachEvent) el.attachEvent('on'+type, handler); else el.addEventListener(type, handler); +} +jtd.removeEvent = function(el, type, handler) { + if (el.detachEvent) el.detachEvent('on'+type, handler); else el.removeEventListener(type, handler); +} +jtd.onReady = function(ready) { + // in case the document is already rendered + if (document.readyState!='loading') ready(); + // modern browsers + else if (document.addEventListener) document.addEventListener('DOMContentLoaded', ready); + // IE <= 8 + else document.attachEvent('onreadystatechange', function(){ + if (document.readyState=='complete') ready(); + }); +} + +// Show/hide mobile menu + +function initNav() { + jtd.addEvent(document, 'click', function(e){ + var target = e.target; + while (target && !(target.classList && target.classList.contains('nav-list-expander'))) { + target = target.parentNode; + } + if (target) { + e.preventDefault(); + target.ariaPressed = target.parentNode.classList.toggle('active'); + } + }); + + const siteNav = document.getElementById('site-nav'); + const mainHeader = document.getElementById('main-header'); + const menuButton = document.getElementById('menu-button'); + + disableHeadStyleSheets(); + + jtd.addEvent(menuButton, 'click', function(e){ + e.preventDefault(); + + if (menuButton.classList.toggle('nav-open')) { + siteNav.classList.add('nav-open'); + mainHeader.classList.add('nav-open'); + menuButton.ariaPressed = true; + } else { + siteNav.classList.remove('nav-open'); + mainHeader.classList.remove('nav-open'); + menuButton.ariaPressed = false; + } + }); + + {%- if site.search_enabled != false and site.search.button %} + const searchInput = document.getElementById('search-input'); + const searchButton = document.getElementById('search-button'); + + jtd.addEvent(searchButton, 'click', function(e){ + e.preventDefault(); + + 
mainHeader.classList.add('nav-open'); + searchInput.focus(); + }); + {%- endif %} +} + +// The element is assumed to include the following stylesheets: +// - a to /assets/css/just-the-docs-head-nav.css, +// with id 'jtd-head-nav-stylesheet' +// - a +--> + + + + + + + + + + + + + + + + + + + + + + + + + +
CategoryDevOpsCICD
PurposeFacilitate collaboration and efficiency across the development lifecycle.Automate testing to ensure code compatibility.Automate deployment for seamless software releases.
Methods +
    +
  • Implement automation to streamline collaboration between development and operations teams.
  • +
  • Use infrastructure as code (IaC) to provision and manage infrastructure.
  • +
  • Integrate continuous feedback loops to gather insights from stakeholders and improve processes iteratively.
  • +
+
+
    +
  • Automate the build and testing process for every code change.
  • +
  • Identify integration issues early in the development lifecycle.
  • +
  • Support the principle of "fail fast" by providing rapid feedback to developers.
  • +
+
+
    +
  • Encompass both Continuous Integration and Continuous Deployment.
  • +
  • Automate the deployment process to production environments.
  • +
  • Enable organizations to release software updates quickly and reliably while minimizing risks.
  • +
+
Key Benefits +
    +
  • Promotes a culture of shared responsibility and accountability.
  • +
  • Emphasizes the importance of automating repetitive tasks to reduce manual errors and increase efficiency.
  • +
  • Focuses on delivering value to customers through rapid and iterative development cycles.
  • +
+
+
    +
  • Increases code quality by identifying issues early in the development process.
  • +
  • Speeds up the development cycle by automating build and testing processes.
  • +
  • Enables rapid feedback to developers for quick iterations.
  • +
+
+
    +
  • Accelerates time to market by automating deployment processes.
  • +
  • Minimizes risks associated with manual deployments.
  • +
  • Enhances overall software reliability and stability.
  • +
+
+ +--- + +{% include quiz.html + id="topic3-chapter2" + data=site.data.quizzes.topic3.chapter2 +%} + +--- + +### References +
+ Expand + 1. Ashtari, Hossein et al. “Key Differences between CI/CD and DevOps.” Spiceworks, www.spiceworks.com/tech/devops/articles/cicd-vs-devops/. Accessed 20 Feb. 2024.
+ 2. Ferringer, Megan. “Here’s the Difference between CI/CD and Devops-and How They Work Together to Drive Innovation.” Navisite, 2 Mar. 2023, www.navisite.com/blog/insights/ci-cd-vs-devops/.
+ 3. “What the Hell Are CI/CD and DevOps? A Cheatsheet for the Rest of Us.” Mind the Product, www.mindtheproduct.com/what-the-hell-are-ci-cd-and-devops-a-cheatsheet-for-the-rest-of-us/. Accessed 20 Feb. 2024.
+ 4. “The IDEAL & Practical CI / CD Pipeline - Concepts Overview.” YouTube, 17 Feb. 2022, www.youtube.com/watch?v=OPwU3UWCxhw.
+ 5. Morg, Brad. “How to Design a Modern CI/CD Pipeline.” YouTube, 17 Oct. 2023, www.youtube.com/watch?v=KnSBNd3b0qI.
+ 6. Morg, Brad. “How to Design a Deployment Pipeline (GitOps).” YouTube, 30 Oct. 2023, www.youtube.com/watch?v=pJ9f7w4AxtU.
+
+ +
+ ⬅️ Previous Chapter + Next Chapter ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-5-automation/index.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-3-automated-testing/index.md similarity index 92% rename from docs/course/topic-2-DevOps/chapter-5-automation/index.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-3-automated-testing/index.md index 0979ccd..99286e0 100644 --- a/docs/course/topic-2-DevOps/chapter-5-automation/index.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-3-automated-testing/index.md @@ -1,13 +1,15 @@ --- -title: Chapter 5 - Automated Tests +title: Chapter 3 - Automated Tests layout: custom -parent: Topic 2 - DevOps +parent: Topic 3 - DevSecOps Fundamentals has_children: false has_toc: false -nav_order: 5 +nav_order: 3 +topic: topic3 +chapter: chapter3 --- -# Automated Testing in CI/CD +# Chapter 3 - Automated Testing in CI/CD ## Importance of Automation in Testing 🧐 Imagine you are developing rapidly evolving software. As your product becomes more complex, ensuring that new features work correctly without breaking existing functionalities becomes challenging. @@ -87,6 +89,14 @@ Creating a robust automated testing framework involves several critical steps: Automated testing is a cornerstone of modern software development. By integrating effective automated tests into the CI/CD pipeline, teams can ensure that their software is not only functional but also meets quality standards before it reaches the end-user. Embracing these practices not only enhances product reliability but also empowers teams to innovate rapidly with confidence. +--- + +{% include quiz.html + id="topic3-chapter3" + data=site.data.quizzes.topic3.chapter3 +%} + +--- ### References
@@ -96,7 +106,7 @@ Automated testing is a cornerstone of modern software development. By integratin 3. “Automated Testing: The Cornerstone of CI/CD.” Written by Ferdinando Santacroce. Semaphore, 16 Mar. 2022, https://semaphoreci.com/blog/automated-testing-cicd.
- - - - +
+ ⬅️ Previous Chapter + Next Chapter ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-6-deployment/index.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/index.md similarity index 94% rename from docs/course/topic-2-DevOps/chapter-6-deployment/index.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/index.md index ce4878a..1d3dedf 100644 --- a/docs/course/topic-2-DevOps/chapter-6-deployment/index.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/index.md @@ -1,13 +1,15 @@ --- -title: Chapter 6 - Deployment +title: Chapter 4 - Deployment layout: custom -parent: Topic 2 - DevOps +parent: Topic 3 - DevSecOps Fundamentals has_toc: false has_children: true -nav_order: 6 +nav_order: 4 +topic: topic3 +chapter: chapter4 --- -# Introduction to Deployment +# Chapter 4 - Introduction to Deployment Transitioning from the exploration of DevOps and CI/CD, we now turn our attention to the critical phase of deployment. Deployment is where coding efforts from developers merge, and attempt to integrate into the existing software. With so many people making changes to the same product, there are bound to be inconsistencies and issues when pushing code. That is where deployment best practices within CI/CD come in. > **Problem Space** @@ -104,7 +106,14 @@ Deployment strategies are crucial for managing the transition of code from devel **Use Case**: Suitable for cloud-native applications where infrastructure can be easily replicated and managed as code. +--- + +{% include quiz.html + id="topic3-chapter4" + data=site.data.quizzes.topic3.chapter4 +%} +--- @@ -118,3 +127,8 @@ Deployment strategies are crucial for managing the transition of code from devel 5. Tremel, Etienne. “Six Strategies for Application Deployment.” The New Stack, 25 Mar. 2021, https://thenewstack.io/deployment-strategies/.
6. Using Blue-Green Deployment to Reduce Downtime | Cloud Foundry Docs, https://docs.cloudfoundry.org/devguide/deploy-apps/blue-green.html. Accessed 12 Apr. 2024.
