
Integrated DevSecOps


DevSecOps is the integration of security practices and principles into the DevOps process, with the aim of creating a more secure software development lifecycle.

In this 2-day workshop, we will cover tips and tricks on how to increase security of software delivery supply chains and existing infrastructure.


Training format
Remote

Length
2 days

Price
899 €

Course outline: Integrated DevSecOps

Day 1

Introduction to DevSecOps

  • Definition of DevSecOps; the role of security in DevOps
  • Introduction into threat modeling, attack surface, vulnerability and risk management
  • Overview of DevSecOps tools and practices

Software supply chain security

  • Definition and importance of supply chain security
  • Supply chain elements: software packages/updates, CI/CD pipelines, external vendors, SaaS vendors
  • Software vendor management, compliance and regulatory requirements, incident response and recovery
  • Threats to supply chain security and how to manage the resulting risk
  • Practical exercise: Conduct a supply chain risk assessment for a sample software product and develop a risk mitigation plan
  • Practical exercise: Develop an incident response plan for a supply chain security incident

Software Bill of Materials (SBOM)

  • Definition and purpose of SBOM in supply chain security
  • Overview of SBOM formats (e.g. SPDX, CycloneDX)
  • SBOM generation tools (e.g. OWASP Dependency-Track)
  • Practical exercise: Generate an SBOM for a sample software product using an SBOM generation tool and analyze it to identify potential security risks.

SIEM and log management

  • Introduction to security information and event management (SIEM)
  • SIEM components and architecture
  • Types of logs and log management
  • Log analysis and correlation
  • Real-time monitoring and alerting
  • Overview of popular SIEM tools (e.g. Splunk, ELK, LogRhythm)
  • Practical exercise: Install and configure a SIEM tool (ELK) and perform log analysis and correlation to identify potential security incidents.

Container and Orchestrator Security

  • Overview of containers and containerization
  • Container security risks
  • Secure container deployment
  • Container orchestration security
  • Popular container security tools (e.g. Aqua, Sysdig, Twistlock)
  • Practical exercise: Build and deploy a containerized application using a secure container platform (e.g. Docker, Kubernetes) and apply container security best practices.

Day 2

Secret Management

  • Definition of secrets and their importance in security
  • Types of secrets (e.g. passwords, API keys, certificates)
  • Best practices for secret management (e.g. encryption, rotation, access control)
  • Secret management tools (e.g. HashiCorp Vault, AWS Secrets Manager)
  • Integration of secret management in CI/CD pipelines
  • Practical exercise: Implement a simple secret management solution using a tool like HashiCorp Vault and integrate it into a CI/CD pipeline.

Secure software development

  • Secure coding practices, secure software development lifecycle (SSDL) and threat modeling
  • Code scanners for security problems, integration of security scanners into CI/CD pipelines
  • Practical exercise: Develop a sample application and apply secure coding practices, perform threat modeling, and integrate security testing in a CI/CD pipeline.

OWASP

  • Overview of the OWASP Top Ten security threats
  • A1: Injection flaws
  • A2: Broken authentication and session management
  • A3: Cross-site scripting (XSS)
  • A4: Security misconfigurations
  • A5: Insecure direct object references
  • A6: Cross-site request forgery (CSRF)
  • A7: Using components with known vulnerabilities
  • A8: Insufficient logging and monitoring
  • Other security risks
  • Practical exercise: Perform a hands-on assessment of a web application, identify and exploit at least one OWASP Top Ten vulnerability.

Open-Source Security

  • Open-source software security risks
  • Vulnerability management in open-source software
  • Popular open-source security tools (e.g. OWASP Dependency-Check, SonarQube)
  • Practical exercise: Perform a hands-on assessment of an open-source software package using an open-source vulnerability scanner (e.g. OWASP Dependency-Check) and integrate static code analysis using an open-source tool (e.g. SonarQube).

Version Control Security

  • Git commit signing and verification
  • Git permissions models
  • Practical exercise: Configure Git commit signing with GPG and sign and verify Git commits.