Security Automation for DevOps Environments

Sense of Security Pty Ltd | March 20 - 21



Overview

With the rise of DevOps (agile development and deployment environments), a chasm has emerged as it becomes evident that superfast and continuous software development is marginalising "traditional" security teams. Security teams need to catch up with this disruption, and fast.

This two-day learning lab is designed to cover in detail several topics relevant to the implementation of security in a DevOps environment, with a focus on the role that automation can play.

The interactive nature of this learning lab means it is designed to encourage active participation and feedback from the audience so that the discussion is productive, inventive and enjoyable.

The outcome for attendees will be an ability to better understand, articulate and implement solutions to address the issues of security in a DevOps environment that can be solved through automation.

This lab will include an overview of a DevSecOps stack (that we have used in a lab environment as a typical understanding of a generic model), and we will define a common understanding of the modern Service Delivery Life-Cycle (SDLC).

We cover an understanding of why DevSecOps matters, and how automation is a central theme to its success. Lab attendees will gain an understanding of key concepts such as the need to "shift left" and identify issues and defects earlier in the SDLC cycle.

Technical hands-on demos and tasks relating to the practical solutions available will cover achieving automation with continuous scanning, static and dynamic code analysis, as well as security-as-code for infrastructure security deployments (including Docker security) and automation through the CI/CD layer for on-demand applications.

We will go through an end-to-end DevOps Kill Chain to demonstrate the countermeasures for every attack that occurs in the example.

We will round out the lab with a discussion about emerging technologies such as run-time application self-protection techniques (RASP) and behaviour driven development (BDD).

This learning lab has been prepared based on real-world consulting assignments working with the development teams at some of Australia's best known brands. We bring our detailed experience as consultants, successfully executing DevSecOps assessments, to provide a tutorial that is both relevant and timely in the current IT environment.

Who Should Take this Course

This course is aimed at anyone who is looking to achieve end-to-end security for agile/cloud environments, including anyone involved in the DevOps lifecycle: Agile Developers, Operations Engineers, Cloud Infrastructure Engineers, Project Managers, Scrum Leaders, and Security, Risk and Compliance personnel/consultants.

Student Requirements

  • The InfoSec fundamentals of Confidentiality, Integrity and Availability should be understood at a high level.
  • For the development side of the training, some knowledge of waterfall vs. agile would be ideal.
  • For the infrastructure side of the training, knowledge of virtualization, orchestration, server-less computing and general cloud security would be ideal.

What Students Should Bring

Students should bring a laptop that is capable of running Ubuntu and booting from a USB device, with access to BIOS settings, an Ethernet port available (or a USB Ethernet adapter) and a user that has administrator rights.
Students can also bring laptops that run a Windows Desktop - such as Windows 10.
DO NOT bring any devices that contain company information.

What Students Will Be Provided With

We will provide you with:
  • All the training slides
  • Sample scripts/test cases for automation
  • All Open Source Tools
  • Options for Commercial Tools
  • All lab configurations will be provided prior to the event so you can setup in advance.

Trainers

Murray Goldschmidt is an industry-recognised expert in achieving security in a DevOps environment (putting the "sec" into DevSecOps), having developed, enhanced and presented on this topic at several events with the objective of rapidly enhancing the capability within the APAC region. Murray is an information security specialist with over 17 years of commercial IT experience and is co-founder and Chief Operating Officer at Sense of Security. He is frequently invited to present at conferences, workgroups and seminars and asked to provide expert comment for editorials and publications. Murray has presented on security topics to many audiences at conferences including AusCERT, the Australian Cyber Security Centre (ACSC), RSA Conference, AllDayDevOps, and the Australian Information Security Association (AISA). Along with holding a degree in Electrical Engineering, Murray is a Certified Information Systems Security Professional (CISSP), an IRAP Assessor, a Payment Card Industry Qualified Security Assessor (PCI QSA) and an active member of the Australian Information Security Association (AISA).