My Journey Through the CDP Certification by Practical DevSecOps

Introduction

In the rapidly evolving world of software development, staying ahead of the curve is crucial. As security becomes an integral part of the development lifecycle, certifications like the Certified DevSecOps Professional (CDP) from Practical DevSecOps are becoming increasingly valuable. In this blog post, I will share my experiences, insights, and takeaways from pursuing the CDP certification. Whether you’re considering the certification yourself or simply curious about what it entails, I hope my journey will provide you with a clearer understanding and inspire you to explore the world of DevSecOps.

Why I Chose the CDP Certification

With a strong foundation as a penetration tester and offensive security auditor, and certifications such as OSCP and OSWE, I gradually transitioned my career towards specializing in Product Security. In this area, one must maintain an attacker mindset while also adeptly navigating and reading through codebases. It also involves aiding and advising developers on architectural decisions and remediations, and building a strategy for shifting security left by leveraging CI/CD pipelines. This approach helps raise security awareness and strengthen in-house controls, ensuring that security is integrated early in the development process. By doing so, we can proactively identify and mitigate potential vulnerabilities, fostering a culture of security-first thinking throughout the organization.

The Certified DevSecOps Professional (CDP) Certification supported my needs and ambitions, complementing my previously attained certifications and demonstrating my ability to holistically help build secure application stacks.

The Certification Journey

Course Structure and Content

The CDP certification is structured into several modules, each focusing on different aspects of DevSecOps. Here is the core structure:

  • Secure SDLC and CI/CD Pipeline: understanding the core DevOps CI/CD stages and where security controls can be integrated into them;
  • Software Component Analysis (SCA) in CI/CD: what Software Component Analysis is, its challenges, and how to integrate a selection of SCA tools into the pipeline;
  • SAST (Static Analysis) in CI/CD Pipeline: what Static Application Security Testing is, its challenges, and how to integrate a selection of SAST tools into the pipeline;
  • DAST (Dynamic Analysis) in CI/CD Pipeline: what Dynamic Application Security Testing is, its challenges, and how to integrate a selection of DAST tools into the pipeline;
  • Infrastructure as Code (IaC) and its Security: what Infrastructure as Code is and what it brings, and how to integrate a selection of IaC security tools into the pipeline;
  • Compliance as Code (CaC): how to use configuration management to achieve compliance, and how to integrate a selection of compliance tools into the pipeline;
  • Vulnerability Management: why the vulnerability management process of identifying, evaluating, treating, and reporting security vulnerabilities in software and systems matters, and how to leverage open-source tools to support it.
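The thread running through these modules is that every scanner, whether SCA, SAST, DAST or IaC, ends up feeding the same decision in the pipeline: does this report break the build, and which findings have been triaged and accepted? The script below is an added example written for this post; it is not course material from Practical DevSecOps and not the author's own code. It assumes a constructed, tool-neutral JSON report and allowlist format (real tools emit SARIF, CycloneDX and similar, which you would map into `Finding`), and every rule and advisory identifier in the sample data is a placeholder. It shows the two controls a gate needs beyond a bare severity threshold: acceptances are keyed to a specific location rather than to a whole rule, and they expire, so a risk acceptance has to be re-triaged instead of living forever.

```python
"""Example CI gate: decide whether a scanner report should fail the build.

Added illustration for this post (not Practical DevSecOps material). The
report and allowlist formats are constructed for the example; map your
tool's real output (SARIF, CycloneDX, ...) into Finding before calling it.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

# Severity ranking used by the gate. Anything not listed fails closed.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str   # scanner rule or advisory identifier (placeholders below)
    severity: str  # key of SEVERITY_RANK
    location: str  # file:line for SAST, package@version for SCA


def parse_report(raw: str) -> list[Finding]:
    """Parse the constructed JSON report format used in this example."""
    findings = []
    for item in json.loads(raw)["findings"]:
        sev = str(item["severity"]).lower()
        if sev not in SEVERITY_RANK:
            # A severity we cannot rank must not slip past the gate.
            raise ValueError(f"unrecognised severity {sev!r} for {item['id']}")
        findings.append(Finding(item["id"], sev, item["location"]))
    return findings


def load_allowlist(raw: str, today: str) -> dict[tuple[str, str], str]:
    """Load triaged acceptances, dropping any whose expiry date has passed.

    Keyed by (rule_id, location): accepting one instance of a rule never
    silently accepts other instances of the same rule elsewhere.
    """
    cutoff = date.fromisoformat(today)
    accepted: dict[tuple[str, str], str] = {}
    for entry in json.loads(raw)["accepted"]:
        if date.fromisoformat(entry["expires"]) < cutoff:
            continue  # expired: the finding blocks again until re-triaged
        accepted[(entry["id"], entry["location"])] = entry["reason"]
    return accepted


def evaluate(findings, allowlist, threshold: str):
    """Return (passed, blocking, accepted) for a severity threshold."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unrecognised threshold {threshold!r}")
    floor = SEVERITY_RANK[threshold]
    blocking, accepted = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < floor:
            continue  # below threshold: reported, but does not break the build
        (accepted if (f.rule_id, f.location) in allowlist else blocking).append(f)
    return not blocking, blocking, accepted


def run_gate(report_raw: str, allowlist_raw: str, threshold: str, today: str) -> int:
    """Print a summary and return the exit code a CI job would use (0 = pass)."""
    passed, blocking, accepted = evaluate(
        parse_report(report_raw), load_allowlist(allowlist_raw, today), threshold)
    for f in accepted:
        print(f"ACCEPTED {f.severity:8} {f.rule_id} at {f.location}")
    for f in blocking:
        print(f"BLOCKING {f.severity:8} {f.rule_id} at {f.location}")
    print("gate:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
    return 0 if passed else 1


# Constructed sample input: placeholder identifiers, not real advisories or rules.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "EXAMPLE-SCA-0001", "severity": "critical", "location": "examplelib@1.2.3"},
    {"id": "example/sql-injection", "severity": "high", "location": "app/views.py:42"},
    {"id": "example/hardcoded-secret", "severity": "high", "location": "tests/fixtures.py:7"},
    {"id": "example/weak-hash", "severity": "medium", "location": "app/legacy.py:10"},
]})
SAMPLE_ALLOWLIST = json.dumps({"accepted": [
    {"id": "example/hardcoded-secret", "location": "tests/fixtures.py:7",
     "reason": "dummy value in a test fixture", "expires": "2099-01-01"},
    {"id": "example/sql-injection", "location": "app/views.py:42",
     "reason": "accepted pending refactor", "expires": "2000-01-01"},  # already expired
]})

if __name__ == "__main__":
    sys.exit(run_gate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, "high", date.today().isoformat()))
```

Run as a pipeline step, the non-zero exit code is what fails the job. With the sample data and a `high` threshold the critical SCA finding blocks, the SQL injection finding blocks because its acceptance has expired, the hard-coded secret in the test fixture is accepted, and the medium finding is reported without blocking. Keeping the allowlist in the repository, reviewed like any other change, is what turns "treating" a vulnerability into something auditable rather than a scanner flag someone toggled.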

Hands-On Labs

One of the standout features of the CDP certification is its emphasis on practical, hands-on learning. The labs and real-world scenarios allowed me to apply the theoretical knowledge I gained in a controlled environment, making the learning experience both engaging and effective.

The labs are conducted on their dedicated online platform, eliminating the need for any local machine setup. Additionally, they offer various learning materials, including PDFs, videos, hands-on exercises, and access to an online community that supports you with any questions and helps you progress through the course.

Study Tips and Resources

  • Prepare in Advance: There’s an abundance of content to study, and it’s unlikely you’ll be able to cover everything, especially if you’re only working on the labs in your free time. Start with the mandatory content and estimate how many hours you’ll need to complete it. Once you’ve finished the required material, use any remaining time to carefully choose the non-mandatory topics you want to review. Focus on those that pique your curiosity, seem most valuable, or are particularly relevant to your needs;
  • Create your own Cheatsheets: All the code snippets you find will likely be useful in the future, so be sure to note them down and categorize them. This will be especially helpful during the exam, where stress and time constraints are significant factors;
  • Check PDF Learning Material: While the videos and labs are the primary learning channels, always complement them with the PDF materials. There may be valuable information in the PDFs that can enhance and support your learning process.

Exam Experience

The CDP exam is a 36-hour exam divided into 12 hours of hands-on exercises followed by 24 hours of report writing.

Personally, my exam experience was quite good and relaxed since I was very well prepared. I did encounter some minor issues when starting the exam, but the Practical DevSecOps team promptly addressed them and extended my exam time by 1 hour to compensate.

Make sure to carefully read the exam instructions, especially the exercises, and plan how to divide your exam time accordingly. Consider that some exercises are more challenging than others and will likely require more of your focus and energy.

Finally, don’t forget to document your solving methodology and process thoroughly and ensure you review the report requirements repeatedly before submitting.

Conclusion

The CDP certification from Practical DevSecOps is a comprehensive and challenging program that equips you with the basic knowledge and skills needed to excel in the field of DevSecOps.

I am pleased to have invested my time and money in this certification and recommend considering it if you aim to build a foundational knowledge base that can enhance your career progression and results in security.

Feel free to reach out if you have any questions or need further insights into the CDP certification. I’m excited to hear about your own DevSecOps journey!
