Secure Coding and DevSecOps [October 2021 CEST]

$4,299.00

Duration

4 days

Delivery Method

virtual

Level

advanced

Seats Available

20

DELIVERY: VIRTUAL LIVE STREAM

DATE: 18-21 October 2021

TIME: 09:00 to 17:00 CDT
      09:00 to 17:00 CEST

Date    Day        Time                     Duration
18 Oct  Monday     09:00 to 17:00 CDT/CEST  8 Hours
19 Oct  Tuesday    09:00 to 17:00 CDT/CEST  8 Hours
20 Oct  Wednesday  09:00 to 17:00 CDT/CEST  8 Hours
21 Oct  Thursday   09:00 to 17:00 CDT/CEST  8 Hours

The goal of this training is to equip participants with the skills, techniques, and mindset needed to secure applications using DevSecOps best practices.

In this training, participants will learn how to handle security at scale using DevSecOps practices. We will start with the basics of secure coding, the Secure SDLC, and DevSecOps, and move towards advanced concepts such as Security as Code, configuration management, and Infrastructure as Code.

The content of the training includes the know-how to perform secure code reviews and security testing (SAST, DAST, SCA), and ways to support teams in adopting security tools and raising the security posture of their applications through "secure by design" principles.

Training sessions consist of theory, demos, and hands-on exercises.

Agenda

  • 01 INTRODUCTION TO APPLICATION SECURITY

    ● Introduction to Application Security
    ● OWASP Top 10 Vulnerabilities
    ● SQL Injection
    ● Cross-Site Scripting (XSS)
    ● Cross-Site Request Forgery (CSRF)
    ● Server-Side Request Forgery (SSRF)
    ● Local File Inclusion (LFI)
    ● File Upload (RCE)
    ● Hands-On Labs: SQL Injection
    ● Hands-On Labs: XSS and CSRF
    ● Hands-On Labs: SSRF
    ● Hands-On Labs: LFI and File Upload issues

  • 02 SECURE DESIGN - INPUT AND OUTPUT VALIDATION TECHNIQUES

    ● Character Encoding
    ● Input Validation
    ● Output Encoding
    ● Whitelisting & Blacklisting
    ● Normalization of input and output
    ● Regular Expressions
    ● HTML Encoding
    ● Prepared Statements
    ● Stored Procedures
    ● Hands-On Labs: Input validation using industry best practices
    ● Hands-On Labs: Output encoding to prevent client-side attacks like XSS

  • 03 SECURE DESIGN - AUTHENTICATION ATTACKS & DEFENSE

    ● AUTHENTICATION ATTACKS
      - Brute force attacks
      - Weak password storage
      - Default passwords
      - Password reset
      - Remember me
      - Secret questions
      - Account lockout
      - Logout
      - Hands-On Labs: Brute-force attacks and secret questions
      - Hands-On Labs: Information leakage in password reset workflows
    ● AUTHENTICATION DEFENSES
      - Strong password policy
      - Basic Authentication
      - Form-Based Authentication
      - CAPTCHA
      - Hands-On Labs: Secure password storage and rainbow table attacks
      - Hands-On Labs: Implementing JWT securely in Golang

  • 04 SECURE DESIGN - AUTHORIZATION ATTACK & DEFENSE

    ● Role-based access control
    ● Declarative access control
    ● Unvalidated redirects and forwards
    ● Hands-On Labs: Best practices in implementing role-based access control
    ● Hands-On Labs: Risks with unvalidated redirects and forwards

  • 05 SECURE DESIGN - SESSION MANAGEMENT (Auth0, O365)

    ● Weak session management
    ● Session hijacking / session fixation
    ● Client certificates
    ● Protecting sessions
    ● Regeneration of session tokens
    ● Session timeouts
    ● MITM attacks and defenses
    ● Using third-party IAM services (Auth0, O365)
    ● Hands-On Labs: Session hijacking and fixation attacks
    ● Hands-On Labs: Secure randomness for sensitive features
    ● Hands-On Labs: Preventing MITM using industry best practices

  • 06 SECURE DESIGN - SECURITY CONFIGURATION (HSTS, TLS)

    ● Using Transport Layer Security (TLS)
    ● HTTP Strict Transport Security (HSTS)
    ● Hands-On Labs: How to configure TLSv1.2 and beyond securely to achieve an A+ on SSL Labs scans
    ● Hands-On Labs: Configure HSTS to prevent MITM attacks

  • 07 INTRODUCTION TO DEVSECOPS

    ● What is DevSecOps?
    ● DevSecOps Building Blocks: People, Process, and Technology
    ● DevSecOps Principles: Culture, Automation, Measurement, and Sharing (CAMS)
    ● Benefits of DevSecOps: Speed, Reliability, Availability, Scalability, Automation, Cost, and Visibility
    ● What is Continuous Integration and Continuous Deployment?
      - Continuous Integration to Continuous Deployment to Continuous Delivery
      - Continuous Delivery vs. Continuous Deployment
      - General workflow of a CI/CD pipeline
      - Achieving full automation
      - Designing a CI/CD pipeline for a web application
    ● Common challenges faced when applying DevOps principles
    ● Case studies on DevOps at cutting-edge technology companies: Facebook, Amazon, and Google
    ● Demo: How to implement a full-blown Enterprise DevSecOps pipeline

