DevSecOps is the integration of security practices and principles into the DevOps process, with the aim of creating a more secure software development lifecycle.
In this 2-day workshop, we will cover tips and tricks on how to increase security of software delivery supply chains and existing infrastructure.
Course outline: Integrated DevSecOps
Introduction to DevSecOps
- Definition of DevSecOps; the role of security in DevOps
- Introduction into threat modeling, attack surface, vulnerability and risk management
- Overview of DevSecOps tools and practices
Software supply chain security
- Definition and importance of supply chain security
- Supply chain elements: software packages/updates, CI/CD pipelines, external vendors, SaaS vendors
- Software vendor management, compliance and regulatory requirements, incident response and recovery
- Threats and risk management to supply chain security
- Practical exercise: Conduct a supply chain risk assessment for a sample software product and develop a risk mitigation plan
- Practical exercise: Develop an incident response plan for a supply chain security incident
Software Bill of Materials (SBOM)
- Definition and purpose of SBOM in supply chain security
- Overview of SBOM formats (e.g. SPDX, CycloneDX)
- SBOM generation tools (e.g. OWASP Dependency-Track)
- Practical exercise: Generate an SBOM for a sample software product using a SBOM generation tool and analyze it to identify potential security risks.
SIEM and log management
- Introduction to security information and event management (SIEM)
- SIEM components and architecture
- Types of logs and log management
- Log analysis and correlation
- Real-time monitoring and alerting
- Overview of popular SIEM tools (e.g. Splunk, ELK, LogRhythm)
- Practical exercise: Install and configure a SIEM tool (ELK) and perform log analysis and correlation to identify potential security incidents.
Container and Orchestrator Security
- Overview of containers and containerization
- Container security risks
- Secure container deployment
- Container orchestration security
- Popular container security tools (e.g. Aqua, Sysdig, Twistlock)
- Practical exercise: Build and deploy a containerized application using a secure container platform (e.g. Docker , Kubernetes) and apply container security best practices.
- Definition of secrets and their importance in security
- Types of secrets (e.g. passwords, API keys, certificates)
- Best practices for secret management (e.g. encryption, rotation, access control)
- Secret management tools (e.g. HashiCorp Vault, AWS Secrets Manager)
- Integration of secret management in CI/CD pipelines
- Practical exercise: Implement a simple secret management solution using a tool like HashiCorp Vault and integrate it into a CI/CD pipeline.
Secure software development
- Secure coding practices, secure software development lifecycle (SSDL) and threat modeling
- Code scanners for security problems, integration of security scanners into CI/CD pipelines
- Practical exercise: Develop a sample application and apply secure coding practices, perform threat modeling, and integrate security testing in a CI/CD pipeline.
- Overview of the OWASP Top Ten security threats
- A1: Injection flaws
- A2: Broken authentication and session management
- A3: Cross-site scripting (XSS)
- A4: Security misconfigurations
- A5: Insecure direct object references
- A6: Cross-site request forgery (CSRF)
- A7: Using components with known vulnerabilities
- A8: Insufficient logging and monitoring
- Other security risks
- Practical exercise: Perform a hands-on assessment of a web application, identify and exploit at least one OWASP Top Ten vulnerability.
- Open-source software security risks
- Vulnerability management in open-source software
- Popular open-source security tools (e.g. OWASP Dependency-Check, SonarQube)
- Practical exercise: Perform a hands-on assessment of an open-source software package using an open-source vulnerability scanner (e.g. OWASP Dependency-Check) and integrate static code analysis using an open-source tool (e.g. SonarQube).
Version Control Security
- Git commit signing and verification
- Git permissions models
- Practical exercise: Configure Git commit signing with GPG and sign and verify Git commits.