Scroll Top

DevSecOps Masterclass: AppSec Automation Edition

Course Description

DevOps has changed the way we deliver apps. However, security remains a serious bottleneck, especially Application Security. This is largely due to the speed of innovation in DevOps, contrasted with the escalating attacks against Applications.

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is based on our 4.9/5 Rated DevSecOps Masterclass at Blackhat.

The training is a hardcore hands-on journey into:

  • Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!
  • Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques
  • Assurance and Provenance for artifacts. Mastery over Cosign and SLSA for Supply-Chain Provenance
  • DAST Automation and Security Regressions with ZAP and Nuclei.
  • Policy-As-Code: Leverage Open Policy Agent (OPA) with use-cases from API Access Control to OS Policy Controls.

Participants get a 2 month access to our online lab environment for DevSecOps training

Course contents

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The Training starts with a view of DevSecOps, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

In this edition, we’re completely rebuilding our existing DevSecOps content to reflect the very bleeding edge of Application Security Automation and DevSecOps Approaches. These include, but not limited to:

  • Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!
  • Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques. This segment will additionally have several approaches to building secure base images for containers
  • Supply-Chain Assurance and Provenance for artifacts. Supply-Chain Security attacks are largely caused by lack of assurance and poor provenance of software supply-chain artifacts. We’ll be diving into the SLSA (Supply-Chain Levels for Software Artifacts)
    Standard and how automation can help achieve levels of compliance. In addition we’ll be diving into Cosign from Project sigstore. This can be used to generate keyed/keyless signatures for container images and other build artifacts including packages and SBOMs.
  • Secret Management – This segment of the class will dive into Secrets Management and Encryption tools like Hashicorp Vault. This will have examples of advanced implementations for Encryption, Key Management and Dynamic Secrets
  • DAST Automation with OWASP ZAP and Nuclei. We’ll be exploring API based scanning with OWASP ZAP and Test Automation Frameworks. In addition, we’ll explore using and building custom DAST automation with Nuclei. This will not only aid in integrating DAST into Automation Pipelines, but also be used for Security Regressions for more complex vulnerabilities
  • Policy-As-Code with Open Policy-Agent (OPA). OPA is a powerful framework that can be used to create and enforce policies across a variety of deployment environments. From being used to perform Access Control and Input Validation in API Gateways, to be used in Container Registries and Operating Systems for deploying and enforcing security policies. You’ll learn OPA’s Domain Specific Language, rego in order to understand policy-as-code frameworks.
  • Integrating Security Automation with CI/CD tooling. Here we’ll be exploring integrating Security Automation with CI/CD tools including Github Actions, Gitlab and Jenkins. In addition, we’ll be leveraging Data Flow Automation tools like Robot Framework, Gaia and Prefect to provide alternatives to typical CI/CD tools for AppSec Automation.

Each section of the training will contain a challenge section that will enable the trainees and the trainers to identify levels of student learning

Detailed Outline

Day 1

  • The Problem with the old models of Application Delivery
    • A Quick History of Agile and DevOps
    • The Coming of DevOps
    • The Need for Security in DevOps
    • Security in Continuous Integration and Continuous Deployment
  • Introduction to Static Application Security Testing (SAST) for Continuous Integration
    • Static Analysis Types
      • Hands-on:
        • RegEx Tools
        • Abstract Syntax Trees
        • QL/Semantic Grep Tools => CodeQL and Semgrep
      • Semgrep Deep-Dive
        • Rules Syntax
        • Taint Analysis
        • Metavariables, Metafunctions and MetaClasses
        • Semgrep against multiple languages:
          • Python
          • JavaScript
          • Go(lang)
          • Java
          • Ruby
      • CodeQL Deep-Dive
        • Rule Syntax
        • CodeQL VSCode Composition Tools
        • CodeQL for multiple languages:
          • C#
          • Python
          • Java
          • JavaScript
    • Challenge Segment – Finding Bugs with Semgrep and CodeQL
    • Static Analysis Automation Strategies
      • Hands-on:
        • Automation in IDE
        • Automation – Part of Git hooks
        • Automation – PR and MR Static Analysis Tooling (Github Actions,etc)
        • Automation – Build Pipeline and Pre-Deployment
    • Static Analysis for Infrastructure-as-Code
      • Hands-on:
        • Kube-Linter
        • Checkov
        • Integrating Infrastructure-as-Code Scanning with Github Actions and Deploy pipelines
    • Static Analysis in CI and CD pipelines
      • Hands-on:
        • Github Actions
        • Gitlab Dev
        • Jenkins
  • Source Composition Analysis and Software Bill of Materials in DevSecOps
    • Concept Overview:
      • Artifact Lifecycle
      • SBOM
      • Package Provenance
      • SLSA – Supply-Chain Levels for Software Artifacts
      • Source Composition Analysis
    • Package Provenance and Assurance Deep-Dive
      • Cosign Deep-Dive – Keyed and Keyless
      • SLSA Provenance Generator for Github Actions and Levels
    • SBOM Deep-dive:
      • Hands-on:
        • CycloneDX
        • SPDX, SWID
    • SCA Deep-dive and Automation Strategies:
      • Hands-on:
        • Incremental SCA with Github Actions => Pull Requests and Merge Requests
        • Package Manager integrated SCA with NPM, Poetry, Dependabot
        • OWASP Dependency Track and Dependency Check

