Practical DevSecOps - Continuous Security in the Age of Cloud
Overview
Ever wondered how to handle deluge of security issues and reduce cost of fixing before software goes to production ? How unicorns like Google, Facebook, Amazon, Etsy handle security at scale? In Practical DevSecOps training you will learn how to handle security at scale using DevSecOps practices. We will start off with the basics of the DevOps, DevSecOps and move towards advanced concepts such as Security as Code, Compliance as Code, Configuration management, Infrastructure as code etc.,
The training will be based on DevSecOps Studio, a distribution for DevSecOps enthusiasts. We will cover real-world DevSecOps tools and practices in order to obtain an in-depth understanding of the concepts learnt as part of the course.
We will also cover how to use static analysis (SAST), Dynamic Analysis (DAST), OS hardening and Security Monitoring as part of the Secure SDLC and how to select tools which fit your organization needs and culture.
After the training, the students will be able to successfully hack and secure applications before hackers do. The training will also include a CTF challenge in the end where the attendees will use skills learnt in the training to solve the CTF challenges. The students will be provided with slides, tools and Virtual machines used during the course.
This course will cover the following DevSecOps topics and techniques:
1. Introduction to DevOps and DevSecOps:
2. DevSecOps Tools of the trade including DevSecOps Studio
3. Secure SDLC and CI/CD pipeline
4. Amazon Web Services and its various security features
5. Container (Docker) Security
6. Configuration/Secret Management and its Security
7. SAST (Static Analysis) in CI/CD pipeline
8. DAST (Dynamic Analysis) in CI/CD pipeline
9. Runtime Analysis( RASP, IAST) and how to select tools.
10. Infrastructure as Code and Its Security
11. Vulnerability Management with custom tools
12. Patch Management and Security Monitoring
13. Automate compliance activities to achieve PCI/DSS/HIPAA compliance
Who Should Take this Course
This course is aimed at anyone who is looking to embed security as part of agile/cloud/DevOps environments, like Security Professionals, Penetration Testers, Red Teamers, IT managers, Developers and DevOps Engineers.
Student Requirements
1. The student should have some knowledge of running basic linux commands like ls, cd, mkdir etc.,
2. The student should have some basic understanding of application Security practices like OWASP Top 10 though not a necessity.
What Students Should Bring
1. Laptop with minimum 8GB of RAM, 60GB free hard disk space and should be able to run 3 Virtual machines simultaneously.
2. Administrator access to install software like virtual box, python etc.,
3. Trainer will provide all needed software and utilities during the first day of course
What Students Will Be Provided With
The students will be provided with
1. Training slides
2. Tools used during the course
3. DevSecOps Studio Virtual machine setup
Trainers
Imran "secfigo" Mohammed is a seasoned security professional with 8 years of experience in helping organisations with their Information Security Programs. He has a diverse background in R&D, consulting and product based industries with a passion to solve complex security programs. Imran is the founder of Null Singapore, the largest information security community in Singapore where he has organised more than 60 events & workshops to spread security awareness. He was also nominated as community star for being the go to person in the community whose contribution and knowledge sharing has helped many professionals in the security industry. He is also the author of DevSecOps Studio and Awesome-Fuzzing projects.