This training is a comprehensive, focused and practical approach at implementing Security for your Continuous Delivery Pipeline. The training is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.
The training begins with a detailed view of Continuous Application Security, through Application Security Automation with SAST, DAST, SCA, IAST and RASP. We will focus on real-world tools and techniques to automate application security tooling in a CI/CD pipeline. Including a deep-dive of several popular Test Automation Frameworks like Tavern, ThreatPlaybook, Robot Framework and Selenium that can be leveraged extensively to parameterize application security tests with test automation scripts. All of this expertise will go into actually “building” security pipelines that can be integrated into the organization’s DevOps processes.
Subsequently, the training focuses on Cloud Security with a focus on Amazon Web Services (AWS), where will use Terraform and Boto3 among other tools to deploy and configure security parameters and features for various Cloud services. The Cloud Security section of the class, will also focus on integrating Cloud Vulnerability Assessment and Benchmark tools like Scout2, Prowler and CSSuite as part of the CI/CD Pipeline.
Finally the training delves into Container Security, as part of an organization’s DevSecOps initiatives. This section of the program focuses on Containerized deployments, myriad exploits and vulnerabilities with Containerized Deployments. Subsequently, we explore tools and techniques to automate and identify weaknesses and security implementations for containerized deployments. The training additionally focuses on Kubernetes, especially owing to its ubiquity in the Container Orchestration ecosystem. Participants will have a roving view of Kubernetes security, starting off with a detailed exploit of a Kubernetes cluster and exploring the various security and automation options available to identify and secure Kubernetes clusters.
At the end of the training, participants will have immediate takeaways and practical techniques that they can use for their own implementations of DevSecOps, within their organization. The tools and frameworks detailed in the program are largely open-source or freely available, thereby ensuring that participants can actually implement these scalable DevSecOps programs without having to additionally invest in tooling. Several frameworks and tools have for this program have been developed by the authors of the program, as part of their extensive implementation expertise of DevSecOps, ranging from Threat Modeling to Cloud Security to Application Security Automation. Frameworks like ThreatPlaybook (Open Source) and Orchestron (Open Source Vulnerability Management and Correlation tool), which can be used to simplify Application Security Automation have been born out of extensive experience with real-world DevSecOps implementations.
- Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate
- Comprehensive Container Security which is critical, as organizations typically need to use Container Orchestration and security is a key aspect of orchestrating containers.
Technical Requirements / Lab Setup:
- The Lab will be a combination of a minimal VM with tools and apps and a cloud environment that will have some of the more resource intensive labs.
- All of the apps in the local VM will be available as Docker containers that can be run on-demand rather than as persistent services
- Full CI Tooling and Setup will be available on the Cloud, for more resource-intensive tasks, with participants accessing the environments and machines over the network
- Labs for the Cloud Security section of the program will be provisioned, run and operated on the participant’s AWS account with Terraform and boto3 scripts being made available to the participants on the VM and on GitHub
- Labs for Container Security will be made available on the Cloud. There will be a special Kubernetes Cluster(s) setup for participants on the cloud
- Instructions for all the labs will be made available in a “Step-by-Step” style manner on Github/Local VM
- Participants are given extra credit labs to help enhance their skills even after labs