DevSecOps theory to practice


DevSecOps Theory to Practice is a course designed to help you master both the theoretical and the practical concepts of DevSecOps, guided by industry experts and alternating between theory and hands-on practice.

About the Instructor

Christian Ibiri

Christian is passionate about technology and, above all, about the disruptive transformations of the way we are used to doing things, such as cloud computing, agile methodologies and agile infrastructures. He is a founding member of DevSecOps Argentina and has more than 10 years of experience in IT, the last 7 of them in hybrid infrastructure, cloud, DevOps and tool automation. He has taken part in many projects involving infrastructure, networking, migration and implementation of private and public clouds, automation, and unified communications and collaboration, accompanying the other stakeholders from the requirements stage through implementation and post-implementation. He is an enthusiast of DevOps, agile infrastructure and infrastructure as code.

Cloud Legion


About the Instructor

Luciano Moreira

Vice President of the Argentina chapter of the CSA, Luciano Moreira has over 17 years of experience, the last 12 of them specifically in information security. He has solid knowledge and experience in projects implementing and improving quality management and information security management systems, as well as in auditing and compliance control against national and international standards. He has given numerous talks and courses at training centers and companies. In recent years he has worked to develop and promote information security in Argentina through activities with associations such as CSA, DevSecOps, OWASP, ISACA and IEEE. He is an ISO 27001, 27017 and 27018 Lead Auditor, ISO 9001 Lead Auditor, CSA STAR Auditor, CCSK (Certificate of Cloud Security Knowledge) holder and Certified Integrator in Secure Cloud Services, among other credentials. He was named Cybersecurity Consultant of the Year at the Cybersecurity Excellence Awards in 2016, 2017 and 2018.



Objectives


The objective of this course is to introduce attendees to the basic concepts of DevSecOps and then to go deeper, from a security point of view, into topics such as:

▪ The purpose, benefits, concepts and vocabulary of DevSecOps.

▪ DevOps security practices.

▪ Business-driven security strategies.

▪ The use and benefits of red and blue teams.

▪ Integrating security into continuous delivery workflows.

▪ How DevSecOps roles fit into a DevOps culture and organization.

▪ Docker + Kubernetes security.

▪ Jenkins: orchestrating AST (Application Security Testing).

▪ GitLab: Community vs. Enterprise (security features).

▪ SAST (how to integrate static code analysis into the pipeline).

▪ DAST (how to integrate dynamic analysis into the pipeline).

▪ Auditing and control of the entire pipeline.

▪ Agile infrastructure availability (infrastructure as code).

▪ Blue/green deployment.

▪ Integration with network security infrastructure (WAF, etc.).




Plan of studies

This workshop is divided into 4 days. It is designed to teach practical steps for integrating security programs into DevOps practices, and highlights how professionals can use data and security science as the primary means of protecting the organization and its clients.

Using real-life scenarios and case studies, participants will gain tangible practices they can put to use when they return to the office.


Course Scheme

• Opening

  ◦ Course objectives
  ◦ Course agenda

• Introduction

  ◦ What is DevOps?
  ◦ DevOps building blocks: people, processes and technology
  ◦ DevOps principles: Culture, Automation, Measurement and Sharing (CAMS)
  ◦ DevOps benefits: speed, reliability, availability, scalability, automation, cost and visibility
  ◦ What is Continuous Integration and Continuous Deployment?
  ◦ Common challenges faced when applying DevOps principles
  ◦ State-of-the-art DevOps case studies from Facebook, Amazon and Google

• Introduction to the tools of the trade

  ◦ GitLab / Bitbucket / GitHub
  ◦ Docker
  ◦ GitLab CI / Bitbucket / Jenkins / Travis
  ◦ OWASP ZAP
  ◦ Ansible
  ◦ InSpec

• Infrastructure as code and its security

  ◦ What is Infrastructure as Code and what are its benefits
  ◦ Platform definition + infrastructure + configuration management
  ◦ Introduction to Ansible
  ◦ Benefits of Ansible
  ◦ Push-based and pull-based configuration management systems
  ◦ Tools and services that help achieve IaC