  • 08 SECURE SDLC AND CI/CD PIPELINE

    ● What is Secure SDLC in DevSecOps?
    ● Secure SDLC Activities and Security Gates
      - Security Requirements (Requirements)
      - Threat Modelling (Design and Architecture)
      - Static Analysis and Secure by Default (Implementation)
      - Dynamic Analysis (Testing)
      - OS Hardening, Web/Application Hardening (Deploy)
      - Security Monitoring/Compliance (Maintain)
    ● Security requirement gathering
    ● Secure Design and Architecture
    ● Security Principles
    ● Hands-On Labs: Implement CI/CD pipelines

  • 09 SOFTWARE COMPONENT ANALYSIS (SCA) IN CI/CD PIPELINE

    ● What is Software Component Analysis?
    ● Software Component Analysis and its challenges
    ● What to look for in an SCA solution (free or commercial)
    ● Embedding SCA tools like OWASP Dependency-Check, Safety, RetireJS, NPM Audit, and Snyk into the pipeline
    ● Demo: Using OWASP Dependency-Check to scan for third-party component vulnerabilities in a Java code base
    ● Hands-On Labs: Using RetireJS and NPM Audit to scan for third-party component vulnerabilities in a JavaScript code base
    ● Hands-On Labs: Using Safety/pip to scan for third-party component vulnerabilities in a Python code base

  • 10 STATIC ANALYSIS (SAST) IN CI/CD PIPELINE

    ● What is Static Application Security Testing?
    ● Static Analysis and its challenges
    ● Embedding SAST tools like Fortify, Checkmarx, and FindBugs into the pipeline
    ● Secrets scanning to prevent secret exposure in code
    ● Writing custom checks to catch secrets leakage in an organization
    ● Hands-On Labs: Using GoSec to scan Golang code
    ● Hands-On Labs: Using TruffleHog/Gitrob to scan for secrets in the CI/CD pipeline
    ● Hands-On Labs: Using nodescan to scan Node.js code

  • 11 DYNAMIC ANALYSIS (DAST) IN CI/CD PIPELINE

    ● What is Dynamic Application Security Testing?
    ● Dynamic Analysis and its challenges (session management, AJAX crawling)
    ● Embedding DAST tools like ZAP and Burp Suite into the pipeline
    ● SSL misconfiguration testing
    ● Server misconfiguration testing, e.g. exposed secret folders and files
    ● Hands-On Labs: Using ZAP to configure per-commit/weekly/monthly scans
    ● Demo: Using Burp Suite to configure per-commit/weekly/monthly scans

  • 12 INFRASTRUCTURE AS CODE (IAC) AND ITS SECURITY

    ● What is Infrastructure as Code and what are its benefits?
    ● Introduction to Ansible
      - Benefits of Ansible
      - Push and Pull model
      - Modules, tasks, roles, and Playbooks
      - Ansible for continuous security in DevOps pipelines
    ● Tools and services for practicing IaC (Packer + Ansible + Docker)
    ● Hands-On Labs: Using Ansible to harden on-prem/cloud machines for PCI-DSS
    ● Hands-On Labs: Creating hardened Golden images using Packer + Ansible

  • 13 CONTAINER SECURITY

    ● What is Docker?
    ● Docker vs. Vagrant
    ● Basics of Docker and its challenges
      - Vulnerabilities in images (public and private)
      - Denial of service attacks
      - Privilege escalation methods in Docker
      - Security misconfigurations
    ● Container Security
      - Content Trust and integrity checks
      - Capabilities and namespaces in Docker
      - Segregating networks
      - Kernel hardening using seccomp and AppArmor
    ● Static analysis of container (Docker) images
    ● Dynamic analysis of container hosts and daemons
    ● Hands-On Labs:
      - Scanning Docker images using Clair and its APIs
      - Auditing the Docker daemon and host for security issues

  • 14 SECRETS MANAGEMENT IN MUTABLE AND IMMUTABLE INFRASTRUCTURE

    ● Managing secrets in traditional infrastructure
    ● Managing secrets in containers at scale
    ● Secrets management in the Cloud
      - Version control systems and secrets
      - Environment variables and configuration files
      - Docker, immutable systems, and security challenges
      - Secrets management with HashiCorp Vault and Consul
    ● Hands-On Labs: Securely store encryption keys and other secrets using Vault/Consul

  • 15 VULNERABILITY MANAGEMENT WITH CUSTOM TOOLS

    ● Approaches to managing vulnerabilities in the organization
    ● Hands-On Labs: Using DefectDojo for vulnerability management

Why You Should Take This Course

TBA

Who Should Attend

This course is aimed at anyone who is looking to embed security into agile, cloud, and DevOps environments:
  • Security Professionals
  • Penetration Testers
  • Red Teamers
  • IT Managers
  • Developers
  • DevOps Engineers

Delegates will receive 30 days of course support via Slack and email.

Key Learning Objectives

  • Secure Coding and Application Security
  • DevSecOps (Security Assessments)

Prerequisite Knowledge

TBA

Hardware / Software Requirements

Our lab environment is deployed on AWS, so trainees need the following to connect to it:
  1. Laptop / PC with decent specs: at least 4GB of RAM and a modern CPU.
  2. A modern browser such as Chrome, Firefox, or Safari.
