What Will I Learn?
We have all heard about DevSecOps, Shifting Left and Rugged DevOps, but there are no clear examples or frameworks available for security professionals to implement in their organization. This hands-on course will teach you exactly that: the tools and techniques to embed security as part of the DevOps pipeline. We will learn how unicorns like Google, Facebook, Amazon and Etsy handle security at scale, and what we can learn from them to mature our own security programs.
In the DevSecOps Professional training you will learn how to handle security at scale using DevSecOps practices. We will start with the basics of DevOps and DevSecOps and move towards advanced concepts such as Security as Code, Compliance as Code, configuration management, Infrastructure as Code, etc.
01 - Introduction to DevOps and DevSecOps
- What is DevOps?
- DevOps Building Blocks - People, Process and Technology
- DevOps Principles - Culture, Automation, Measurement and Sharing (CAMS)
- Benefits of DevOps - Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
- What is Continuous Integration and Continuous Deployment?
- Common challenges faced when applying DevOps principles.
- Case studies on cutting-edge DevOps practices at Facebook, Amazon, and Google
02 - Introduction to the Tools of the Trade
- Docker Registry
- Jenkins/Travis/Gitlab CI/Bitbucket
- Hands-On Labs: Use Vagrant to practice Infrastructure as Code
- Hands-On Labs: Building a CI pipeline using Jenkins/Travis and GitHub/Bitbucket.
- Hands-On Labs: Use the above tools to create a complete CI/CD pipeline.
03 - Secure SDLC and CI/CD pipeline
- What is Secure SDLC?
- Secure SDLC Activities and Security Gates
- DevSecOps Maturity Model (DSOMM)
- Using tools of the trade to do the above activities in CI/CD
- Embedding Security as part of CI/CD pipeline
- DevSecOps and challenges with Pentesting and Vulnerability Assessment.
- Hands-on: Create a CI/CD pipeline suitable for modern applications.
- Hands-on: Manage the findings in a fully automated pipeline.
04 - Software Component Analysis (SCA) in CI/CD pipeline
- What is Software Component Analysis?
- Software Component Analysis and its challenges.
- What to look for in an SCA solution (free or commercial).
- Embedding SCA tools like OWASP Dependency-Check, Safety, RetireJS, npm audit, and Snyk into the pipeline.
- Demo: using OWASP Dependency-Check to scan for third-party component vulnerabilities in a Java code base.
- Hands-On Labs: using Safety/pip to scan for third-party component vulnerabilities in a Python code base.
05 - SAST (Static Analysis) in CI/CD pipeline
- What is Static Application Security Testing?
- Static Analysis and its challenges.
- Embedding SAST tools into the pipeline.
- Secrets scanning to prevent secret exposure in the code.
- Writing custom checks to catch secrets leakage in an organization.
- Hands-On Labs: using SpotBugs to scan Java code.
- Hands-On Labs: using TruffleHog/Gitrob to scan for secrets in the CI/CD pipeline.
- Hands-On Labs: using Brakeman/Bandit to scan Ruby on Rails and Python code bases.
06 - DAST (Dynamic Analysis) in CI/CD pipeline
- What is Dynamic Application Security Testing?
- Dynamic Analysis and its challenges (Session Management, AJAX Crawling)
- Embedding DAST tools like ZAP and Burp Suite into the pipeline.
- SSL misconfiguration testing
- Server misconfiguration testing, such as exposed secret folders and files.
- sqlmap testing for SQL Injection vulnerabilities.
- Hands-On Labs: using ZAP to configure per commit/weekly/monthly scans.
- Demo: using Burp Suite to configure per commit/weekly/monthly scans.
07 - Infrastructure as Code and Its Security
- What is Infrastructure as Code and its benefits?
- Platform + Infrastructure Definition + Configuration Management.
- Introduction to Ansible.
- Tools and services which help achieve IaC
- Hands-On Labs: Vagrant, Docker, and Ansible
- Hands-On Labs: Using Ansible to create golden images and harden infrastructure.
08 - Compliance as Code
- Different approaches to handle compliance requirements at DevOps scale
- Using configuration management to achieve compliance.
- Manage compliance at scale using InSpec/OpenSCAP.
- Hands-On Labs: Create an InSpec profile with compliance checks for your organization
- Hands-On Labs: Use an InSpec profile to scale compliance.
09 - Vulnerability Management with custom tools
- Approaches to manage the vulnerabilities in the organization.
- Hands-On Labs: Using DefectDojo for vulnerability management.
Mohammed A. “secfigo” Imran
Imran is the Founder and CEO of Hysn/Practical DevSecOps and a seasoned security professional with over a decade of experience in helping organizations with their Information Security Programs.
He has a diverse background in R&D, consulting, and product-based companies, with a passion for solving complex security problems. Imran is the founder of Null Singapore, the most significant information security community in Singapore, where he has organized more than 60 events and workshops to spread security awareness.
He was also nominated as a community star for being the go-to person in the community, whose contributions and knowledge sharing have helped many professionals in the security industry. He is usually seen speaking and giving training at conferences like Black Hat, DevSecCon, AppSec, All Day DevOps, Nullcon, and many other international conferences.