Exploiting Continuous Integration and Automated Build Systems Defcon 25

On-Demand: DevSecOps: Beginner Edition Bootcamp

Get a hands-on introduction to DevSecOps basics with a focus on implementing DevOps and DevSecOps pipelines in on-premise, hybrid and public cloud models.

Recordings of this bootcamp are now available as part of our annual subscription. Subscribe to enjoy:

  • Access to all on-demand bootcamps and relevant labs, including this one
  • 2200+ hands-on labs covering another 130+ subtopics


This is a 4-session beginner bootcamp that will teach you the basics of DevSecOps. You will learn how to use different tools and techniques to plan and create a DevOps pipeline, integrate security into it, and automate security testing, auditing, compliance and infrastructure security. You will have the opportunity to reinforce the essential concepts taught by building pipelines hands-on in our purpose-built labs.

  • 10+ Hours of Live Session Recordings

  • Over 25 Lab Exercises

  • Bootcamp recordings for select topics, accessible anytime

Follow along with instructors as they walk you through both theory and practice! With bootcamp recordings at your fingertips, master in-demand topics at your own pace, without time zone concerns. Take your time to go through our massive content library – you'll need it!

  • Access 135+ topics

Expand your horizons beyond bootcamps with 2200+ hands-on labs and 1500+ video courses! Our annual subscription grants you access to a massive content library – perfect for self-paced learning on an ongoing basis. View our entire list of topics here.

  • Browser-based platform; no VPN needed

Learning with us is simple. Our labs are completely browser-based and include access to a Terminal/GUI-based Kali, Ubuntu or other operating systems, with the necessary tools and scripts pre-installed. All you need is an internet connection to get started!

  • Real-world scenarios

Our lab scenarios are based on real-world circumstances as much as possible. With realistic scenarios, students are prepared for actual pentesting and Red Team engagements.

  • Earn verifiable badges

Complete challenges to earn badges. Verified by Accredible, badges declare your skill in specific topics and are easily shared on social media to help your profile stand out!

Upon logging in to the AttackDefense lab platform, annual subscribers will be able to access recordings of all our on-demand bootcamps and associated labs.

Prerequisites

1. Basic knowledge of computers and networking
2. Familiarity with the Linux Operating System
3. Familiarity with DevOps components is useful, but not essential

Module I: Introduction to DevOps

Learn the basics of DevOps and SDLC (Software Development Life Cycle) processes and the components required to implement a DevOps pipeline. Plan a pipeline for a web application and implement it for an on-premise setup involving virtual machines.

  • What is SDLC?

  • What is DevOps?

  • DevOps Building Blocks and Principles

  • Need for DevOps

  • What is Continuous Integration and Continuous Deployment?

  • Continuous Integration to Continuous Deployment to Continuous Delivery

  • Continuous Delivery vs Continuous Deployment

  • General workflow of CI/CD pipeline

  • Phases of DevOps Pipeline

  • Code Environment (IDE)

  • Version Control System (VCS)

  • Basics of Git VCS

  • Self-hosted VCS e.g. GitLab, SCM

  • Publicly available VCS e.g. GitLab, GitHub, BitBucket

  • Building the Project

  • Manual Build vs Automated Build

  • Build Systems e.g. Maven, make, Dockerfile, Packer

  • Testing

  • Manual Testing vs Automated Testing

  • Automated Unit Testing e.g. JUnit, Pytest

  • Automated Functional Testing e.g. Selenium

  • Deployment

  • Manually creating the setup

  • Infrastructure as Code e.g. Ansible, Chef

  • Continuous Integration (CI)

  • Benefits of CI

  • CI solutions e.g. Jenkins, GitLab CI

  • Lab: Continuous Integration lab for Django Webapp

  • Monitoring

  • Importance of Monitoring

  • Monitoring with Nagios

  • Concept and explanation of what to monitor

  • Maintenance

  • Issue Tracking

  • Documentation

  • Case studies on DevOps Pipelines

  • Plan a DevOps Pipeline for a WebApp

  • Implement DevOps Pipeline for an on-premise model

Module II: DevSecOps: Adding Security to DevOps

This module is covered in Sessions 2 and 3 of the bootcamp.

Understand the secure SDLC and the concept of integrating security into the DevOps process, learn to perform threat modeling, identify the security components for the DevOps pipeline, and install and configure the security tools that convert a DevOps pipeline into a DevSecOps pipeline.

  • What is Secure SDLC?

  • Secure SDLC phases

  • DevSecOps Maturity Model (DSOMM)

  • Adding Security to DevOps

  • Phases of DevSecOps Pipeline

  • Threat modelling

  • What is Threat Modelling?

  • STRIDE vs DREAD approaches

  • Using ThreatSpec and BDD Security

  • Automated Code Review

  • What is Automated Code Review?

  • Using FindSecBugs, PMD, DevSkim tools

  • Sensitive Information Scan

  • What is Sensitive Information Scan?

  • Using Talisman, GitSecret, Trufflehog

  • Static Code Analysis (SAST)

  • What is SAST?

  • Using SonarQube, Graudit and Flawfinder

  • Dynamic Code Analysis (DAST)

  • What is DAST?

  • Using OWASP ZAP, Arachni

  • Software Component Analysis

  • What is Software Component Analysis?

  • Using OWASP Dependency-Check, Retire.js and Safety

  • Vulnerability Management and Vulnerability Assessment

  • What is Vulnerability Management and Vulnerability Assessment?

  • Using ArcherySec, DefectDojo, OpenVAS

  • Compliance as Code

  • What is Compliance as Code?

  • Using InSpec and Serverspec

  • Secret Management

  • Need for Secret Management

  • Using HashiCorp Vault, Torus

  • Case studies on DevSecOps Pipelines

  • Identify security components for the WebApp DevOps pipeline created in the last session

  • Integrate the security components to form a DevSecOps pipeline

Module III: DevSecOps Pipelines on GitLab

Learn about GitLab CI fundamentals and the configuration needed to create a DevSecOps pipeline on it. GitLab can be hosted on-premise, used as the hosted service GitLab.com, or installed on cloud infrastructure, making it a good choice for a DevSecOps process.

  • Designing a DevOps Pipeline for a Django Web Application

  • Identifying the DevSecOps components to integrate

  • Introduction to GitLab CI

  • Writing .gitlab-ci.yml

  • Configuring Environment variables

  • Using secrets securely

  • Configuring Runners

  • Implementing Pipeline using GitLab CI

  • Integrating security tools

Nishant Sharma

Nishant Sharma leads R&D at Pentester Academy and Attack Defense. He has 8+ years of experience in the information security field including 6+ years in WiFi security research and development. He has presented research and conducted workshops at Blackhat USA/Asia, DEF CON China, HITB, RootCon, Packet Hacking Village, Wireless Village, IoT village and Demo labs (DEFCON USA).

Nishant's Twitter handle is also @wifisecguy, which should tell you all you need to know about his research interests.

Nishant Sharma - Instructor


Source: https://bootcamps.pentesteracademy.com/course/devsecops-on-demand
