Course description
DevSecOps is the integration of security practices and principles into the DevOps process, with the aim of creating a more secure software development lifecycle.
In this 2-day workshop, we will cover tips and tricks on how to increase the security of software delivery supply chains and existing infrastructure.
Day 1
Introduction to DevSecOps
Definition of DevSecOps; the role of security in DevOps
Introduction to threat modeling, attack surface, vulnerability and risk management
Overview of DevSecOps tools and practices
Software supply chain security
Definition and importance of supply chain security
Supply chain elements: software packages/updates, CI/CD pipelines, external vendors, SaaS vendors
Software vendor management, compliance and regulatory requirements, incident response and recovery
Threats to supply chain security and risk management
Practical exercise: Conduct a supply chain risk assessment for a sample software product and develop a risk mitigation plan
Practical exercise: Develop an incident response plan for a supply chain security incident
Software Bill of Materials (SBOM)
Definition and purpose of SBOM in supply chain security
Overview of SBOM formats (e.g. SPDX, CycloneDX)
SBOM generation tools (e.g. OWASP Dependency-Track)
Practical exercise: Generate an SBOM for a sample software product using an SBOM generation tool and analyze it to identify potential security risks.
SIEM and log management
Introduction to security information and event management (SIEM)
SIEM components and architecture
Types of logs and log management
Log analysis and correlation
Real-time monitoring and alerting
Overview of popular SIEM tools (e.g. Splunk, ELK, LogRhythm)
Practical exercise: Install and configure a SIEM tool (ELK) and perform log analysis and correlation to identify potential security incidents.
Container and Orchestrator Security
Overview of containers and containerization
Container security risks
Secure container deployment
Container orchestration security
Popular container security tools (e.g. Aqua, Sysdig, Twistlock)
Practical exercise: Build and deploy a containerized application using a secure container platform (e.g. Docker, Kubernetes) and apply container security best practices.
Day 2
Secret Management
Definition of secrets and their importance in security
Types of secrets (e.g. passwords, API keys, certificates)
Best practices for secret management (e.g. encryption, rotation, access control)
Secret management tools (e.g. HashiCorp Vault, AWS Secrets Manager)
Integration of secret management in CI/CD pipelines
Practical exercise: Implement a simple secret management solution using a tool like HashiCorp Vault and integrate it into a CI/CD pipeline.
Secure software development
Secure coding practices, secure software development lifecycle (SSDL) and threat modeling
Code scanners for security problems, integration of security scanners into CI/CD pipelines
Practical exercise: Develop a sample application and apply secure coding practices, perform threat modeling, and integrate security testing in a CI/CD pipeline.
OWASP
Overview of the OWASP Top Ten security threats
A1: Injection flaws
A2: Broken authentication and session management
A3: Cross-site scripting (XSS)
A4: Security misconfigurations
A5: Insecure direct object references
A6: Cross-site request forgery (CSRF)
A7: Using components with known vulnerabilities
A8: Insufficient logging and monitoring
Other security risks
Practical exercise: Perform a hands-on assessment of a web application, identify and exploit at least one OWASP Top Ten vulnerability.
Open-Source Security
Open-source software security risks
Vulnerability management in open-source software
Popular open-source security tools (e.g. OWASP Dependency-Check, SonarQube)
Practical exercise: Perform a hands-on assessment of an open-source software package using an open-source vulnerability scanner (e.g. OWASP Dependency-Check) and integrate static code analysis using an open-source tool (e.g. SonarQube).
Version Control Security
Git commit signing and verification
Git permissions models
Practical exercise: Configure Git commit signing with GPG and sign and verify Git commits.
Register your interest
Informator is the training company that strengthens your competitiveness by maintaining, updating and adding relevant knowledge in IT and management, where and when you need it. We have grown together with the leading companies of the Swedish software industry and have trained developers, engineers, project managers and executives since...