Class mode: VIRTUAL LIVE STREAM
DATE: 15 – 18 November 2020
TIME: 09:00 to 17:00 GST / GMT+4
The goal of this training is to equip participants with the skills, techniques, and mindset needed to secure applications using DevSecOps best practices.
In this training, participants will learn how to handle security at scale using DevSecOps practices. We will start with the basics of secure coding, the secure SDLC, and DevSecOps, and move towards advanced concepts such as Security as Code, configuration management, and Infrastructure as Code.
The content of the training includes the know-how to do secure code reviews and security testing (SAST, DAST, SCA), and ways to support teams in adopting security tools and improving the security posture of their applications through “secure by design” principles.
Training sessions comprise theory, demos, and hands-on exercises.
This BRAND NEW training by the highly-lauded trainers from Practical DevSecOps is offered EXCLUSIVELY for HITB+CyberWeek 2020!
Key Learning Objectives
- Secure Coding and Application Security
- DevSecOps (Security Assessments)
Who Should Attend
This course is aimed at anyone who is looking to embed security as part of agile/cloud/DevOps environments:
- Security Professionals
- Penetration Testers
- Red Teamers
- IT managers
- DevOps Engineers
Delegates will receive 30 days of course support via Slack and email.
What Students Say About This Training
The course, in general, was a great experience, really well structured and quite intense. The teacher was really happy to cover and answer all of our questions and make sure we understand the connection between various DevOps processes. – Spyridon Manglis, ING Europe
Overall I find the course was a success. I learned a lot of new and interesting things about security, like security principles and tools used to put those principles into action. Clearly, a lot of effort was put into creating the material and the exercises. This is much appreciated! – Dan Herghelegiu, Europe
Amazing, insightful, and informative course. I have learned a lot, and this has now prepared me to assist our organization in reaching the next maturity level on our DevSecOps journey. Thank you! – Erhan Temurkan, London
Highly recommend this training. It has been one of the best so far, fully hands-on, and covered lots of topics in Secure SDLC. Kudos to the team on delivering such high-quality training. – Pranav Patel, Dow Jones, USA
I really loved the training. The structure is great and gets us ready to do actual work and not dependent on budgets to prove concepts and visibility. The delivery with a practical focus and the emphasis on the gospel really helps internalize the key aspects we need to consider to provide effective advice and how to approach the matters with our business stakeholders and DevOps teams. – Mario Platt, Privacy Beacon, London
Hardware / Software Requirements
Our state-of-the-art lab is deployed on AWS, so trainees need the following to connect to the lab environment:
- Laptop / PC with decent specs, at least 4GB of RAM, and a modern CPU.
- A modern browser like Chrome/Firefox/Safari
01 INTRODUCTION TO APPLICATION SECURITY
● Introduction to Application Security
● OWASP TOP 10 Vulnerabilities
● SQL Injection
● Cross-Site Scripting
● Cross-Site Request Forgery (CSRF)
● Server-Side Request Forgery (SSRF)
● Local File Inclusions
● File upload (RCE)
● Hands-On Labs: SQL Injection
● Hands-On Labs: XSS and CSRF
● Hands-On Labs: SSRF
● Hands-On Labs: LFI and File Upload issues.
02 SECURE DESIGN - INPUT AND OUTPUT VALIDATION TECHNIQUES
● Character Encoding
● Input Validation
● Output Encoding
● Whitelisting & Blacklisting
● Normalization of the input and output
● Regular Expressions
● HTML Encoding
● Prepared Statements
● Stored Procedures
● Hands-On Labs: Input validation using industry best practices
● Hands-On Labs: Output encoding to prevent client-side attacks like XSS
03 SECURE DESIGN - AUTHENTICATION ATTACKS & DEFENSE
● AUTHENTICATION ATTACKS
– Brute force attacks
– Weak password storage
– Default passwords
– Password reset
– Remember me
– Secret questions
– Account lockout
– Hands-On Labs: Bruteforce attacks and secret questions
– Hands-On Labs: Information leakage with password reset workflows
● AUTHENTICATION DEFENSES
– Strong Password policy
– Basic Authentication
– Form-Based Authentication
– Hands-On Labs: Secure password storage and rainbow table attacks
– Hands-On Labs: Implement JWT securely in Golang
04 SECURE DESIGN - AUTHORIZATION ATTACK & DEFENSE
● Role-based access control
● Declarative access control
● Unvalidated redirects and forwards
● Hands-On Labs: Best practices in implementing role-based access control
● Hands-On Labs: Risks with unvalidated redirects and forwards
05 SECURE DESIGN - SESSION MANAGEMENT (Auth0, O365)
● Weak session management
● Session hijacking/Session fixation
● Client certificates
● Protecting Sessions
● Regeneration of Session tokens
● Session Timeouts
● MITM attacks and defenses
● Using third party IAM services (Auth0, O365)
● Hands-On Labs: Session hijacking and fixation attacks
● Hands-On Labs: Secure randomness for sensitive features
● Hands-On Labs: Preventing MITM using industry best practices
06 SECURE DESIGN - SECURITY CONFIGURATION (HSTS, TLS)
● Using Transport Layer Security (TLS)
● HTTP Strict Transport Security (HSTS)
● Hands-On Labs: How to configure TLSv1.2 and beyond securely to achieve A+ on SSLlabs scans.
