SANS SEC540 Cloud Security and DevSecOps Automation

Created in June 15, 2024

2024   ·   notes   learning

The fourth and final class I took in the SANS Cloud Security certificate program was SEC 540 Cloud Security and DevSecOps Automation. The course just underwent a significant update near the beginning of the year. This was going to be, by far, the most challenging class for me in the cloud program. Though technically, I have a Computer Science degree, I’ve spent most of my time on the administration side. I am aware of things like DevOps and CI/CD pipelines, but actually leveraging them in a day-to-day matter is not something I’ve done. My skills in using git were questionable at best.

This class was extremely useful for any developers who should be moving to these modern DevOps practices, as well as administrators who are moving to more cloud-based architectures. It really helped me see how many of the benefits of the DevOps mindset could be applied. You decide if you want to do the labs in AWS or Azure. The first day of the course focuses on general DevOps practices and pipelines. The last part of day 1 is focused on secrets management. I felt this day really helped me get hands on with these concepts and I actually made a few mistakes in the labs so I really got to understand the setup by troubleshooting different parts.

Day 2 was focused on configuration management and infrastructure as code (IaC). There is also a good section on containers and Docker that I thought was especially helpful for me in understanding how this is leveraged. Day 3, I think, was the hardest day for me; it was almost entirely focused on Kubernetes. Again, I’m aware of this at a high level, but this day forces you to get into the weeds of it. It took me a bit, but now I have a solid understanding of it. Day 4 was microservices and serverless architectures. I was a bit more familiar with these from the previous classes. The final day 5 was how to bake compliance checks into all of this and some additional security protections you can do, like WAFs. This wasn’t too bad.

Overall, the labs were great, and you really see the power of DevOps. My git is a bit better as well. The exam was very similar to the practice exams. I passed this a few weeks ago, and my program has come to an end. I did 4 SANS cloud classes in about 11 months. I would really recommend this program, but I’m very much looking forward to a break from the strict study schedule.