SEC DEVOPS: INJECTING SECURITY INTO DEVOPS

This course is not a course on writing secure code; it is about how developers, and others involved in the development process, can help create more secure applications by utilising numerous tools and standards. The aim of the course is to enable those working in an agile-like development process to add security testing to an already pressured, short iteration cycle. It also aims to address the lack of information-security knowledge and awareness of how modern applications are targeted, attacked and breached.

Who should enrol for this course

This course introduces security at speed for those responsible for developing applications. The goal is to automate secure development and to introduce security tests and fixes within the workflow, so that secure software becomes an inherent outcome of the DevOps approach. Participants will be exposed to multiple tools, processes and methodologies that show how to apply the SecDevOps concept to a greenfield or brownfield SDLC.

Purpose

This is not a course focused on writing secure code; it is about how developers, and others involved in the development process, can help create more secure artefacts by utilising numerous tools and standards.

The aim of the course is to enable those involved in an agile-like development process to add security testing into an already pressured, short iteration cycle. The course also aims to address the lack of information-security knowledge and awareness of how modern applications are targeted, attacked and breached by attackers.

Course Outline

Participants will be introduced to past, present and future approaches to secure application development while utilising multiple tools and technologies. Each student gets access to their own cloud-based environment containing multiple hosts, services and tools of the kind typically found in the SDLC. This includes Version Control, Continuous Integration, Continuous Deployment, Automated Deployment and, of course, Continuous Security.

The course shows students how to produce software artefacts through a SecDevOps SDLC so that those artefacts inherently exhibit the qualities of secure artefacts ready for deployment.

The SecDevOps course is structured around several Labs that introduce students to the concepts and methodologies taught throughout the course in a practical, hands-on manner. They include:

Introduction to SecDevOps

  • Principles
  • Secure SDLC and AppSec Management
  • OWASP Top 10 and OWASP ASVS
  • SQL and other Injection attacks
  • Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities and attacks

  • Approaches: automated testing and monitoring
  • Security Culture: integrating security into DevOps teams
  • Risk Workflows
  • Rugged Software
  • Using Artificial Intelligence for proactive defence
  • Enumerating & Exploiting Vulnerabilities
  • Threat Modelling

Risk Workflow

  • Abusing Risk
  • Accepting Risk
  • Test Cases: why should you care?

Hipster Dev

  • Docker
  • JavaScript
  • Angular
  • React
  • HTML5

Docker Security

  • Understand how Docker works and how security can be applied
  • Understand Docker daemon protections
  • Understand Docker image/container protections
  • Running security scanners on images.

Lab 1: MiTM Proxies

  • Understand why MiTM proxies are useful for development environments
  • Intercept and modify network traffic for applications

Lab 2: Fuzzing and Brute-forcing

  • Learn basic attacks used by attackers to break applications
  • Remediate vulnerabilities identified by these attack techniques
  • Utilise OWASP resources to exploit and remediate vulnerabilities

Lab 3: XSS

  • Identify, exploit and remediate common XSS vulnerabilities

Lab 4: SQLi

  • Identify, exploit and remediate common SQLi vulnerabilities

Lab 5: Create the PacMan Functional Spec Doc

  • Define the functional requirements for a custom OSINT tool
  • Define the user stories for PacMan
  • Implement Secure Scrum for PacMan and its user stories

Lab 6: Setting up your Development Environment

  • Configure and setup your IDE to build PacMan
  • Configure your IDE to scan PacMan for local vulnerable dependencies automatically

Lab 7: Setting up your Version Control System

  • Configure and setup your version control to host PacMan's source code
  • Implement your version control in a secure manner according to best practices

Lab 8: Setting up your Continuous Integration System

  • Configure and setup your CI system to utilise your VC system
  • Implement automated builds for PacMan's code

Lab 9: Configuring Jenkins to automate dependency scanning

  • Configure Jenkins to automatically scan PacMan's code for vulnerable dependencies

Lab 10: Automating Web Application Scanning with ZAP

  • Configure and deploy ZAP locally to scan PacMan for vulnerabilities
  • Utilise OWASP resources to remediate identified vulnerabilities in PacMan

Lab 11: Automating Application Deployments

  • Configure and implement automated deployment of secure artefacts
  • Implement rule-based deployments of PacMan to a production-like environment

Lab 12: Implementing Security Oriented Unit Tests

  • Utilise TDD and unit-testing frameworks to implement Security Oriented Unit Tests (SOUTs)

Lab 13: Implementing Telemetry into your CI Environment

  • Implement telemetry to gain insight into the security status of PacMan

Lab 14: Threat Modelling: An introduction

  • Perform basic automated threat modelling against PacMan to identify threats specific to PacMan
  • Perform risk analysis of the identified threats

Lab 15: Playing with Behaviour-Driven Development

  • Configure and implement BDD Automated Security Tests for Web Applications

WHAT STUDENTS WILL BE PROVIDED WITH

  • A training portal will be made available to all students before they attend the training
  • Via the training portal you gain access to the slides used and any prerequisite information
  • All content for the course, including tools required and instructions to configure your environment, will be made available via the training portal

INSTRUCTOR: Daniel Cuthbert

Daniel Cuthbert is the Chief Operating Officer at SensePost. With a career spanning over 20 years on both the offensive and defensive side, he has seen the evolution of hacking from small groups of curious minds to the organised criminal networks and nation-state actors we see today.

Daniel Cuthbert has presented all over the planet and has been involved with OWASP since 2001. He started the OWASP Testing Project with Mark Curphey and helped the project grow to what it is today. Through security roles in investment banks, technology firms, global media organisations and security consultancies he has been researching, and involved with, web application security for a decade. Daniel has worked on a wide range of projects to ensure that the development life cycle is secure and that the resulting applications are robust and can withstand today's attacks. He is the original author of the OWASP Testing Guide, released in 2003, and the co-author of the OWASP Application Security Verification Standard (ASVS), and he sits on both the Black Hat Review Board and the Black Hat Training Board.

Outside of security, he is a published Fashion and Documentary Photographer.

Contact us for more information