+ +
+ ⬅️ Previous Chapter + Labs Overview ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-6-deployment/lab/deployment-lab-1.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/deployment-lab-1.md similarity index 96% rename from docs/course/topic-2-DevOps/chapter-6-deployment/lab/deployment-lab-1.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/deployment-lab-1.md index 5eda465..27ffb88 100644 --- a/docs/course/topic-2-DevOps/chapter-6-deployment/lab/deployment-lab-1.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/deployment-lab-1.md @@ -1,8 +1,8 @@ --- title: Lab 1. Configuring a Simple CI/CD Pipeline layout: custom -grand_parent: Topic 2 - DevOps -parent: Chapter 6 - Deployment +grand_parent: Topic 3 - DevSecOps Fundamentals +parent: Chapter 4 - Deployment nav_order: 2 --- **Estimated Time to Complete:** 60 minutes @@ -215,4 +215,9 @@ http://{public_ip}:{host_port} Replace `{public_ip}` with the public IP address, and `{host_port}` with the specific port number you've chosen during the deployment stage in the Jenkinsfile. {: .warning} -Don't forget to deactivate your VPN connection after you have completed the lab exercise! \ No newline at end of file +Don't forget to deactivate your VPN connection after you have completed the lab exercise! + +
+ ⬅️ Labs Overview + Next Chapter ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-6-deployment/lab/imgs/jenkins-login.png b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/imgs/jenkins-login.png similarity index 100% rename from docs/course/topic-2-DevOps/chapter-6-deployment/lab/imgs/jenkins-login.png rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/imgs/jenkins-login.png diff --git a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/imgs/wireguard.png b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/imgs/wireguard.png similarity index 100% rename from docs/course/topic-2-DevOps/chapter-3-containerization/lab/imgs/wireguard.png rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/imgs/wireguard.png diff --git a/docs/course/topic-2-DevOps/chapter-6-deployment/lab/overview.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/overview.md similarity index 85% rename from docs/course/topic-2-DevOps/chapter-6-deployment/lab/overview.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/overview.md index d2fb8e6..1dc1476 100644 --- a/docs/course/topic-2-DevOps/chapter-6-deployment/lab/overview.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-4-deployment/lab/overview.md @@ -1,8 +1,8 @@ --- title: Labs Overview layout: custom -grand_parent: Topic 2 - DevOps -parent: Chapter 6 - Deployment +grand_parent: Topic 3 - DevSecOps Fundamentals +parent: Chapter 4 - Deployment nav_order: 1 --- @@ -33,3 +33,8 @@ Before you begin this lab, ensure you have the following tools installed and rea Below are the skills and knowledge expected to successfully complete the lab exercises: - Basic Understanding of CI/CD Concepts - Basic Docker Fundamentals: Building, Pushing, Pulling, and Running an image. + +
+ ⬅️ Previous Chapter + Lab 1 ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-4-webhooks/index.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-5-webhooks/index.md similarity index 83% rename from docs/course/topic-2-DevOps/chapter-4-webhooks/index.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-5-webhooks/index.md index 877ec53..9f13670 100644 --- a/docs/course/topic-2-DevOps/chapter-4-webhooks/index.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-5-webhooks/index.md @@ -1,13 +1,15 @@ --- -title: Chapter 4 - Webhooks +title: Chapter 5 - Webhooks layout: custom -parent: Topic 2 - DevOps +parent: Topic 3 - DevSecOps Fundamentals has_toc: false -nav_order: 4 +nav_order: 5 +topic: topic3 +chapter: chapter5 --- -## Utilizing Web Hooks for Continuous Integration -### What is a Web Hook? +# Chapter 5 - Utilizing Web Hooks for Continuous Integration +## What is a Web Hook? When deploying code, you want to make sure it is automatically running through several relevant tests without you triggering them every single time. A webhook is like a notification for your CI/CD tests, that you have done something with your code. To set up a webhook, you first need to define rules that it follows: 1. **Choose Trigger Events:** During the webhook setup process in GitHub, you specify which events will trigger the webhook. This could be a variety of actions, such as: @@ -27,6 +29,13 @@ Then, once you want to make a change, the following happens: 2. **GitHub sends a webhook** - Because of the rule you set up, GitHub notifies your CI/CD tool that something happened (like a code push). 3. **CI/CD tool starts tests** - The CI/CD tool, now informed by the webhook, starts running the tests or actions you've configured it to perform upon receiving such a notification. +--- + +{% include quiz.html + id="topic3-chapter5" + data=site.data.quizzes.topic3.chapter5 +%} + ### References
Expand @@ -35,3 +44,8 @@ Then, once you want to make a change, the following happens: 3. “What Is a Webhook? Webhooks for Beginners.” YouTube, YouTube, 30 Nov. 2021, https://www.youtube.com/watch?v=mrkQ5iLb4DM.
4. “What Is a Webhook?” Red Hat - We Make Open Source Technologies for the Enterprise, https://www.redhat.com/en/topics/automation/what-is-a-webhook. Accessed 11 Apr. 2024.
+ +
+ ⬅️ Lab 1 + Next Chapter ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-3-containerization/index.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/index.md similarity index 94% rename from docs/course/topic-2-DevOps/chapter-3-containerization/index.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/index.md index ffcd8ee..e4a5e17 100644 --- a/docs/course/topic-2-DevOps/chapter-3-containerization/index.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/index.md @@ -1,13 +1,15 @@ --- -title: Chapter 3 - Containerization +title: Chapter 6 - Containerization layout: custom -parent: Topic 2 - DevOps +parent: Topic 3 - DevSecOps Fundamentals has_children: true has_toc: false -nav_order: 3 +nav_order: 6 +topic: topic3 +chapter: chapter6 --- -## Definition of Containerization +# Chapter 6 - Definition of Containerization **Containerization in cloud computing is a method of packaging, distributing, and running applications using containers. A *container* is a:** - Standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably in different computing environments @@ -75,7 +77,13 @@ So, while an "artifact" is a product of the software development process, "Artif {: .lab} [Lab 2 - Accessing Corporate Network and AWS ECR](./lab/containerization-lab-2.html){: .btn .btn-purple .btn-fill } +--- +{% include quiz.html + id="topic3-chapter6" + data=site.data.quizzes.topic3.chapter6 +%} +--- @@ -91,4 +99,7 @@ So, while an "artifact" is a product of the software development process, "Artif **5.** "Azure Container Registry between Artifactory: Exploring the Differences", *LevInfo*, [https://ievinfo.com/azure-container-registry-between-artifactory-differenc/](https://ievinfo.com/azure-container-registry-between-artifactory-differenc/). Accessed 20 Feb. 2024. - +
+ ⬅️ Previous Chapter + Labs Overview ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/containerization-lab-1.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/containerization-lab-1.md similarity index 96% rename from docs/course/topic-2-DevOps/chapter-3-containerization/lab/containerization-lab-1.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/containerization-lab-1.md index 1662012..f7ee32b 100644 --- a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/containerization-lab-1.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/containerization-lab-1.md @@ -1,8 +1,8 @@ --- layout: custom title: Lab 1. Containerizing a React Application -grand_parent: Topic 2 - DevOps -parent: Chapter 3 - Containerization +grand_parent: Topic 3 - DevSecOps Fundamentals +parent: Chapter 6 - Containerization nav_order: 2 --- # Lab 1 - Containerizing a React Application @@ -217,4 +217,9 @@ This command prints system information about the Linux kernel, which should be d You can explore further by listing the files in the current directory `ls` or checking the environment variables `env`. -When you're done, simply type `exit` or press `Ctrl + C` to leave the container shell. \ No newline at end of file +When you're done, simply type `exit` or press `Ctrl + C` to leave the container shell. + +
+ ⬅️ Labs Overview + Lab 2 ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/containerization-lab-2.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/containerization-lab-2.md similarity index 94% rename from docs/course/topic-2-DevOps/chapter-3-containerization/lab/containerization-lab-2.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/containerization-lab-2.md index cf059df..c2e591d 100644 --- a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/containerization-lab-2.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/containerization-lab-2.md @@ -1,8 +1,8 @@ --- layout: custom title: Lab 2. Accessing Corporate Network and AWS ECR -grand_parent: Topic 2 - DevOps -parent: Chapter 3 - Containerization +grand_parent: Topic 3 - DevSecOps Fundamentals +parent: Chapter 6 - Containerization nav_order: 3 --- # Lab 2 - Accessing Corporate Network and AWS ECR @@ -119,4 +119,9 @@ docker images After pulling the image, run it locally to see the application your classmate developed! {: .warning} -Don't forget to deactivate your VPN connection after you have completed the lab exercise! \ No newline at end of file +Don't forget to deactivate your VPN connection after you have completed the lab exercise! + +
