Trainer Name: Karan Shah

Title: Securing DevSecOps - A Hands-on Experience

Duration: 3 Days

Dates: Sept. 20, 2023 To Sept. 22, 2023

Training Objectives

Keep up with DevOps modernization and widen your career prospects. This practical 3-day course will help you build your own DevSecOps pipeline so you can make products secure by design. Get your hands dirty with our popular virtual labs and learn from experienced, practicing penetration testers with a legacy of training at Black Hat. Learn how to use and automate the most popular and effective security tools and practices, overcome common DevSecOps challenges, instill security culture within your team, and more...

Training level: Intermediate

Top 3 takeaways:

  • Hands-on experience with DevSecOps tools to help you learn what they do and how to use them.
  • Working knowledge of how to implement these security tools and other practices in your DevOps pipeline.
  • An offline lab setup, which you can replicate on your own computer to create and practice in the same environment in your own time (we will provide a folder and instructions for setup on Linux/Mac or Windows).

Course highlights:

  • Offensive angle: you’ll learn from practicing penetration testers and red teamers with working knowledge of the latest and most common software hacks.
  • Browser-based: the course has no software dependency and requires no installations, making it fast to get set up and easier to get security clearance (all you need is internet access and a GitHub account).
  • Multiple mitigations: for every vulnerability covered, you’ll explore 3 to 4 remediations, helping you develop a versatile approach.
  • Technology focus: almost two full days are spent testing the industry’s preferred DevSecOps tools, for free.
  • Real-world learning: in an industry where most of the leading cybersecurity training courses are based on theory, our scenario-led, research-based approach ensures you learn how real threat actors think and act.

Training Outlines

What’s in the syllabus:

Note: our syllabuses are subject to change based on new vulnerabilities found and exploits released.

LAB SETUP

  • Online lab setup
  • Offline lab instructions

INTRODUCTION TO DEVOPS

  • What is DevOps?
  • Lab: Creating a DevOps pipeline

INTRODUCTION TO DEVSECOPS

  • Security challenges in DevOps
  • Threat modeling for DevOps
  • DevSecOps – why you need it, how you use it, and what it is
  • Vulnerability management

CONTINUOUS INTEGRATION

  • Pre-commit hooks
  • Introduction to Talisman
  • Lab: Running Talisman
  • Lab: Create your own regexes for Talisman
  • Secrets management
  • Introduction to HashiCorp Vault
  • Base image
  • Compliance as Code (CaC)
  • Introduction to Chef Inspec
  • Lab: Run Chef Inspec in the pipeline
  • Lab: Improvise with Docker compliance controls

CONTINUOUS MONITORING

  • Logging – why to do it, how, and what logs to collect.
  • Introduction to the ELK Stack
  • Lab: View Logs in Kibana
  • Alerting – how to create alerts that help you prioritize
  • Introduction to ElastAlert and ModSecurity
  • Lab: View alerts in Kibana
  • Monitoring – how to track and learn from malicious activity
  • Lab: Create Attack Dashboards in Kibana

DEVSECOPS IN AWS

  • What does DevOps on Cloud Native AWS look like?
  • AWS threat landscape
  • Shifting to DevSecOps in Cloud Native AWS

DEVSECOPS CHALLENGES AND ENABLERS

  • Challenges with DevSecOps
  • How to build a DevSecOps culture
  • Security champions – how to create DevSecOps advocates across your team
  • Case study: how organizations use automation to implement development security best practice
  • Where to begin
  • DevSecOps maturity model

What to Bring?

A laptop with internet access and a browser, e.g. Firefox or Chrome.

Training Prerequisite

Students are advised to read an introduction to DevOps and to the importance of CI/CD pipelines.

Who Should Attend? | Target Audience

  • Developers
  • DevOps/DevSecOps engineers
  • Application security engineers
  • Ops teams
  • CISOs

This course is suitable for organizations and teams with a DevOps pipeline already in place, as well as those planning to implement one. The syllabus has been designed to help different key stakeholders improve their skills and knowledge across different security practices and embed “security by design” as the way of working. Putting these learnings to use will lead to improvements in the overall security posture of your applications over time.

What to Expect?

What you’ll learn:

This course uses a Defense by Offence methodology based on real-world offensive research (not theory). That means everything we teach has been tried and tested, either in a live environment or in our labs, and can be applied (by you) once the course is over. By the end of the course, you’ll know the following:

  • How cybercriminals and penetration testers exploit insecure DevOps practices.
  • Exactly where to start when shifting from DevOps to DevSecOps.
  • How to use Talisman to create pre-commit hooks to lower the chance of credentials and other secrets being exposed during development.
  • How to automate security in a fast-paced DevOps environment using various open-source tools and scripts that don’t slow down the delivery.
  • How to secure your methodology for managing and delivering Infrastructure as Code (IaC).
  • How to use the Elastic (ELK) Stack to monitor your applications’ behaviors with logs and alerts.
  • How to achieve DevSecOps in cloud native AWS.
  • What challenges to expect when moving to a DevSecOps model and how to overcome them.
  • How to mature your DevSecOps approach over time.

What you’ll be doing:

Our interactive course format enables you to get hands-on throughout the session, including:

  • Running different tools and testing them against realistic use cases in your own dedicated lab.
  • Automating code reviews to check software for vulnerabilities.
  • Modeling a Secure by Design environment module by module.
  • Discussing how to embed the human and cultural aspects of DevSecOps.

What attendees will get

  • Certificate of completion.
  • Your own offline lab setup to use after the course.
  • 8 Continuing Professional Education (CPE) credits awarded per day of training fulfilled.
  • Learning pack: question & answer sheets, setup documents, and command cheat sheet.

What not to expect?

The course is focused on DevSecOps using open-source tools. We will not be covering comparisons of paid tools or endorsing commercial tools.

About the Trainer

Karan joined NotSoSecure in 2019 and works with clients operating across a broad range of business sectors, including banking, e-commerce, and software development. Working as part of a small team of Security Consultants on- and off-site, he carries out various types of Penetration Testing on web applications, mobile applications, and networks. This part of his work also involves providing practical, actionable reports and being responsible for ensuring that clients’ secured environments meet required standards. He also delivers NotSoSecure training, such as the Application Security for Developers course, and undertakes various types of research for the company.

Background

Karan gained a Master's in Computer Applications in 2014 and immediately began working as an Information Security consultant. Since then, he has gained extensive experience in a variety of business sectors across the globe, in particular banking, government, finance, media, telecoms, and oil & gas, specializing in web application security and mobile application security. During this period, he also gained professional project-leading experience as a Deputy Manager at Protiviti and expert knowledge in source code review, HTML, and JavaScript – interests he also pursues in his spare time.

Certifications

  • CEH

Key Skills

  • Web applications Penetration Testing
  • Mobile application Penetration Testing
  • Network Penetration Testing
  • Source Code Review
  • API Testing
  • Thick Client
  • HTML & JavaScript