DevSecOps Master Class - 2024
DevOps has changed the way we deliver applications, but security, and Application Security in particular, remains a serious bottleneck. This is largely due to the gap between the speed of delivery in DevOps and the escalating attacks against applications.
This training takes a comprehensive, focused and practical approach to implementing DevSecOps practices, with a focus on Application Security Automation. The training is based on our 4.9/5-rated DevSecOps Masterclass at Black Hat.
The training is a hardcore hands-on journey into:
- Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!
- Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques
- Assurance and Provenance for artifacts. Mastery over Cosign and SLSA for Supply-Chain Provenance
- DAST Automation and Security Regressions with ZAP and Nuclei
- Policy-As-Code: Leverage Open Policy Agent (OPA) with use-cases from API Access Control to OS Policy Controls
Participants get 2 months of access to our online lab environment for DevSecOps training.
The training is a glued-to-your-keyboard, hands-on journey with labs backed by practical examples of DevSecOps and AppSec Automation.
The training starts with a view of DevSecOps, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. It then delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, and DAST, and into integrating these tools into CI/CD tooling and automation pipelines.
In this edition, we're completely rebuilding our existing DevSecOps content to reflect the very bleeding edge of Application Security Automation and DevSecOps approaches. These include, but are not limited to:
- Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!
- Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques.
- Supply-Chain Assurance and Provenance for artifacts.
- Secret Management
- DAST Automation with OWASP ZAP and Nuclei.
- Policy-As-Code with Open Policy Agent (OPA)
- Integrating Security Automation with CI/CD tooling
Each section of the training contains a challenge segment that lets trainees and trainers gauge how well the material has been absorbed.
Detailed Overview
Day 1
- The Problem with the old models of Application Delivery
- A Quick History of Agile and DevOps
- The Coming of DevOps
- The Need for Security in DevOps
- Security in Continuous Integration and Continuous Deployment
- Introduction to Static Application Security Testing (SAST) for Continuous Integration
  - Static Analysis Types
  - Hands-on:
    - RegEx Tools
    - Abstract Syntax Trees
    - QL/Semantic Grep Tools => CodeQL and Semgrep
  - Semgrep Deep-Dive
    - Rules Syntax
    - Taint Analysis
    - Metavariables, Metafunctions, and MetaClasses
    - Semgrep against multiple languages:
      - Python
      - JavaScript
      - Go
      - Java
      - Ruby
  - CodeQL Deep-Dive
    - Rule Syntax
    - CodeQL VS Code Composition Tools
    - CodeQL for multiple languages:
      - C#
      - Python
      - Java
      - JavaScript
  - Hands-on:
    - Challenge Segment - Finding security bugs with Semgrep and CodeQL
- Static Analysis Automation Strategies
  - Hands-on:
    - Automation in the IDE
    - Automation as part of Git hooks
    - Automation for PR and MR Static Analysis Tooling (GitHub Actions, etc.)
    - Automation in the Build Pipeline and Pre-Deployment
- Static Analysis for Infrastructure-as-Code
  - Hands-on:
    - Kube-Linter
    - Checkov
    - Integrating Infrastructure-as-Code Scanning with GitHub Actions and Deploy Pipelines
- Source Composition Analysis and Software Bill of Materials in DevSecOps
  - Concept Overview:
    - Artifact Lifecycle
    - SBOM
    - Package Provenance
    - SLSA - Supply-Chain Levels for Software Artifacts
    - Source Composition Analysis
  - Package Provenance and Assurance Deep-Dive
    - Cosign Deep-Dive - Keyed and Keyless
    - SLSA Provenance Generator for GitHub Actions and Levels
  - SBOM Deep-Dive
    - Hands-on:
      - CycloneDX
      - SPDX, SWID
      - VEX - Vulnerability Exploitability eXchange
  - SCA Deep-Dive and Automation Strategies
    - Hands-on:
      - Incremental SCA with GitHub Actions => Pull Requests and Merge Requests
      - Package Manager integrated SCA with NPM, Poetry, Dependabot
      - OWASP Dependency-Track and Dependency-Check
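As an added illustration of the Day 1 static-analysis topics (this is not course material, and the tracker below is a teaching toy rather than Semgrep or CodeQL), the following Python compares two of the analysis types named above on one constructed snippet: a regex grep that fires on any line mentioning a shell sink, and an AST-based, intraprocedural taint tracker driven by source, sanitizer and sink tables. The tables, the sample handler and its annotated line numbers are all assumptions made for the example.

```python
"""Static analysis types on one constructed snippet: a regex grep versus an
AST-based intraprocedural taint tracker (sources -> sanitizers -> sinks).
Added example, not course material; a teaching toy, not Semgrep or CodeQL."""
import ast
import re

# Constructed sample code under analysis (Flask-style handler).
SAMPLE = '''\
from flask import request
import os, shlex, subprocess

def ping():
    host = request.args.get("host")                 # line 5: taint source
    subprocess.call("ping -c1 " + host, shell=True) # line 6: command injection
    subprocess.call(["ping", "-c1", host])          # line 7: argv list, no shell
    quoted = shlex.quote(host)                      # line 8: sanitizer
    os.system("ping -c1 " + quoted)                 # line 9: sanitized, safe
    cmd = f"nslookup {host}"                        # line 10: taint propagates
    subprocess.run(cmd, shell=True, check=False)    # line 11: command injection
    # os.system("ping " + host)                     # line 12: only a comment
'''

SINK_RE = re.compile(r"(?:os\.system|subprocess\.(?:call|run|Popen))\(")

def regex_scan(src):
    """Line-oriented grep: returns every line that merely *mentions* a shell sink."""
    return [n for n, line in enumerate(src.splitlines(), 1) if SINK_RE.search(line)]

# Assumed (hypothetical) source/sanitizer/sink tables for the toy tracker.
SOURCE_ROOTS = {"request"}                       # flask.request.* is attacker-controlled
SANITIZERS = {("shlex", "quote")}
SHELL_SINKS = {("os", "system"), ("subprocess", "call"),
               ("subprocess", "run"), ("subprocess", "Popen")}

def dotted(node):
    """Attribute/Name chain -> ('subprocess', 'call'); None if not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None

class TaintTracker(ast.NodeVisitor):
    """Intraprocedural taint propagation through assignments; parameters are
    not treated as sources, only the configured request.* accessors are."""
    def __init__(self):
        self.tainted = set()     # variable names currently holding attacker data
        self.findings = []       # (line, sink) pairs

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            d = dotted(node.func)
            if d in SANITIZERS:
                return False                       # output of a sanitizer is clean
            if d and d[0] in SOURCE_ROOTS:
                return True                        # e.g. request.args.get(...)
        elif isinstance(node, ast.Attribute):
            d = dotted(node)
            if d and d[0] in SOURCE_ROOTS:
                return True                        # e.g. request.args
        # Everything else (BinOp, f-string, list, method call on a tainted value)
        # is tainted if any child expression is.
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(node))

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassignment can clean a name
        self.generic_visit(node)

    def visit_Call(self, node):
        d = dotted(node.func)
        if d in SHELL_SINKS and node.args:
            # os.system always goes through a shell; subprocess.* only with shell=True.
            shell = d == ("os", "system") or any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords)
            if shell and self.is_tainted(node.args[0]):
                self.findings.append((node.lineno, ".".join(d)))
        self.generic_visit(node)

def taint_scan(src):
    """Returns (line, sink) for each shell sink reached by unsanitized request data."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(src))
    return tracker.findings

if __name__ == "__main__":
    print("regex hits :", regex_scan(SAMPLE))   # 5 lines, 3 of them false positives
    print("taint hits :", taint_scan(SAMPLE))   # only the two real injections
```

Run as a script it reports five regex hits, three of which are false positives (the argv-list call, the sanitized call and the comment), against two taint findings. That gap is exactly what Semgrep's metavariables and taint mode, or a dataflow query in CodeQL, are there to close, and it is why the course treats regex tools, ASTs and semantic-grep tools as distinct analysis types.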
Day 2
- Dynamic Application Security Testing with Continuous Integration
  - Concepts of DAST with Security Testing
  - Security Automation Testing using OWASP ZAP, Selenium, OpenAPI (Swagger)
  - Security Regression Tests - How to design and write them
  - Nuclei Deep-Dive
    - Hands-on:
      - Nuclei Templates
      - Integrating Nuclei into Pipelines
      - Using Nuclei for Security Regression
      - Using Nuclei for Security Scanning
- Application Security Automation and Test Orchestration - Deep-Dive:
  - Hands-on:
    - OWASP ZAP Deep-Dive
      - Scan Policy
      - Extensions
    - OWASP ZAP API Deep-Dive
      - Leveraging the OWASP ZAP API with Selenium for testing browser-based applications
      - Leveraging the OWASP ZAP API and Tavern/RESTinstance/Chai to test web services and microservices
      - OWASP ZAP API Testing with OpenAPI Specifications
    - OWASP ZAP Scripting Workshop
      - Create Active Scan Scripts for Custom Application Vulnerabilities
- Policy-as-Code with Open Policy Agent
  - Open Policy Agent Basics and Framework Overview
  - Hands-on: Rego Basics - Language essentials and composition rules
  - Hands-on:
    - Using OPA and Rego for API RBAC and AuthZ Implementation with API Gateways
    - Using OPA for Advanced Input Validation for APIs
    - Using OPA for Terraform Policy Definition and Enforcement
- Secrets Management
  - Intro to Secrets Management - A Case for a structured approach to managing secrets
  - Secrets vs Sensitive Information - A Distinction and Varied Threat Model
  - Secrets Management Fails:
    - Secrets management failures in GitOps
    - Real-world incidents caused largely by bad secrets management
  - Secrets Management with HashiCorp Vault (Hands-on):
    - Introduction to HashiCorp Vault and its API
    - Deploying Vault in Production
    - Managing Secrets with Vault => Static Secrets
    - Encryption, Key Rotation, and Rewrapping with the Vault Transit Secrets Engine
    - Dynamic Secrets with Vault => Short-term leases for database credentials
- Pipelines and Tooling
  - Overview of Tooling:
    - GitHub Actions
    - GitLab
    - Jenkins
    - Data Flow Automation Tools: Prefect, Gaia, Apache Airflow
  - Hands-on:
    - DevSecOps Pipelines with GitHub Actions
    - DevSecOps Pipelines with GitLab
    - DevSecOps with Jenkins
    - DevSecOps with Gaia and Prefect
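As an added example for the Day 2 item on designing and writing security regression tests (not course material: the target application, the finding labels XSS-2023-01, IDOR-2023-02 and HDR-2023-03, and the X-User-Id header standing in for real session authentication are all constructed for illustration), the Python below turns three previously fixed findings into checks a pipeline can run on every build. The target is an in-process WSGI app so the example runs offline; the same check functions would issue HTTP requests against a staging deployment in a real pipeline.

```python
"""Security regression tests as code: every past finding becomes a permanent,
pipeline-runnable check with a negative case (the original payload must fail)
and a positive case (legitimate use must still work).
Added example, not course material; app, findings and header auth are constructed."""
from html import escape
from urllib.parse import parse_qs, quote
from wsgiref.util import setup_testing_defaults

# --- Constructed target: a tiny WSGI app *after* the findings were fixed. ---
HTML = "text/html; charset=utf-8"
SECURITY_HEADERS = {                       # fix for HDR-2023-03
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}
USERS = {"1": "alice", "2": "bob"}

def app(environ, start_response):
    path = environ["PATH_INFO"]
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    headers = [("Content-Type", HTML)] + list(SECURITY_HEADERS.items())
    if path == "/search":
        q = qs.get("q", [""])[0]
        start_response("200 OK", headers)
        return [f"<p>Results for {escape(q)}</p>".encode()]   # fix for XSS-2023-01
    if path == "/profile":
        uid = qs.get("id", [""])[0]
        caller = environ.get("HTTP_X_USER_ID")   # stand-in for the authenticated identity
        if caller != uid or uid not in USERS:    # fix for IDOR-2023-02: own profile only
            start_response("403 Forbidden", headers)
            return [b"forbidden"]
        start_response("200 OK", headers)
        return [f"<p>{USERS[uid]}</p>".encode()]
    start_response("404 Not Found", headers)
    return [b"not found"]

def get(path, query="", extra_environ=None):
    """Drive the WSGI app in-process; returns (status, headers dict, body text)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    setup_testing_defaults(environ)
    environ.update(extra_environ or {})
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body

# --- Regression checks: one per historical finding, each returns True when the fix holds. ---
XSS_PAYLOAD = "<script>alert(1)</script>"

def regression_xss_search():
    """XSS-2023-01: ?q= was reflected unescaped into /search. It must stay escaped
    and the endpoint must still answer (a 500 is not a fix)."""
    status, _, body = get("/search", "q=" + quote(XSS_PAYLOAD))
    return status.startswith("200") and XSS_PAYLOAD not in body and "&lt;script&gt;" in body

def regression_idor_profile():
    """IDOR-2023-02: any caller could read any profile by changing ?id=.
    Cross-user access must be refused while own-profile access keeps working."""
    status_other, _, body_other = get("/profile", "id=2", {"HTTP_X_USER_ID": "1"})
    status_own, _, body_own = get("/profile", "id=1", {"HTTP_X_USER_ID": "1"})
    return (status_other.startswith("403") and "bob" not in body_other
            and status_own.startswith("200") and "alice" in body_own)

def regression_security_headers():
    """HDR-2023-03: responses shipped without CSP / nosniff. Check every route,
    including error responses, since those are the ones that usually regress."""
    for path in ("/search", "/profile", "/does-not-exist"):
        _, headers, _ = get(path)
        if any(headers.get(k) != v for k, v in SECURITY_HEADERS.items()):
            return False
    return True

REGRESSIONS = {
    "XSS-2023-01": regression_xss_search,
    "IDOR-2023-02": regression_idor_profile,
    "HDR-2023-03": regression_security_headers,
}

def run_regressions():
    """Returns {finding_id: passed}; a pipeline gate fails the build on any False."""
    return {fid: check() for fid, check in REGRESSIONS.items()}

if __name__ == "__main__":
    results = run_regressions()
    for fid, ok in results.items():
        print(f"{fid}: {'PASS' if ok else 'FAIL (regressed)'}")
    raise SystemExit(0 if all(results.values()) else 1)
```

The design point is that each check pins the specific finding, its original payload and the expected fixed behaviour, and also asserts the legitimate path, so a regression that simply breaks the endpoint cannot pass by accident. Generic scanners such as ZAP or Nuclei templates cover the broad classes; checks like these cover the application-specific bugs a scanner would not know to look for.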