{"id":1720,"date":"2018-12-17T17:07:56","date_gmt":"2018-12-17T15:07:56","guid":{"rendered":"https:\/\/archive.brucon.org\/2022\/?page_id=1720"},"modified":"2021-06-16T14:24:40","modified_gmt":"2021-06-16T12:24:40","slug":"practical-devsecops-continuous-security-in-the-age-of-cloud","status":"publish","type":"page","link":"https:\/\/archive.brucon.org\/2022\/brucon-2022-training\/practical-devsecops-continuous-security-in-the-age-of-cloud\/","title":{"rendered":"Practical DevSecOps &#8211; Continuous Security in the age of the cloud"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]<\/p>\n<h2>Course Description<\/h2>\n<p>Ever wondered how to handle the deluge of security issues and reduce the cost of fixing them before software goes to production? How unicorns like Google, Facebook, Amazon and Etsy handle security at scale? In the Practical DevSecOps training, you will learn how to handle security at scale using DevSecOps practices. We will start off with the basics of DevOps and DevSecOps and move towards advanced concepts such as Security as Code, Compliance as Code, Configuration management, Infrastructure as Code, etc.<\/p>\n<p>The training will be based on DevSecOps Studio, a distribution for DevSecOps enthusiasts. We will cover real-world DevSecOps tools and practices in order to obtain an in-depth understanding of the concepts learned as part of the course. We will also cover how to use Static Analysis (SAST), Dynamic Analysis (DAST), OS hardening and Security Monitoring as part of the Secure SDLC, and how to select tools that fit your organization\u2019s needs and culture. 
After the training, the students will be able to successfully hack and secure applications before hackers do.<\/p>\n<p>This course will cover the following DevSecOps topics and techniques:<\/p>\n<ul>\n<li>Overview of DevSecOps<\/li>\n<li>Overview of the Tools of the trade<\/li>\n<li>Secure SDLC and CI\/CD pipeline<\/li>\n<li>Security Requirements and Threat Modelling (TM)<\/li>\n<li>Static Analysis (SAST) in CI\/CD pipeline<\/li>\n<li>Dynamic Analysis (DAST) in CI\/CD pipeline<\/li>\n<li>Runtime Analysis (RASP\/IAST) in CI\/CD pipeline<\/li>\n<li>Infrastructure as Code (IaC) and its Security<\/li>\n<li>Secrets management on mutable and immutable infra<\/li>\n<li>Vulnerability Management with custom tools<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>Course contents<\/h2>\n<h4><strong>1)\u00a0<\/strong><strong>Overview of DevSecOps<\/strong><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">What is DevOps?<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">DevOps Building Blocks &#8211; People, Process and Technology.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">DevOps Principles &#8211; Culture, Automation, Measurement and Sharing (CAMS)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Benefits of DevOps &#8211; Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">What is Continuous Integration and Continuous Deployment?<\/span>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Continuous Integration to Continuous Deployment to Continuous Delivery.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Continuous Delivery vs Continuous Deployment.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">General workflow of a CI\/CD 
pipeline.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Blue\/Green deployment strategy<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Achieving full automation.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Designing a CI\/CD pipeline for a web application.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Common challenges faced when applying DevOps principles.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Case studies on DevOps of cutting-edge technology at Facebook, Amazon, and Google<\/span><\/li>\n<li style=\"font-weight: 400\"><b>Demo:<\/b> Advanced enterprise-grade DevSecOps Pipeline.