Day 2

  • Dynamic Application Security Testing with Continuous Integration
  • Concepts of DAST with Security Testing
    • Security Automation Testing using OWASP ZAP, Selenium, OpenAPI (Swagger)
    • Security Regression Tests – How to design and write them
  • Nuclei Deep-Dive
    • Hands-on:
      • Nuclei Templates
      • Integrating Nuclei into Pipelines
      • Using Nuclei for Security Regression
  • Application Security Automation and Test Orchestration – Deep-Dive:
    • Hands-on:
      • OWASP ZAP Deep-Dive
        • Scan Policy
        • Extensions
      • OWASP ZAP API Deep-Dive
        • Leveraging OWASP ZAP API with Selenium for testing  browser-based applications
        • Leveraging OWASP ZAP API and (Tavern/RESTInstance/Chai) to test web services and microservices
        • OWASP ZAP API Testing with OpenAPI Specification
      • OWASP ZAP Scripting Workshop
        • Create Active Scan Scripts for Custom Application Vulnerabilities
  • Policy-as-code with Open Policy Agent
    • Open Policy Agent Basics and Framework Overview
    • Hands-on: Rego Basics – Language essentials and composition rules
    • Hands-on:
      • Using OPA and Rego for API RBAC and AuthZ Implementation with API Gateways
      • Using OPA for Advanced Input Validation for APIs
      • Using OPA for Terraform Policy Definition and Enforcement
  • Secrets Management
    • Intro to Secrets Management – A Case for a structured approach to managing secrets
    • Secrets vs Sensitive Information – A Distinction and varied Threat Model
    • Secret Management Fails:
      • Secret Management in GitOps fails
      • Real-world incidents that were caused extensively by bad secrets management
  • Secrets Management with Hashicorp Vault (Hands-on):
    • Introduction to HashiCorp Vault and its API
    • Deploying Vault in Prod
    • Managing Secrets with Vault => Static Secrets
    • Encryption, Key Rotation and Rewrapping with Vault Transit Secrets Engine
    • Dynamic Secrets with Vault => Using Dynamic Secrets for short-term leases for databases
  • Pipelines and Tooling
    • Overview of Tooling:
      • Github Actions
      • Gitlab
      • Jenkins
      • Data Flow Automation Tools: Prefect, Gaia, Apache Airflow
    • Hands-on:
      • DevSecOps Pipelines with Github Actions
      • DevSecOps Pipelines with Gitlab
      • DevSecOps with Jenkins
      • DevSecOps with Gaia and Prefect

Who should take this course?

This course is intended for  :

  • Pentesters
  • Red-Teamers
  • DevSecOps Professionals
  • DevOps Professionals
  • Cloud Security Pros
  • Application Security Managers

why should people attend ?

  • Immediate applicability to challenges in the workplace. This course has been highly recommended by our attendees as a course that gives them the skills that they can immediately apply to their work after they are done with the course. It’s battle-tested practicality and coverage is something that people really love
  • The training is future-proof. We not only look at AppSec centric DevSecOps workflows. We explore it with very important areas of DevSecOps engagement, i.e. the cloud and container-native workflows. This is very important as students get a well-rounded experience in areas that their companies are already looking at seriously, or have already implemented to a certain extent.
  • Areas around Supply-Chain Security Assurance provides a much-needed insight and practical automation approaches.
  • The training is a one-of-a-kind experience that provides deep, hands-on insights into DevSecOps right from code (dev workflows) to deployment (cloud and cloud-native environments)

Requirements

To be completed

Trainer Biography

Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies. Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins, Selenium, Docker, and other DevOps tools. His role sees him automating SAST, DAST, and SCA security tools at every phase of the build pipeline. He commands knowledge of every major security tool out there, including ZAP, Burp, Findsecbugs, and npm audit, among many others. He’s a tireless innovator, having Dockerized his entire security automation process for cross-platform support to build pipelines seamlessly. His experience extends even beyond DevSecOps: he designs and develops Web Application Security tools, performs vulnerability management and orchestration, and consults on security assessments for major companies. He’s proficient in languages like Python, Java, Javascript, Angular, and more. He regularly trains major companies and team members on application security automation, DevSecOps, and AppSec Essentials as well.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.