+ ⬅️ Lab 1 + Topic 4 ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/imgs/clone.png b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/imgs/clone.png similarity index 100% rename from docs/course/topic-2-DevOps/chapter-3-containerization/lab/imgs/clone.png rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/imgs/clone.png diff --git a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/imgs/dashboard.png b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/imgs/dashboard.png similarity index 100% rename from docs/course/topic-2-DevOps/chapter-3-containerization/lab/imgs/dashboard.png rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/imgs/dashboard.png diff --git a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/imgs/fork.png b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/imgs/fork.png similarity index 100% rename from docs/course/topic-2-DevOps/chapter-3-containerization/lab/imgs/fork.png rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/imgs/fork.png diff --git a/docs/course/topic-2-DevOps/chapter-6-deployment/lab/imgs/wireguard.png b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/imgs/wireguard.png similarity index 100% rename from docs/course/topic-2-DevOps/chapter-6-deployment/lab/imgs/wireguard.png rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/imgs/wireguard.png diff --git a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/overview.md b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/overview.md similarity index 88% rename from docs/course/topic-2-DevOps/chapter-3-containerization/lab/overview.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/overview.md index 8598680..27f532a 100644 
--- a/docs/course/topic-2-DevOps/chapter-3-containerization/lab/overview.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/chapter-6-containerization/lab/overview.md @@ -1,8 +1,8 @@ --- title: Labs Overview layout: custom -grand_parent: Topic 2 - DevOps -parent: Chapter 3 - Containerization +grand_parent: Topic 3 - DevSecOps Fundamentals +parent: Chapter 6 - Containerization nav_order: 1 --- @@ -35,3 +35,8 @@ Below are the skills and knowledge expected to successfully complete the lab exe - Basic command-line operations: You are comfortable navigating and executing commands in a terminal. - Basic Git operations: cloning, forking, committing, pushing. - Basic React knowledge: You understand how to run a React application locally + +
+ ⬅️ Previous Chapter + Lab 1 ➡️ +
\ No newline at end of file diff --git a/docs/course/topic-2-DevOps/index.md b/docs/course/Topic-3-DevSecOp-Fundamentals/index.md similarity index 51% rename from docs/course/topic-2-DevOps/index.md rename to docs/course/Topic-3-DevSecOp-Fundamentals/index.md index f740141..d8f93a1 100644 --- a/docs/course/topic-2-DevOps/index.md +++ b/docs/course/Topic-3-DevSecOp-Fundamentals/index.md @@ -1,19 +1,23 @@ --- -title: Topic 2 - DevOps +title: Topic 3 - DevSecOps Fundamentals layout: custom has_children: true has_toc: false -nav_order: 4 +nav_order: 5 --- -# Topic 2 - Development & Operations (DevOps) +# Topic 3 - DevSecOps Fundamentals | Chapter | Learning Objectives | Lab Description | |---------|---------------------|-----------------| -| Chapter 1: Intro to DevOps | - Define DevOps and explore its challenges and benefits
- Discuss roles in Development and Operations and the DevOps lifecycle | | -| Chapter 2: Intro to CI/CD | - Explain CI/CD within the DevOps framework
- Discuss CI/CD lifecycle, benefits, and methods | | -| Chapter 3: Containerization | - Define containerization and its advantages in cloud computing
- Explore Kubernetes and microservices architectures
- Learn about container application consistency | **Lab 1: Containerizing a React Application**
- Create and run a Docker image of a React application
- Interact with a running Docker container
**Lab 2: Accessing Corporate Network and AWS ECR**
- Establish a VPN and use AWS IAM credentials to authenticate and push Docker images to AWS ECR | -| Chapter 4: Webhooks | - Discuss the role and setup of webhooks in CI/CD automation
- Explore webhook triggers and their applications | | -| Chapter 5: Automated Tests | - Outline the role of automated testing in CI/CD
- Discuss strategies and integration into the pipeline | | -| Chapter 6: Deployment | - Define deployment environments and strategies
- Explore deployment challenges in large-scale environments | **Lab: Configuring a Simple Jenkins Pipeline**
- Automate a Dockerized application deployment using Jenkins
- Create and configure a Jenkins pipeline with webhooks | +| Chapter 1: DevSecOps | - Define DevSecOps
- Understand Why Implement
- Understand Shift Left/Right Testing
- Learn about Related Tools and Technologies | | +| Chapter 2: CI/CID Fundamentals | - Explain CI/CD within the DevOps framework
- Discuss CI/CD lifecycle, benefits, and methods | | +| Chapter 3: Automated Tests | - Outline the role of automated testing in CI/CD
- Discuss strategies and integration into the pipeline | | +| Chapter 4: Deployment | - Define deployment environments and strategies
- Explore deployment challenges in large-scale environments | **Lab: Configuring a Simple Jenkins Pipeline**
- Automate a Dockerized application deployment using Jenkins
- Create and configure a Jenkins pipeline with webhooks | +| Chapter 5: Webhooks | - Discuss the role and setup of webhooks in CI/CD automation
- Explore webhook triggers and their applications | | +| Chapter 6: Containerization | - Define containerization and its advantages in cloud computing
- Explore Kubernetes and microservices architectures
- Learn about container application consistency | **Lab 1: Containerizing a React Application**
- Create and run a Docker image of a React application
- Interact with a running Docker container
**Lab 2: Accessing Corporate Network and AWS ECR**
- Establish a VPN and use AWS IAM credentials to authenticate and push Docker images to AWS ECR | +
+ ⬅️ Previous Chapter + Next Chapter ➡️ +
\ No newline at end of file diff --git a/docs/course/Topic-4-Security/chapter-1-intro-to-cybersecurity/index.md b/docs/course/Topic-4-Security/chapter-1-intro-to-cybersecurity/index.md new file mode 100644 index 0000000..03d4abe --- /dev/null +++ b/docs/course/Topic-4-Security/chapter-1-intro-to-cybersecurity/index.md 
@@ -0,0 +1,76 @@
+---
+title: Chapter 1 - Intro to Cybersecurity
+layout: custom
+parent: Topic 4 - Cybersecurity
+has_toc: false
+nav_order: 1
+topic: topic4
+chapter: chapter1
+---
+
+# Chapter 1 - Cybersecurity Fundamentals
+
+In today’s world, software is constantly exposed to threats that can cause:
+
+- System downtime
+- Data theft
+- Business operation disruptions
+
+**Cybersecurity** is the practice of protecting digital assets—such as systems, networks, and applications—from malicious cyberattacks.
+
+---
+
+## The CIA Triad
+
+The **CIA Triad** is a foundational model used to evaluate risks and protect assets.
+
+**CIA = Confidentiality, Integrity, Availability**
+
+- **Confidentiality**: Ensures only authorized users can access data or systems
+- **Integrity**: Ensures data is accurate and hasn't been modified by unauthorized users
+- **Availability**: Ensures information and systems are accessible when needed
+
+*Alt text: Image of triangle with the words "Confidentiality," "Integrity," and "Availability" in each corner*
+
+---
+
+## Key Cybersecurity Terms
+
+| Term | Definition | Example |
+|-----------------|-------------------------------------------------------------|-----------------------------------------------------------------|
+| **Vulnerability** | A flaw or weakness in software, hardware, or systems | A spare key hidden under a doormat |
+| **Threat Actor** | An individual or group that intentionally exploits weaknesses | A burglar trying to break into a house |
+| **Exploit** | The method used to take advantage of a vulnerability | The burglar uses the spare key to open the door |
+| **Payload** | The malicious code or executable used in the attack | The burglar enters and steals valuables |
+| **Risk** | The likelihood and severity of a bad event occurring | The chance the burglar finds the key, breaks in, and steals valuables |
+
+*Alt text: Image showing "Probability of Occurrence × Severity = Risk"*
+[Source: Koven Innovation 
Blog](https://www.koveninnovation.com/blog/iso14971-the-ultimate-guide-to-risk-management-in-medical-devices.html)
+
+---
+
+## Summary
+
+A company with poor security practices is at **greater risk** of:
+
+- A **threat actor** finding a **vulnerability**
+- Using an **exploit**
+- Delivering a **malicious payload**
+
+These actions can result in **unauthorized access**, data breaches, or serious damage to systems and business operations.
+
+Protect your systems by understanding and addressing these cybersecurity fundamentals.
+
+---
+
+{% include quiz.html
+ id="topic4-chapter1"
+ data=site.data.quizzes.topic4.chapter1
+%}
+
+---
+
+
+ ⬅️ Chapter 4 Overview + Next Chapter ➡️ +
\ No newline at end of file
diff --git a/docs/course/Topic-4-Security/chapter-2-security-risks-and-vulnerabilities/index.md b/docs/course/Topic-4-Security/chapter-2-security-risks-and-vulnerabilities/index.md
new file mode 100644
index 0000000..0cc4aef
--- /dev/null
+++ b/docs/course/Topic-4-Security/chapter-2-security-risks-and-vulnerabilities/index.md
@@ -0,0 +1,56 @@
+---
+title: Chapter 2 - Security Risks and Vulnerabilities in the SDLC
+layout: custom
+parent: Topic 4 - Cybersecurity
+has_toc: false
+nav_order: 2
+topic: topic4
+chapter: chapter2
+---
+
+# Chapter 2 - Security Risks and Vulnerabilities in the SDLC
+## Understanding Software Vulnerabilities in the SDLC
+
+To understand how to protect software by integrating security into every step of the SDLC, it is vital to first understand what makes software vulnerable.