<\/li>\n<\/ul>\n<h4><strong>2) Overview of the Tools of the trade<\/strong><\/h4>\n<ul>\n<li>Github\/Gitlab\/BitBucket<\/li>\n<li>Vagrant<\/li>\n<li>Docker<\/li>\n<li>Ansible<\/li>\n<li>Jenkins\/Travis\/Gitlab CI\/Bitbucket<\/li>\n<li><strong>Hands-On Labs:<\/strong> Building a CI Pipeline using Jenkins\/Travis and Github\/Bitbucket.<\/li>\n<li><strong>Hands-On Labs:<\/strong> Use the above tools to create a complete CI\/CD pipeline.<\/li>\n<\/ul>\n<h4><strong>3) Overview of Secure SDLC and CI\/CD pipeline<\/strong><\/h4>\n<ul>\n<li>What is Secure SDLC?<\/li>\n<li>Secure SDLC Activities and Security Gates\n<ul>\n<li>Security Requirements (Requirements)<\/li>\n<li>Threat Modelling (Design)<\/li>\n<li>Static Analysis and Secure by Default (Implementation)<\/li>\n<li>Dynamic Analysis (Testing)<\/li>\n<li>OS Hardening, Web\/Application Hardening (Deploy)<\/li>\n<li>Security Monitoring\/Compliance (Maintain)<\/li>\n<\/ul>\n<\/li>\n<li>DevSecOps Maturity Model (DSOMM)<\/li>\n<li><strong>Hands-on:<\/strong> Create a CI\/CD pipeline suitable for a modern application.<\/li>\n<li><strong>Hands-on:<\/strong> Manage the findings in a fully automated pipeline.<\/li>\n<\/ul>\n<h4><strong>4) Security Requirements and Threat Modelling 
(TM)<\/strong><\/h4>\n<ul>\n<li>What is Threat Modelling?<\/li>\n<li>STRIDE vs DREAD approaches<\/li>\n<li>Threat modelling and its challenges.<\/li>\n<li>Classical Threat modelling tools and how they fit in a CI\/CD pipeline<\/li>\n<li><strong>Hands-On Labs:<\/strong> Automate security requirements as code.<\/li>\n<li><strong>Hands-On Labs:<\/strong> Using ThreatSpec to do Threat Modelling as Code.<\/li>\n<\/ul>\n<h4><strong>5) Static Analysis (SAST) in CI\/CD pipeline<\/strong><\/h4>\n<ul>\n<li>SWOT analysis of SAST technology<\/li>\n<li>Writing custom rules to weed out false positives and improve the quality of the results.<\/li>\n<li>Various approaches to writing custom rules in free and paid tools.\n<ul>\n<li>Regular expressions<\/li>\n<li>Abstract Syntax Trees<\/li>\n<li>Graphs (Data and Control Flow analysis)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Hands-On Labs:<\/strong> Writing custom checks in Bandit for your enterprise applications.<\/li>\n<\/ul>\n<h4><strong>6) Dynamic Analysis (DAST) in CI\/CD pipeline<\/strong><\/h4>\n<ul>\n<li>Dynamic Analysis and its challenges (Session Management, AJAX Crawling)<\/li>\n<li>Embedding DAST tools like ZAP and Burp Suite into the pipeline.<\/li>\n<li>Leveraging QA\/Performance automation to drive DAST scans.<\/li>\n<li>Using Swagger (OpenAPI) and ZAP to scan APIs iteratively.<\/li>\n<li>Ways to handle custom authentication for the ZAP scanner.<\/li>\n<li><strong>Hands-On Labs:<\/strong> Using ZAP + Selenium + Zest to configure in-depth scans<\/li>\n<li><strong>Hands-On Labs:<\/strong> Using Burp Suite Pro to configure per-commit\/weekly\/monthly scans.<\/li>\n<\/ul>\n<p><em>Note: Students need to bring their own Burp Suite Pro license to use in CI\/CD<\/em><\/p>\n<h4><strong>7) Runtime Analysis (RASP\/IAST) in CI\/CD pipeline<\/strong><\/h4>\n<ul>\n<li>What is Runtime Analysis Application Security Testing?<\/li>\n<li>Differences between RASP and IAST.<\/li>\n<li>Runtime Analysis and its challenges.<\/li>\n<li>RASP\/IAST and its 
suitability in CI\/CD pipeline.<\/li>\n<li><strong>Hands-On Labs:<\/strong> A commercial implementation of an IAST tool.<\/li>\n<\/ul>\n<h4><strong>8) Infrastructure as Code (IaC) and its Security<\/strong><\/h4>\n<ul>\n<li>What is Infrastructure as Code and its benefits<\/li>\n<li>Introduction to Ansible\n<ul>\n<li>Benefits of Ansible<\/li>\n<li>Push and Pull Model<\/li>\n<li>Modules, tasks, roles and Playbooks<\/li>\n<li>Ansible for continuous security in DevOps Pipelines<\/li>\n<\/ul>\n<\/li>\n<li>Introduction to Packer\n<ul>\n<li>Benefits of Packer<\/li>\n<li>Modules, tasks, roles and Playbooks<\/li>\n<li>Packer for continuous security in DevOps Pipelines<\/li>\n<\/ul>\n<\/li>\n<li>Tools and Services for practising IaC (Packer + Ansible + Docker)<\/li>\n<li><strong>Hands-On Labs:<\/strong> Using Ansible to harden on-prem\/cloud machines for PCI-DSS<\/li>\n<li><strong>Hands-On Labs:<\/strong> Create hardened Golden images using Packer + Ansible<\/li>\n<\/ul>\n<h4><strong>9) Secrets management on mutable and immutable infra<\/strong><\/h4>\n<ul>\n<li>Managing secrets in traditional infrastructure.