Practical DevSecOps - Continuous Security in the age of cloud

Trainer Name: Imran A Mohammed & Raghunath G
Title: Practical DevSecOps - Continuous Security in the age of cloud
Duration: 3 Days
Dates: 20^th - 22^nd June 2018

Objective

We all have heard about DevSecOps, Shifting Left, and Rugged DevOps but there are no clear examples or frameworks available for security professionals to implement in their organization. This course will teach you exactly that, tools and techniques to embed security as part of DevOps pipeline. We will learn with examples of, how unicorns like Google, Facebook, Amazon, Etsy handle security at scale and what we can learn from them to mature our security programs.

Preview

Ever wondered how to handle deluge of security issues and reduce cost of fixing before software goes to production? How unicorns like Google, Facebook, Amazon, Etsy handle security at scale? In Practical DevSecOps training you will learn how to handle security at scale using DevSecOps practices. We will start off with the basics of the DevOps, DevSecOps and move towards advanced concepts such as Security as Code, Compliance as Code, Configuration management, Infrastructure as code etc.,

The training will be based on DevSecOps Studio, a distribution for DevSecOps enthusiasts. We will cover real-world DevSecOps tools and practices in order to obtain an in-depth understanding of the concepts learnt as part of the course.

We will also cover how to use static analysis (SAST), Dynamic Analysis (DAST), OS hardening and Security Monitoring as part of the Secure SDLC and how to select tools which fit your organization needs and culture.

After the training, the students will be able to successfully hack and secure applications before hackers do. The students will be provided with slides, tools and Virtual machines used during the course.

This course will cover the following DevSecOps topics and techniques:

Day 1:

• Introduction to DevOps and DevSecOps:
• DevSecOps Tools of the trade including DevSecOps Studio
• Secure SDLC and CI/CD pipeline
• SAST (Static Analysis) in CI/CD pipeline
• DAST (Dynamic Analysis) in CI/CD pipeline
• Infrastructure as Code and Its Security
• Automate compliance activities to achieve PCI/DSS/HIPAA compliance

Day 2:

Amazon Web Services and its various security features

Day 3:

• Container (Docker) Security
• Configuration/Secret Management and its Security
• Runtime Analysis( RASP, IAST) and how to select tools.
• Vulnerability Management with custom tools
• Patch Management and Security Monitoring

Full course outline:

Introduction to DevOps and DevSecOps

• What is DevOps?
• DevOps Building Blocks- People, Process and Technology.
• DevOps Principles - Culture, Automation, Measurement and Sharing (CAMS)
• Benefits of DevOps - Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
• What is Continuous Integration and Continuous Deployment?.
  • Continuous Integration to Continuous Deployment to Continuous Delivery.
  • Continuous Delivery vs Continuous Deployment.
  • General workflow of CI/CD pipeline.
  • Blue/Green deployment strategy
  • Achieving full automation.
  • Designing a CI/CD pipeline for web application.
• Common Challenges faced when using DevOps principle.
• Case studies on DevOps of cutting edge technology at Facebook, Amazon and Google

Introduction to the Tools of the trade:

• Github/BitBucket
• Vagrant
• Docker
• Terraform
• Ansible
• Jenkins/Travis
• Spinnaker
• Gauntlt
• AWS
• OpenScap
• Consul/Vault
• Inspec
• Clair - Docker container scanner
• Demo: Use Vagrant to practice Infrastructure as a Code
• Demo: Building a CI Pipeline using Jenkins/Travis and github/bitbucket.
• Demo: Use the above tools to create a complete CI/CD pipeline.

Secure SDLC and CI/CD pipeline

• What is Secure SDLC
• Secure SDLC Activities and Security Gates
  • Security Requirements ( Requirements)
  • Threat Modelling (Design)
  • Static Analysis and Secure by Default ( Implementation)
  • Dynamic Analysis(Testing)
  • OS Hardening, Web/Application Hardening (Deploy)
  • Security Monitoring/Compliance (Maintain)
• Usings tools of the trade to do the above activities in CI/CD
• Embedding Security as part of CI/CD pipeline
• DevSecOps and challenges with Pentesting and Vulnerability Assessment.

Introduction to Amazon Web Services

• What is Cloud Computing
• IaaS, PaaS, SaaS
• Key cloud computing characteristics
• Cloud deployment methodologies
• What is AWS/GCP
• AWS Services and Use Cases
• EC2 Introduction
• OpenScap
• AWS CLI
• VPC and Security Groups.
• Deployment to Cloud.
  • Deploying to Cloud vs Own Datacenter
  • Deploying to AWS via EC2
  • Using AWS S3 and Cloudfront to enable CDN for a web application
  • Demo: Automating AWS infrastructure via TerraForm aka Infrastructure as a code.
• Security
  • AWS IAM and Security Groups.
  • AWS Security Token Service (STS) and CloudHSM.
  • AWS VPC and API Gateway.
  • AWS WAF and Key Management.
  • Compliance and Legal Issues in Cloud.