+
+---
+
+## Causes of Common Vulnerabilities
+
+| **Risk** | **Definition** | **Example Mitigation Strategy** |
+|----------------------------------|--------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
+| **Improper Access Control** | Users can access data or systems they shouldn’t be allowed to | Role Based Access Controls |
+| **Injections** | User input sends malicious code into system | Sanitize user input |
+| **SQL Injections** | User inputted malicious SQL queries that are used to gain manipulate the database | Parameterized queries and prepared statements to validate user input |
+| **Cross-Site Scripting (XSS)** | Injection of malicious scripts into websites usually using JavaScript | Use output encoding when displaying user input on a web page |
+| **Cryptographic Risks** | Weak or outdated data encryption | Modern encryption methods |
+| **Improper Authentication** | Weak or outdated login systems | Requiring Multi-factor Authentication (MFA) |
+| **Insufficient Logging and Monitoring** | Weak identification and alerting of suspicious activity in a system | Regular log reviews and real-time alerts of suspicious network and system activity |
+| **Misconfiguration** | Systems are set up incorrectly | Automated scanning and testing tools and have a separate dev and production project to ensure no misconfigurations are live |
+
+---
+
+{% include quiz.html 
+ id="topic4-chapter2"
+ data=site.data.quizzes.topic4.chapter2
+%}
+
+---
+
+## Resources for Further Information
+
+- **OWASP Top Ten**: List of the ten most critical security risks to a web application
+ [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/)
+
+- **Common Vulnerabilities and Exposures (CVE)**: Public database of all known software vulnerabilities
+ [https://www.cve.org/](https://www.cve.org/)
+
+- **CISA’s Known Exploited Vulnerabilities**: The US government catalog of real-world cyber attacks
+ [https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
+
+---
+
+
+ ⬅️ Previous Chapter + Next Chapter ➡️ +
\ No newline at end of file
diff --git a/docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/index.md b/docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/index.md
similarity index 94%
rename from docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/index.md
rename to docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/index.md
index cf2ce22..512862c 100644
--- a/docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/index.md
+++ b/docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/index.md
@@ -1,13 +1,15 @@ --- -title: Chapter 2 - Security Checks in CI/CD +title: Chapter 3 - Security Checks in CI/CD layout: custom -parent: Topic 3 - DevSecOps -has_children: true +parent: Topic 4 - Cybersecurity +has_children: false has_toc: false -nav_order: 2 +nav_order: 3 +topic: topic4 +chapter: chapter3 --- -# Chapter 2 - Security Checks in CD/CD +# Chapter 3 - Security Checks in CD/CD ## The Importance of Security Checks in Each Stage of The Pipeline
@@ -137,6 +139,15 @@ Vulnerability scanning in a CI/CD pipeline refers to the automated process of id There are countless variations of vulnerability scanners out there and are constantly being innovated. Every software team should take throrough time to research and test as many tools as possible within their budget and timeline to ensure their pipeline is fully covered. +--- + +{% include quiz.html + id="topic4-chapter3" + data=site.data.quizzes.topic4.chapter3 +%} + +--- + +### References
@@ -156,3 +167,7 @@ There are countless variations of vulnerability scanners out there and are const **8.** "What is Fortify and How it works? An Overview and Its Use Cases" *DevOps School*, [Link](https://www.devopsschool.com/blog/what-is-fortify-and-how-it-works-an-overview-and-its-use-cases/). Accessed 9 Apr. 2024. +
+ ⬅️ Previous Chapter + Topic 5 ➡️ +
\ No newline at end of file
diff --git a/docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/lab/devsecops-lab-1.md b/docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/lab/devsecops-lab-1.md
similarity index 69%
rename from docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/lab/devsecops-lab-1.md
rename to docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/lab/devsecops-lab-1.md
index f047f05..53aa5ca 100644
--- a/docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/lab/devsecops-lab-1.md
+++ b/docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/lab/devsecops-lab-1.md
@@ -1,9 +1,9 @@ --- layout: custom title: Lab 1. Securing a Vulnerable Application -grand_parent: Topic 3 - DevSecOps -parent: Chapter 2 - Security Checks in CI/CD -nav_order: 2 +grand_parent: Topic 4 - Cybersecurity +parent: Chapter 3 - Security Checks in CI/CD +nav_order: --- # Lab - Securing a Vulnerable Application **Estimated Time to Complete:** 30-45 minutes
diff --git a/docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/lab/overview.md b/docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/lab/overview.md
similarity index 96%
rename from docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/lab/overview.md
rename to docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/lab/overview.md
index d570788..1ea3eb1 100644
--- a/docs/course/topic-3-devsecops/chapter-2-security-checks-in-CICD/lab/overview.md
+++ b/docs/course/Topic-4-Security/chapter-3-security-checks-in-CICD/lab/overview.md
@@ -1,8 +1,8 @@ --- title: Labs Overview layout: custom -grand_parent: Topic 3 - DevSecOps -parent: Chapter 2 - Security Checks in CI/CD +grand_parent: Topic 4 - Cybersecurity +parent: Chapter 3 - Security Checks in CI/CD nav_order: 1 ---
diff --git a/docs/course/Topic-4-Security/index.md b/docs/course/Topic-4-Security/index.md
new file mode 100644
index 0000000..0b60238
--- /dev/null
+++ b/docs/course/Topic-4-Security/index.md
@@ -0,0 +1,20 @@
+---
+title: Topic 4 - Cybersecurity
+layout: custom
+has_children: true
+has_toc: false
+nav_order: 6
+---
+
+# Topic 4 - Cybersecurity
+
+| Chapter | Learning Objectives | Lab Description |
+|---------|---------------------|-----------------|
+| Chapter 1: Intro to Cybersecurity | - Understand what cybersecurity is
- Define key terms related to cybersecurity
Know what the cybersecurity CIA triad is
| |
+| Chapter 2: Vulnerabilities and Risk | - Understand common vulnerabilities in the SDLC
||
+| Chapter 3: Security Checks in CI/CD | - Understand important of security checks in each stage of the pipeline
- Discuss SAST vs DAST and their pros/cons
- Learn about vulnerability scanning and prominent tools in industry today | **Lab: Securing a Vulnerable Application**
- Fix security vulnerabilities flagged by security checkpoints within a CI/CD pipeline. |
+
+
+ ⬅️ Previous Chapter + Next Chapter ➡️ +
\ No newline at end of file
diff --git a/docs/course/Topic-5-Cloud/chapter-1-Intro-to-Cloud/index.md b/docs/course/Topic-5-Cloud/chapter-1-Intro-to-Cloud/index.md
new file mode 100644
index 0000000..86fcdcd
--- /dev/null
+++ b/docs/course/Topic-5-Cloud/chapter-1-Intro-to-Cloud/index.md
@@ -0,0 +1,126 @@
+---
+title: Chapter 1 - Intro to Cloud
+layout: custom
+parent: Topic 5 - Cloud
+has_toc: false
+nav_order: 1
+topic: topic5
+chapter: chapter1
+---
+# Chapter 1 - Introduction to Cloud
+
+The cloud has become the foundation upon which DevSecOps practices are built. From scalable infrastructure to rapid deployment capabilities, understanding the cloud is key to implementing secure, efficient pipelines.
+
+---
+
+## What is Cloud Computing?
+
+Imagine needing a powerful computer to test your code, store large amounts of data, or run an app for millions of users. Instead of buying expensive hardware, you rent what you need—on demand, from someone else’s infrastructure. That, in essence, is cloud computing.
+
+Cloud computing provides on-demand access to computing resources—like servers, storage, and networking—delivered over the internet. Instead of managing physical hardware, teams can scale up or down their computing needs quickly and cost-effectively.
+
+> **NIST Definition**: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources."
+
+---
+
+## Key Benefits
+
+- **Scalability**: Adjust resources based on demand
+- **Cost efficiency**: Pay only for what you use
+- **Speed**: Rapid provisioning of infrastructure
+- **Accessibility**: Work from anywhere
+
+---
+
+## Example Scenario
+
+Ani is building a web app that lets users upload and edit videos. She needs a way to store large video files, process them quickly, and make the app available globally. Instead of setting up servers herself, Ani uses Amazon Web Services (AWS) to host her application, run processing jobs, and store videos in the cloud. The cloud lets her focus on building features—not managing hardware.
+
+---
+
+## Cloud Service Models
+
+Cloud services fall into three main categories. Think of them as layers of abstraction that handle more and more of the infrastructure for you:
+
+### 1. 
IaaS – Infrastructure as a Service
+You rent virtual machines, storage, and networking. You manage the OS and software.
+**Examples**: AWS EC2, Microsoft Azure Virtual Machines
+
+### 2. PaaS – Platform as a Service
+You build apps on top of a managed platform. The provider handles the OS, runtime, and infrastructure.
+**Examples**: Heroku, Google App Engine
+
+### 3. SaaS – Software as a Service
+You use the software over the internet without worrying about how it runs.
+**Examples**: Google Workspace, GitHub
+
+![Cloud Service Models](../../../../images/introtocloudcapstone.png)
+
+
+---
+
+## Cloud Deployment Models
+
+Different organizations use the cloud in different ways depending on their needs, size, and security posture.
+
+- **Public Cloud**
+ Services offered over the internet and shared across organizations.
+ *Examples*: AWS, Azure, GCP
+ *Use Case*: Startups, scalable applications
+
+- **Private Cloud**
+ Cloud environment dedicated to a single organization.
+ *Use Case*: Healthcare, financial institutions
+
+- **Hybrid Cloud**
+ Mix of public and private clouds.
+ *Use Case*: Enterprises with legacy systems
+
+- **Multi-Cloud**
+ Using services from multiple cloud providers.
+ *Use Case*: Large enterprises avoiding vendor lock-in
+
+---
+
+## Cloud Security Fundamentals
+
+Security in the cloud is a shared responsibility between the cloud provider and the customer.
+
+### Shared Responsibility Model
+
+- **Provider**: Security *of* the cloud (hardware, infrastructure, etc.)
+- **Customer**: Security *in* the cloud (data, apps, IAM)
+
+### Key Concepts
+
+- **IAM (Identity & Access Management)**: Control who can access what, and what actions they can take
+- **Encryption**: Protect data in transit and at rest
+- **Logging & Monitoring**: Track system activity for threats and auditing
+
+---
+
+## Summary
+
+Cloud computing is the backbone of modern DevSecOps. It allows teams to innovate quickly, deploy securely, and scale easily. 
From choosing the right service model to understanding your security responsibilities, cloud knowledge is essential for any DevSecOps practitioner.
+
+---
+
+{% include quiz.html
+ id="topic5-chapter1"
+ data=site.data.quizzes.topic5.chapter1
+%}
+
+---
+
+## Resources
+
+- [Google Cloud Security Overview](https://cloud.google.com/blog/topics/developers-practitioners/google-cloud-security-overview)
+- [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/)
+- [Azure Cloud Adoption Framework](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/)
+- [NIST SP 800-145](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf)
+- [IBM – What is Cloud Computing](https://www.ibm.com/think/topics/cloud-computing)
+
+
+ ⬅️ Chapter 5 Overview + Next Chapter ➡️ +
\ No newline at end of file
diff --git a/docs/course/Topic-5-Cloud/chapter-2-cloud-in-devsecops/index.md b/docs/course/Topic-5-Cloud/chapter-2-cloud-in-devsecops/index.md
new file mode 100644
index 0000000..fd28845
--- /dev/null
+++ b/docs/course/Topic-5-Cloud/chapter-2-cloud-in-devsecops/index.md
@@ -0,0 +1,129 @@
+---
+title: Chapter 2 - Cloud in DevSecOps
+layout: custom
+parent: Topic 5 - Cloud
+has_toc: false
+nav_order: 2
+topic: topic5
+chapter: chapter2
+---
+
+# Chapter 2 - Cloud-Native DevSecOps
+
+DevSecOps is about integrating security into every part of the software development lifecycle. When you move to the cloud, it transforms how you build, test, deploy, and secure applications. Cloud-native DevSecOps means adapting security practices to the flexibility, speed, and scale the cloud offers.
