Practical DevSecOps – Continuous Security in the age of the cloud

Course Description

UPDATE May 10th – We have decided to host this training virtually due to the Corona crisis. 

Ever wondered how to handle the deluge of security issues and reduce the cost of fixing them before software goes to production? How unicorns like Google, Facebook, Amazon and Etsy handle security at scale? In the Practical DevSecOps training, you will learn how to handle security at scale using DevSecOps practices. We will start with the basics of DevOps and DevSecOps and move towards advanced concepts such as Security as Code, Compliance as Code, Configuration Management and Infrastructure as Code.

The training is based on DevSecOps Studio, a distribution for DevSecOps enthusiasts. We will cover real-world DevSecOps tools and practices in order to obtain an in-depth understanding of the concepts learned as part of the course. We will also cover how to use Static Analysis (SAST), Dynamic Analysis (DAST), OS hardening and security monitoring as part of the Secure SDLC, and how to select tools that fit your organization's needs and culture.

After the training, students will be able to successfully hack and secure applications before attackers do.

This course will cover the following DevSecOps topics and techniques:

  1. Overview of DevSecOps
  2. Overview of the Tools of the trade
  3. Secure SDLC and CI/CD pipeline
  4. Security Requirements and Threat Modelling (TM)
  5. Static Analysis (SAST) in the CI/CD pipeline
  6. Dynamic Analysis (DAST) in the CI/CD pipeline
  7. Runtime Analysis (RASP/IAST) in the CI/CD pipeline
  8. Infrastructure as Code (IaC) and its security
  9. Container (Docker) Security
  10. Secrets management on mutable and immutable infrastructure
  11. Vulnerability Management with custom tools

Course contents

1) Overview of DevSecOps

  • What is DevOps?
  • DevOps Building Blocks- People, Process and Technology.
  • DevOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
  • Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
  • What are Continuous Integration and Continuous Deployment?
    • Continuous Integration to Continuous Delivery to Continuous Deployment.
    • Continuous Delivery vs Continuous Deployment.
    • General workflow of a CI/CD pipeline.
    • Blue/Green deployment strategy.
    • Achieving full automation.
    • Designing a CI/CD pipeline for a web application.
  • Common challenges faced when applying DevOps principles.
  • Case studies on DevOps at cutting-edge technology companies: Facebook, Amazon and Google.
  • Demo: Advanced enterprise-grade DevSecOps pipeline.

2) Overview of the Tools of the trade

  • Github/Gitlab/BitBucket
  • Vagrant
  • Docker
  • Ansible
  • Jenkins/Travis/GitLab CI/Bitbucket Pipelines
  • Gauntlt
  • AWS
  • Inspec
  • Hands-On Labs: Use Vagrant to practise Infrastructure as Code.
  • Hands-On Labs: Build a CI pipeline using Jenkins/Travis and GitHub/Bitbucket.
  • Hands-On Labs: Use the above tools to create a complete CI/CD pipeline.

3) Secure SDLC and CI/CD pipeline

  • What is a Secure SDLC?
  • Secure SDLC activities and security gates
    • Security Requirements (Requirements)
    • Threat Modelling (Design)
    • Static Analysis and Secure by Default (Implementation)
    • Dynamic Analysis (Testing)
    • OS Hardening, Web/Application Hardening (Deploy)
    • Security Monitoring/Compliance (Maintain)
  • DevSecOps Maturity Model (DSOMM)
  • Hands-on: Create a CI/CD pipeline suitable for a modern application.
  • Hands-on: Manage the findings in a fully automated pipeline.

4) Security Requirements and Threat Modelling (TM)

  • What is Threat Modelling?
  • STRIDE (threat classification) and DREAD (risk rating) approaches
  • Threat modelling and its challenges.
  • Classical threat modelling tools and how they fit in the CI/CD pipeline
  • Hands-On Labs: Automate security requirements as code.
  • Hands-On Labs: Using ThreatSpec to do Threat Modelling as Code.
  • Hands-On Labs: Using BDD-Security to codify threats.

5) Static Analysis(SAST) in CI/CD pipeline

  • SWOT analysis of SAST technology
  • Writing custom rules to weed out false positives and improve the quality of the results.
  • Various approaches to writing custom rules in free and paid tools.
    • Regular expressions
    • Abstract Syntax Trees
    • Graphs (data and control flow analysis)
  • Hands-On Labs: Writing custom checks in Bandit for your enterprise applications.
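The difference between the regular-expression and Abstract Syntax Tree approaches listed above is easiest to see side by side. The following is an added, stand-alone illustration and not the course's lab material or a Bandit plugin: it implements one rule (calls to `subprocess.*` with `shell=True`, the class of finding Bandit reports as B602) both ways, using only the Python standard library. The sample source it scans is constructed for the example.

```python
import ast
import re
from typing import List, Tuple

# Constructed sample program. Only the call in run() is a real finding;
# lines 4 and 5 mention shell=True in a comment and a string.
SAMPLE_SOURCE = '''
import subprocess

# TODO: never use shell=True here
HELP = "pass shell=True only for trusted input"

def run(cmd):
    return subprocess.call(cmd, shell=True)

def safe(cmd):
    return subprocess.run(cmd.split(), shell=False)
'''

SHELL_TRUE_RE = re.compile(r"shell\s*=\s*True")


def regex_findings(source: str) -> List[int]:
    """Line-based regex rule: cheap to write, but blind to syntax.
    It reports every line containing the text, including comments and strings."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if SHELL_TRUE_RE.search(line)]


class ShellTrueVisitor(ast.NodeVisitor):
    """AST rule: report only Call nodes whose callee is subprocess.<anything>
    and whose `shell` keyword argument is the literal True."""

    def __init__(self) -> None:
        self.findings: List[Tuple[int, str]] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        is_subprocess = (isinstance(func, ast.Attribute)
                         and isinstance(func.value, ast.Name)
                         and func.value.id == "subprocess")
        if is_subprocess:
            for kw in node.keywords:
                if (kw.arg == "shell"
                        and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(
                        (node.lineno, f"subprocess.{func.attr} called with shell=True"))
        self.generic_visit(node)  # keep walking into nested calls


def ast_findings(source: str) -> List[Tuple[int, str]]:
    """Parse the source once and run the visitor over the tree."""
    visitor = ShellTrueVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    print("regex hits (line numbers):", regex_findings(SAMPLE_SOURCE))
    for lineno, msg in ast_findings(SAMPLE_SOURCE):
        print(f"ast hit line {lineno}: {msg}")
```

The regex rule reports three lines, two of them false positives; the AST rule reports only the real call. The AST rule still misses `shell=flag` where `flag` is a variable, which is where the data-flow (graph) approach in the next bullet comes in.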

6) Dynamic Analysis(DAST) in CI/CD pipeline

  • Dynamic Analysis and its challenges (session management, AJAX crawling)
  • Embedding DAST tools like ZAP and Burp Suite into the pipeline.
  • Leveraging QA/performance automation to drive DAST scans.
  • Using Swagger (OpenAPI) and ZAP to scan APIs iteratively.
  • Ways to handle custom authentication for the ZAP scanner.
  • Using the Zest language to provide better coverage for DAST scans.
  • Hands-On Labs: Using ZAP + Selenium + Zest to configure in-depth scans.
  • Hands-On Labs: Using Burp Suite Pro to configure per-commit/weekly/monthly scans.

Note: Students need to bring their own Burp Suite Pro license to use it in CI/CD.

7) Runtime Analysis(RASP/IAST) in CI/CD pipeline

  • What is runtime application security testing?
  • Differences between RASP and IAST.
  • Runtime analysis and its challenges.
  • RASP/IAST and their suitability for the CI/CD pipeline.
  • Hands-On Labs: A commercial implementation of an IAST tool.

8) Infrastructure as Code(IaC) and Its Security

  • What is Infrastructure as Code and what are its benefits?
  • Introduction to Ansible
    • Benefits of Ansible
    • Push and pull models
    • Modules, tasks, roles and playbooks
    • Ansible for continuous security in DevOps pipelines
  • Introduction to Packer
    • Benefits of Packer
    • Templates, builders, provisioners and post-processors
    • Packer for continuous security in DevOps pipelines
  • Tools and services for practising IaC (Packer + Ansible + Docker)
  • Hands-On Labs: Using Ansible to harden on-prem/cloud machines for PCI-DSS
  • Hands-On Labs: Create hardened golden images using Packer + Ansible

9) Container (Docker) Security

  • What is Docker?
  • Docker vs Vagrant
  • Basics of Docker and its challenges
    • Vulnerabilities in images (public and private)
    • Denial-of-service attacks
    • Privilege escalation methods in Docker
    • Security misconfigurations
  • Container Security
    • Content Trust and integrity checks
    • Capabilities and namespaces in Docker
    • Segregating networks
    • Kernel hardening using seccomp and AppArmor
  • Static analysis of container (Docker) images.
  • Dynamic analysis of container hosts and daemons.
  • Hands-On Labs: Scanning Docker images using Clair and its APIs
  • Hands-On Labs: Auditing the Docker daemon and host for security issues.
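Most of the misconfigurations listed in this section (privileged mode, added capabilities, seccomp/AppArmor switched off, host namespaces, the Docker socket mounted into a container) are visible in the JSON that `docker inspect` prints. The following is an added example, not the course's own lab script: a small auditor that takes that JSON and reports the weak settings per container. The `docker inspect` excerpt is constructed for the example (field names follow the real `HostConfig`/`Config` layout; the container names and values are invented), and the set of "dangerous" capabilities is a judgement call, not a Docker-defined list.

```python
import json
from typing import Dict, List

# Constructed excerpt in the shape of `docker inspect <id> ...` output for two
# containers. Not captured from a real host; the values are deliberately chosen
# so that one container is badly configured and the other is reasonably hardened.
INSPECT_JSON = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/payments-api",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True,
            "CapAdd": ["SYS_ADMIN"],
            "CapDrop": None,
            "SecurityOpt": ["seccomp=unconfined"],
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
            "PidMode": "host",
            "NetworkMode": "host",
        },
    },
    {
        "Id": "bbb222",
        "Name": "/frontend",
        "Config": {"User": "app"},
        "HostConfig": {
            "Privileged": False,
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges:true"],
            "Binds": None,
            "PidMode": "",
            "NetworkMode": "frontend_net",
        },
    },
])

# Capabilities that are routinely enough for a container-to-host escape
# (assumed list for this example, tune it to your own policy).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_container(container: Dict) -> List[str]:
    """Return one finding string per weak setting found in a single inspect record."""
    hc = container.get("HostConfig", {})
    findings: List[str] = []

    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices, seccomp/AppArmor off")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in DANGEROUS_CAPS:
            findings.append(f"cap-add {cap}: commonly abused for container escape")
    if "ALL" not in [c.upper() for c in hc.get("CapDrop") or []]:
        findings.append("CapDrop lacks ALL: default capability set retained")

    sec_opts = hc.get("SecurityOpt") or []
    if any(opt in ("seccomp=unconfined", "apparmor=unconfined") for opt in sec_opts):
        findings.append("seccomp/AppArmor unconfined: kernel attack surface unrestricted")
    if not any(opt.startswith("no-new-privileges") for opt in sec_opts):
        findings.append("no-new-privileges not set: setuid binaries can gain privileges")

    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src in ("/var/run/docker.sock", "/"):
            findings.append(f"host mount {src}: equivalent to root on the host")

    if hc.get("PidMode") == "host":
        findings.append("pid=host: host processes visible from the container")
    if hc.get("NetworkMode") == "host":
        findings.append("network=host: network namespace shared with the host")
    if not container.get("Config", {}).get("User"):
        findings.append("no User set: runs as the image default, root unless the image sets USER")
    return findings


def audit_inspect_output(raw_json: str) -> Dict[str, List[str]]:
    """Map container name -> findings for the whole `docker inspect` array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(raw_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(INSPECT_JSON).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On a real host you would feed it `docker inspect $(docker ps -q)`; in a pipeline the same checks belong on the `docker run`/Compose definitions before anything is deployed, since fixing a running container is already too late.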

10) Secrets management on mutable and immutable infra

  • Managing secrets in traditional infrastructure.
  • Managing secrets in containers at scale.
  • Secrets management in the cloud
    • Version control systems and secrets.
    • Environment variables and configuration files.
    • Docker, immutable systems and their security challenges.
    • Secrets management with Vault and Consul.
  • Hands-On Labs: Securely store encryption keys and other secrets using Vault/Consul.
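The "version control systems and secrets" bullet above is usually enforced with a scanner that runs on every commit, before the secret ever reaches the remote. The following is an added example, not part of the course material: it combines the two techniques such scanners rely on, fixed patterns for well-known key formats and a Shannon-entropy heuristic for opaque tokens, with an allow-list of placeholder markers so that documentation values do not block commits. The sample lines are constructed; the AWS-style key is the one AWS uses in its own documentation, and the pattern list, entropy threshold and placeholder markers are assumptions to tune per organisation.

```python
import math
import re
from typing import List, Tuple

# Constructed sample "diff" lines. Line 1 is a pattern hit, line 2 an opaque
# high-entropy token, line 3 a placeholder that must not block a commit, and
# line 4 the correct approach (secret taken from the environment at runtime).
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'api_token = "c8f3a1e2d4b5f6a7b8c9d0e1f2a3b4c5d6e7f8a9"',
    'db_password = "REPLACE_WITH_REAL_SECRET_VALUE"',
    'db_password = os.environ["DB_PASSWORD"]',
]

# Known key formats: a regex hit is reported regardless of entropy.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]
# Quoted string literals of 20+ token-like characters are entropy candidates.
CANDIDATE_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
PLACEHOLDER_MARKERS = ("EXAMPLE", "CHANGEME", "REPLACE", "PLACEHOLDER", "XXXX")
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex is ~4.0, English words ~2-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(ch) / n) * math.log2(s.count(ch) / n) for ch in set(s))


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for each line that looks like it leaks a secret."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        hit = next((name for name, rx in PATTERN_RULES if rx.search(line)), None)
        if hit:
            findings.append((lineno, hit))
            continue
        for candidate in CANDIDATE_RE.findall(line):
            if any(marker in candidate.upper() for marker in PLACEHOLDER_MARKERS):
                continue  # documented placeholder, not a real credential
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy-string"))
                break
    return findings


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LINES)
    for lineno, rule in hits:
        print(f"line {lineno}: {rule}: {SAMPLE_LINES[lineno - 1]}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Wired into a pre-commit hook, the non-zero exit stops the commit; the same function can run over `git log -p` output to find secrets that were committed before the hook existed, which then need rotating rather than merely deleting, because history keeps them.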

11) Vulnerability Management with custom tools

  • Approaches to managing vulnerabilities in the organization.
  • False positives and false negatives.
  • Culture and vulnerability management.
  • Creating different metrics for CXOs, developers and security teams.
  • Hands-On Labs: Using DefectDojo for vulnerability management.

Target audience

This course is aimed at anyone who is trying to embed security into agile, cloud or DevOps environments, such as security professionals, penetration testers, red teamers, IT managers, developers and DevOps engineers.

Requirements

To be completed

What will be provided

  • Course PDF manual and Lab Guide.
  • Certified DevSecOps Professional (CDP) Exam Attempt.
  • 30 days of Online Lab after the class.

Trainer Biography

Mohammed A. "secfigo" Imran is the Founder and CEO of Hysn/Practical DevSecOps and a seasoned security professional with over a decade of experience in helping organizations with their information security programs. He has a diverse background in R&D, consulting and product-based companies, with a passion for solving complex security problems. Imran is the founder of Null Singapore, the largest information security community in Singapore, where he has organized more than 60 events and workshops to spread security awareness.

He was also nominated as a community star for being the go-to person in the community whose contributions and knowledge sharing have helped many professionals in the security industry. He is regularly seen speaking and training at conferences such as Black Hat, DevSecCon, AppSec, All Day DevOps, Nullcon and many other international conferences.

Twitter : @secfigo

LinkedIn : https://www.linkedin.com/in/secfigo/

Website : https://www.practical-devsecops.com