Ganga Sumanth, Vishnu Prasad - DevSecOps Masterclass: AppSec Automation Edition $2,800 (early $2,600)
**Trainer bio:** 

**Trainer 1: Vishnu Prasad** 
Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies.

Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins, Selenium, Docker, and other DevOps tools. His role sees him automating SAST, DAST, and SCA security tools at every phase of the build pipeline. He commands knowledge of every major security tool out there, including ZAP, Burp, FindSecBugs, and npm audit, among many others. He's a tireless innovator, having Dockerized his entire security automation process for cross-platform support so that it integrates seamlessly into build pipelines.

His experience extends even beyond DevSecOps: he designs and develops Web Application Security tools, performs vulnerability management and orchestration, and consults on security assessments for major companies. He's proficient in languages and frameworks like Python, Java, JavaScript, Angular, and more. He regularly trains major companies and team members on application security automation, DevSecOps, and AppSec Essentials as well.

**Trainer 2: Ganga Sumanth** 
Ganga Sumanth is a Cloud Security Engineer at AppSecEngineer. His natural curiosity finds him diving into various rabbit holes which he then turns into playgrounds and challenges at AppSecEngineer. 

A passionate speaker and a ready teacher, he takes to various platforms to speak about security vulnerabilities and hardening practices. He has also trained at Black Hat USA, Asia, and Europe, and at several corporate engagements, on topics ranging from DevSecOps and Application Security to Google Cloud Security.

These days he can be found messing about with the likes of Go and Rust and their applicability in cloud settings. He is also a huge Semgrep buff and is constantly seen tinkering with it. When not researching the latest security exploits and patches, he's probably raving about the latest addition to his ever-growing collection of hobbies.


**Full description of the training:** 

This training program presents a comprehensive and hands-on approach to implementing DevSecOps practices, with a primary focus on Application Security Automation. Participants will embark on an immersive journey, closely connected to their keyboards, as they engage in labs enriched with real-world examples of DevSecOps and AppSec Automation.

The training begins with a deep dive into DevSecOps, emphasizing the integration of security measures across the stages of the Software Development Lifecycle. It then explores specific Application Security Automation techniques, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Supply-Chain Security, and Dynamic Application Security Testing (DAST), and shows how each of these tools integrates into CI/CD pipelines.

This edition represents a complete overhaul of our existing DevSecOps content, showcasing the forefront of Application Security Automation and DevSecOps strategies. Highlights include:

- Hands-on SAST Mastery: Participants gain expertise in SAST for both Applications and Infrastructure-as-Code, focusing on advanced tools like Semgrep and CodeQL. The training emphasizes the creation of custom SAST rules with finesse.
- Elevated Supply-Chain Security Automation: Navigation through Software Bill of Materials (SBOMs), Source Composition Analysis, and Security Engineering techniques. This segment covers diverse methods for constructing secure base images for containers.
- Robust Supply-Chain Assurance and Provenance: A deep dive into the SLSA (Supply-Chain Levels for Software Artifacts) Standard, illustrating how automation aligns with compliance levels. Additionally, comprehensive exploration of Cosign from Project Sigstore reveals its utility in generating keyed/keyless signatures for various artifacts.
- Secrets Management Unveiled: Detailed exploration of Secrets Management and Encryption tools, such as HashiCorp Vault, offering insights into advanced Encryption, Key Management, and Dynamic Secrets implementation.
- Dynamic Application Security Testing (DAST) Autonomy: Exploration of DAST Automation with prominent tools like OWASP ZAP and Nuclei. This includes API-based scanning with OWASP ZAP and crafting custom DAST automation using Nuclei, addressing intricate vulnerabilities through Security Regressions.
- Policy-As-Code Prowess: In-depth exploration of Open Policy Agent (OPA), a potent framework for crafting and enforcing policies across diverse deployment scenarios. OPA's Domain Specific Language, Rego, will be demystified, empowering participants to grasp the nuances of policy-as-code frameworks.
- Seamless Integration with CI/CD: Navigation through integrating Security Automation with pivotal CI/CD tools like GitHub Actions, GitLab, and Jenkins. Furthermore, leveraging Data Flow Automation tools like Robot Framework, Gaia, and Prefect offers alternative avenues for AppSec Automation beyond conventional CI/CD tools.