+
+Instead of securing systems after they're built, teams using the cloud embed security into their continuous integration and continuous delivery (CI/CD) pipelines. The cloud enables:
+
+- Faster feedback loops
+- Automated security checks
+- Easier compliance management
+
+---
+
+## Key Cloud Concepts for DevSecOps
+
+Here are the fundamental concepts every DevSecOps engineer needs to understand when working with the cloud:
+
+### Infrastructure as Code (IaC)
+
+Instead of manually configuring servers and networks, you write code to provision and manage infrastructure. This makes it easier to review, audit, and secure environments.
+
+**Examples:**
+
+- AWS CloudFormation
+- Terraform
+- Azure Resource Manager (ARM) templates
+
+---
+
+### Immutable Infrastructure
+
+In traditional systems, servers are updated and patched manually. In cloud DevSecOps, servers are often replaced instead of updated. This reduces configuration drift and security risks.
+
+**Example:**
+Deploying new Amazon EC2 instances from an updated AMI rather than patching existing instances.
+
+---
+
+### Security as Code
+
+Security policies (firewall rules, IAM permissions, encryption settings) are defined and managed as code. This allows you to version, review, and automate security just like application code.
+
+---
+
+### Microservices and Serverless
+
+Cloud-native architectures break applications into small, independent services that communicate over APIs. 
Serverless computing lets you run functions without managing servers.
+
+**Security Implications:**
+
+- More endpoints to protect (API security is critical)
+- Function isolation and permission scoping are necessary
+- Identity and access management becomes even more important
+
+---
+
+### The Shared Responsibility Model
+
+Understanding who is responsible for what is critical in cloud environments.
+See: [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/)
+
+---
+
+## Common Cloud Security Practices in DevSecOps
+
+- **Use Identity Federation**: Centralize user access management through secure identity providers.
+- **Encrypt Everything**: Encrypt data at rest and in transit by default.
+- **Shift Security Left**: Integrate security testing (e.g., SAST, DAST) early in the development cycle.
+- **Implement Zero Trust Principles**: Verify every access attempt, regardless of source.
+- **Use Container Security Tools**: Scan container images before deployment (e.g., Trivy, AWS ECR scanning).
+- **Continuous Compliance Monitoring**: Automate checks for frameworks like SOC2, GDPR, HIPAA using cloud-native tools (e.g., AWS Config, Azure Policy).
+
+---
+
+## Example Scenario: DevSecOps in the Cloud
+
+**Pat is building a fintech app that processes sensitive financial data.**
+She uses AWS to deploy her app and sets up the following:
+
+- **Infrastructure as Code** with Terraform
+- **CI pipelines** that run security tests (SAST, dependency checks)
+- **Encryption** for all stored data in Amazon S3 buckets
+- **Fine-grained IAM Roles** for different microservices
+- **Automated Compliance Reports** using AWS Security Hub
+
+Thanks to the cloud, Pat’s team can deploy updates daily, automate security, and scale globally—all while maintaining strong security standards.
+
+---
+
+## Summary
+
+The cloud has revolutionized DevSecOps by making it easier to automate, secure, and scale applications. 
However, it introduces new challenges:
+
+- Shared responsibility
+- Infrastructure complexity
+- Constant vigilance required
+
+Mastering cloud-native DevSecOps practices ensures that security is not a bottleneck—but an enabler for innovation.
+
+---
+
+{% include quiz.html
+ id="topic5-chapter2"
+ data=site.data.quizzes.topic5.chapter2
+%}
+
+---
+
+## Resources
+
+- [NIST SP 800-210](https://csrc.nist.gov/pubs/sp/800/210/final)
+- [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/)
+- [Microsoft Azure Security Documentation](https://learn.microsoft.com/en-us/azure/security/)
+- [Google DevSecOps Toolkit](https://cloud.google.com/blog/products/networking/introducing-the-devsecops-toolkit)
+- [HashiCorp Terraform Recommended Practices](https://developer.hashicorp.com/terraform/cloud-docs/recommended-practices)
+
+
+ ⬅️ Previous Chapter + Next Chapter ➡️ +
\ No newline at end of file
diff --git a/docs/course/Topic-5-Cloud/chapter-3-cloud-tools-and-platforms/index.md b/docs/course/Topic-5-Cloud/chapter-3-cloud-tools-and-platforms/index.md
new file mode 100644
index 0000000..abdab6c
--- /dev/null
+++ b/docs/course/Topic-5-Cloud/chapter-3-cloud-tools-and-platforms/index.md
@@ -0,0 +1,169 @@
+---
+title: Chapter 3 - Cloud Tools and Platforms
+layout: custom
+parent: Topic 5 - Cloud
+has_toc: false
+nav_order: 3
+topic: topic5
+chapter: chapter3
+---
+
+# Chapter 3 - DevSecOps Cloud Tools and Platforms
+
+DevSecOps isn’t just a set of principles—it’s enabled by a powerful ecosystem of tools and platforms that make cloud-native development, security, and operations possible. In this chapter, we’ll explore essential cloud tools across categories like automation, CI/CD, security scanning, monitoring, and compliance, tailored to a DevSecOps pipeline.
+
+---
+
+## Why Tooling Matters
+
+Without the right tools, DevSecOps in the cloud is nearly impossible to scale. Cloud tools let you:
+
+- Automate security testing and deployments
+- Monitor for threats in real time
+- Enforce policies across distributed infrastructure
+- Shift security left without slowing down development
+
+Most tools are designed to integrate with cloud services (AWS, Azure, GCP) and provide API-driven, scalable automation—a must in any DevSecOps pipeline.
+
+---
+
+## Categories of DevSecOps Tools in the Cloud
+
+### 1. CI/CD Orchestration Tools
+
+CI/CD tools automate code building, testing, and deployment—core to continuous integration and delivery. The best CI/CD tools support plugin architectures and security scanning hooks.
+
+**Popular Platforms:**
+
+- **GitHub Actions**: Native to GitHub. Easily integrates security checks (e.g., SAST, secrets scanning).
+- **GitLab CI**: Built-in DevSecOps support including SAST, DAST, dependency scanning.
+- **AWS CodePipeline / CodeBuild**: Integrates with AWS services for cloud-native CI/CD.
+- **Azure DevOps**: Full lifecycle management with security scanning extensions.
+
+> Example: Add an `npm audit` step to a GitHub Actions workflow to scan for vulnerable dependencies every time code is pushed.
+
+---
+
+### 2. 
Security Scanning Tools
+
+Security tools in the cloud should fit seamlessly into your CI/CD process and cover multiple layers:
+
+**SAST (Static Application Security Testing)**: Scans source code for vulnerabilities.
+**Tools**: SonarQube, Semgrep, CodeQL (GitHub)
+
+**DAST (Dynamic Application Security Testing)**: Tests running applications.
+**Tools**: OWASP ZAP, Burp Suite, StackHawk
+
+**SCA (Software Composition Analysis)**: Identifies vulnerable dependencies.
+**Tools**: Snyk, Dependabot, WhiteSource
+
+> Integrate Semgrep or Snyk into your build pipeline to block insecure code from being deployed.
+> For more information about this, check out Topic 4 Chapter 3!
+
+---
+
+### 3. Secrets Management Tools
+
+Hardcoding secrets like API keys in your source code is a major security risk. Cloud-native secrets managers solve this by centralizing and encrypting credentials.
+
+**Popular Tools:**
+
+- **HashiCorp Vault**: Manages secrets across multi-cloud environments.
+- **AWS Secrets Manager**: Native AWS integration, with auto-rotation support.
+- **Azure Key Vault**: Protects credentials, keys, and certificates in Azure.
+- **Google Secret Manager**: Fully managed, GCP-native secret storage.
+
+> Best practice: Inject secrets into your apps at runtime via environment variables or cloud SDKs—never hardcode them.
+
+---
+
+### 4. Container & Kubernetes Security Tools
+
+Containers are everywhere in cloud DevSecOps—but they bring unique risks. Use purpose-built tools to scan images, enforce policies, and monitor runtime behavior.
+
+**Key Tools:**
+
+- **Trivy**: Lightweight vulnerability scanner for container images and Kubernetes.
+- **Aqua Security / Prisma Cloud / Sysdig Secure**: Full-featured platforms for runtime protection.
+- **OPA / Gatekeeper**: Policy-as-code for Kubernetes environments (e.g., disallow root containers).
+- **Kube-bench**: Tests your clusters against the CIS Kubernetes Benchmark. 
+
+> Use GitOps-style workflows to deploy Kubernetes manifests and scan them for misconfigurations.
+
+---
+
+### 5. Monitoring, Logging & Threat Detection
+
+To detect and respond to incidents, you need visibility. Cloud providers offer native tools, but third-party platforms can centralize data from multi-cloud environments.
+
+**Logging & Monitoring Tools:**
+
+- AWS CloudWatch / GuardDuty
+- Azure Monitor / Microsoft Defender for Cloud
+- Google Cloud Operations Suite
+- Datadog, Splunk, New Relic (cloud-agnostic options)
+
+**SIEM & Threat Detection:**
+
+- Elastic Security (ELK Stack)
+- Falco (runtime security for containers)
+- Wazuh (open-source threat detection)
+
+> Example: Set up GuardDuty to monitor for suspicious activity like unusual API calls or unauthorized access.