<\/li>\n<li>Managing secrets in containers at scale.<\/li>\n<li>Secret Management in the Cloud\n<ul>\n<li>Version Control systems and Secrets.<\/li>\n<li>Environment Variables and Configuration files.<\/li>\n<li>Docker, immutable systems and their security challenges.<\/li>\n<li>Secrets management with Vault and Consul.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Hands-On Labs:<\/strong> Securely store encryption keys and other secrets using Vault\/Consul.<\/li>\n<\/ul>\n<h4><strong>10) Vulnerability Management with custom tools<\/strong><\/h4>\n<ul>\n<li>Approaches to managing vulnerabilities in the organization.<\/li>\n<li>False positives and false negatives.<\/li>\n<li>Culture and Vulnerability Management.<\/li>\n<li>Creating different metrics for CXOs, devs and security teams.<\/li>\n<li><strong>Hands-On Labs:<\/strong> Using Defect Dojo for vulnerability 
management.<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>Target audience<\/h2>\n<p>This course is aimed at anyone who is trying to embed security into agile\/cloud\/DevOps environments, such as Security Professionals, Penetration Testers, Red Teamers, IT managers, developers, and DevOps Engineers.[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>Requirements<\/h2>\n<p>You just need to bring a laptop with a browser installed. No other installations are required.[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>Testimonials<\/h2>\n<p>Find the following testimonials about this course:<\/p>\n<ol>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/nathebritton\/status\/1075070666456657922\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/nathebritton\/status\/1075070666456657922<\/span><\/a><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/PhilipMcHugh_IE\/status\/1110557941105651714\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/PhilipMcHugh_IE\/status\/1110557941105651714<\/span><\/a><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/madplatt\/status\/1186906585869750272\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/madplatt\/status\/1186906585869750272<\/span><\/a><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/dickyardidicky\/status\/1194638143430856705\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/dickyardidicky\/status\/1194638143430856705<\/span><\/a><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/RalfKoellner\/status\/1014574410584518665\" target=\"_blank\" rel=\"noopener noreferrer\"><span 
style=\"font-weight: 400\">https:\/\/twitter.com\/RalfKoellner\/status\/1014574410584518665<\/span><\/a><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/arun_agrawalla\/status\/1011909328180109312\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/arun_agrawalla\/status\/1011909328180109312<\/span><\/a><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/nathebritton\/status\/1052646796541988864\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/nathebritton\/status\/1052646796541988864<\/span><\/a><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/pranav16\/status\/1027618634158362625\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/pranav16\/status\/1027618634158362625<\/span><\/a><span style=\"font-weight: 400\">\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/twitter.com\/InfosecVandana\/status\/1014793165042339845\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/InfosecVandana\/status\/1014793165042339845<\/span><\/a><\/li>\n<\/ol>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>What will be provided<\/h2>\n<ul>\n<li>Course PDF manual and Lab Guide.<\/li>\n<li>Certified DevSecOps Professional (CDP) Exam Attempt.<\/li>\n<li>30 days of Online Lab after the class.<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>Trainer Biography<\/h2>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;5\/6&#8243;][vc_column_text]<span style=\"font-weight: 400\"><strong>Mohammed A. 
