Has anyone used practical-devsecops.com?

I am curious if anyone has been through this course: https://www.practical-devsecops.com/certified-devsecops-professional/. I don't necessarily want the cert but interested in the training.

Find more posts tagged with

devsecops

Comments

xXxKrisxXx

Also curious about this one as well.

Practical DevSecOps is in the YourAcclaim Database which is neat.

Most recent review l found on it was: https://medium.com/@jassics/certified-devsecops-professional-cdp-course-and-exam-review-2ea22938bd10

I've also seen a similar course called DevSecOps Engineering:
https://devopsinstitute.com/courses/devsecops-engineering/

But the exam is multiple choice instead of hands-on practical.

FluffyBunny

This is exactly the training I'm looking to start in a few weeks. I've got a specific set of gaps in my experience and have been looking all over for a training that grabs me by the scruff of my neck and drags me through the whole A-to-Z process of code-to-deployment-through-CICD.

And seriously, I adore hardcore practical exams, so this one's right up my alley!

I'd love to hear about your experiences if you've taken the class in the mean time.

scasc

I know someone who has taken and enjoyed it a lot, though I have not done myself. If you have any questions the guy who runs it is pretty good at getting back too. Based in Singapore I think. 3 paths to the expert I believe unless its changed, and he teaches at Black Hat too so that must be something.

FluffyBunny

Aye, I also spoke to an ex-colleague who'd taken the class a while back. So far, the endorsements look good. I'm going for it, RSN (tm).

Also found this free, community-run bootcamp programme -> https://github.com/devsecops/bootcamp

xXxKrisxXx

I went through the CDP course back in August and I thought it was pretty good. The exam definitely enforces the content taught in the course. I also like that it’s a certification that doesn’t expire.

Most people do the 1 course. There’s not too many CDE’s out there at the moment.

6 months ago when I went through it, the course was setup with a VPN environment. Since then, they’ve moved out to a cloud environment for the labs. It’s the right route going forward for sure,

Once you sign up and pay, you get added into a practical DevSecOps slack channel #cdp. If you want to get more feedback before enrolling, search for write-ups/reviews on Medium about the course. It’ll also help you have an edge up on how to best prepare for the exam.

FluffyBunny

xXxKrisxXx said:

6 months ago when I went through it, the course was setup with a VPN environment. Since then, they’ve moved out to a cloud environment for the labs. It’s the right route going forward for sure,

The migration to cloud might've been a great idea and I support it, but let me tell you that this is not what you want to see on your Gitlab at 11.5 hours into your 12 hour exam.

I'm very happy I made local clones of my repos. Otherwise I would've lost all my work for the exam.

I'll do a proper write-up / review RSN(tm).

FluffyBunny

Good news is that I passed the CDP exam. It was fun, it was frustrating at times and I was very tired at the end. But worth it.

Again, review coming RSN(tm).

FluffyBunny

As promised here's a review-of-sorts -> https://www.kilala.nl/index.php?id=2515

scasc

Thank you for sharing. Very useful indeed. Well done....

I did the SANS 540 myself which was outstanding and really threw me in the deep end to harden and secure pipelines whilst delivering software changes.

FluffyBunny

I'll have to take a look at SEC540 then

Knowing SANS it's very expensive, but probably great. With any luck they'll have a work/study opportunity for it soon.

SEC540 will probs be overkill for me though, since I just wanted a quick bootcamp on CI/CD principles with security thrown in.

scasc

That's how I did it - work study

.

Sure, I wanted to really understand or at least start to understand the pipeline, security pain-points, tools to use to facilitate scanning etc. What I really liked was the ability to understand each phase of the pipeline, utilise web hooks or plugins with CI/CD such as Jenkins and then leverage AWS Code pipeline to funnel changes into the cloud. Also was covered in depth IaC, Vault, Docker, k8S etc. Truly drinking from a firehose and I can put my hand up and say it was the best SANS course I have ever done along with 530.

LonerVamp

This sounds really pretty interesting. Even from other reviews, I really wasn't sure the quality or intensity of the offerings, but seeing your background and all definitely brings more perspective and heft.

This is also adjacent to things I do for my day job, but also on my mind recently for evening studies...things like Docker, and coding, and more ability to dive harder into Secure SDLC and devops topics while not being a native/prior developer entirely. I get all of that stuff, but I also get enough to know I don't know a lot of it!

The practical exam also has a warm spot for me.

Sometimes with topics like these, where it's just outside one's comfort level, it just takes a few projects to get going out of the mud. And sometimes, it can be hard to think up, find, or devise those projects, and it sort of sounds like this course would be a great start in that area.

Grats and nice review! I think I'll add this at least onto my task list to evaluate and plan out more.

FluffyBunny

I get all of that stuff, but I also get enough to know I don't know a lot of it!

This. That was me with regards to DevSecOps / Security in DevOps.

What helped me tremendously was to, next to the CDP labs, also build a similar environment in my homelab. I already had Docker and Ansible servers in there, so all I needed to do was add a Gitlab box. Mind you, Gitlab is resource hungry and likes at least 4GB of RAM. Of course, you can also use something different from Gitlab! There are many possible solutions and combinations, with Gitlab being one of those who combines source code management with CI/CD into one.

Having your private environment allows more flexibility and longer testing, because the CDP machines get shut off every two hours. Besides, this way you can easily work on CI/CD pipelines for multiple projects. Simply for learning and testing I have at least six vulnerable webapps in there, two of which I have managed to also "deploy to prod" so they run on the network after build+testing.