+
+---
+
+### 6. Cloud Compliance Automation Tools
+
+For organizations in regulated industries, meeting compliance requirements (e.g., SOC2, HIPAA, PCI-DSS) in the cloud can be automated and integrated into the pipeline.
+
+**Notable Tools:**
+
+- AWS Config + Security Hub
+- Azure Policy
+- GCP Security Command Center
+- Bridgecrew (IaC and cloud compliance scanning)
+- OpenSCAP (Open-source compliance assessment)
+
+> Automate scanning of Terraform or CloudFormation templates for policy violations before deployment.
+
+---
+
+## Summary
+
+DevSecOps in the cloud is powered by a rich ecosystem of specialized tools. From CI/CD to runtime protection and compliance monitoring, the right tools enable you to bake security into every stage of your development lifecycle—without slowing innovation.
+
+**Choose tools that:**
+
+- Integrate with your cloud provider
+- Support automation
+- Fit your team’s workflows
+- Help you monitor, detect, and respond in real time
+
+> Remember: tools don’t replace strategy—but they do make secure development scalable and repeatable. 
+
+---
+
+{% include quiz.html
+ id="topic5-chapter3"
+ data=site.data.quizzes.topic5.chapter3
+%}
+
+---
+
+## References
+
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)
+- [Semgrep CI Integration](https://semgrep.dev/docs/deployment/add-semgrep-to-ci)
+- [HashiCorp Vault](https://developer.hashicorp.com/vault)
+- [Trivy Scanner](https://github.com/aquasecurity/trivy)
+- [Falco](https://falco.org/)
+- [AWS Config Guide](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html)
+- [AWS Marketplace Compliance Tools](https://aws.amazon.com/marketplace/pp/prodview-yfh7zy22jbbt2)
+- [Azure Policy Overview](https://learn.microsoft.com/en-us/azure/governance/policy/overview)
+- [Google Cloud Security Command Center](https://cloud.google.com/security/products/security-command-center?hl=en)
+
+
+ ⬅️ Previous Chapter + Topic 6 ➡️ +
\ No newline at end of file
diff --git a/docs/course/Topic-5-Cloud/index.md b/docs/course/Topic-5-Cloud/index.md
new file mode 100644
index 0000000..dd1bd32
--- /dev/null
+++ b/docs/course/Topic-5-Cloud/index.md
@@ -0,0 +1,19 @@
+---
+title: Topic 5 - Cloud
+layout: custom
+has_children: true
+has_toc: false
+nav_order: 7
+---
+# Topic 5 – Cloud in DevSecOps
+
+| Chapter | Learning Objectives |
+|---------|---------------------|
+| Chapter 1: Introduction to Cloud | - Define cloud computing and its benefits for scalability and speed.
- Distinguish between IaaS, PaaS, and SaaS service models.
- Compare public, private, hybrid, and multi-cloud deployments.
- Understand the shared responsibility model and key cloud security concepts. |
+| Chapter 2: The Role of Cloud in DevSecOps | - Explain how cloud-native practices transform DevSecOps workflows.
- Describe core concepts like Infrastructure as Code and immutable infrastructure.
- Identify best practices such as Zero Trust, security as code, and continuous compliance.
- Apply DevSecOps principles to cloud-native architectures including microservices and serverless. |
+| Chapter 3: Cloud Tools and Platforms | - Identify essential DevSecOps tools for CI/CD, scanning, monitoring, and compliance.
- Match cloud-native tools to stages of the DevSecOps lifecycle.
- Understand how secrets management and container security tools reduce risk.
- Recognize how automation supports scalable, secure cloud operations. |
+
+
+ ⬅️ Previous Chapter + Next Chapter ➡️ +
\ No newline at end of file
diff --git a/docs/course/Topic-6-DevSecOps-in-Industry/chapter-1-use-of-devsecops-in-industry/index.md b/docs/course/Topic-6-DevSecOps-in-Industry/chapter-1-use-of-devsecops-in-industry/index.md
new file mode 100644
index 0000000..e66e758
--- /dev/null
+++ b/docs/course/Topic-6-DevSecOps-in-Industry/chapter-1-use-of-devsecops-in-industry/index.md
@@ -0,0 +1,143 @@
+---
+title: Chapter 1 - Use of DevSecOps in Industry
+layout: custom
+parent: Topic 6 - DevSecOps in Industry
+has_toc: false
+nav_order: 1
+topic: topic6
+chapter: chapter1
+---
+
+# Chapter 1 - DevSecOps Use Cases Across Industries
+
+Now, we have laid out 6 Use Cases and Industries where the skills and information you have learned will be useful. They are as follows:
+
+---
+
+## 1. Finance & Banking: Continuous Compliance and Risk Mitigation
+
+**The Challenge:**
+Financial institutions operate under strict regulatory frameworks (such as PCI-DSS, SOX, GDPR). Any data breach or non-compliance can result in hefty fines and reputational damage.
+
+**DevSecOps Use Case:**
+Banks and fintech firms embed security controls into CI/CD pipelines. They automate vulnerability scanning, configuration checks, and policy enforcement with tools like Aqua, Twistlock, or Checkov.
+
+**Key Benefits:**
+- Immediate feedback to developers on security risks.
+- Automated compliance reporting.
+- Early detection of misconfigured cloud services (e.g., open S3 buckets).
+
+> **Example:** JPMorgan Chase uses DevSecOps pipelines to secure microservices and APIs in real-time, preventing threats without slowing down development.
+
+---
+
+## 2. Tech & SaaS Companies: Securing CI/CD Pipelines
+
+**The Challenge:**
+Startups and cloud-native companies rely heavily on fast deployment. However, fast releases can introduce unseen vulnerabilities if security isn’t embedded from the start.
+
+**DevSecOps Use Case:**
+Companies like GitHub and Netflix use DevSecOps to integrate Static Application Security Testing (SAST) and Dynamic Analysis (DAST) tools into Git-based workflows. Every pull request is automatically scanned, and developers receive security alerts inline with their code reviews.
+
+**Key Benefits:**
+- Eliminates “security bottleneck” by shifting left.
+- Reduces post-production vulnerabilities.
+- Encourages secure-by-design development culture.
+
+> **Example:** Netflix uses automated policy-as-code tools and secure infrastructure provisioning to safeguard its large-scale cloud environments.
+
+---
+
+## 3. Healthcare: Protecting Patient Data (HIPAA Compliance)
+
+**The Challenge:**
+Healthcare apps and devices manage highly sensitive patient data. They must comply with HIPAA regulations while still pushing updates quickly for bug fixes and new features.
+
+**DevSecOps Use Case:**
+Hospitals and healthtech companies automate threat modeling, security testing, and incident response through DevSecOps. Security gates prevent non-compliant code from being deployed.
+
+**Key Benefits:**
+- Ensures data encryption standards are maintained.
+- Enables secure data transmission over APIs.
+- Enhances auditability and traceability in logs.
+
+> **Example:** A telemedicine platform uses DevSecOps to automatically encrypt stored data and monitor for anomalous access patterns using tools like AWS GuardDuty.
+
+---
+
+## 4. E-Commerce & Retail: Preventing Data Breaches at Scale
+
+**The Challenge:**
+Retail companies collect customer PII, credit card info, and behavior data. These platforms are prime targets for attackers, especially during peak seasons like Black Friday.
+
+**DevSecOps Use Case:**
+DevSecOps pipelines are used to scan containers and infrastructure code before deploying to production. Cloud Security Posture Management (CSPM) tools are integrated to enforce least-privilege access.
+
+**Key Benefits:**
+- Real-time security alerts reduce Mean Time to Detect (MTTD).
+- Helps maintain uptime by proactively identifying risks.
+- Protects customer data and payment infrastructure.
+
+> **Example:** Walmart automates threat detection across multi-cloud environments and employs role-based access control (RBAC) policies using Infrastructure as Code (IaC).
+
+---
+
+## 5. 
Government & Defense: Building Secure Software Supply Chains
+
+**The Challenge:**
+Agencies and contractors must ensure software integrity due to nation-state threats and the need for secure communications and critical infrastructure.
+
+**DevSecOps Use Case:**
+Government agencies apply DevSecOps to enforce software supply chain security using tools like Sigstore, SLSA, and in-toto. Every build artifact is signed and traceable.
+
+**Key Benefits:**
+- Reduces risk of software tampering (e.g., SolarWinds-style attacks).
+- Encourages end-to-end visibility across the SDLC.
+- Improves security posture against zero-day exploits.
+
+> **Example:** The U.S. Department of Defense (DoD) incorporates DevSecOps practices in its Platform One initiative to build secure, scalable digital services.
+
+---
+
+## 6. Pharmaceutical & R&D: Accelerating Secure Innovation
+
+**The Challenge:**
+R&D departments in pharmaceutical companies rely on complex data pipelines and simulations. Intellectual property (IP) and patient trial data must be tightly secured.
+
+**DevSecOps Use Case:**
+DevSecOps is applied to ensure that data pipelines, machine learning models, and simulation software are secure by design. Role-based secrets management and encrypted storage are enforced throughout.
+
+**Key Benefits:**
+- Prevents IP theft by limiting insider and external threats.
+- Reduces friction between compliance and innovation.
+- Enables reproducible and verifiable research environments.
+
+> **Example:** A global biotech firm uses GitOps and DevSecOps tools to manage its infrastructure-as-code for automated, auditable experimentation environments.
