Applied DevSecOps


In Applied DevSecOps training, you will learn how to handle security at scale using DevSecOps practices. We will start with the basics of DevOps and DevSecOps principles and move towards advanced concepts such as Security as Code, Compliance as Code, Configuration Management as Code, Infrastructure as Code, etc.

The training will be based on DevSecOps Studio, a distribution for DevSecOps enthusiasts. We will cover real-world DevSecOps tools and practices in order to obtain an in-depth understanding of the concepts learned as part of the course.

We will also cover how to use Static Analysis (SAST), Dynamic Analysis (DAST), OS hardening and Security Monitoring as part of the Secure SDLC, and how to select tools which fit your organization's needs and culture.

After the training, the students will be able to successfully hack and secure applications before hackers do. The training will also include a CTF challenge at the end, where the attendees will use the skills learned in the training to solve the CTF challenges. The students will be provided with the slides, tools and virtual machines used during the course.

Syllabus

This course will cover the following DevSecOps topics and techniques:

1. Introduction to DevOps and DevSecOps

• What is DevOps?
• DevOps Principles: Culture, Automation, Measurement, and Sharing (CAMS)
• Benefits of DevOps: Speed, Reliability, Availability, Scalability, Automation, Cost, and Visibility.
• What are Continuous Integration (CI) and Continuous Deployment (CD)?
• Continuous Delivery vs Continuous Deployment.
• General workflow of a CI/CD pipeline.
• Designing a CI/CD pipeline for web applications.
• Common challenges faced when implementing DevOps practices.

2. DevSecOps Tools of the trade including DevSecOps Studio

• GitLab, GitLab Runner, GitLab CI
• Ansible
• Docker
• Inspec
• threatspec
• Hands-On Labs: Building a CI Pipeline using GitLab
• Hands-On Labs: Integrating security tools to create a DevSecOps pipeline in GitLab.

3. Secure SDLC and CI/CD pipeline

• What is Secure SDLC?
• Threat Modeling (Design)
• Static Analysis and Secure by Default (Implementation)
• Dynamic Analysis (Testing)
• OS Hardening, Web/Application Hardening (Deploy)
• Security Hardening/Compliance (Maintain)
• DevSecOps Maturity Model (DSOMM)
• Embedding Security as part of CI/CD pipeline
• DevSecOps challenges and use cases

4. SCA (Software Component Analysis) in CI/CD pipeline

• What is Software Component Analysis?
• Finding the right SCA tool for CI
• Embedding SCA tools like Safety, RetireJS and NPM Audit into the pipeline to find vulnerable dependencies.
• Hands-On Lab: using NPM Audit to scan for third-party component vulnerabilities in a JavaScript code base.
• Hands-On Lab: using the Safety tool to scan for third-party component vulnerabilities in a Python code base.
• Software Component Analysis and its challenges.

5. SAST (Static Analysis) in CI/CD pipeline

• What is Static Application Security Testing?
• Static Analysis and its challenges.
• Finding the right SAST tools for CI
• Embedding SAST tools like Bandit into the pipeline to find bugs.
• Hands-On Lab: using Bandit to scan a Python code base.
• Hands-On Lab: using trufflehog and gitleaks to scan the code base for secrets.

6. DAST (Dynamic Analysis) in CI/CD pipeline

• What is Dynamic Application Security Testing?
• Finding the right tool that fits into CI/CD
• Embedding DAST tools like ZAP into the pipeline.
• SSL misconfiguration testing
• Server misconfiguration testing, such as exposed secret folders and files.
• Hands-On Labs: Performing scans using nuclei, nmap, sslyze, etc.
• Hands-On Labs: Performing ZAP baseline scans.
• Hands-On Labs: Performing ZAP active, authenticated scans.
• Dynamic Analysis and its challenges (Session Management, AJAX Crawling)

7. Threat Modeling as Code in CI

• What is Threat Modeling?
• Finding the right Threat Modeling tool that fits into CI/CD
• Hands-On Lab: Performing threat modeling as code using threatspec.

8. Infrastructure as Code and Its Security

• Managing configurations with Ansible
• Infrastructure as Code and its benefits
• Tools and services which help to achieve IaC
• Hands-On Lab: Vagrant, Docker, and Ansible
• Hands-On Lab: Server hardening using Ansible

9. Container Security

• Overview of container technology
• Docker Security
• Hands-On Lab: Auditing the deployed Docker containers against CIS benchmarks
• Hands-On Labs: Scanning for container vulnerabilities using Trivy.

10. Vulnerability Management with custom tools

• Approaches to managing vulnerabilities in the organization.
• False positives vs false negatives.
• Different metrics for stakeholders, devs, and security teams.
• Hands-On Labs: Using Defect Dojo for vulnerability management.

11. Compliance as Code as part of CI

• Different approaches to handle compliance requirements at DevOps scale
• Using configuration management to achieve compliance.
• Managing compliance using Inspec.
• Hands-On Lab: Using Inspec as part of CI to verify compliance checks.

Who should take this course?

This course is aimed at anyone who is looking to embed security in agile/cloud/DevOps environments, such as Security Professionals, Penetration Testers, Red Teamers, IT Managers, Developers, and DevOps Engineers.

Requirements

1. The student should have some knowledge of running basic Linux commands like ls, cd, mkdir, etc.

2. The student should have some basic understanding of information security practices like the OWASP Top 10, networking, etc., though this is not a necessity.

What Students Should Bring

1. Laptop with a minimum of 16GB of RAM and 80GB of free hard disk space, able to run 3 virtual machines simultaneously.

2. Administrator access to install software like VirtualBox, Python, etc.

3. The trainer will provide all needed software and utilities during the first day of the course.

What Students Will Be Provided With

1. Tools used during the course

2. DevSecOps Studio Virtual machine setup

3. Lab Manual and Practice notes.


Testimonials

Appreciate the partnership in customizing the course rightly to meet our needs well. Very professional, supportive and effective. Thanks for the support and looking forward to the next session.

Amlan, Infosys

I am thankful for the DevSecOps classes by Raghunath. Being a Pen-Tester, these DevSecOps classes gave me more insight into the critical importance of security in both DevOps. The classes were interactive, and my doubts were well received and cleared. The practical classes were highly informative and gave me hands-on experience in the topic. I’m glad that I took the classes from Mr. Raghunath from Eracorp.

Arvind V, ADP

This course offers a unique, rich program in skills that are highly sought after today. I had a wonderful experience with highly trained and helpful trainer Raghu, who is a leader in this field and went out of his way to make sure I understood the how and why of our training. I came with a security background looking to learn security implementation in DevOps (training that is not easy to find) and I successfully learned with the ability to implement security in the DevOps pipeline and have a stronger understanding of many concepts in DevOps.

Naveen Yellani, Student

Raghu is an excellent trainer. He explained the DevSecOps big picture and cleared my doubts. I feel more confident about configuring a client’s security pipeline with the notes provided.

Vamsi Kishore, Infosys