Hands-on DevSecOps and AppSec Automation

This training is a comprehensive, focused and practical approach at implementing Security for your Continuous Delivery Pipeline. The training is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.

The training begins with a detailed view of Continuous Application Security, through Application Security Automation with SAST, DAST, SCA, IAST and RASP. We will focus on real-world tools and techniques to automate application security tooling in a CI/CD pipeline. Including a deep-dive of several popular Test Automation Frameworks like Tavern, ThreatPlaybook, Robot Framework and Selenium that can be leveraged extensively to parameterize application security tests with test automation scripts. All of this expertise will go into actually “building” security pipelines that can be integrated into the organization’s DevOps processes.

Subsequently, the training focuses on Cloud Security with a focus on Amazon Web Services (AWS), where will use Terraform and Boto3 among other tools to deploy and configure security parameters and features for various Cloud services. The Cloud Security section of the class, will also focus on integrating Cloud Vulnerability Assessment and Benchmark tools like Scout2, Prowler and CSSuite as part of the CI/CD Pipeline.

Finally the training delves into Container Security, as part of an organization’s DevSecOps initiatives. This section of the program focuses on Containerized deployments, myriad exploits and vulnerabilities with Containerized Deployments. Subsequently, we explore tools and techniques to automate and identify weaknesses and security implementations for containerized deployments. The training additionally focuses on Kubernetes, especially owing to its ubiquity in the Container Orchestration ecosystem. Participants will have a roving view of Kubernetes security, starting off with a detailed exploit of a Kubernetes cluster and exploring the various security and automation options available to identify and secure Kubernetes clusters.

At the end of the training, participants will have immediate takeaways and practical techniques that they can use for their own implementations of DevSecOps, within their organization. The tools and frameworks detailed in the program are largely open-source or freely available, thereby ensuring that participants can actually implement these scalable DevSecOps programs without having to additionally invest in tooling. Several frameworks and tools have for this program have been developed by the authors of the program, as part of their extensive implementation expertise of DevSecOps, ranging from Threat Modeling to Cloud Security to Application Security Automation. Frameworks like ThreatPlaybook (Open Source) and Orchestron (Open Source Vulnerability Management and Correlation tool), which can be used to simplify Application Security Automation have been born out of extensive experience with real-world DevSecOps implementations.

Takeaways

• Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate
• Comprehensive Container Security which is critical, as organizations typically need to use Container Orchestration and security is a key aspect of orchestrating containers.