+
+---
+
+## Final Thoughts
+
+DevSecOps is not a tool or a product, but a philosophy—a cultural and technical shift that brings development, security, and operations together. 
+
+These real-world use cases highlight how critical DevSecOps is for:
+- Accelerating time-to-market
+- Strengthening security posture
+- Enabling regulatory compliance
+- Reducing incident recovery times
+
+As you continue to learn DevSecOps, always think in terms of **automation**, **integration**, and **visibility**. And remember: security isn't a gate at the end—it's a thread that runs through every step.
+
+---
+
+{% include quiz.html
+ id="topic6-chapter1"
+ data=site.data.quizzes.topic6.chapter1
+%}
+
+---
+
+
+ ⬅️ Chapter 6 Overview
+ Next Chapter ➡️
+
\ No newline at end of file
diff --git a/docs/course/Topic-6-DevSecOps-in-Industry/chapter-2-industry-roles/index.md b/docs/course/Topic-6-DevSecOps-in-Industry/chapter-2-industry-roles/index.md
new file mode 100644
index 0000000..15f9fab
--- /dev/null
+++ b/docs/course/Topic-6-DevSecOps-in-Industry/chapter-2-industry-roles/index.md
@@ -0,0 +1,154 @@
+---
+title: Chapter 2 - Common DevSecOps Industry Roles
+layout: custom
+parent: Topic 6 - DevSecOps in Industry
+has_toc: false
+nav_order: 2
+topic: topic6
+chapter: chapter2
+---
+
+# Chapter 2 - Common DevSecOps Roles in the Industry
+
+In this section, we’ll break down the most common DevSecOps roles in today’s tech landscape. You’ll learn what each role does, their core responsibilities, and the essential skills required. 🔐
+
+---
+
+## 1. DevSecOps Engineer
+
+**What They Do:**
+A DevSecOps Engineer embeds security throughout the software development lifecycle. They design secure pipelines, integrate security tools into CI/CD workflows, and help developers write safer code.
+
+**Key Responsibilities:**
+- Automate security testing (SAST, DAST, SCA) in CI/CD pipelines
+- Implement security as code using Infrastructure as Code (IaC)
+- Monitor for vulnerabilities in code, containers, and dependencies
+- Collaborate with developers, ops, and security teams
+
+**Essential Skills:**
+- CI/CD tools (e.g., Jenkins, GitHub Actions, GitLab CI)
+- Scripting (Bash, Python, Groovy)
+- IaC tools (Terraform, CloudFormation)
+- Security tools (Snyk, Checkov, Trivy, OWASP ZAP)
+
+---
+
+## 2. Security Automation Engineer
+
+**What They Do:**
+Focuses on scripting and tool creation to automate security tasks, reducing manual effort and ensuring consistent policy enforcement.
+
+**Key Responsibilities:**
+- Develop custom tools for vulnerability scanning and reporting
+- Automate access control and secrets management
+- Integrate security alerts with monitoring and ticketing systems
+- Build remediation playbooks using automation platforms
+
+**Essential Skills:**
+- Programming (Python, Go, JavaScript)
+- Automation tools (Ansible, Puppet, Chef)
+- API integrations (e.g., GitHub + Slack + Jira)
+- Knowledge of SIEM systems (Splunk, ELK, QRadar)
+
+---
+
+## 3. 
Application Security Engineer (AppSec)
+
+**What They Do:**
+Specializes in the security of application code, libraries, and frameworks. Often conducts code reviews and helps developers fix vulnerabilities.
+
+**Key Responsibilities:**
+- Perform static and dynamic code analysis (SAST/DAST)
+- Conduct threat modeling and security reviews
+- Review open-source dependencies (SCA)
+- Educate developers on secure coding practices
+
+**Essential Skills:**
+- Secure coding in Java, Python, JavaScript, etc.
+- Familiarity with tools like SonarQube, Veracode, Fortify
+- Deep understanding of OWASP Top 10
+- Strong communication for developer collaboration
+
+---
+
+## 4. Cloud Security Engineer
+
+**What They Do:**
+Secures cloud-native infrastructure, ensuring cloud environments are safe and compliant with organizational policies.
+
+**Key Responsibilities:**
+- Define IAM (Identity and Access Management) policies
+- Monitor cloud misconfigurations and enforce guardrails
+- Secure container orchestration (e.g., Kubernetes)
+- Manage encryption, logging, and secrets
+
+**Essential Skills:**
+- Cloud platforms (AWS, Azure, GCP)
+- Tools like Prisma Cloud, AWS GuardDuty, Azure Security Center
+- Container security (Falco, Aqua, Sysdig)
+- Kubernetes security and RBAC
+
+---
+
+## 5. Site Reliability Engineer (SRE) with Security Focus
+
+**What They Do:**
+Ensures system reliability and performance while also focusing on threat detection, incident response, and reducing the attack surface.
+
+**Key Responsibilities:**
+- Design secure and resilient systems
+- Automate monitoring and alerts for suspicious activity
+- Collaborate with SOC teams to resolve incidents
+- Implement Zero Trust and defense-in-depth strategies
+
+**Essential Skills:**
+- Systems architecture (Linux, networking, load balancing)
+- Observability tools (Grafana, Prometheus, Datadog)
+- Incident response frameworks
+- Scripting and automation
+
+---
+
+## 6. 
DevSecOps Architect
+
+**What They Do:**
+A strategic leadership role responsible for designing and driving DevSecOps strategies across the organization.
+
+**Key Responsibilities:**
+- Design secure DevOps workflows across teams and tools
+- Choose and standardize CI/CD, IaC, and security toolchains
+- Develop governance policies for compliance and risk
+- Align technical and business goals with security practices
+
+**Essential Skills:**
+- Deep understanding of DevOps principles and security frameworks
+- Experience across cloud, CI/CD, containers, and automation
+- Risk management and compliance (SOC2, HIPAA, NIST)
+- Leadership and stakeholder communication
+
+---
+
+## Other Supporting Roles in a DevSecOps Team
+
+In larger organizations, additional roles often support DevSecOps efforts:
+
+| Role | Description |
+|----------------------------------|-------------------------------------------------------------|
+| Product Manager (Security-focused) | Ensures security is prioritized in product roadmaps |
+| Compliance Analyst | Helps teams meet regulatory standards |
+| Penetration Tester | Simulates attacks and recommends security improvements |
+| Security Champion | Promotes secure coding within development teams |
+
+---
+
+{% include quiz.html
+ id="topic6-chapter2"
+ data=site.data.quizzes.topic6.chapter2
+%}
+
+---
+
+
+ ⬅️ Previous Chapter
+ Other Documents ➡️
+
\ No newline at end of file
diff --git a/docs/course/Topic-6-DevSecOps-in-Industry/index.md b/docs/course/Topic-6-DevSecOps-in-Industry/index.md
new file mode 100644
index 0000000..096b917
--- /dev/null
+++ b/docs/course/Topic-6-DevSecOps-in-Industry/index.md
@@ -0,0 +1,18 @@
+---
+title: Topic 6 - DevSecOps in Industry
+layout: custom
+has_children: true
+has_toc: false
+nav_order: 8
+---
+# Topic 6 - DevSecOps in Industry
+
+| Chapter | Learning Objectives |
+|---------|---------------------|
+| Chapter 1: Use of DevSecOps in Industry | - Describe how DevSecOps is used across key industries.
- Recognize unique security and compliance needs in each sector.
- Identify tools and practices that enable secure, fast delivery.
- Understand how DevSecOps protects data and IP.
- Recall real-world examples of DevSecOps in action. |
+| Chapter 2: Common DevSecOps Industry Roles | - Identify key DevSecOps roles and their focus areas.
- Summarize each role’s responsibilities and impact on security.
- Recognize essential tools and skills used across roles.
- Understand the importance of cross-team collaboration.
- Distinguish between core and supporting DevSecOps roles. |
+
+
+ ⬅️ Previous Chapter
+ Next Chapter ➡️
+
\ No newline at end of file diff --git a/docs/course/index.md b/docs/course/index.md index 85f5e33..4444099 100644 --- a/docs/course/index.md +++ b/docs/course/index.md @@ -9,7 +9,7 @@ nav_order: 1 - + @@ -17,7 +17,16 @@ nav_order: 1 - + + + + + + + + + + @@ -34,37 +43,68 @@ nav_order: 1 - - + - + + - - + + - + - + + + + + - + + + + + + - - + + + + + + - - + + + + + + + + + + + + + + + + + + + +
Topic Chapter and Title Interactive Lab
GitIntroduction to
SDLC and
DevSecOps
Chapter 1: Introduction to SDLC
Chapter 2: Introduction to DevOps
Git Chapter 1: Version Control
DevOpsChapter 1: Intro to DevOpsChapter 5: Advanced Git Techniques
Chapter 2: Intro to CI/CDDevSecOps
Fundamentals
Chapter 1: DevSecOps
Chapter 3: ContainerizationYesChapter 2: CI/CD Fundamentals
Chapter 4: WebhooksChapter 3: Automated Tests
Chapter 5: Automated TestsChapter 4: DeploymentYes
Chapter 5: Webhooks
Chapter 6: DeploymentChapter 6: Containerization Yes
CybersecurityChapter 1: Intro to Cybersecurity
DevSecOpsChapter 1: DevSecOpsChapter 2: Security Risks and Vulnerabilities in the SDLC
Chapter 3: Security Checks in CI/CD
Chapter 2: Security Checks in CI/CDYesCloudChapter 1: Intro to Cloud
Chapter 2: Cloud in DevSecOps
Chapter 3: Cloud Tools and Platforms
DevSecOps in
Industry
Chapter 1: Use of DevSecOps in Industry
Chapter 2: Common DevSecOps Industry Roles
@@ -86,3 +126,8 @@ Our [Literature Review](../others/research/literature-review) provides a compreh
 Incorporating DevSecOps and CI/CD practices into academic curricula prepares students to meet the demands of modern software engineering, making them valuable assets to the industry from the outset. For a detailed understanding of the current market needs that our curriculum addresses, refer to our [Market Research](../others/research/market-research).