For 2024, we've re-framed this training with a cookbook-style approach that captures the multiple styles of deployments and DevSecOps practices that provide validation and assurance for a variety of use-cases. While building effective and transparent pipelines is the primary goal, we've focused on a building-block style approach to showcase the huge variety of options that are available in each domain of security testing.

At the end of the training, participants will have immediate takeaways and practical techniques that they can use for their implementations of DevSecOps, within their organization. The tools and frameworks detailed in the program are largely open-source or freely available, thereby ensuring that participants can implement these scalable DevSecOps programs without having to additionally invest in tooling. Several frameworks and tools have been developed by the authors of the program, as part of their extensive implementation expertise of DevSecOps, ranging from Threat Modeling to Cloud Security to Application Security Automation. Frameworks like ThreatPlaybook (open-source) and Orchestron (open-source Vulnerability Management and Correlation tool), which can simplify Application Security Automation, have been developed from extensive experience with real-world DevSecOps implementations.

Another brand new addition comes in the form of engaging challenges that are sprinkled throughout each training section, empowering both trainers and trainees to gauge levels of student comprehension and growth.

**Outline of the class:** 

# Day 1

- The Problem with the old models of Application Delivery
- A Quick History of Agile and DevOps
- The Need for Security in DevOps
- Security in Continuous Integration and Continuous Deployment
- Introduction to Static Application Security Testing (SAST) for Continuous Integration
  - Static Analysis Types
    - Hands-on:
      - RegEx Tools
      - Abstract Syntax Trees
      - QL/Semantic Grep Tools => CodeQL and Semgrep
  - Semgrep Deep-Dive
    - Rules Syntax
    - Taint Analysis
    - Metavariables, Metafunctions, and MetaClasses
    - Semgrep against multiple languages:
      - Python
      - JavaScript
      - Go(lang)
      - Java
      - Ruby
    - Writing security rules against your codebase
  - CodeQL Deep-Dive
    - Rule Syntax
    - CodeQL VSCode Composition Tools
    - CodeQL for multiple languages:
      - C#
      - Python
      - Java
      - JavaScript
    - Using CodeQL to query your codebase
  - Challenge Segment - Finding security bugs with Semgrep and CodeQL
  - Static Analysis Automation Strategies
    - Hands-on:
      - Automation in IDE
      - Automation - Part of Git hooks
      - Automation - PR and MR Static Analysis Tooling (GitHub Actions, etc.)
      - Automation - Build Pipeline and Pre-Deployment
  - Static Analysis for Infrastructure-as-Code
    - Hands-on:
      - Kube-Linter
      - Checkov
      - Integrating Infrastructure-as-Code Scanning with GitHub Actions and Deploy Pipelines
  - Bringing SAST Tools into your pipeline
    - Integrating Semgrep into your GitLab CI
    - Leveraging CodeQL in your GitHub Actions Workflow
- Source Composition Analysis and Software Bill of Materials in DevSecOps
  - Concept Overview:
    - Artifact Lifecycle
    - SBOM
    - Package Provenance
    - SLSA - Supply-Chain Levels for Software Artifacts
    - Source Composition Analysis
  - Package Provenance and Assurance Deep-Dive
    - Cosign Deep-Dive - Keyed and Keyless
    - SLSA Provenance Generator for GitHub Actions and Levels
  - SBOM Deep-dive:
    - Hands-on:
      - CycloneDX
      - SPDX, SWID
      - VEX - Vulnerability Exploitability eXchange
  - SCA Deep-dive and Automation Strategies:
    - Hands-on:
      - Incremental SCA with GitHub Actions => Pull Requests and Merge Requests
      - Package Manager integrated SCA with NPM, Poetry, Dependabot
      - Automating SBOM scanning with Dependency Track
  - Challenge Segment - Deploying and using SCA tools
  - Bringing SAST and SCA tools into your pipeline
    - Building a GitHub Actions workflow for using CodeQL and Dependabot
- Dynamic Application Security Testing with Continuous Integration
  - Concepts of DAST with Security Testing
    - Security Automation Testing using OWASP ZAP, Selenium, OpenAPI (Swagger)
    - Security Regression Tests - How to design and write them
  - Nuclei Deep-Dive
    - Hands-on:
      - Writing your own Nuclei Templates
      - Integrating Nuclei into Pipelines
      - Using Nuclei for Security Regression
      - Using Nuclei for Security Scanning
  - Application Security Automation and Test Orchestration - Deep-Dive:
    - OWASP ZAP Deep-Dive
      - Scan Policy
      - Extensions
    - OWASP ZAP API Deep-Dive
      - Leveraging OWASP ZAP API and (Tavern/RESTInstance/Chai) to test web services and microservices
      - OWASP ZAP API Testing with OpenAPI Specification
    - OWASP ZAP Scripting Workshop
      - Create Active Scan Scripts for Custom Application Vulnerabilities
  - Challenge Segment - Finding security bugs with Nuclei

