SecDevOps: Injecting Security Into DevOps

SensePost | August 4-5 & August 6-7



Overview

"To defeat your enemy you have to know your enemy." This paraphrase of a renowned quote attributed to the military general Sun Tzu also applies to DevOps teams that want to develop more secure code. This course aims to teach developers basic hacking techniques tightly coupled with a secure development process. The goal is to automate secure development and introduce security tests and fixes within the workflow, making secure software an inherent outcome of the DevOps approach.

This course is not limited to writing secure code; it focuses on how developers, and others involved in the development process, can help create more secure applications by utilising numerous tools and standards. The aim of the course is to enable those involved in an agile-like development process to add security testing into an already pressured short iteration cycle. It also illustrates information security concepts and risks, and creates awareness of how modern applications are targeted, attacked and breached.

COURSE OUTLINE
1) Core Principles of SecDevOps

  • Secure SDLC and AppSec Management
  • OWASP Top 10 and OWASP ASVS

2) Automated Testing

  • Monitoring Security Culture: Integrating security into DevOps teams' risk workflow
  • Enumerating & Exploiting Vulnerabilities
  • Threat Modelling

3) Risk Workflow

  • Abusing Risk
  • Accepting Risk
  • Test Cases: why should you care?

4) Static Code Analysis and Dependency Checking

  • Github
  • Android Studio
  • Visual Studio

5) Docker security

  • Understand how Docker works and how security can be applied
  • Understand Docker daemon protections
  • Understand Docker image/container protections
  • Running security scanners on images

We moved our entire lab environment to AWS, which means that each student signing up to our courses gets access to their own dedicated training environment, allowing for as much haxory and experimentation as they like.

PRACTICAL EXERCISES INCLUDE

  • Using MiTM proxies
  • Basics of web application hacking
  • Configuring a development environment, version control and Continuous Integration system
  • Automated dependency scanning
  • Automated deployments
  • OWASP ZAP and Jenkins integration
  • Scanning with ZAP + Selenium + Junit
  • Dealing with False Positives
  • Scanning with BDD-Security
  • Functional tests around authentication & session management
  • Infrastructure test on SSL and open ports
  • Utilise Test-Driven Development and Unit Testing frameworks to implement Security Oriented Unit Tests
  • Automated threat modeling and performing risk analysis

Who Should Take this Course

This course is aimed at those responsible for slinging code, DevOps lovers, those involved in Agile dev and the mildly curious about whether it's possible to produce secure applications.

Student Requirements

Students should bring a laptop that is capable of running remote desktop software and has WiFi connectivity. As always, please do not bring any devices that contain "Corporate" information, the networks there can be a tad dirty ;)

What Students Should Bring

Students should bring a laptop that is capable of running Ubuntu and booting from a USB device, with access to BIOS settings, an available Ethernet port (or a USB Ethernet adapter) and a user account that has administrator rights. Please do not bring any devices that contain "Corporate" information. If you wish, bring your own mobile devices for testing.

What Students Will Be Provided With

We have developed a training portal that will be made available to all students before they attend Black Hat. This portal allows you to register an account and gain access to the slides used and any prerequisite information we feel would help you get the best out of this course. All content for the course, including the tools required and instructions to configure your environment, will be made available via the training portal before you start, which means less time setting up and more time for learning.

Access to this portal will not stop once the course has finished, allowing you to continue learning in the months after Black Hat.

Trainers

SensePost has been training at Black Hat since 2001. We pride ourselves on ensuring our content, our training environment and our trainers are all epic in every way possible. Our trainers are working penetration testers, responsible for numerous tools, talks and 0day releases. We have years of experience building environments tailored for learning; training is at the core of what we do.