+
+
+ ⬅️ Home
+ Lab Infrastructure Setup Guide ➡️
+
\ No newline at end of file
diff --git a/docs/course/topic-3-devsecops/index.md b/docs/course/topic-3-devsecops/index.md
deleted file mode 100644
index 91dad1d..0000000
--- a/docs/course/topic-3-devsecops/index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Topic 3 - DevSecOps
-layout: custom
-has_children: true
-has_toc: false
-nav_order: 5
----
-
-# Topic 3 - DevSecOps
-
-| Chapter | Learning Objectives | Lab Description |
-|---------|---------------------|-----------------|
-| Chapter 1: DevSecOps | - Define DevSecOps
- Understand Why Implement
- Understand Shift Left/Right Testing
- Learn about Related Tools and Technologies | |
-| Chapter 2: Security Checks in CI/CD | - Understand important of security checks in each stage of the pipeline
- Discuss SAST vs DAST and their pros/cons
- Learn about vulnerability scanning and prominent tools in industry today | **Lab: Securing a vulnerable application
- Fix security vulnerabilities flagged by security checkpoints within a CI/CD pipeline. |
-
-
diff --git a/docs/lab-setup-guide/index.md b/docs/lab-setup-guide/index.md
index b888d24..41e7acb 100644
--- a/docs/lab-setup-guide/index.md
+++ b/docs/lab-setup-guide/index.md
@@ -20,4 +20,9 @@ Please follow the links to access detailed instructions for setting up the lab e
 | Topic Name | Chapters | Cloud Vendors | Setup Guide Link |
 | ---------- | -------- | ------------ | ---------------- |
 | Topic 2 - DevOps | `Chapter 3 - Containerization` `Chapter 6 - Deployment` | AWS | [DevOps Infrastructure Setup Overview](./topic-2-devops-lab/) |
-| Topic 3 - DevSecOps | `Chapter 2 - Security Checks in CI/CD` | AWS | [DevSecOps Infrastructure Setup Overview](./topic-3-devsecops-lab/) |
\ No newline at end of file
+| Topic 3 - DevSecOps | `Chapter 2 - Security Checks in CI/CD` | AWS | [DevSecOps Infrastructure Setup Overview](./topic-3-devsecops-lab/) |
+
+
+ ⬅️ Course Overview
+ Next ➡️
+
\ No newline at end of file
diff --git a/docs/lab-setup-guide/topic-2-devops-lab/aws/index.md b/docs/lab-setup-guide/topic-2-devops-lab/aws/index.md
index ea2c4da..7efd59b 100644
--- a/docs/lab-setup-guide/topic-2-devops-lab/aws/index.md
+++ b/docs/lab-setup-guide/topic-2-devops-lab/aws/index.md
@@ -190,4 +190,10 @@ BlueOcean improves the user experience of Jenkins, providing a more visual and i
 3. Check the box next to Blue Ocean
 4. Click on Install to begin installing the selected plugins.
-![blueocean](./assets/blueocean.png)
\ No newline at end of file
+![blueocean](./assets/blueocean.png)
+
+
+ ⬅️ Previous
+ Next ➡️
+
+
diff --git a/docs/lab-setup-guide/topic-2-devops-lab/index.md b/docs/lab-setup-guide/topic-2-devops-lab/index.md
index 3ee5de8..b3417ab 100644
--- a/docs/lab-setup-guide/topic-2-devops-lab/index.md
+++ b/docs/lab-setup-guide/topic-2-devops-lab/index.md
@@ -10,4 +10,9 @@ has_toc: false
 | Cloud Vendor | Setup Guide Link |
 | ------------ | ---------------- |
-| AWS | [DevOps Infrastructure Setup on AWS](./aws/) |
\ No newline at end of file
+| AWS | [DevOps Infrastructure Setup on AWS](./aws/) |
+
+
+ ⬅️ Previous
+ Next ➡️
+
\ No newline at end of file
diff --git a/docs/lab-setup-guide/topic-3-devsecops-lab/aws/index.md b/docs/lab-setup-guide/topic-3-devsecops-lab/aws/index.md
index 1a37694..145b9c0 100644
--- a/docs/lab-setup-guide/topic-3-devsecops-lab/aws/index.md
+++ b/docs/lab-setup-guide/topic-3-devsecops-lab/aws/index.md
@@ -266,4 +266,9 @@ We need to create a new quality gate that includes conditions on `Overall Code`,
 - Click `Add`.
 - Select the Jenkins credentials you just generated in `Server authentication token`
-6. Click `Save` to save the configuration.
\ No newline at end of file
+6. Click `Save` to save the configuration.
+
+
+ ⬅️ Previous
+ Topic 1 ➡️
+
diff --git a/docs/lab-setup-guide/topic-3-devsecops-lab/index.md b/docs/lab-setup-guide/topic-3-devsecops-lab/index.md
index f46d1f8..a4bc532 100644
--- a/docs/lab-setup-guide/topic-3-devsecops-lab/index.md
+++ b/docs/lab-setup-guide/topic-3-devsecops-lab/index.md
@@ -10,4 +10,9 @@ has_toc: false
 | Cloud Vendor | Setup Guide Link |
 | ------------ | ---------------- |
-| AWS | [DevSecOps Lab Infrastructure Setup Guide on AWS](./aws/) |
\ No newline at end of file
+| AWS | [DevSecOps Lab Infrastructure Setup Guide on AWS](./aws/) |
+
+
+ ⬅️ Previous
+ Next ➡️
+
\ No newline at end of file
diff --git a/docs/other/index.md b/docs/other/index.md
index a4d252b..480ac35 100644
--- a/docs/other/index.md
+++ b/docs/other/index.md
@@ -3,5 +3,22 @@ title: Other Documents
 layout: custom
 has_children: true
 has_toc: false
-nav_order: 6
----
\ No newline at end of file
+nav_order: 9
+---
+
+# 📚 Documentation Overview
+
+This section contains supporting documentation for the project. You’ll find two main categories:
+
+- **References**: Resources, tools, and guides that informed our approach.
+- **User Research**: Findings and insights gathered through interviews, surveys, and usability testing.
+
+Each document provides context and justification for design and development decisions, helping to ensure that our work is user-centered, informed, and aligned with best practices.
+
+---
+
+
+
+ ⬅️ Previous Chapter
+ References ➡️
+
\ No newline at end of file
diff --git a/docs/other/research/references.md b/docs/other/research/references.md
index 0440bd0..685cb8c 100644
--- a/docs/other/research/references.md
+++ b/docs/other/research/references.md
@@ -37,4 +37,7 @@ has_toc: false
 28. "Decoding the Difference: Artifacts vs Packages in Software Development", *cloudsmith*, [https://cloudsmith.com/blog/artifacts-vs-packages-what-is-the-difference](https://cloudsmith.com/blog/artifacts-vs-packages-what-is-the-difference). Accessed 20 Feb. 2024.
 29. "Azure Container Registry between Artifactory: Exploring the Differences", *LevInfo*, [https://ievinfo.com/azure-container-registry-between-artifactory-differenc/](https://ievinfo.com/azure-container-registry-between-artifactory-differenc/). Accessed 20 Feb. 2024.
-
+
+ ⬅️ Other Documents
+ User Reserach ➡️
+
\ No newline at end of file
diff --git a/docs/other/research/user-research.md b/docs/other/research/user-research.md
index b616f95..59f75d8 100644
--- a/docs/other/research/user-research.md
+++ b/docs/other/research/user-research.md
@@ -211,3 +211,8 @@ has_toc: false
 - Continuous evaluation and update of the curriculum are necessary to keep pace with the rapidly evolving tech landscape.
 - Gathering feedback from both students and industry professionals post-implementation can guide future improvements in the curriculum.
+
+
+ ⬅️ User Research
+ Home 🏠
+
\ No newline at end of file
diff --git a/images/introtocloudcapstone.png b/images/introtocloudcapstone.png
new file mode 100644
index 0000000..b6bd764
Binary files /dev/null and b/images/introtocloudcapstone.png differ
diff --git a/index.md b/index.md
index bbd553d..1966ca7 100644
--- a/index.md
+++ b/index.md
@@ -4,9 +4,6 @@ layout: custom
 nav_order: 0
 ---
 # DevSecOps Curriculum 💻
->> Made by 2024 University of Washington Informatics Capstone Team Info Innovators
-
->> Sponsored by Boeing
 Welcome to our open-source DevSecOps curriculum!
@@ -38,9 +35,8 @@ To understand the skills gap that new graduates face, refer to our [User Researc
 ## Contributing to the Curriculum 🤝
 Contributions are welcome! Help us keep the curriculum relevant and effective by updating content, adding new exercises, or providing feedback.
-### Connect with the Creators 🔗
-- [Sirena Akopyan](https://www.linkedin.com/in/sirena-akopyan/)
-- [Bhavya Garlapati](https://www.linkedin.com/in/bhavya-garlapati-95ab46225/)
-- [Eric Kim](https://www.linkedin.com/in/taehyunnkim/)
-- [Mari Woodworth](https://www.linkedin.com/in/marikowoodworth/)
-- [Brandon Mendoza](https://www.linkedin.com/in/bwmendo/)
+
+
+ Course Overview ➡️
+
+