DevSecOps Foundation

The purpose and intent of DevSecOps is to build on the mindset that "everyone is responsible for security", with the goal of safely distributing security decisions, at speed and scale, to the people who hold the most context about a change, without sacrificing the safety the organization requires.

With business demand for DevOps, Agile and public cloud services, traditional security processes have become a major roadblock targeted for elimination, and sadly they are sometimes the easiest part of the process to bypass altogether. Traditional security operates from the position that once a system has been designed, its security defects can be determined by security staff and corrected by the business operators before the system is released.

Prerequisites:

  • Understanding of DevOps principles and best practices.
  • Understanding of security principles.

Understanding DevSecOps

  • DevOps Building Blocks: People, Process and Technology.
  • DevOps Principles: Culture, Automation, Measurement and Sharing (CAMS).
  • Benefits of DevOps – Speed, Reliability, Availability, Scalability, Automation, Cost and Visibility.
  • Overview of the DevSecOps critical toolchain.
  • Repository management tools.
  • Continuous Integration and Continuous Deployment tools.
  • Infrastructure as Code (IaC) tools.
  • Communication and sharing tools.
  • Security as Code (SaC) tools.

Security needs and Threat Modeling

  • What is Threat Modeling?
  • STRIDE (threat classification) vs DREAD (risk rating) approaches.
  • Threat modeling and its challenges.
  • Classical threat modeling tools and how they fit into the CI/CD pipeline.

Securing Applications

  • Static Application Security Testing (SAST) in CI/CD
    • Why pre-commit hooks are not a good fit in DevSecOps.
    • Writing custom rules to weed out false positives and improve the quality of the results.
    • Various approaches to writing custom rules in free and paid tools:
      • Regular expressions
      • Abstract Syntax Trees
      • Graphs (data and control flow analysis)
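As an added illustration of the three rule-writing approaches above (example code, not part of the course material), the Python block below implements one custom rule, "eval() called on untrusted input", three times: as a regular expression, as an Abstract Syntax Tree match, and as a minimal data-flow (taint) check. The sample program it scans is constructed inline; the comment and string literal in it are the classic regex false positives, and the constant-argument eval() is the false positive the AST rule still cannot tell apart from the real finding. The taint tracker is deliberately simple (straight-line, module-level assignments only; no functions, branches or sanitizers), which is the kind of precision gap a commercial engine's graph analysis closes.

```python
"""Custom SAST rule written three ways: regex, AST match, simple taint flow."""
import ast
import re

# Constructed sample under test (not real project code).  Line numbers matter:
#  1 comment mentioning eval()        -> regex false positive
#  2 string literal mentioning eval() -> regex false positive
#  4 eval() on a constant             -> AST true call, but not exploitable
#  7 eval() on data derived from input() -> the real finding
SAMPLE = '''\
# TODO: stop using eval() here one day
HELP = "never call eval() on user data"
config = "1 + 1"
result_ok = eval(config)
user_input = input("expr> ")
expr = user_input.strip()
danger = eval(expr)
def safe_eval(x):
    return x
y = safe_eval(user_input)
'''

# Approach 1: regular expression.  Cheap and language-agnostic, but it has no
# idea whether "eval(" sits in code, a comment or a string.
EVAL_RE = re.compile(r"\beval\s*\(")

def regex_rule(source):
    """Return 1-based line numbers where the pattern matches."""
    return [no for no, line in enumerate(source.splitlines(), 1) if EVAL_RE.search(line)]

# Approach 2: AST.  Only genuine Call nodes whose callee is the bare name
# `eval` are reported, so comments, strings and safe_eval() disappear.
def _is_eval_call(node):
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "eval")

def ast_rule(source):
    tree = ast.parse(source)
    return sorted(n.lineno for n in ast.walk(tree) if _is_eval_call(n))

# Approach 3: data flow.  A name becomes tainted when it is assigned from a
# source call (input()) or from any expression that mentions a tainted name;
# eval() is reported only when one of its arguments mentions a tainted name.
SOURCES = {"input"}  # calls whose return value is attacker-controlled (assumption)

def _names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def taint_rule(source):
    tainted, findings = set(), []
    for stmt in ast.parse(source).body:          # straight-line, top level only
        if isinstance(stmt, ast.Assign):
            value = stmt.value
            from_source = (isinstance(value, ast.Call)
                           and isinstance(value.func, ast.Name)
                           and value.func.id in SOURCES)
            if from_source or (_names_in(value) & tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
        for call in (n for n in ast.walk(stmt) if _is_eval_call(n)):
            if any(_names_in(arg) & tainted for arg in call.args):
                findings.append(call.lineno)
    return sorted(findings)

def compare(source=SAMPLE):
    """Side-by-side results of the three rules for the same source."""
    return {"regex": regex_rule(source),
            "ast": ast_rule(source),
            "taint": taint_rule(source)}

if __name__ == "__main__":
    for name, lines in compare().items():
        print(f"{name:>5}: lines {lines}")
```

Each step down the list trades scan speed and simplicity for precision: the regex reports four lines, the AST rule two, and the taint rule only the one a developer should actually fix. In a pipeline that fails builds on findings, that difference is the difference between a gate developers respect and one they learn to bypass.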

Dynamic Application Security Testing (DAST) in CI/CD

  • Embedding DAST tools into the pipeline.
  • Leveraging QA/Performance automation to drive DAST scans.
  • Using Swagger (OpenAPI) and ZAP to scan APIs iteratively.
  • Ways to handle custom authentications for ZAP Scanner.
  • Using the Zest scripting language to provide better coverage for DAST scans.

Runtime Analysis (RASP/IAST) in CI/CD

  • What is runtime application security testing?
  • Differences between RASP and IAST.
  • Runtime Analysis and challenges.
  • RASP/IAST and its suitability in CI/CD pipeline.

Securing Infrastructure as Code

  • IaC Template
  • Managing Secrets
  • Communication channel
  • User Access Management
  • Drift in Configuration
  • Ghost Resources
  • Risks in Data transmission
  • Audit Logs

Vulnerability Management

  • Approaches to managing vulnerabilities in the organization.
  • False positives and False Negatives.
  • Culture and Vulnerability Management.
  • Creating different metrics for CXOs, devs and security teams.

Securing Containers

  • Docker security
  • Kubernetes security

Securing Cloud

  • Security for Cloud Services
  • Identifying Personally Identifiable Information
  • Better Security on the Road
  • Brief Overview of Cloud Computing
  • Cloud Security Considerations
  • Security Best Practices for Clouds
  • Other Cloud Security Considerations
  • Conclusion