Link Search Menu Expand Document

Web Banner
Back to Pre-Conference Training Page

Back to Conference Home Page

DevSecOps: Automating Security in DevOps

Two-Day Interactive (Live Online) Training - AppSec New Zealand Conference 2021

Abstract

Two Days hands-on training to automate security into a fast-paced DevOps environment, using various open-source tools and scripts.

Key Takeaways:

  • Understand how to tackle security issues in a fast-moving DevOps environment
  • Identify tools/solutions and develop processes to create a secure by default infrastructure
  • In-depth understanding of various tools that can be used for security automation
  • Utilize the integration scripts and tools provided in the DevSecOps Lab to create your own DevSecOps pipeline

Course Details

Dates: Wednesday and Thursday, 10-11 February 2021

Time: 8:45 a.m. to 5:30 p.m. (NZDT), each day

Instructor: Rohit Salecha, NotSoSecure

Course Fee: NZ $900.00 (plus GST and ticketing fees)

Registration Site: https://events.humanitix.com/appsecnz-training

Minimum Enrolment: Ten (10) paid registrations

Prerequisite Skills:

Anybody with a background in IT or related to software development whether a developer or a manager can attend this course to get an insight about DevOps and DevSecOps.

Attendees Should Have:

  • Any computer with an updated browser
  • In order to access our labs, you’ll need an unfiltered direct connection to the Internet. Our labs will not be accessible from behind a proxy or a firewalled Internet connection.

Attendees Will Receive:

  • Access to cloud DevSecOps Lab during the class, and for 24 hours post-training for further hands-on practice
  • A DevSecOps Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools used to build the entire DevSecOps pipeline

Course Overview

Modern enterprises are implementing the technical and cultural changes required to embrace DevOps methodology, by introducing practices such Continuous Integration (CI), Continuous Delivery (CD), Continuous Monitoring (CM) and Infrastructure as Code(IaC). DevSecOps extends DevOps, by introducing security in each of these practices, giving a certain level of security assurance in the final product. In this training, we will demonstrate using our state-of-the-art DevSecOps Lab as to how to inject security in CI, CD, CM and IaC.

Every attendee will be provided a personalized cloud setup of our DevSecOps Lab for hands-on implementation of various security tools in the CI/CD/CM pipeline. As a take-away, attendees will receive the complete DevSecOps Lab, built using Vagrant and Ansible and comprising the same tools and scripts as those used in class.

A Short preview of our course is available on YouTube.

Course Objectives

  • Create a security culture/mindset amongst the already integrated “DevOps” team
  • Find and fix security bugs as early in the SDLC as possible
  • Build a secure-by-default infrastructure by automating security
  • Build a system with continuous security monitoring

Course Outline

Lab Setup

  • Online Lab Setup
  • Offline Lab Instructions

Introduction to DevOps

  • What is DevOps?
    • Lab: DevOps Pipeline

Introduction to DevSecOps

  • Challenges for Security in DevOps
  • DevOps Threat Model
  • DevSecOps – Why, What and How?
  • Vulnerability Management

Continuous Integration

  • Pre-Commit Hooks
    • Introduction to Talisman
    • Lab: Running Talisman
    • Lab: Create your own regexes for Talisman
  • Secrets Management
    • Introduction to HashiCorp Vault
    • Demo: Vault Commands

Continuous Delivery

  • Software Composition Analysis (SCA)
    • Introduction to Dependency-Check
    • Lab: Run Dependency-Check pipeline
    • Lab: Fix issues reported by Dependency-Check
  • Static Analysis Security Testing (SAST)
    • Introduction to Semgrep
    • Lab: Run Semgrep pipeline
    • Lab: Create your own Semgrep Rules
    • Lab: Fix Issues reported by Semgrep
  • Dynamic Analysis Security Testing (DAST)
    • Introduction to OWASP ZAP
    • Demo: Creating ZAP Context File
    • Lab: Run ZAP in pipeline

Infrastructure As Code

  • Vulnerability Assessment (VA)
    • Introduction to OpenVAS
    • Lab: Run OpenVAS pipeline
  • Container Security (CS)
    • Introduction to Trivy
    • Lab: Run Trivy in Pipeline
    • Lab: Improvise Docker base image
  • Compliance as Code (CaC)
    • Introduction to Inspec
    • Lab: Run Inspec in Pipeline
    • Lab: Improvise Docker compliancy controls

Continuous Monitoring

  • Logging
    • Introduction to the ELK Stack
    • Lab: View Logs in Kibana
  • Alerting
    • Introduction to ElastAlert and ModSecurity
    • Lab: View Alerts in Kibana
  • Monitoring
    • Lab: Create Attack Dashboards in Kibana

DevSecOps in AWS

  • DevOps on Cloud Native AWS
  • AWS Threat Landscape
  • DevSecOps in Cloud Native AWS

DevSecOps Challenges and Enablers

  • Challenges with DevSecOps
  • Building DevSecOps Culture
  • Security Champions
  • Case Studies
  • Where do we Begin?
  • DevSecOps Maturity Model

Your Instructor

Rohit Salecha

Rohit is an Associate Director with NotSoSecure, part of Claranet Cyber Security. He is a technology enthusiast with more than 10 years of experience in hacking anything that runs on binaries and is on the ground. He also delivers one of the bestselling classes by NotSoSecure titled ‘Application Security for Developers’ and ‘DevSecOps’. He has trained and spoken at premier security conferences like Blackhat, OWASP AppSec Global, and Nullcon. He also loves to reverse engineer binaries and mobile applications and find and exploit vulnerabilities in them. He spends his free time learning new technologies, programming languages or maybe even tinkering with open source tools. Twitter: @salecharohit