DevSecOps Master Class - 2024

DevOps has changed the way we deliver apps. However, security remains a serious bottleneck, especially Application Security. This is largely due to the speed of innovation in DevOps, contrasted with the escalating attacks against Applications.

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is based on our 4.9/5 Rated DevSecOps Masterclass at Blackhat.

The training is a hardcore hands-on journey into: - Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse! - Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques - Assurance and Provenance for artifacts. Mastery over Cosign and SLSA for Supply-Chain Provenance - DAST Automation and Security Regressions with ZAP and Nuclei. - Policy-As-Code: Leverage Open Policy Agent (OPA) with use-cases from API Access Control to OS Policy Controls.

Participants get a 2 month access to our online lab environment for DevSecOps training

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The Training starts with a view of DevSecOps, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

In this edition, we’re completely rebuilding our existing DevSecOps content to reflect the very bleeding edge of Application Security Automation and DevSecOps Approaches. These include, but not limited to:

Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!
Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques.
Supply-Chain Assurance and Provenance for artifacts.
Secret Management
DAST Automation with OWASP ZAP and Nuclei.
Policy-As-Code with Open Policy-Agent (OPA)
Integrating Security Automation with CI/CD tooling

Each section of the training will contain a challenge section that will enable the trainees and the trainers to identify levels of student learning.

Detailed Overview

Day 1

The Problem with the old models of Application Delivery
- A Quick History of Agile and DevOps
- The Coming of DevOps
- The Need for Security in DevOps
- Security in Continuous Integration and Continuous Deployment
Introduction to Static Application Security Testing (SAST) for Continuous Integration
- Static Analysis Types
  - Hands-on:
    - RegEx Tools
    - Abstract Syntax Trees
    - QL/Semantic Grep Tools => CodeQL and Semgrep
  - Semgrep Deep-Dive
    - Rules Syntax
    - Taint Analysis
    - Metavariables, Metafunctions, and MetaClasses
    - Semgrep against multiple languages:
      - Python
      - JavaScript
      - Go(lang)
      - Java
      - Ruby
  - CodeQL Deep-Dive
    - Rule Syntax
    - CodeQL VSCode Composition Tools
    - CodeQL for multiple languages:
      - C#
      - Python
      - Java
      - JavaScript
- Challenge Segment - Finding security bugs with Semgrep and CodeQL
- Static Analysis Automation Strategies
  - Hands-on:
    - Automation in IDE
    - Automation - Part of Git hooks
    - Automation - PR and MR Static Analysis Tooling (Github Actions, etc)
    - Automation - Build Pipeline and Pre-Deployment
- Static Analysis for Infrastructure-as-Code
  - Hands-on:
    - Kube-Linter
    - Checkov
    - Integrating Infrastructure-as-Code Scanning with GitHub Actions and Deploy Pipelines
Source Composition Analysis and Software Bill of Materials in DevSecOps
Concept Overview:
- Artifact Lifecycle
- SBOM
- Package Provenance
- SLSA - Supply-Chain Levels for Software Artifacts
- Source Composition Analysis
Package Provenance and Assurance Deep-Dive
- Cosign Deep-Dive - Keyed and Keyless
- SLSA Provenance Generator for GitHub Actions and Levels
SBOM Deep-dive:
- Hands-on:
  - CycloneDX
  - SPDX, SWID
  - VEX - Vulnerability Exploitability eXchange
SCA Deep-dive and Automation Strategies:
- Hands-on:
  - Incremental SCA with GitHub Actions => Pull Requests and Merge Requests
  - Package Manager integrated SCA with NPM, Poetry, Dependabot
  - OWASP Dependency Track and Dependency Check

Day 2

Dynamic Application Security Testing with Continuous Integration
Concepts of DAST with Security Testing
- Security Automation Testing using OWASP ZAP, Selenium, OpenAPI (Swagger)
- Security Regression Tests - How to design and write them
Nuclei Deep-Dive
- Hands-on:
  - Nuclei Templates
  - Integrating Nuclei into Pipelines
  - Using Nuclei for Security Regression
  - Using Nuclei for Security Scanning
Application Security Automation and Test Orchestration – Deep-Dive:
- Hands-on:
  - OWASP ZAP Deep-Dive
    - Scan Policy
    - Extensions
  - OWASP ZAP API Deep-Dive
    - Leveraging OWASP ZAP API with Selenium for testing browser-based applications
    - Leveraging OWASP ZAP API and (Tavern/RESTInstance/Chai) to test web services and microservices
    - OWASP ZAP API Testing with OpenAPI Specification
  - OWASP ZAP Scripting Workshop
    - Create Active Scan Scripts for Custom Application Vulnerabilities
Policy-as-code with Open Policy Agent
- Open Policy Agent Basics and Framework Overview
- Hands-on: Rego Basics - Language essentials and composition rules
- Hands-on:
  - Using OPA and Rego for API RBAC and AuthZ Implementation with API Gateways
  - Using OPA for Advanced Input Validation for APIs
  - Using OPA for Terraform Policy Definition and Enforcement
Secrets Management
- Intro to Secrets Management - A Case for a structured approach to managing secrets
- Secrets vs Sensitive Information - A Distinction and Varied Threat Model
- Secret Management Fails:
  - Secret Management in GitOps fails
  - Real-world incidents that were caused extensively by bad secrets management
Secrets Management with Hashicorp Vault (Hands-on):
- Introduction to HashiCorp Vault and its API
- Deploying Vault in Production
- Managing Secrets with Vault => Static Secrets
- Encryption, Key Rotation, and Rewrapping with Vault Transit Secrets Engine
- Dynamic Secrets with Vault => Utilizing Dynamic Secrets for short-term leases for databases
Pipelnies and Tooling
- Overview of Tooling:
  - Github Actions
  - Gitlab
  - Jenkins
  - Data Flow Automation Tools: Prefect, Gaia, Apache Airflow -Hand-on:
  - DevSecOps Pipelines with Github Actions
  - DevSecOps Pipelines with Gitlab
  - DevSecOps with Jenkins
  - DevSecOps with Gaia and Prefect

About the Speaker

Vishnu Prasad

Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies.

Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins, Selenium, Docker, and other DevOps tools. His role sees him automating SAST, DAST, and SCA security tools at every phase of the build pipeline. He commands knowledge of every major security tool out there, including ZAP, Burp, Findsecbugs, and npm audit, among many others. He’s a tireless innovator, having Dockerized his entire security automation process for cross-platform support to build pipelines seamlessly.

His experience extends even beyond DevSecOps: he designs and develops Web Application Security tools, performs vulnerability management and orchestration, and consults on security assessments for major companies. He’s proficient in languages like Python, Java, Javascript, Angular, and more. He regularly trains major companies and team members on application security automation, DevSecOps, and AppSec Essentials as well.