Finished a lot of hard work: the CDP exam, Certified DevSecOps Professional

2021-03-04 10:10:00

I know, I know: the past weeks it's been nothing but Gitlab over here :D That's going to quiet down now. How did all of that get started though?

Back in January, I posted the following question on the BHIS Discord:

"When it comes to CICD, microservices and the whole modern API reality I'm quite out of my depth. I never was a developer, can't code my way out of a wet paper bag; was always on the sysadmin and secops side. 

Are you guys aware of any trainings or bootcamps that are squarely aimed at grabbing my demography (sysadmin, secops) by the scruff of their neck and dumping them through the whole process of building a sample API, automated building and testing and then ramming it onto something like Azure of CloudFoundry? 

I've been on the sidelines of plenty CICD, helping DevOps teams with their Linux and security troubles... but now I really need to know what they do all day.

Anything commercial, that lasts multiple days and is from a reputable vendor would be absolutely great. I don't care too much about which solutions are used in said training. Key words may include: Spring.boot, Maven, Git, Azure DevOps, Github Actions, Fortify. Just an all-in-one "journey" would be lovely."

I asked around with friends and colleagues. Most folks weren't aware of any such trainings, though one pointed me at Kode Kloud, another suggested Dev Champs and two of them suggested Practical DevSecOps.

PDSO's CDP course, Certified DevSecOps Professional, listed selling points that matched what I wanted:

• Self-paced learning,
• Extensive labs,
• Working with a real project in CI/CD,
• Integrating security and on top of that
• A challenging exam.

Having now completed the whole course and having passed the exam, here's my impressions about PDSO's CDP course:

• The online learning environment on Teachable is nice, to Teachable's credit. It does what it needs to do and doesn't get in the way of your learning. 
• The online labs are cloud based and fully performed in your browser. It gets a bit annoying that your lab servers auto-shutdown after two hours but they're quickly re-provisioned so it's not a problem. 
• The online labs are extensive! Every topic gets a handful of labs, so you get to try different combinations of tools and pipelines. They don't just focus on one language or framework, nor on one tool for the job. They even include exercises for both Gitlab and Jenkins. 
• The online labs are constantly getting updates. In the three to four weeks I was in class, every week we'd see a short downtime while new exercises get added and problems get fixed.
• Staff are available on Slack and email. The Slack channels themselves are mostly quiet, especially if you're used to the very hectic BHIS Discord. Overall, Staff respond relatively quickly and feedback may also be submitted through a Google form. 
• Staff are open to suggestions, corrections and feedback. These often make their way into documentation and labs within days. 
• The video lessons are okay. The narrator has a pleasant voice, but quite literally reads from the slides and "book". Video quality is good and the slides have a nice design.
• With some of the slides and book content I noticed that it was literally copy/pasted from vendors' or open source tools' websites. That doesn't have to be a problem, as long as it's properly credited (which may have been lacking in places).
• The "book" PDF can be completely ignored: it's narrated on the videos and most content is covered in the slides. The PDF consists of exported graphics instead of searchable text which IMO is absolutely worthless: if you can't search your book for key words, there's no point to it. 

My overall verdict, was the CDP course worth it? Yes, it was. I learned a lot, I got to mess around with a lot of cool tools and the exam was challenging.

One tip that I'd give students is to also run a CI/CD environment of their own, with more projects than the one or two in the labs. I have gained so much extra knowledge from running Gitlab in my homelab, with 6-7 vulnerable apps! It's been awesome and educational. 

A few of my fellow students asked for pointers on the exam. I wouldn't want to give anything away that's covered by the NDAs, but I can tell you this much:

• Expect other tools (SAST, DAST, etc) than the ones we used in the labs.
• Expect more advanced features for tools that we did use.
• Expect different languages than the ones we did use. 

Basically, be ready to do high-paced learning and studying on-the-fly. In that regards, this exam isn't too different from the OSCP pen-testing exam: the concepts are the same, but you will need to do research on the job :)

Most importantly:

1. As John Strand always says: "Document as you go!" Take notes all the way through your work, don't put that off until the end.
2. Clone your exam repository to your local computer and pull updates regularly! I lost 11 hours of work on my exam, because my Gitlab got reprovisioned.

kilala.nl tags: work, studies,

View or add comments (curr. 0)