Containers Security

• What is Docker
• Docker vs Vagrant
• Basics of Docker
• Container Security
• Demo: Deploying docker containers to AWS EC2 container service
• Demo: Setup Docker container and Push to Docker Hub

Configuration/Secret Management and its Security

• Managing configurations with Ansible and Chef
• Deployment of Docker container at Scale
• Demo: Monitoring Security of the Cloud using ELK stack.
• Secret Management in Cloud
  • Version Control systems and Secrets.
  • Environment Variables and Configuration files.
  • Docker, Immutable systems and its security challenges.
  • Secrets management with Vault and consul.
• Demo: Secure store Encryption keys and other secrets using Vault/Consul.

SAST (Static Analysis) in CI/CD pipeline

• What is Static Application Security Testing.
• Static Analysis and Its challenges.
• Embedding SAST tools like fortify, checkmarx, find bugs into the pipeline.
• Demo: using FindBugs to scan Java code.
• Demo: using brakeman/bandit to scan Ruby on Rails and Python Code Base.

DAST (Dynamic Analysis) in CI/CD pipeline

• What is Dynamic Application Security Testing.
• Dynamic Analysis and Its challenges (Session Management, AJAX Crawling).
• Embedding DAST tools like ZAP and BurpSuite into the pipeline.
• Demo: using ZAP to configure per commit/weekly/monthly scans.

Runtime Analysis( RASP, IAST) in CI/CD pipeline

• What is Runtime Analysis Application Security Testing?.
• RASP vs IAST.
• Dynamic Analysis and Its challenges (Session Management, AJAX Crawling).
• Embedding DAST tools like ZAP and BurpSuite into the pipeline.
• Demo: using ZAP to configure per commit/weekly/monthly scans.

Infrastructure as Code and Its Security

• What is Infrastructure as Code and its benefits
• Tools and Services which helps to achieve IaaC
• Demo: Vagrant, Docker, AWS and Terraform

Vulnerability Management with custom tools

• Approaches to manage the vulnerabilities in the organization.
• False positives and False Negatives.
• Culture and Vulnerability Management.

Patch Management and Security Monitoring

• Approaches for patching running applications.
• Approaches for patching Immutable applications.
• Hot swap EC2 instances using Ansible.
• Security Monitoring using Elastic Search, Logstash and Kibana.

Compliance as code

• Different approaches to handle compliance requirements at DevOps scale
• Using configuration management to achieve compliance.
• Manage compliance using Inspec.

Who should attend ?

This course is aimed at anyone who is looking to embed security as part of agile/cloud/DevOps environments, like Security Professionals, Penetration Testers, Red Teamers, IT managers, Developers and DevOps Engineers.

Prerequisites

• The student should have some knowledge of basic linux commands like ls, cd, mkdir etc.,
• The student should have some basic understanding of application Security vulnerabilities like OWASP Top 10.

Software and Hardware Requirements

• Laptop with atleast 8GB of RAM, 60GB free hard disk space and should be able to run 3 Virtual machines simultaneously.
• Administrator access to install software like virtual box, python etc.,
• Trainer will provide all needed software and utilities during the first day of course
• AWS free tier access is needed for AWS exercises

WHAT STUDENTS WILL BE PROVIDED WITH

The students will be provided with

• Training slidesTools used during the course
• Tools used during the course
• DevSecOps Studio Virtual machine setup

TRAINER BIO(S)

Mohammed A. "secfigo" Imran is a seasoned security professional with 8 years of experience in helping organizations with their Information Security Programs. He has a diverse background in R&D, consulting and product-based industries with a passion to solve complex security programs. Imran is the founder of Null Singapore, the largest information security community in Singapore where he has organized more than 60 events & workshops to spread security awareness.

He was also nominated as community star for being the go-to person in the community whose contribution and knowledge sharing has helped many professionals in the security industry. He is usually seen speaking in conferences like Blackhat, DevSecCon, Null and OWASP chapters.

Raghunath G

Raghu is an information security enthusiast and primarily focused on Application security services from past 7.9 years. He presently works on security automation using DevSecOps practices. Also, he is a founder of null Hyderabad chapter and one of the lead for null Singapore chapter - an open information security community.

Raghu even has a history of training students on performing penetration testing, web application assessments, cybersecurity and promoting security knowledge across local communities. He's even been the mentor for upcoming security professionals and also does hold Information Security certifications like CEH & OSCP.