DevSecOps Training

TOPIC

Hack and Secure Applications. Learn from a BlackHat trainer.

When

Date: 1 - 3 September 2020
Venue: Dubai World Trade Centre

What Will I Learn?

We have all heard about DevSecOps, Shifting Left and Rugged DevOps, but there are no clear examples or frameworks available for security professionals to implement in their organizations. This hands-on course teaches you exactly that: the tools and techniques to embed security as part of the DevOps pipeline. We will look at how unicorns like Google, Facebook, Amazon and Etsy handle security at scale, and what we can learn from them to mature our own security programs.

In the DevSecOps Professional training you will learn how to handle security at scale using DevSecOps practices. We start with the basics of DevOps and DevSecOps and move on to advanced concepts such as Security as Code, Compliance as Code, Configuration Management, Infrastructure as Code, etc.

01 - Introduction to DevOps and DevSecOps

  • What is DevOps?
  • DevOps Building Blocks - People, Process and Technology
  • DevOps Principles - Culture, Automation, Measurement and Sharing (CAMS)
  • Benefits of DevOps - Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
  • What is Continuous Integration and Continuous Deployment?
  • Common challenges faced when applying DevOps principles.
  • Case studies on DevOps of cutting-edge technology at Facebook, Amazon, and Google


02 - Introduction to the Tools of the trade

  • Github/Gitlab/BitBucket
  • Docker
  • Docker Registry
  • Ansible
  • Jenkins/Travis/Gitlab CI/Bitbucket
  • Gauntlt
  • Inspec
  • Bandit/retireJS/Nmap
  • Hands-On Labs: Use Vagrant to practice Infrastructure as Code
  • Hands-On Labs: Building a CI pipeline using Jenkins/Travis and GitHub/Bitbucket.
  • Hands-On Labs: Use the above tools to create a complete CI/CD pipeline.

03 - Secure SDLC and CI/CD pipeline

  • What is Secure SDLC
  • Secure SDLC Activities and Security Gates
  • DevSecOps Maturity Model (DSOMM)
  • Using tools of the trade to do the above activities in CI/CD
  • Embedding Security as part of CI/CD pipeline
  • DevSecOps and challenges with Pentesting and Vulnerability Assessment.
  • Hands-on: Create a CI/CD pipeline suitable for modern applications.
  • Hands-on: Manage the findings in a fully automated pipeline.

04 - Software Component Analysis (SCA) in CI/CD pipeline

  • What is Software Component Analysis?
  • Software Component Analysis and its challenges.
  • What to look for in an SCA solution (free or commercial).
  • Embedding SCA tools like OWASP Dependency Checker, Safety, RetireJS, NPM Audit, and Snyk into the pipeline.
  • Demo: using OWASP Dependency Checker to scan for third-party component vulnerabilities in a Java code base.
  • Hands-On Labs: using RetireJS and NPM to scan for third-party component vulnerabilities in a JavaScript code base.
  • Hands-On Labs: using Safety/pip to scan for third-party component vulnerabilities in a Python code base.


05 - SAST (Static Analysis) in CI/CD pipeline

  • What is Static Application Security Testing?
  • Static Analysis and its challenges.
  • Embedding SAST tools into the pipeline.
  • Secrets scanning to prevent secret exposure in the code.
  • Writing custom checks to catch secrets leakage in an organization.
  • Hands-On Labs: using SpotBugs to scan Java code.
  • Hands-On Labs: using Trufflehog/Gitrob to scan for secrets in the CI/CD pipeline.
  • Hands-On Labs: using brakeman/bandit to scan Ruby on Rails and Python code bases.


06 - DAST (Dynamic Analysis) in CI/CD pipeline

  • What is Dynamic Application Security Testing?
  • Dynamic Analysis and its challenges (session management, AJAX crawling)
  • Embedding DAST tools like ZAP and Burp Suite into the pipeline.
  • SSL misconfiguration testing
  • Server misconfiguration testing, such as exposed hidden folders and files.
  • Sqlmap testing for SQL Injection vulnerabilities.
  • Hands-On Labs: using ZAP to configure per commit/weekly/monthly scans.
  • Demo: using Burp Suite to configure per commit/weekly/monthly scans.


07 - Infrastructure as Code and Its Security

  • What is Infrastructure as Code and its benefits?
  • Platform + Infrastructure Definition + Configuration Management.
  • Introduction to Ansible.
  • Tools and services which help to achieve IaC
  • Hands-On Labs: Vagrant, Docker, and Ansible
  • Hands-On Labs: Using Ansible to create Golden images and harden Infrastructure.


08 - Compliance as code

  • Different approaches to handle compliance requirements at DevOps scale
  • Using configuration management to achieve compliance.
  • Manage compliance using Inspec/OpenSCAP at scale.
  • Hands-On Labs: Create an Inspec profile to create compliance checks for your organization
  • Hands-On Labs: Use Inspec profile to scale compliance.


09 - Vulnerability Management with custom tools

  • Approaches to manage the vulnerabilities in the organization.
  • Hands-On Labs: Using DefectDojo for vulnerability management.

Mohammed A. “secfigo” Imran

Imran is the Founder and CEO of Hysn/Practical DevSecOps and a seasoned security professional with over a decade of experience in helping organizations with their information security programs.

He has a diverse background in R&D, consulting, and product-based companies, with a passion for solving complex security problems. Imran is the founder of Null Singapore, the most significant information security community in Singapore, where he has organized more than 60 events and workshops to spread security awareness.

He was also nominated as a community star for being the go-to person in the community whose contributions and knowledge sharing have helped many professionals in the security industry. He is regularly seen speaking and giving training at conferences such as Black Hat, DevSecCon, AppSec, All Day DevOps, Nullcon, and many other international conferences.
