DevSecOps - Automating Security in DevOps


As part of this workshop attendees will receive a state-of-the-art DevSecOps tool-chest comprising of various open-source tools and scripts to help the DevOps engineers in automating security within the CI/CD pipeline. While the workshop uses Java/J2EE framework, the workshop is language agnostic and similar tools can be used against other application development frameworks.

The workshop will also present various case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach. Why DevSecOps ? The DevSecOps process will help in

  • Create a security culture/mindset amongst the already integrated “DevOps” team.
  • Find and fix security bugs as early in SDLC as possible.
  • The culture promotes the philosophy “security is everyone’s problem”.
  • Integrate all security software centrally and utilize the results more effectively.
  • Measure and shrink the attack surface

Course Outline

The following topics will be covered encompassing the entire Secure DevOps pipeline

  • Introduction and overview of DevOps
  • What and Why of DevSecOps ?
  • Integrating Security in CI/CD
  • Vulnerability Management using Archerysec
  • Secret Management using Vault, Jenkins and Docker Secrets
  • Security in Developer Workstations: Pre-Commit Hooks using Talisman
  • Software Composition Analysis using Dependency-Checker
  • SAST - Static Application Security Testing using FindSecBugs
  • DAST - Dynamic Application Security Testing using ZAP and OpenVAS
  • Compliance as Code using Inspec
  • Security in Infrastructure as a Code using Clair
  • Production Real-Time Alerting and Monitoring using Modsecurity WAF
  • Challenges in DevSecOps

Speaker

anand-tiwari

Anand Tiwari

    
Anand Tiwari is an information security professional with nearly 6 years of experience in offensive security, with expertise in Mobile and Web Application Security. He has authored Archery—open source ...