DevSecOps Tools – Automating Security in DevOps


DevSecOps - Automating Security in DevOps

One Day hands-on training to automate security into a fast-paced DevOps environment using various open-source tools and scripts

Overview

Modern enterprises are implementing the technical and cultural changes required to embrace the DevOps methodology by introducing practices such as Continuous Integration (CI), Continuous Delivery (CD), Continuous Monitoring (CM) and Infrastructure as Code (IaC). DevSecOps extends DevOps by introducing security into each of these practices, giving a certain level of security assurance in the final product. In this training, we will use our state-of-the-art DevSecOps Lab to demonstrate how to inject security into CI, CD, CM and IaC.

This is a complete hands-on training; attendees require only a browser to complete the entire training. Attendees will receive the DevSecOps Lab, built using Vagrant and Ansible and comprising various open-source tools and scripts that help DevOps engineers automate security within their CI/CD pipeline.

  • Find and fix security bugs as early in SDLC as possible.
  • Build a secure by default infrastructure.
  • Build a system with continuous security monitoring.

Introduction to DevOps

  • Introduction and Lab Setup
  • Challenges with Traditional IT
  • What is DevOps?

Introduction to DevSecOps

  • Vulnerability Management
  • Continuous Integration
  • Pre-Commit Hooks
  • Secrets Management

Continuous Delivery

  • Software Composition Analysis (SCA)
  • Static Analysis Security Testing (SAST)
  • Dynamic Analysis Security Testing (DAST)

Infrastructure as Code

  • Vulnerability Assessment (VA)
  • Container Security (CS)
  • Compliance as Code (CaC)

Continuous Monitoring

  • Alerting and Monitoring
  • Introduction to F-ELK

DevSecOps in AWS

  • DevOps on Cloud Native AWS
  • AWS Threat Landscape
  • DevSecOps in Cloud Native AWS

DevSecOps Challenges and Enablers

  • Challenges with DevSecOps
  • Building DevSecOps Culture
  • Security Champions

Today, DevOps is enabling organisations to deploy changes to production environments at blazing speeds. For illustration purposes, we are going to use a set of effective tools to represent a typical DevOps process. The tools will vary for each organisation, but the process depicted here will be the same.

  • Pre-commit Hooks

Sensitive information such as AWS keys, access tokens and SSH keys is often leaked via public source code repositories through accidental git commits. This can be avoided by using pre-commit hooks such as “Talisman”, which check files for sensitive information before a commit or push.
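As an added illustration of what a hook like Talisman automates (this is a hand-written example, not Talisman's code), the following git pre-commit hook scans the staged blobs for AWS access key IDs, AWS secret keys and private-key headers and blocks the commit on a match. It assumes a POSIX shell with `git` and `grep -E`, and that staged paths contain no whitespace.

```shell
#!/bin/sh
# Minimal secret-detection pre-commit hook (added example, not Talisman).
# Install as .git/hooks/pre-commit and make it executable.

# Constructed pattern list: AWS access key ID, AWS secret key assignment,
# and PEM private-key headers. Extend for other credential formats.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|aws_secret_access_key[[:space:]]*=[[:space:]]*[A-Za-z0-9/+]{40}|-----BEGIN (RSA|EC|DSA|OPENSSH) PRIVATE KEY-----'

# scan_text: reads content on stdin; returns 1 if a secret pattern matches,
# 0 if the content looks clean. Nothing is printed so secrets never echo.
scan_text() {
    if grep -E -q "$SECRET_PATTERNS"; then
        return 1
    fi
    return 0
}

# scan_staged: checks every file staged for commit (added/copied/modified).
# The staged blob (":path") is scanned, not the working tree, so only what
# is actually about to be committed is inspected. Returns 1 on any finding.
scan_staged() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        if ! git show ":$f" | scan_text; then
            echo "pre-commit: possible secret in $f" >&2
            status=1
        fi
    done
    return $status
}

# Run the staged scan only when git invokes this file as the hook, so the
# functions above can also be sourced and reused from CI scripts.
if [ "${0##*/}" = "pre-commit" ]; then
    scan_staged || { echo "Commit blocked: remove the secret and retry." >&2; exit 1; }
fi
```

Run `git commit` as usual; a blocked commit names the offending file without printing the secret itself.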

  • Secrets Management

With automation, developers and administrators who store credentials in files or configuration can expose those credentials to an unintended audience. This can be avoided by leveraging a secrets management service such as “HashiCorp Vault”, which keeps credentials separate from the code and configuration so that every environment can pull its own credentials and use them programmatically.

  • Software Composition Analysis

A lot of organisations make use of open-source frameworks and solutions like WordPress, Magento, Drupal or even jQuery, for which new vulnerabilities are discovered every day. For this reason, it is necessary to analyse all the dependencies used in the application, check them for vulnerabilities arising from missing security patches, and fix them. The tools below help to perform a software composition analysis for security vulnerabilities:

  • Static Analysis Security Testing

Using automated tools to perform a security code review flushes out many low-hanging fruits like SQL injection, cross-site scripting, deserialization vulnerabilities and many more. For Java-based applications we can make use of a tool called “FindSecBugs”, which performs an in-depth analysis of the code and gives a comprehensive report of all the vulnerabilities identified in the code. Below are a few open-source tools that can be used for SAST:

  • Graudit
  • SonarQube
  • LGTM

  • Security in Infrastructure as Code

One solution which provides good insight into the security posture of Docker containers and images is “Clair”. Clair scans the raw Docker images and gives an exhaustive report highlighting the vulnerabilities that exist in the image.

  • Vulnerability Assessment (VA)

When a VA tool is pointed at a host that runs Docker, it only scans the services the host exposes. If we instead attach the tool to the Docker network and then execute the scan, we get a much better picture of the services that are actually running. This can be done using various solutions like OpenVAS, which can easily be integrated into the pipeline.

  • Compliance As Code

Organisations need to apply compliance controls to their IT infrastructure to abide by industry best practices and regulations such as PCI DSS, HIPAA and SOX. “InSpec” is one tool which helps in performing these tests: we only need to supply a Ruby file containing the tests to be run, written in a simple and lucid manner that is easy for any audit professional to write.

  • Vulnerability Management

Vulnerability management solutions are at the core of a DevSecOps process: all tools are required to feed their data into those solutions so that findings can be centrally managed, triaged, tracked and remediated. “ArcherySec” is one such tool which not only integrates well with most of the tools, but also lets us initiate scans such as ZAP and OpenVAS from within ArcherySec.

  • Alerting and Monitoring

Production applications always face new threats from unknown and unforeseen vectors. This can be mitigated by having an active intrusion monitoring and prevention solution. One such open-source solution is the “ModSecurity WAF”, which detects attempts to exploit OWASP Top 10 vulnerabilities like SQL injection and cross-site scripting against the application. ModSecurity WAF – https://modsecurity.org/

DevOps engineers, security and solutions architects, and system administrators will strongly benefit from this course as it will give them a holistic approach towards application security.

Delegate Requirements

Anybody with a background in IT or software development, whether a developer or a manager, can attend this course to gain insight into DevOps and DevSecOps.

Delegates Should Bring

Any device having a browser.

Delegates Will Receive

The attendees will receive a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.

  • Understand how to tackle security issues in a fast-moving DevOps environment
  • Identify tools/solutions and develop processes to create a secure by default infrastructure
  • Utilize the integration scripts and tools provided in the DevSecOps Lab to create your own DevSecOps pipeline

So far, we have seen the technical know-how of how DevSecOps operates in an environment, but just having the tools and techniques is not enough. DevSecOps requires a cultural change which promotes a “secure by default” culture. This can be achieved by creating security champions within each domain, increasing collaboration with the security team, and so on.

Finally, DevSecOps is important for your DevOps model because it is the only way to handle “security at scale”.

Schedule


Country Date Time
India 8-9 Aug 9:30am-5:00pm (IST)
US 10-14 Aug 6:00am-9:00am (PST)
Australia 3-6 Aug 6:00pm-9:00pm (Australia Eastern Time Sydney/Melbourne)
Asia batch 24-28 Aug 6:00pm-9:00pm (SGT/ MYT)
