One-day hands-on training to automate security into a fast-paced DevOps environment using various open-source tools and scripts
Modern enterprises are implementing the technical and cultural changes required to embrace the DevOps methodology by introducing practices such as Continuous Integration (CI), Continuous Delivery (CD), Continuous Monitoring (CM) and Infrastructure as Code (IaC). DevSecOps extends DevOps by introducing security into each of these practices, giving a certain level of security assurance in the final product. In this training, we will use our state-of-the-art DevSecOps Lab to demonstrate how to inject security into CI, CD, CM and IaC.
This is a complete hands-on training; attendees require only a browser to complete the entire training. Attendees will receive the DevSecOps Lab, built using Vagrant and Ansible and comprising various open-source tools and scripts that help DevOps engineers automate security within their CI/CD pipeline.
Find and fix security bugs as early in SDLC as possible.
Build a secure by default infrastructure.
Build a system with continuous security monitoring.
Introduction to DevOps
Introduction and Lab Setup
Challenges with Traditional IT
What is DevOps?
Introduction to DevSecOps
Software Composition Analysis (SCA)
Static Analysis Security Testing (SAST)
Dynamic Analysis Security Testing (DAST)
Infrastructure as Code
Vulnerability Assessment (VA)
Container Security (CS)
Compliance as Code (CaC)
Alerting and Monitoring
Introduction to F-ELK
DevSecOps in AWS
DevOps on Cloud Native AWS
AWS Threat Landscape
DevSecOps in Cloud Native AWS
DevSecOps Challenges and Enablers
Challenges with DevSecOps
Building DevSecOps Culture
Today, DevOps is enabling organisations to deploy changes to production environments at blazing speeds. For illustration purposes, we use a representative set of tools to depict a typical DevOps process. The tools vary from one organisation to another, but the process depicted here is the same.
Sensitive information such as AWS keys, access tokens and SSH keys is often leaked via public source code repositories through accidental git commits. This can be avoided by using pre-commit hooks such as “Talisman”, which check the files for sensitive information before a commit or push is allowed.
With automation, developers and administrators storing credentials in files or configuration can expose those credentials to an unintended audience. This can be avoided by using a secret management service such as “HashiCorp Vault”: credentials are kept separately from the code and configuration, and each environment pulls its own credentials from the service programmatically.
Many organisations make use of open-source frameworks and solutions like WordPress, Magento, Drupal or even jQuery, in which new vulnerabilities are discovered every day. For this reason, it is necessary to analyse all the dependencies used by the application, check them for vulnerabilities arising from missing security patches, and fix them. The tools below help perform a software composition analysis for security vulnerabilities:
Using automated tools to perform a security code review flushes out many low-hanging fruits such as SQL injection, cross-site scripting and deserialization vulnerabilities. For Java-based applications we can make use of a tool called “FindSecBugs”, which performs an in-depth analysis of the code and gives a comprehensive report of all the vulnerabilities identified in it. Below are a few open-source tools that can be used for SAST.
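A minimal pre-commit hook of the kind described above, as an added example (it is not Talisman's own code and not part of the original training material): it scans every staged file for a few credential shapes and refuses the commit on a match. The patterns (an AWS access key ID prefix, a PEM private-key header and an `aws_secret_access_key` assignment) and the sample input in the usage note are assumptions chosen for illustration; real deployments tune the list to their own repositories.

```shell
#!/bin/sh
# Added example pre-commit hook: refuse a commit when a staged file looks
# like it contains a credential. Install as .git/hooks/pre-commit (chmod +x).

# Extended regex of credential shapes (assumed, illustrative; extend as needed):
#   AKIA + 16 uppercase alphanumerics  -> AWS access key ID
#   -----BEGIN ... PRIVATE KEY-----     -> PEM private key header
#   aws_secret_access_key =             -> secret assignment in config files
SECRET_REGEX='AKIA[0-9A-Z]{16}|-----BEGIN( [A-Z]+)? PRIVATE KEY-----|aws_secret_access_key[[:space:]]*='

# scan_file FILE: returns 0 when the file is clean, 1 when a pattern matches.
# Matching lines (with line numbers) are reported on stderr so the developer
# can see exactly what tripped the check.
scan_file() {
    matches=$(grep -E -n "$SECRET_REGEX" "$1" 2>/dev/null) || return 0
    printf '%s: possible secret found\n%s\n' "$1" "$matches" >&2
    return 1
}

# scan_staged: run scan_file over every file staged for this commit
# (added, copied or modified). Returns 1 if any file is flagged.
scan_staged() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] || continue          # skip deleted paths and submodules
        scan_file "$f" || rc=1
    done
    if [ "$rc" -ne 0 ]; then
        echo "pre-commit: possible secret in staged files; commit refused." >&2
        echo "If this is a false positive, remove the value or use your secret store." >&2
    fi
    return "$rc"
}

# Act as a hook only when git invokes the script by its hook name; when the
# file is sourced or run under another name, it just defines the functions.
case "$0" in
    */pre-commit) scan_staged || exit 1 ;;
esac
```

To try it without a repository, write a line such as `aws_access_key_id = AKIAIOSFODNN7EXAMPLE` (the constructed example key ID used in AWS documentation) to a temporary file and call `scan_file` on it; the function returns 1 and prints the offending line, whereas a file containing ordinary text returns 0.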
Security in Infrastructure as Code
One solution that provides good insight into the security posture of Docker containers and images is “Clair”. Clair scans Docker images and gives an exhaustive report highlighting the vulnerabilities present in the image.
When a VA tool is pointed at servers created using Docker, it scans only the services exposed on that host. If the tool is instead attached to the Docker network and the scan is run from there, it gives a much better picture of the services actually running. This can be done with solutions such as OpenVAS, which integrates easily into the pipeline.
Organisations need to apply compliance controls to their IT infrastructure to abide by industry best practices and regulations such as PCI DSS, HIPAA and SOX. “InSpec” is one tool that can help perform these tests: we only need to supply a Ruby file containing the tests to be conducted, written in a simple and lucid manner that every audit professional can write and read.
Vulnerability management solutions are at the core of a DevSecOps process: every tool spools its data into them so that findings can be centrally managed, triaged, tracked and remediated. “ArcherySec” is one such tool; it not only integrates well with most of the other tools, but can also initiate scans such as ZAP and OpenVAS.
Production applications are always faced with new threats from unknown and unforeseen vectors. This can be mitigated by having an active intrusion monitoring and prevention solution. One such open-source solution is the “ModSecurity WAF”, which detects attempts against the application involving OWASP Top 10 vulnerabilities such as SQL injection and cross-site scripting. ModSecurity WAF – https://modsecurity.org/
DevOps engineers, security and solutions architects, and system administrators will strongly benefit from this course as it will give them a holistic approach towards application security.
Anybody with a background in IT or software development, whether a developer or a manager, can attend this course to gain insight into DevOps and DevSecOps.
Delegates Should Bring
Any device having a browser.
Delegates Will Receive
The attendees will receive a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.
Understand how to tackle security issues in a fast-moving DevOps environment
Identify tools/solutions and develop processes to create a secure by default infrastructure
Utilize the integration scripts and tools provided in the DevSecOps Lab to create your own DevSecOps pipeline
So far we have covered the technical know-how of how DevSecOps operates in an environment, but having the tools and techniques alone is not enough. DevSecOps requires a cultural change that promotes a “secure by default” culture. This can be achieved by creating security champions within each domain, increasing collaboration with the security team, and so on.
Finally, DevSecOps is important for your DevOps model because it is the only way to handle “security at scale”.
6:00pm-9:00pm (Australia Eastern Time Sydney/Melbourne)