\u201csecfigo\u201d Imran<\/strong> is the Founder and CEO of Practical DevSecOps and a seasoned security professional with over a decade of experience in helping organizations with their Information Security Programs. He has a diverse background in R&amp;D, consulting, and product-based companies with a passion for solving complex security programs. Imran is the founder of Null Singapore, the most significant information security community in Singapore, where he has organized more than 60 events &amp; workshops to spread security awareness.<\/span><\/p>\n<p><span style=\"font-weight: 400\">He was also nominated as a community star for being the go-to person in the community whose contributions and knowledge sharing have helped many professionals in the security industry. He is usually seen speaking and giving training at conferences like Black Hat, DevSecCon, AppSec, All Day DevOps, Nullcon, and many other international conferences.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Twitter : <a href=\"https:\/\/twitter.com\/secfigo\" target=\"_blank\" rel=\"noopener noreferrer\">@secfigo<\/a><\/span><\/p>\n<p><span style=\"font-weight: 400\">LinkedIn : <a href=\"https:\/\/www.linkedin.com\/in\/secfigo\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.linkedin.com\/in\/secfigo\/<\/a><\/span><\/p>\n<p><span style=\"font-weight: 400\">Website : <a href=\"https:\/\/www.practical-devsecops.com\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.practical-devsecops.com<\/a><\/span>[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/6&#8243;][vc_single_image image=&#8221;2202&#8243; style=&#8221;vc_box_circle&#8221; css=&#8221;.vc_custom_1623766394226{margin-top: 50% !important;}&#8221;][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;5\/6&#8243;][vc_column_text]<b>Marudhamaran Gunasekaran <\/b><span style=\"font-weight: 400\">is a Security Consultant with a strong passion for securing software development through training and consulting. 
<\/span><\/p>\n<p><span style=\"font-weight: 400\">He enjoys working with Engineering and Operations teams to seamlessly imbibe the security mindset even before a single line of code is written. He is the developer and maintainer of the OWASP ZAP Dot Net API, and you will find him speaking at various meetup groups and conferences on topics related to Agile Software Development and Security. Some of his certifications include Azure Certified Security Engineer, Microsoft Certified Trainer, ISO 27001 Lead Auditor, Professional Scrum Master I, II, and III, and Certified DevSecOps Professional. His specialties are DevSecOps, Agile Coaching, Scrum, Microsoft Stack, threat modeling, and Auditing. He is a part of TU Delft University&#8217;s MOOC courseware for Global Software Engineering and an author at Pluralsight.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Twitter : <a href=\"https:\/\/twitter.com\/gmaran23\" target=\"_blank\" rel=\"noopener noreferrer\">@gmaran23<\/a><\/span><\/p>\n<p><span style=\"font-weight: 400\">LinkedIn : <a href=\"https:\/\/www.linkedin.com\/in\/marudhamaran-gunasekaran\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.linkedin.com\/in\/marudhamaran-gunasekaran<\/a><\/span><\/p>\n<p><span style=\"font-weight: 400\">Website : <a href=\"https:\/\/www.practical-devsecops.com\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.practical-devsecops.com<\/a><\/span>[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/6&#8243;][vc_single_image image=&#8221;2790&#8243; style=&#8221;vc_box_circle&#8221; css=&#8221;.vc_custom_1623846278012{margin-top: 50% !important;}&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<a href=\"https:\/\/brucon0x0d-training.eventbrite.co.uk\" target=\"_self\">Buy Training Ticket<\/a> [\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_empty_space][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row][vc_column][vc_column_text] Course Description Ever wondered how to handle the deluge of security issues and reduce the cost of fixing them before software goes to production? How unicorns like Google, Facebook, Amazon and Etsy handle security at scale? In the Practical DevSecOps training, you will learn how to handle security at scale using DevSecOps practices. We will start off with the basics of DevOps and DevSecOps and move towards advanced concepts such as Security as Code, Compliance as 
Code,&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":75,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1720","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/pages\/1720","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/comments?post=1720"}],"version-history":[{"count":15,"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/pages\/1720\/revisions"}],"predecessor-version":[{"id":2793,"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/pages\/1720\/revisions\/2793"}],"up":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/pages\/75"}],"wp:attachment":[{"href":"https:\/\/archive.brucon.org\/2022\/wp-json\/wp\/v2\/media?parent=1720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}