• Container (Docker) security

  ◦ What is Docker
  ◦ Docker vs. Vagrant
  ◦ Docker fundamentals and its challenges
  ◦ Vulnerabilities in images (public and private)
  ◦ Denial-of-service attacks
  ◦ Privilege escalation methods in Docker
  ◦ Container security
  ◦ Content integrity and trust controls
  ◦ Capabilities and namespaces in Docker
  ◦ Network segregation
  ◦ Kernel hardening using seccomp and AppArmor
  ◦ Static analysis of container images (Docker)
  ◦ Dynamic analysis of hosts and container daemons

• Secure SDLC and CI/CD pipeline

  ◦ What is a secure SDLC
  ◦ Activities of the secure SDLC
  ◦ Security requirements (requirements phase)
  ◦ Threat modeling (design phase)
  ◦ Static analysis and secure defaults (implementation phase)
  ◦ Dynamic analysis (testing phase)
  ◦ Operating system hardening, web/application hardening (deployment phase)
  ◦ Security/compliance monitoring (maintenance phase)
  ◦ DevSecOps Maturity Model (DSOMM)
  ◦ Maturity levels and the tasks involved
  ◦ The 4 axes of the DSOMM
  ◦ How to move from maturity level 1 to maturity level 4
  ◦ Using the tools of the trade to carry out the previous activities in CI/CD
  ◦ Incorporating security as part of the CI/CD pipeline
  ◦ DevSecOps and the challenges it poses for pentesting and vulnerability assessment

• SAST (static analysis) in the CI/CD pipeline

  ◦ What is static application security testing
  ◦ Static analysis and its challenges
  ◦ Incorporating SAST tools such as FindBugs into the pipeline
  ◦ Scanning for secrets to prevent their exposure in code
  ◦ Writing custom controls to detect the age of secret leaks in an organization

• Secrets management on mutable and immutable infrastructure

  ◦ Secrets management in traditional infrastructure
  ◦ Container secrets management at scale
  ◦ Secrets management in the cloud
  ◦ Version control systems and secrets
  ◦ Environment variables and configuration files
  ◦ Docker, immutable systems and their security challenges
  ◦ Secrets management with HashiCorp Vault and Consul

• DAST (dynamic analysis) in the CI/CD pipeline

  ◦ What is dynamic application security testing
  ◦ Dynamic analysis and its challenges (session management, AJAX crawling)
  ◦ Incorporating DAST tools such as ZAP and Burp Suite into the pipeline
  ◦ SSL misconfiguration testing
  ◦ Creating baseline scans for DAST

• Runtime analysis (RASP/IAST) in the CI/CD pipeline

  ◦ What is runtime application security analysis?
  ◦ Differences between RASP and IAST
  ◦ Runtime analysis and its challenges
  ◦ RASP/IAST and its suitability for the CI/CD pipeline

• Vulnerability management with custom tools

  ◦ Approaches to managing vulnerabilities in the organization
  ◦ Creating different metrics for CXOs, developers and security teams

• Compliance as code

  ◦ Different approaches to handling compliance requirements at DevOps scale
  ◦ Using configuration management to achieve compliance
  ◦ Managing compliance at scale with InSpec/OpenSCAP

• Course review

  ◦ Where we started
  ◦ What we covered
  ◦ Key reminders of what is important
  ◦ Exercise: creating a personal action plan (pipeline)

Who should attend

The target audience of the DevSecOps Theory to Practice course includes the following professionals:

• Anyone involved or interested in learning about DevSecOps strategies and automation
• Anyone involved in continuous delivery toolchain architectures
• Compliance teams
• DevOps engineers
• IT managers
• Computer security professionals and managers
• Maintenance and support staff
• Managed service providers
• Project and product managers
• Quality assurance teams
• Scrum Masters
• Site reliability engineers
• Software engineers
• Testers

If you would like to know more about our courses and workshops, send us your query using the form below and we will contact you as soon as possible.
