OWASP NZ Day 2020-Training-DevSecOps
DevSecOps: Automating Security in DevOps
One-Day Interactive Training -- OWASP New Zealand Day 2020
Modern enterprises are implementing the technical and cultural changes required to embrace DevOps methodology. DevSecOps extends DevOps, by introducing security early into the SDLC process, thereby minimizing the security vulnerabilities and enhancing the software security posture.
Course attendees will learn how to:
- Create a security culture/mindset among the already integrated "DevOps" team
- Find and fix security bugs as early in SDLC as possible
- The culture promotes the philosophy "Security is everyone's problem"
- Integrate all security software centrally and utilize the results more effectively
- Measure and reduce applications' attack surface
DevOps engineers, security and solutions architects. System administrators will also strongly benefit from this course as it will give them a holistic approach towards application security.
Anybody with a background in IT or related to software development whether a developer or a manager can attend this course to get an insight into DevOps and DevSecOps.
Dates: Thursday, 20 February 2020
Time: 8:45 a.m. to 5:30 pm.
Course Fee: NZ $625.00 (plus EventBrite fees)
Registration Site: https://owaspnz2020-training.eventbrite.com
Attendees Should Bring:
Students will be provided with a DevSecOps-Lab VM which is completely optional to download and use for the course. If you are intending to use it then the Laptop requires a minimum of 16GB of RAM and 40 GB of extra space.
Attendees Will Be Provided:
The attendees will receive a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.
Instructors: Anand Tiwari and Rohit Salecha
Instructors' Organization: NotSoSecure
Modern enterprises are implementing the technical and cultural changes required to embrace DevOps methodology. DevSecOps extends DevOps by introducing security early into the SDLC process, the security vulnerabilities and enhancing the software security posture. In this workshop, we will show how this can be achieved through a series of live demonstrations and practical examples.
As part of this workshop attendees will receive a state-of-the-art DevSecOps tool-chest comprising of various open-source tools and scripts to help the DevOps engineers in automating security within the CI/CD pipeline. While the workshop uses Java/J2EE technology stack, the workshop is language agnostic and similar tools can be used against other application development frameworks.
A Short preview of our course is available on YouTube.
- Introduction and overview of DevOps
- What and Why of DevSecOps?
- Integrating Security in CI/CD
- Vulnerability Management using Archerysec
- Secret Management using Vault, Jenkins and Docker Secrets
- Security in Developer Workstations: Pre-Commit Hooks using Talisman
- Software Composition Analysis using Dependency-Checker
- SAST – Static Application Security Testing using FindSecBugs
- DAST – Dynamic Application Security Testing using ZAP and OpenVAS
- Compliance as Code using Inspec
- Security in Infrastructure as a Code using Clair
- Production Real-Time Alerting and Monitoring using ModSecurity WAF
- DevSecOps in AWS
- Challenges in DevSecOps
- DevSecOps Enablers
Anand Tiwari - Anand is an information security professional with nearly 6+ years of experience in offensive security, with expertise in Mobile and Web Application Security. He has authored Archery—open-source tool and has presented at BlackHat, DEF CON USA, and HITB conferences. In his free time, he enjoys coding and experimenting with various open-source security tools. Follow Anand on Twitter: @anandtiwarics
Rohit Salecha - Rohit is a Principal Security Consultant for NotSoSecure, a Claranet Group company. He is a technology enthusiast with over eight years of experience in hacking anything that runs on binaries and is on the ground. He also delivers best-selling classes by NotSoSecure, including "Application Security for Developers" and "DevSecOps." He has also trained and spoken at premier security conferences like Blackhat and Nullcon. Rohit loves to reverse engineer binaries and mobile applications and find and exploit vulnerabilities in them. He spends his free time learning new technologies, programming languages, or maybe even tinkering with open-source tools.