
Practical DevSecOps - Continuous Security in the age of cloud

Mohammed Imran & Hari Valugonda


Trainer Name: Mohammed Imran & Hari Valugonda
Title: Practical DevSecOps - Continuous Security in the age of cloud  
Duration: 2 Days
Dates: 27th - 28th Feb 2019

Prerequisites

  • Basic knowledge of Linux and the command line.
  • Familiarity with basic application security practices such as SAST and DAST.

Introduction to DevOps and DevSecOps

  • What is DevOps?
  • DevOps Building Blocks - People, Process and Technology.
  • DevOps Principles - Culture, Automation, Measurement and Sharing (CAMS)
  • Benefits of DevOps - Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
  • What is Continuous Integration and Continuous Deployment?
    • From Continuous Integration to Continuous Delivery to Continuous Deployment.
    • Continuous Delivery vs Continuous Deployment.
    • General workflow of CI/CD pipeline.
    • Blue/Green deployment strategy
    • Achieving full automation.
    • Designing a CI/CD pipeline for web application.
  • Common challenges faced when adopting DevOps principles.
  • Case studies: DevOps practice at Facebook, Amazon and Google.

Introduction to the Tools of the trade:

  • Github/Gitlab/BitBucket
  • Docker
  • Ansible
  • Jenkins/Travis/Gitlab CI
  • Gauntlt/BDD-Security
  • InSpec
  • Hands-On Labs: Building a CI pipeline using Jenkins/Travis and GitHub/Bitbucket.
  • Hands-On Labs: Use the above tools to create a complete CI/CD (DevSecOps) pipeline.

Secure SDLC and CI/CD pipeline

  • What is Secure SDLC
  • Secure SDLC Activities and Security Gates
    • Security Requirements (Requirements)
    • Threat Modelling (Design)
    • Static Analysis and Secure by Default (Implementation)
    • Dynamic Analysis (Testing)
    • OS Hardening, Web/Application Hardening (Deploy)
    • Security Monitoring/Compliance (Maintain)
  • DevSecOps Maturity Model (DSOMM)
  • Using the tools of the trade to perform the above activities in CI/CD
  • Embedding Security as part of CI/CD pipeline
  • DevSecOps and challenges with Pentesting and Vulnerability Assessment.

SCA (Software Component Analysis) in CI/CD pipeline

  • What is Software Component Analysis?
  • Software Component Analysis and its challenges.
  • How to evaluate and buy a commercial SCA solution.
  • Embedding SCA tools like OWASP Dependency-Check, Safety, RetireJS and npm audit into the pipeline.
  • Hands-On Labs: using OWASP Dependency-Check to scan third-party component vulnerabilities in a Java code base.
  • Hands-On Labs: using RetireJS and npm audit to scan third-party component vulnerabilities in a JavaScript code base.
  • Hands-On Labs: using Safety/pip to scan third-party component vulnerabilities in a Python code base.
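The core of what an SCA tool such as Safety does in the Python lab above is simple: resolve each dependency to an exact version and match it against an advisory database of vulnerable version ranges. The following is an added example written for this page (not course material and not Safety's own code) that implements that matching over a constructed requirements file and a constructed, fictitious advisory list. It also surfaces the practical caveat that an unpinned dependency cannot be assessed at all. Version comparison here is a simplified numeric scheme, not full PEP 440.

```python
"""Minimal software component analysis over a Python requirements file.

Added example, not part of the training material and not Safety's code.
ADVISORIES and REQUIREMENTS below are constructed sample data; the advisory
identifiers are fictitious. Version ordering is simplified (numeric dotted
segments only), not a complete PEP 440 implementation.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory database: package -> [(vulnerable version range, advisory id)].
# A range is a comma-separated list of clauses that must all hold, e.g. ">=2.2,<2.2.2".
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "django": [("<2.1.7", "EXAMPLE-2019-0001"), (">=2.2,<2.2.2", "EXAMPLE-2019-0002")],
    "requests": [("<2.20.0", "EXAMPLE-2018-0003")],
    "pyyaml": [("<5.1", "EXAMPLE-2019-0004")],
}

# Constructed requirements.txt content. Only exact pins (==) can be assessed.
REQUIREMENTS = """\
Django==2.1.5
requests==2.21.0
PyYAML>=3.13      # range, not an exact pin
flask
"""

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.1.5' into (2, 1, 5); parsing stops at the first non-numeric segment."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1 for a<b, a==b, a>b, padding shorter tuples with zeros (2.2 == 2.2.0)."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    "==": lambda c: c == 0,
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
}


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every clause of `spec`, e.g. '>=2.2,<2.2.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"(<=|>=|==|<|>)\s*([\w.]+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(v, parse_version(bound))):
            return False
    return True


def parse_requirements(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (normalised name, exact pinned version or None) per requirement line."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*(?:==\s*([\w.]+))?", line)
        out.append((m.group(1).lower(), m.group(2)))
    return out


def scan(requirements: str, advisories=ADVISORIES) -> Dict[str, List[str]]:
    """Match pinned dependencies against advisories; report unpinned ones separately."""
    findings: Dict[str, List[str]] = {"vulnerable": [], "unpinned": []}
    for name, version in parse_requirements(requirements):
        if version is None:
            # No exact version: the scanner cannot say whether the range is safe.
            findings["unpinned"].append(name)
            continue
        for spec, advisory in advisories.get(name, []):
            if in_range(version, spec):
                findings["vulnerable"].append(f"{name}=={version} matches {spec} ({advisory})")
    return findings


if __name__ == "__main__":
    for kind, items in scan(REQUIREMENTS).items():
        for item in items:
            print(f"{kind}: {item}")
```

In a pipeline the `unpinned` list deserves the same attention as `vulnerable`: a lock file or exact pins are what make SCA results reproducible between the build that was scanned and the artifact that gets deployed.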

SAST (Static Analysis) in CI/CD pipeline

  • What is Static Application Security Testing?
  • Static Analysis and its challenges.
  • How to evaluate and buy a commercial SAST solution.
  • Embedding SAST tools like Fortify, Checkmarx and FindBugs into the pipeline.
  • Hands-On Labs: using Brakeman and Bandit to scan Ruby on Rails and Python code bases.
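Embedding a scanner in the pipeline is only half of the "security gate" idea from the Secure SDLC section: the pipeline step also has to decide what blocks the build, and it has to do so without failing every build on findings the team has already triaged as false positives. The following added example (written for this page, not course material and not Bandit's code) reads a Bandit-style JSON report, suppresses findings present in a baseline of accepted fingerprints, and returns a CI exit code only for new findings at or above a severity and confidence threshold. The report is constructed sample data laid out like `bandit -f json` output; the fingerprint scheme and the in-memory baseline are this example's own conventions, not a tool standard.

```python
"""CI security gate over a Bandit-style SAST report.

Added example, not part of the training material and not Bandit's code.
SAMPLE_REPORT is constructed data in the shape of `bandit -f json` output
(a "results" list with issue_severity / issue_confidence / test_id fields);
the fingerprint and baseline formats are assumptions of this example.
"""
import hashlib
import json
import sys
from typing import Dict, List, Set

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report: three findings of differing severity/confidence.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app/util.py", "line_number": 10, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"filename": "tests/conftest.py", "line_number": 5, "test_id": "B101",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
    ]
})


def fingerprint(finding: Dict) -> str:
    """Stable id for a finding: rule + file + message. Line numbers are left out
    on purpose so an unrelated edit above the finding does not un-suppress it."""
    key = f"{finding['test_id']}|{finding['filename']}|{finding['issue_text']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def evaluate(report_json: str, baseline: Set[str],
             min_severity: str = "MEDIUM", min_confidence: str = "MEDIUM") -> Dict[str, List[Dict]]:
    """Sort findings into 'suppressed' (in baseline), 'blocking' (new and at or
    above both thresholds) and 'informational' (new but below a threshold)."""
    results = json.loads(report_json)["results"]
    verdict: Dict[str, List[Dict]] = {"blocking": [], "suppressed": [], "informational": []}
    for f in results:
        if fingerprint(f) in baseline:
            verdict["suppressed"].append(f)
        elif (SEVERITY_RANK[f["issue_severity"]] >= SEVERITY_RANK[min_severity]
              and SEVERITY_RANK[f["issue_confidence"]] >= SEVERITY_RANK[min_confidence]):
            verdict["blocking"].append(f)
        else:
            verdict["informational"].append(f)
    return verdict


def gate(report_json: str, baseline: Set[str], **thresholds) -> int:
    """Print a one-line summary per finding and return the CI exit code
    (1 blocks the build, 0 lets it proceed)."""
    verdict = evaluate(report_json, baseline, **thresholds)
    for bucket in ("blocking", "suppressed", "informational"):
        for f in verdict[bucket]:
            print(f"[{bucket}] {f['test_id']} {f['filename']}:{f['line_number']} "
                  f"{f['issue_severity']}/{f['issue_confidence']} fp={fingerprint(f)}")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    # In a real pipeline the baseline is loaded from a reviewed file committed
    # next to the code, so suppressions go through code review like any change.
    accepted: Set[str] = set()
    sys.exit(gate(SAMPLE_REPORT, accepted))
```

With an empty baseline the B602 finding (HIGH/HIGH) blocks the build while the other two are reported but do not; adding B602's fingerprint to the baseline lets the build pass without hiding the finding from the log. Lowering both thresholds to LOW turns the gate into a "no new findings at all" policy, which is usually only workable once a code base has been cleaned up.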

DAST (Dynamic Analysis) in CI/CD pipeline

  • What is Dynamic Application Security Testing?
  • Dynamic Analysis and its challenges (session management, AJAX crawling).
  • How to evaluate and buy a commercial DAST solution that fits into CI/CD.
  • Embedding DAST tools like ZAP and Burp Suite into the pipeline.
  • SSL/TLS misconfiguration testing.
  • Server misconfiguration testing, e.g. exposed hidden directories and files.
  • sqlmap testing for SQL injection vulnerabilities.
  • Hands-On Labs: using ZAP to configure per-commit, weekly and monthly scans.

Runtime Analysis( RASP, IAST) in CI/CD pipeline

  • What is runtime analysis application security testing?
  • RASP vs IAST.
  • Runtime Analysis and Its challenges
  • Demo: A commercial implementation of IAST tool

Vulnerability Management with custom tools

  • Approaches to manage the vulnerabilities in the organization.
  • Culture and Vulnerability Management.
  • False positives vs False Negatives.
  • Different metrics for CXOs, devs and security teams.
  • Hands-On Labs: Using DefectDojo for vulnerability management.

Infrastructure as Code and its Security

  • Managing configurations with Ansible and Chef
  • What is Infrastructure as Code and what are its benefits
  • Tools and services that help achieve Infrastructure as Code
  • Hands-On Labs: Vagrant, Docker and Ansible
  • Hands-On Labs: Server hardening using Ansible

Compliance as code

  • Different approaches to handle compliance requirements at DevOps scale
  • Using configuration management to achieve compliance.
  • Managing compliance using InSpec and OpenSCAP.

Trainer Bios

Mohammed Imran

Mohammed A. "secfigo" Imran is a seasoned security professional with 8 years of experience in helping organizations with their information security programs. He has a diverse background in R&D, consulting and product-based industries, with a passion for solving complex security problems. Imran is the founder of Null Singapore, the largest information security community in Singapore, where he has organized more than 60 events and workshops to spread security awareness.

He was also nominated as a community star for being the go-to person in the community whose contributions and knowledge sharing have helped many professionals in the security industry. He regularly speaks at conferences and meetups such as Black Hat, DevSecCon, Null and OWASP chapters.

Hari Valugonda

Hari Valugonda is an information security enthusiast with over a decade of information security experience. His areas of interest include penetration testing, web application security and DevSecOps. He has implemented DevSecOps pipelines for clients from scratch and optimized existing pipelines. He is the Null Hyderabad chapter leader and a winner of the Global CyberLympics hacking competition.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved