< NULLCON 2025 - GOA />

About The Training


< Training Title />

DevSecOps - A Hands-on Experience

< Training Schedule />

Start Date: Feb 26, 2025

End Date: Feb 28, 2025

< Training Venue />

Venue: TBA

< Training Objectives />

Keep up with DevOps modernization and widen your career prospects. This practical 3-day course will help you build your own DevSecOps pipeline so you can make products secure by design. Get your hands dirty with our popular virtual labs and learn from experienced, practicing penetration testers with a legacy of training at Black Hat. Learn how to use and automate the most popular and effective security tools and practices, overcome common DevSecOps challenges, instill security culture within your team, and more...

< Training Level />

Intermediate - Advanced

< Training Outlines />

What’s in the syllabus (note: our syllabuses are subject to change based on new vulnerabilities found and exploits released):

LAB SETUP

  • Online lab setup
  • Offline lab instructions

INTRODUCTION TO DEVOPS

  • What is DevOps?
  • Lab: Creating a DevOps pipeline

INTRODUCTION TO DEVSECOPS

  • Security challenges in DevOps
  • Threat modeling for DevOps
  • DevSecOps – why you need it, how you use it, and what it is
  • Vulnerability management

CONTINUOUS INTEGRATION

  • Pre-commit hooks
  • Introduction to Talisman
  • Lab: Running Talisman
  • Lab: Create your own regexes for Talisman
  • Secrets management
  • Introduction to HashiCorp Vault
  • Demo: Vault commands

CONTINUOUS DELIVERY

  • Software Composition Analysis (SCA)
  • Introduction to OWASP Dependency-Check
  • Lab: Run OWASP Dependency-Check pipeline
  • Lab: Fix issues reported by Dependency-Check
  • Static Analysis Security Testing (SAST)
  • Introduction to Semgrep
  • Lab: Run Semgrep pipeline
  • Lab: Create your own Semgrep rules
  • Lab: Fix issues reported by Semgrep
  • Dynamic Analysis Security Testing (DAST)
  • Introduction to OWASP ZAP
  • Demo: Creating OWASP ZAP Context File
  • Lab: Run OWASP ZAP in the pipeline

INFRASTRUCTURE AS CODE

  • Vulnerability Assessment (VA)
  • Introduction to OpenVAS
  • Lab: Run OpenVAS pipeline
  • Container Security (CS)
  • Introduction to Trivy
  • Lab: Run Trivy in Pipeline
  • Lab: Improvise Docker base image
  • Compliance as Code (CaC)
  • Introduction to Chef InSpec
  • Lab: Run Chef InSpec in the pipeline
  • Lab: Improvise with Docker compliance controls

CONTINUOUS MONITORING

  • Logging – why to do it, how, and what logs to collect
  • Introduction to the ELK Stack
  • Lab: View Logs in Kibana
  • Alerting – how to create alerts that help you prioritize
  • Introduction to ElastAlert and ModSecurity
  • Lab: View alerts in Kibana
  • Monitoring – how to track and learn from malicious activity
  • Lab: Create Attack Dashboards in Kibana

DEVSECOPS IN AWS

  • What does DevOps on Cloud Native AWS look like?
  • AWS threat landscape
  • Shifting to DevSecOps in Cloud Native AWS

DEVSECOPS CHALLENGES AND ENABLERS

  • Challenges with DevSecOps
  • How to build a DevSecOps culture
  • Security champions – how to create DevSecOps advocates across your team
  • Case study: how organizations use automation to implement development security best practice
  • Where to begin
  • DevSecOps maturity model

< WHAT TO BRING? />

The attendees will need a laptop with admin privileges and unfiltered access to the internet.

< Training PREREQUISITE />

  • The course is browser-based, so attendees will need Chrome or Firefox installed on their laptops.
  • Additionally, attendees need their own GitHub account.


< WHO SHOULD ATTEND? />

  • Developers
  • DevOps/DevSecOps engineers
  • Application security engineers
  • Ops teams
  • CISOs

This course is suitable for organizations and teams with a DevOps pipeline already in place, as well as those planning to implement one. The syllabus has been designed to help different key stakeholders improve their skills and knowledge across different security practices and embed “security by design” as the way of working. Putting these learnings to use will lead to improvements in the overall security posture of your applications over time.

< WHAT TO EXPECT? />

This course uses a Defense by Offence methodology based on real-world offensive research (not theory). That means everything we teach has been tried and tested, either on a live environment or in our labs, and can be applied (by you) once the course is over. By the end of the course, you’ll know:

  • How cyber criminals and penetration testers exploit insecure DevOps practices
  • Exactly where to start when shifting from DevOps to DevSecOps
  • How to use Talisman to create pre-commit hooks to lower the chance of credentials and other secrets being exposed during development
  • How to automate security into a fast-paced DevOps environment using various open-source tools and scripts that don’t slow down delivery
  • How to secure your methodology for managing and delivering Infrastructure as Code (IaC)
  • How to use the Elastic (ELK) Stack to monitor your applications’ behaviors with logs and alerts
  • How to achieve DevSecOps in cloud native AWS
  • What challenges to expect when moving to a DevSecOps model and how to overcome them
  • How to mature your DevSecOps approach over time


< WHAT ATTENDEES WILL GET? />

  • Certificate of completion.
  • Your own offline lab setup to use after the course.
  • 8 Continuing Professional Education (CPE) credits awarded per day of training fulfilled.
  • Learning pack: question & answer sheets, setup documents, and command cheat sheet.

< WHAT NOT TO EXPECT? />

The course is focused on DevSecOps using open-source tools. We will not be covering comparisons of paid tools or endorsing commercial tools.

< About the Trainer />

Yash Roongta

After gaining a Bachelor’s degree in Commerce, Yash completed a post-graduate diploma in Cybersecurity in 2016 and joined HappiestMinds as a Security Analyst. Over the next few years, he completed a number of certifications, including OSCP and OSWP, and gained experience in numerous business sectors, including banking, finance, telecoms, and ecommerce. He also gained team-leading experience managing the Cybersecurity team of one of India’s leading telecoms companies, which involved developing attack scenarios and the defence capabilities to detect and counter them. In his spare time, he leads the Mumbai chapter of OWASP, which aims to spread awareness of Cybersecurity issues and hosts information security sessions in the Mumbai region. In 2024, Yash completed his Master’s in Cyber Security. Yash delivers multiple training courses for NotSoSecure, both for private clients and at conferences.


Karan joined NotSoSecure in 2019 and works with clients operating across a broad range of business sectors, including banking, e-commerce, and software development. Working as part of a small team of Security Consultants, on- and off-site, he carries out various types of Penetration Testing on web applications, mobile applications, and networks. This part of his work also involves providing practical, actionable reports and ensuring that clients’ secured environments meet the required standards. He also delivers NotSoSecure training, such as the Application Security for Developers course, and undertakes various types of research for the company.

Key Skills

  • Web application Penetration Testing
  • Mobile application Penetration Testing
  • Network Penetration Testing
  • Source Code Review
  • API Testing
  • Thick Client
  • HTML & JavaScript