Date | Day | Time | Duration |
19 Mar | Friday | 09:00-17:00 SGT/GMT+8 | 8 Hours |
20 Mar | Saturday | 09:00-17:00 SGT/GMT+8 | 8 Hours |
26 Mar | Friday | 09:00-17:00 SGT/GMT+8 | 8 Hours |
27 Mar | Saturday | 09:00-17:00 SGT/GMT+8 | 8 Hours |
In this training, participants will learn how to handle security at scale using DevSecOps practices. We will start with the basics of the Secure Coding, Secure SDLC, DevSecOps and move towards advanced concepts such as Security as Code, Configuration management, and Infrastructure as code.
The content of the training includes the know-how to do secure code reviews, security testing (SAST, DAST, SCA), and ways to support their teams in adopting the security tools and increase in the security posture of the applications through “secure by design” principles.
Training sessions will be comprised of both theory, demos, and hands-on exercises.
● Introduction to Application Security ● OWASP TOP 10 Vulnerabilities ● SQL Injection ● Cross-Site Scripting ● Cross-Site Request Forgery (CSRF) ● Server-Side Request Forgery (SSRF) ● Local File Inclusions ● File upload (RCE) ● Hands-On Labs: SQL Injection ● Hands-On Labs: XSS and CSRF ● Hands-On Labs: SSRF ● Hands-On Labs: LFI and File Upload issues.
● Character Encoding ● Input Validation ● Output Encoding ● Whitelisting & Blacklisting ● Normalization of the input and output ● Regular Expressions ● HTML Encoding ● Prepared Statements ● Stored Procedures ● Hands-sOn Labs: Input validation using industry best practices ● Hands-On Labs: Output encoding to prevent client-side attacks like XSS
● AUTHENTICATION ATTACKS - Brute force attacks - Weak password storage - Default passwords - Password reset - Remember me - Secret questions - Account lockout - Logout - Hands-On Labs: Bruteforce attacks and secret questions - Hands-On Labs: Information leakage with password reset workflows ● AUTHENTICATION DEFENSES - Strong Password policy - Basic Authentication - Form-Based Authentication - CAPTCHA - Hands-On Labs: Secure password storage and rainbow table attacks - Hands-On Labs: Implement JWT securely in Golang
● Role-based access control ● Declarative access control ● Unvalidated redirects and forwards ● Hands-On Labs: Best practices in implementing role-based access control ● Hands-On Labs: Risks with unvalidated redirects and forwards
● Weak session management ● Session hijacking/Session fixation ● Client certificates ● Protecting Sessions ● Regeneration of Session tokens ● Session Timeouts ● MITM attacks and defenses ● Using third party IAM services (Auth0, O365) ● Hands-On Labs: Session hijacking and fixation attacks ● Hands-On Labs: Secure randomness for sensitive features ● Hands-On Labs: Preventing MITM using industry best practices
● Using Transport Layer Security (TLS) ● HTTP Strict Transport Security (HSTS) ● Hands-On Labs: How to configure TLSv1.2 and beyond securely to achieve A+ on SSLlabs scans. ● Hands-On Labs: Configure HSTS to prevent MITM attacks
● What is DevSecOps? ● DevSecOps Building Blocks- People, Process, and Technology. ● DevSecOps Principles – Culture, Automation, Measurement and Sharing (CAMS) ● Benefits of DevSecOps – Speed, Reliability, Availability, Scalability, Automation, Cost, and Visibility. ● What is Continuous Integration and Continuous Deployment?. - Continuous Integration to Continuous Deployment to Continuous Delivery. - Continuous Delivery vs. Continuous Deployment. - General workflow of CI/CD pipeline. - Achieving full automation. - Designing a CI/CD pipeline for a web application. ● Common Challenges faced when using DevOps principle. ● Case studies on DevOps of cutting edge technology at Facebook, Amazon, and Google ● Demo: How to implement a full-blown Enterprise DevSecOps Pipeline.
● What is Secure SDLC in DevSecOps ● Secure SDLC Activities and Security Gates - Security Requirements ( Requirements) - Threat Modelling (Design and Architecture) - Static Analysis and Secure by Default ( Implementation) - Dynamic Analysis(Testing) - OS Hardening, Web/Application Hardening (Deploy) - Security Monitoring/Compliance (Maintain) ● Security Requirement gathering ● Secure Design and Architecture ● Security Principles ● Hands-On Labs: Implement CI/CD pipelines.
● What is Software Component Analysis? ● Software Component Analysis and challenges. ● What to look for in an SCA solution (Free or Commercial). ● Embedding SCA tools like OWASP Dependency Checker, Safety, RetireJS, and NPM Audit, Snyk into the pipeline. ● Demo: using OWASP Dependency Checker to scan third-party component vulnerabilities in Java Code Base. ● Hands-On Labs: using RetireJS and NPM to scan third-party component vulnerabilities in Javascript Code Base. ● Hands-On Labs: using Safety/pip to scan third-party component vulnerabilities in Python Code Base.
● What is Static Application Security Testing? ● Static Analysis and challenges. ● Embedding SAST tools like Fortify, Checkmarx, find bugs into the pipeline. ● Secrets scanning to prevent secret exposure in the code. ● Writing custom checks to catch secrets leakage in an organization. ● Hands-On Labs: using GoSec to scan Golang code. ● Hands-On Labs: using Trufflehog/Gitrob to scan for secrets in CI/CD pipeline. ● Hands-On Labs: using nodescan to scan node.js code.
● What is Dynamic Application Security Testing? ● Dynamic Analysis and Its challenges ( Session Management, AJAX Crawling ) ● Embedding DAST tools like ZAP and Burp Suite into the pipeline. ● SSL misconfiguration testing ● Server Misconfiguration Testing like secret folders and files. ● Hands-On Labs: using ZAP to configure per commit/weekly/monthly scans. ● Demo: using Burp Suite to configure per commit/weekly/monthly scans.
● What is Infrastructure as Code and its benefits ● Introduction to Ansible - Benefits of Ansible - Push and Pull Model - Modules, tasks, roles, and Playbooks - Ansible for continuous security in DevOps Pipelines ● Tools and Services for practicing IaaC ( Packer + Ansible + Docker ) ● Hands-On Labs: Using Ansible to harden on-prem/cloud machines for PCI-DSS ● Hands-On Labs: Create hardened Golden images using Packer + Ansible
● What is Docker ● Docker vs. Vagrant ● Basics of Docker and its challenges - Vulnerabilities in images (Public and Private) - Denial of service attacks - Privilege escalation methods in Docker. - Security misconfigurations. ● Container Security. - Content Trust and Integrity checks. - Capabilities and namespaces in Docker. - Segregating Networks. - Kernel Hardening using SecComp and AppArmor. ● Static Analysis of container(Docker) images. ● Dynamic Analysis of container hosts and daemons. ● Hands-On Labs: - Scanning docker images using Clair and its APIs. - Auditing Docker daemon and host for security issues.
● Managing secrets in traditional infrastructure. ● Managing secrets in containers at Scale. ● Secret Management in Cloud - Version Control Systems and Secrets. - Environment Variables and Configuration files. - Docker, Immutable systems, and security challenges. - Secrets management with Hashicorp Vault and consul. ● Hands-On Labs: Securely store Encryption keys and other secrets using Vault/Consul.
● Approaches to manage the vulnerabilities in the organization. ● Hands-On Labs: Using Defect Dojo for vulnerability management.