# Day 2

- Supply Chain Security Provenance and Automation
  - Understanding and using SLSA (Supply-Chain Levels for Software Artifacts Standard) to measure your security maturity
  - SLSA and Artifact Provenance
  - Authenticated Provenance with Keyless Cosign
  - Best Practices for SLSA with Provenance Generation
  - Advanced Supply-Chain Security Assurance with Hermetic Builds
  - Challenges
    - Signing container artifacts using keyless Cosign
    - Assessing library/package using Continuous SBOM Analysis platforms
- Policy-as-code with Open Policy Agent
  - Open Policy Agent Basics and Framework Overview
  - Hands-on: Rego Basics - Language essentials and composition rules
  - Hands-on:
    - Using OPA and Rego for API RBAC and AuthZ Implementation with API Gateways
    - Using OPA for Advanced Input Validation for APIs
    - Using OPA for Terraform Policy Definition and Enforcement
- Secrets Management
  - Intro to Secrets Management - A Case for a structured approach to managing secrets
  - Secrets vs Sensitive Information - A Distinction and Varied Threat Model
  - Secret Management Fails:
    - Secret Management in GitOps fails
    - Real-world incidents that were caused extensively by bad secrets management
  - Secrets Management with HashiCorp Vault (Hands-on):
    - Introduction to HashiCorp Vault and its API
    - Deploying Vault in Production
    - Managing Secrets with Vault => Static Secrets
    - Encryption, Key Rotation, and Rewrapping with Vault Transit Secrets Engine
    - Dynamic Secrets with Vault => Utilizing Dynamic Secrets for short-term leases for databases
  - Challenge Segment - Configuring your secrets manager correctly
- Building a Jenkins pipeline that includes SAST, SCA, and DAST, and leverages appropriate Secrets Management to ensure that your deployments are continuous and secure.
- Securing Containerized Deployments
  - Introduction to Container Technology and Security Considerations
    - Docker Introduction
    - Hands-on: Docker basics and Basic Orchestration
  - Identifying and Exploiting Container Security Vulnerabilities and Exploits
    - Hands-on: Container Breakout
    - Hands-on: Container Daemon Compromise
    - Hands-on: Common Container Network Security Flaws and Exploits
    - Hands-on: Leveraging BotB to Automate Container Security Vulnerability Assessment and Exploitation in CI/CD Pipelines
  - Automating Container Security
    - Automating Container and Host Vulnerability Assessment:
      - Hands-on: Docker Bench
      - Hands-on: Static Analysis with Clair and Dagda
    - Securing Container Runtime:
      - Hands-on: Syscall Profiling and applying:
        - AppArmor
        - SECCOMP Profiles
        - Container Capabilities and Restrictions
    - Monitoring Containerized Environments for Security:
      - Monitoring Success Factors for Containers
      - Use of tools like Sysdig Falco to identify security exceptions/attacks against containers
  - Challenge Segment - Container security challenges

**Technical difficulty of the class (Beginner, Intermediate, Advanced):** 

Beginner to Intermediate 

**Suggested prerequisites for the class:** 

- Working knowledge of Application Security Vulnerabilities and Defenses
- Knowledge of coding, specifically in Python, is a big plus

**Items students will need to provide:** 

- Laptop or tablet with a browser that can connect to the internet over Wi-Fi
- Please ensure that you use devices that are not bound by an extremely strict web proxy/DLP policy

DATE: August 12th-13th, 2024

TIME: 8am to 5pm PDT

VENUE: Sahara Las Vegas

TRAINER: Ganga Sumanth, Vishnu Prasad

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before July 1st; a $250 processing fee applies.

Trainings are non-refundable after July 10th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.