Hi, I’m John Rofrano, Senior Technical Staff Member and DevOps Champion at IBM Research, and I’d like to welcome you to Application Security and Monitoring. Notice I said, “Application security and monitoring.” We're not going to discuss securing infrastructure or monitoring infrastructure. That's what the security teams and the operations or SRE teams do. This course is specifically focused on Software Engineers and what you need to know to truly embrace the DevOps mantra of "You built it, you run it." Did you know that the biggest security risks and concerns for developers two decades ago are almost the same concerns today? Many of the most recent concerns included on the Open Web Application Security Project (OWASP) Top 10 list were the same as they were in 2007. With ever-changing technology and almost incredible advancements in computer science and software engineering, software engineers still fail to take the most basic security measures to safeguard their applications and close the door to threats and attacks. According to the OWASP 2016 report, identifying a security breach took an average of 191 days. Check your calendar, that's over 6 months! Plenty of time for an attacker to use a small exploit and launch a full-fledged attack. And this is mostly due to poorly implemented logging and monitoring, and a complete lack of logging of login failures and other events that could have alerted the team to malicious attempts to break the system. We can do better. We need to start practicing security by design. This course will help you understand the common risks and vulnerabilities that threaten your applications and systems. In this course, we’ll start by learning about DevSecOps. It’s an essential part of development and operations. You'll learn about proactively integrating security into your software development process. 
You'll learn how mapping security into your development plan will increase your ability to recover from attacks and even secure your systems before an attack can happen. You'll learn about vulnerability scanning, threat modeling, and gain a deeper understanding of threat monitoring. And by the end of the course, you'll be familiar with many of the key security terms and concepts commonly used by Security and Monitoring teams. You'll also explore security testing and the different tools and procedures you can use to mitigate the risks and impacts of security threats and vulnerabilities. We're not just going to talk about these tools. You're software engineers; you learn by doing! So in the hands-on labs, you'll practice analyzing code using static and dynamic analysis tools and running tests to help you understand the process. These are open source tools that you can start using today on your projects. Then we'll dive into the OWASP Top 10 report that identifies current security vulnerabilities and concerns. You'll discover how hackers are exploiting common vulnerabilities in applications and systems. Then, in the labs you'll get hands-on practice once again setting up tools like the Vault secrets manager via both the user interface and programmatically by reading and writing secrets to Vault. You'll also learn tools that will help you check and test the security of your code, dependencies, and development environments. Additionally, we'll learn the importance of monitoring and observability to secure your applications and systems. You will be introduced to application monitoring and why it matters to you. You'll become familiar with the four Golden Signals of Monitoring and how they can help you mitigate security risks and even stop them before they occur. In the following weeks, you'll learn more about monitoring and visualization tools like Prometheus and Grafana. 
Also, you’ll explore how these tools can help you organize and understand your monitoring data so that you can use metrics to develop charts, graphs, timelines, and many other visuals to show real-time data to help your team plan, execute, and reach its development goals. Finally, you'll explore application logging and learn more about why logging is a key to helping you understand your application's vulnerabilities, its dependencies, system events, and how well it's performing. You know, when my development teams deploy an application to the cloud and it is misbehaving, they ask me what might be wrong. The first question I ask them is, "What do the logs say?" When they invariably come back and tell me, “There’s nothing in the logs,” I smile and I say, “I guess it's time to add more log statements to your code.” By the end of this course, you'll understand how security risks and vulnerabilities threaten your applications and systems, and you'll be prepared to handle these security nightmares so that you can sleep soundly at night. You know, I can remember when I used to deploy my applications without any thought about security, and the operations team would tell me, “It failed the security scans, and, oh! Here is a list of vulnerabilities that you need to fix.” When I asked the security team, “Well, how do I fix them?” they’d say, “How should I know? You're the developer.” And I was left to fend for myself without even understanding what many of the terms they were using meant. THIS is the course that I wish I had when my deployment was being held up by the security team. Don't let that happen to you. So, join me. Learn how to start coding defensively, and make sure that your applications are secure by design. Watch the videos, immerse yourself in the labs, take the quizzes, and interact with your peers in the forums, because software engineering is a team sport and collaboration is encouraged.