● Hands-On Labs: Configure HSTS to prevent MITM attacks
07 INTRODUCTION TO DEVSECOPS
● What is DevSecOps?
● DevSecOps Building Blocks – People, Process, and Technology.
● DevSecOps Principles – Culture, Automation, Measurement and Sharing (CAMS)
● Benefits of DevSecOps – Speed, Reliability, Availability, Scalability, Automation, Cost, and Visibility.
● What is Continuous Integration and Continuous Deployment?
– Continuous Integration to Continuous Deployment to Continuous Delivery.
– Continuous Delivery vs. Continuous Deployment.
– General workflow of CI/CD pipeline.
– Achieving full automation.
– Designing a CI/CD pipeline for a web application.
● Common Challenges faced when using DevOps principle.
● Case studies on DevOps of cutting edge technology at Facebook, Amazon, and Google
● Demo: How to implement a full-blown Enterprise DevSecOps Pipeline.
08 SECURE SDLC AND CI/CD PIPELINE
● What is Secure SDLC in DevSecOps
● Secure SDLC Activities and Security Gates
– Security Requirements (Requirements)
– Threat Modelling (Design and Architecture)
– Static Analysis and Secure by Default (Implementation)
– Dynamic Analysis (Testing)
– OS Hardening, Web/Application Hardening (Deploy)
– Security Monitoring/Compliance (Maintain)
● Security Requirement gathering
● Secure Design and Architecture
● Security Principles
● Hands-On Labs: Implement CI/CD pipelines.
09 SOFTWARE COMPONENT ANALYSIS (SCA) IN CI/CD PIPELINE
● What is Software Component Analysis?
● Software Component Analysis and challenges.
● What to look for in an SCA solution (Free or Commercial).
● Embedding SCA tools like OWASP Dependency-Check, Safety, RetireJS, npm audit, and Snyk into the pipeline.
● Demo: using OWASP Dependency Checker to scan third-party component vulnerabilities in Java Code Base.
● Hands-On Labs: using Safety/pip to scan third-party component vulnerabilities in Python Code Base.
10 STATIC ANALYSIS (SAST) IN CI/CD PIPELINE
● What is Static Application Security Testing?
● Static Analysis and challenges.
● Embedding SAST tools like Fortify, Checkmarx, and FindBugs into the pipeline.
● Secrets scanning to prevent secret exposure in the code.
● Writing custom checks to catch secrets leakage in an organization.
● Hands-On Labs: using GoSec to scan Golang code.
● Hands-On Labs: using Trufflehog/Gitrob to scan for secrets in CI/CD pipeline.
● Hands-On Labs: using nodescan to scan node.js code.
11 DAST (Dynamic Analysis) in CI/CD pipeline
● What is Dynamic Application Security Testing?
● Dynamic Analysis and its challenges (Session Management, AJAX Crawling)
● Embedding DAST tools like ZAP and Burp Suite into the pipeline.
● SSL misconfiguration testing
● Server Misconfiguration Testing like secret folders and files.
● Hands-On Labs: using ZAP to configure per commit/weekly/monthly scans.
● Demo: using Burp Suite to configure per commit/weekly/monthly scans.
12 INFRASTRUCTURE AS CODE (IaC) AND ITS SECURITY
● What is Infrastructure as Code and its benefits
● Introduction to Ansible
– Benefits of Ansible
– Push and Pull Model
– Modules, tasks, roles, and Playbooks
– Ansible for continuous security in DevOps Pipelines
● Tools and Services for practicing IaC (Packer + Ansible + Docker)
● Hands-On Labs: Using Ansible to harden on-prem/cloud machines for PCI-DSS
● Hands-On Labs: Create hardened Golden images using Packer + Ansible
13 CONTAINER SECURITY
● What is Docker
● Docker vs. Vagrant
● Basics of Docker and its challenges
– Vulnerabilities in images (Public and Private)
– Denial of service attacks
– Privilege escalation methods in Docker.
– Security misconfigurations.
● Container Security.
– Content Trust and Integrity checks.
– Capabilities and namespaces in Docker.
– Segregating Networks.
– Kernel Hardening using SecComp and AppArmor.
● Static Analysis of container (Docker) images.
● Dynamic Analysis of container hosts and daemons.
● Hands-On Labs:
– Scanning docker images using Clair and its APIs.
– Auditing Docker daemon and host for security issues.
14 SECRETS MANAGEMENT IN MUTABLE AND IMMUTABLE INFRASTRUCTURE
● Managing secrets in traditional infrastructure.
● Managing secrets in containers at Scale.
● Secret Management in Cloud
– Version Control Systems and Secrets.
– Environment Variables and Configuration files.
– Docker, Immutable systems, and security challenges.
– Secrets management with HashiCorp Vault and Consul.
● Hands-On Labs: Securely store Encryption keys and other secrets using Vault/Consul.
15 VULNERABILITY MANAGEMENT WITH CUSTOM TOOLS
● Approaches to manage the vulnerabilities in the organization.
● Hands-On Labs: Using Defect Dojo for vulnerability management.