Nullcon Goa 2020 Training

AppSecOps A Holistic Approach To Application Security

Rohit Salecha & Abhijay Singh

Sold Out

Trainer Name: Rohit Salecha & Abhijay Singh
Title: AppSecOps A Holistic Approach To Application Security
Duration: 3 Days
Dates: 3rd - 5th March 2020

Course Overview

AppSecOps is a 3-day course providing a holistic, automation-driven approach to application security for developers. The class covers the latest OWASP Top 10 (2017 edition) from an attacker's perspective and looks at best practices and code snippets in Java, .NET and NodeJS for writing secure code. Throughout the class, developers get on the same page with security professionals, learn their language, learn how to fix or mitigate the vulnerabilities covered, and get acquainted with real-world breaches such as the Equifax breach disclosed in September 2017. Bug bounty case studies from popular websites like Facebook, Google, Shopify, PayPal and Twitter will be discussed to explain the financial repercussions of application security vulnerabilities such as SSRF, XXE, SQL Injection and authentication issues. After learning what application security vulnerabilities are and how to identify and fix them, the class shows how to use automation to weed out some of these vulnerabilities by injecting security into a DevOps pipeline.

As part of the class attendees will be provided access to an online lab for 7 days where they can practice their application security skills and be provided with our custom developed DevSecOps-Lab VM containing all the tools and code which are used for demonstrating the DevSecOps pipeline.

Course Objectives

  • Covers industry standards such as OWASP top 10 with a practical demonstration of vulnerabilities complemented with hands-on lab practice.
  • Provides insights into the latest security vulnerabilities (such as host header injection, XML external entity injection, attacks on JWT tokens, known-plaintext attacks, deserialization vulnerabilities).
  • Offers thorough guidance on best security practices (Introduction to various security frameworks and tools and techniques for secure application development).
  • Makes real-world analogies for each vulnerability explained (understand and appreciate why Facebook would pay $33,000 for an XML External Entity injection vulnerability).
  • Provides online labs for hands-on practice during and after the course (7 Days)
  • Create a security culture/mindset amongst the already integrated “DevOps” team.
  • Find and fix security bugs as early in SDLC as possible i.e. understand the “Shift Left” methodology.
  • The culture promotes the philosophy “Security is everyone’s problem”.
  • Integrate all security software centrally and utilize the results more effectively.
  • Measure and shrink the attack surface.

Course Outline

DAY 1

  • Application Security Basics
  • Understanding the HTTP Protocol
  • Security Misconfigurations
  • Insufficient Logging and Monitoring
  • Authentication Flaws
  • Authorization Bypass Techniques
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)

DAY 2

  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • XML External Entity (XXE) Attacks
  • Unrestricted File Uploads
  • Deserialization Vulnerabilities
  • Client-Side Security Concerns
  • Source Code Review
  • DevSecOps

DAY 3

  • Introduction and overview of DevOps
  • What and Why of DevSecOps?
  • Integrating Security in CI/CD
  • Vulnerability Management using Archerysec
  • Secret Management using Vault, Jenkins and Docker Secrets
  • Security in Developer Workstations: Pre-Commit Hooks using Talisman
  • Software Composition Analysis using Dependency-Checker
  • SAST – Static Application Security Testing using FindSecBugs
  • DAST – Dynamic Application Security Testing using ZAP and OpenVAS
  • Compliance as Code using Inspec
  • Security in Infrastructure as Code using Clair
  • Production Real-Time Alerting and Monitoring using ModSecurity WAF
  • DevSecOps in AWS
  • Challenges in DevSecOps
  • DevSecOps Enablers
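As an added illustration of the "Security in Developer Workstations: Pre-Commit Hooks" item in the Day 3 outline (this is not code from the course's DevSecOps-Lab VM and not Talisman itself), the following POSIX shell pre-commit hook rejects a commit when a staged file contains something that looks like a hard-coded credential. The pattern list, the function names scan_file and scan_staged, and the constructed sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: minimal secret-scanning pre-commit hook (stand-in for Talisman).
# Install as .git/hooks/pre-commit and make it executable.

# Assumed extended-regex patterns: AWS access key IDs, PEM private-key headers,
# and password/secret/api-key assignments with a quoted value of 8+ characters.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|(password|passwd|secret|api[_-]?key)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}"

# scan_file FILE: prints FILE:LINENO for every matching line; returns 1 if any match, else 0.
scan_file() {
    f="$1"
    hits=$(grep -inE "$SECRET_PATTERNS" -- "$f" 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r line; do
        printf '%s:%s\n' "$f" "${line%%:*}"
    done
    return 1
}

# scan_staged: scans every added/copied/modified file staged for commit.
# Returns 1 if any file contains a suspected secret. (Filenames with spaces
# would need "git diff -z"; kept simple here.)
scan_staged() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        scan_file "$f" || rc=1
    done
    return $rc
}

# Hook entry point: only runs when invoked by git as .git/hooks/pre-commit,
# so the functions above can also be sourced and reused elsewhere.
if [ "${0##*/}" = "pre-commit" ]; then
    if ! scan_staged; then
        echo "pre-commit: possible hard-coded secret in staged changes; commit rejected" >&2
        exit 1
    fi
fi
```

The hook is deliberately conservative: a match blocks the commit and prints the file and line so the developer can move the value into Vault, Jenkins credentials or Docker Secrets (the secret stores named in the outline) before retrying. Expect false positives on test fixtures and documentation; the usual answer is an allow-list file consulted before scan_file rejects, which Talisman provides out of the box.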

Key Takeaways

  • Understand OWASP Top 10 2017 with practical demonstrations and deeper insight.
  • Understand the financial repercussions of different vulnerabilities.
  • Get on the same page with the security team while discussing vulnerabilities.
  • Inject security in an automated DevOps pipeline by utilising various tools and techniques discussed during the course to find and fix bugs as early as possible.
  • Develop a “Secure by default” culture by making security everybody’s responsibility.
  • Centralize vulnerability management to provide a better picture of the state of security in the organisation.
  • Understand the benefits of DevSecOps and how it can be achieved.

Who Should Take this Course?

This class is ideal for Web/API developers who work day in, day out building full-stack web applications or web APIs. Anyone looking to develop a skill set in web application security and to identify web application flaws can also benefit from this course.

DevOps engineers, security and solutions architects, and system administrators will also benefit strongly from this course, as it gives them a holistic approach to application security.

Audience Skill Level

Intermediate

Student Requirements

Anybody with a background in IT or software development, whether a developer or a manager, can attend this course to gain insight into web application security vulnerabilities, DevOps and DevSecOps.

What Students Should Bring

A laptop with a minimum of 4 GB RAM and 1 GB of free disk space. Currently the tools provided by us support only Windows and macOS operating systems.

Students will also be provided with a DevSecOps-Lab VM, which is completely optional to download and use during the course. Attendees who download the VM can perform all the steps of building the pipeline along with the trainer. The VM requires a minimum of 8 GB of RAM and 40 GB of free disk space to run through all 3 days of the course.

What Students Will Be Provided With

Apart from the various tools and content around the training, students will be provided with 7-day lab access where they can practice all the exercises and demos shown during the training.

They shall also be provided with our custom built DevSecOps-Lab VM containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.

About Trainers

Rohit Salecha

Rohit Salecha is a technology enthusiast who loves to dive deep into the world of technology. His current expertise revolves around finding interesting bugs in web applications, and he also loves doing Android and iOS app security assessments. Through his learning, he also loves to deliver talks and training on various subjects related to web and mobile applications. He delivered training on Basic Web Hacking and Basic Infrastructure Hacking at Black Hat USA 2017 and 2018 to more than 80 students. He is also passionate about architecting IT solutions with a focus on information security.

Abhijay Singh

Abhijay Singh is an information security professional working as a Senior Security Consultant at NotSoSecure. With 7+ years of corporate experience, his area of expertise is application and network security assessments. Abhijay currently holds industry-recognised accreditations including OSCP. His current focus revolves around finding interesting bugs in web applications, and he also loves doing Android and iOS app security assessments in his spare time. He is an inveterate bug bounty hunter and likes to read about and learn new technologies.

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved