DevSecOps Masterclass - Discoverer Edition (Online Training)

DevOps is a movement that has seeped into organizations across the globe, resulting in continuous delivery of apps. However, security remains a serious bottleneck for DevOps: organizations struggle with including security in continuous delivery processes. This training is a comprehensive, focused and practical approach to implementing security for your Continuous Delivery Pipeline. The training is backed by tons of hands-on labs, original research and real-world implementations of DevSecOps that work. The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud, with detailed perspectives on implementing scalable security for cloud-native deployments. Participants get a free (OSS) toolkit for DevSecOps implementations and a month's access to our online lab environment for DevSecOps training.

The training begins with a detailed view of Continuous Application Security, through Application Security Automation with SAST, DAST, SCA, IAST and RASP. We will focus on real-world tools and techniques to automate application security tooling in a CI/CD pipeline. In addition, there will be a deep-dive into several popular Test Automation Frameworks that can be leveraged extensively to parameterize application security tests with test automation scripts. All of this expertise will go into actually “building” security pipelines that can be integrated into the organization’s DevOps processes. In the 2022 Edition, we’re bringing all-new research to the training on DevSecOps, including, but not limited to:

  • Deep-dive into new-age Static Analysis tools like Semgrep and CodeQL for faster, more accurate Static Analysis, Invariant identification
  • Focus on more scalable and long-term DevSecOps wins in the form of invariant analysis and secure-defaults, that actually reduce security vulnerabilities over time
  • DevSecOps with Github Actions => Multiple recipes from Custom Actions to Leveraging Existing Actions in iterative and build pipelines
  • Deep-dive into Github Security including Code Scanning Alerts, the Static Analysis Results Interchange Format
  • DevSecOps with Gitlab Pipelines => Multiple recipes for developing custom Gitlab Pipelines
  • Leveraging Open Policy Agent to perform decoupled API Security and testing APIs and Microservices for Authorization and Business Logic Flaws, with just Open Policy Agent rules and unit tests
  • Newer browser automation frameworks including Cypress and Playwright instead of Selenium, resulting in faster, more efficient Dynamic Application Security testing
  • Integrating Secrets Management Solutions into DevOps Processes for higher security during build processes. Detailed walkthroughs and examples of using Hashicorp Vault, AWS Secrets Manager in build pipelines
  • OWASP ZAP and BurpSuite Automation and Deep-dive including newer scripting frameworks for both tools in the form of GraalVM-JS and Kotlin Scripting
  • Nuclei Framework for discovery and fuzzing
  • Leverage OSS Orchestration Frameworks to run automated security tools across the pipeline, from SAST to Cloud Security Scanning

Each section of the training will contain a challenge section that will enable the trainees and the trainers to identify levels of student learning. Subsequently, the training focuses on Cloud Security with a focus on Amazon Web Services (AWS), where we will use AWS CDK, Terraform and Boto3, among other tools, to deploy and configure security parameters and features for various Cloud services. In addition, this segment of the class will focus on Cloud-native security pipelines, from Azure DevOps, Github Actions and Gitlab to more cloud-specific pipelines that utilize asynchronous and event-based frameworks like AWS Lambda and Fargate. The Cloud Security section of the class will also focus on integrating Cloud Vulnerability Assessment and Benchmark tools like Scout2, Prowler and CSSuite as part of the CI/CD Pipeline. In the 2022 Edition of this class, we are adding several cookbook-style implementations for Cloud Security Automation. At the end of the training, participants will have immediate takeaways and practical techniques that they can use for their own implementations of DevSecOps within their organization. The tools and frameworks detailed in the program are largely open-source or freely available, thereby ensuring that participants can actually implement these scalable DevSecOps programs without having to additionally invest in tooling. Several frameworks and tools have been developed by the authors of the program as part of their extensive implementation expertise in DevSecOps, ranging from Threat Modeling to Cloud Security to Application Security Automation. Frameworks like ThreatPlaybook (Open Source) and Orchestron (Open Source Vulnerability Management and Correlation tool), which can be used to simplify Application Security Automation, have been born out of extensive experience with real-world DevSecOps implementations.

This training gives the participant a comprehensive and practical view of:

  • DevSecOps Practices for Continuous Application Security with SAST, DAST, SCA
  • Merging Test Automation Techniques with Security Testing Techniques to create more scalable and cross-functional quality and security practices
  • Multiple views of Continuous Integration and Continuous Delivery Pipelines with traditional CI tools like Jenkins and more cloud-native CI environments like Azure DevOps, AWS Step Functions and Lambda, etc.
  • Vulnerability Management and Vulnerability Correlation Tools to manage the information deluge from DevSecOps implementations
  • Cloud-Native DevSecOps and Security Automation Practices for AWS and Azure

About the Speaker