SecDevOps: Injecting Security into DevOps

SensePost | July 22-23 & July 24-25



Overview

This course is not a course on writing secure code, but more about how developers and those involved in the development process, can help create more secure applications by utilising numerous tools and standards. The aim of the course is to enable those involved in an agile-like development process to add security testing into an already pressured short iteration cycle. It also aims to help with the lack of information security knowledge and awareness of how modern applications are targeted, attacked and breached.

Course Outline

Introduction to SecDevOps
  • Principles
  • Secure SDLC and AppSec Management
  • OWASP Top 10 and OWASP ASVS
  • SQL and other Injection attacks
  • Cross-Site Scripting (XSS) and Cross-Site Request Forgery vulnerabilities and attacks.

Approaches: Automated testing; monitoring Security Culture: Integrating security into DevOps teams Risk Workflows Rugged Software Using Artificial Intelligence for proactive defense
  • Enumerating & Exploiting Vulnerabilities
  • Threat Modelling

Risk Workflow
  • Abusing Risk
  • Accepting Risk
  • Test Cases: why should you care?

Hipster Dev
  • Docker
  • JavaScript
  • Angular
  • React
  • HTML5

Docker Seccurity
  • Understand how Docker works and how security can be applied
  • Understand Docker daemon protections
  • Understand Docker image/container protections
  • Running security scanners on images.

Lab One: Overview of automated testing approaches Integrating OWASP ZAP with Jenkins
  • Description of the setup
  • Lab: Delegates start with a semi-configured jenkins instance and have to complete the configuration and get ZAP running against your vulnerable application
  • Challenges and limitations


Lab Two: Scanning with ZAP + Selenium + JUnit
  • Description of the setup
  • Lab 1:
    • Record selenium steps to login and navigate application with Selenium IDE
    • Modify JUnit test template to navigate app, then run zap scan

Lab Three: Understanding False Positives


Lab Four: Scanning with BDD-Security
  • Introduction and concepts
  • Lab 1: Automated ZAP scanning with selenium steps
  • Lab 2: Functional tests around authentication and session management
  • Lab 3: Infrastructure tests on SSL and open ports
  • Lab 4: Testing access control
  • Lab 5: Building robust tests





Who Should Take this Course

This course is aimed at those responsible for slinging code, DevOps lovers, those involved in Agile dev and the mildly curious about if it's possible to produce secure apps.

Student Requirements

Ideally some development knowledge, waterfall or agile, should be had. This is about how your write secure code so an understanding of the process would help.

What Students Should Bring

Students should bring a laptop that is capable of running Ubuntu, booting from a USB device, access to BIOS settings, has a Ethernet port available (or a USB Ethernet adapter) and a user that has administrator rights. Please do not bring any devices that contain "Corporate" information. If you wish, bring your own mobile devices for testing.

What Students Will Be Provided With

We have developed a training portal that will be made available to all students before they attend Blackhat. This portal allows you to register an account and gain access to the slides used and any prerequisite information we feel would help you get the best out of this course. All content for the course, including tools required and instructions to configure your environment, will be made available via the training portal before you start, which means less time setting up and more time for learning.

Access to this portal will not stop once the course has finished, allowing you to continue learning in the weeks/months after Blackhat.

Trainers

SensePost has been training at Blackhat since 2001. We pride ourselves on ensuring our content, our training environment and trainers are all epic in every way possible. From working penetration testers, responsible for numerous tools and vulnerablities, to environments tailored for learning, training is at the core of what we do.