THE DEVSECOPS MASTERCLASS
Managing comprehensive security for continuous delivery of applications across organizations continues to remain a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging.
This training is designed to give a practical approach of implementing Security across Continuous Delivery Pipelines by leveraging the plethora of cloud offerings and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.
The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud with detailed perspectives of implementing scalable security for cloud-native deployments. By the end of this 2-day training, attendees will have enough ideas and hands-on experience in-order to successfully kickoff DevSecOps implementations.
In addition, students will walk away with a powerful DevSecOps toolkit that can be used to integrate and orchestrate security tools This training has been very popular as a sold-out program in BlackHat USA 2019, CodeBlue Japan, as well as several OWASP events in the past.
Practical and Scalable Application Security Automation Techniques that work across different segments of the Agile SDL or DevOps pipeline
Integration of AppSec test activities in the CI/CD pipeline
Leverage open-source tools and test automation frameworks to integrate SAST, DAST, SCA, IAST in the CI/CD Pipeline
Leverage Automation Techniques to implement Security practices for Cloud Deploy
After this training, attendees will know:
A plethora of Implementation techniques and ideas with hands-on experience to be able to implement a full-fledged Application Security Pipeline
Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate
Detailed Cloud Security Automation coverage with Terraform and boto3. Tools that are extensively used to provision cloud environments. Gives participants immediate approaches to implement scalable cloud security
The trainer will provide:
Instructions for the Labs
Slides for the entire session + Speaker notes
Access to we45 cloud labs
Code snippets used and the setup files to configure lab environment post-training
Attendees should bring:
A Laptop with an SSH client and ability to connect to WiFi networks in class (Optional) BurpSuite License for 1 Lab around BurpSuite Automation.
=> However, code will be provided for practice offline as well
AWS Account with Administrative Access to the account. We will be using free-tier resources to provision and quickly deprovision resources through Terraform/boto3. Recommend to NOT bring work AWS accounts.
** Note on the Lab Environment **
The participants will be using our state-of-the-art lab management system that has evolved over the years based on the feedback received from our trainings across the world. This eliminates the need for participants to bring high-compute machines with third-party applications installed, that is typically required for most trainings. The lab management system provisions on-demand lab servers that can be accessed via. any browser providing a terminal interface, code-editor and all other dependencies that are necessary to run the labs.
This enables the participants to essentially walk into our trainings with any device that has a browser installed and they will be able to participate in all hands-on labs. All artifacts such as code snippets, slides and setup scripts used in the training will be available for the participants to download and use even after the training concludes
Pre-requisites for attendees:
Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
Basic knowledge of Linux command line
Basic knowledge of some (any) programming language
Basic/Rudimentary understanding of Cloud concepts and services
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world's first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to his work in Application Security Automation, he has created "ThreatPlaybook", a unique open-source framework that marries Threat-Modeling (as-Code) with Application Security Automation.
ThreatPlaybook has been featured in several industry events and been recently featured in BlackHat USA 2018's Arsenal event. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, namely Containers, Orchestration and Serverless Architectures. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan) and so on.
He's also an author and trainer on Pluralsight. He writes on IT and IT Security-focused areas in his blog. Abhay is the author of two international publications "Secure Java: For Web Application Development" and "PCI Compliance: A Definitive Guide"