OpenHack – DevSecOps (OHDVSCO)

 

Course Overview

Please note attendees work together in teams of 5 as a minimum and the pricing advertised is per team of 5.

Course Content

This OpenHack enables attendees to add security-oriented tooling into their workflow and CI/CD tasks. This OpenHack simulates a real-world scenario where a development team is concerned, they might have leaked information in their web app that could expose their site to being hacked. This discovery has led the team to leverage DevSecOps practices to increase their security posture and catch issues early in the development process.

Technologies:

Microsoft Azure DevOps, Azure Key Vault, Azure Automation, Microsoft Security Code Analysis, Azure Kubernetes Service, Azure Container Registry, Azure Active Directory, Third Party Sonar Cloud, Aqua, Fossa, White Source,

Prerequisites

To be successful and get the most out of this OpenHack and to avoid any delays with downloading or installing tooling, you are encouraged to have the following ready to go.

Course Objectives

During the “hacking” attendees will focus on leveraging available tools/tasks in Azure DevOps to enable best-practice oriented scenarios such as:

  • Managing Secrets
  • Enabling static analysis/ dependency/ container scanning
  • Dynamic Application Security Testing
  • Workflow and organization policy enforcement

By the end of the OpenHack, attendees will have built out a technical solution that enables secure development workflow taking into account recommended best practices, all found through real world engagements with S500 and Hi-Po partners.

Outline: OpenHack – DevSecOps (OHDVSCO)

Challenge 1: Managing Secrets

  • Identify the tools and technologies that can help to protect from leaking credentials and secrets while in development
  • Create a custom search pattern for secrets in your source code

Challenge 2: Secret Rotation

  • Manage/Rotate secrets in dev/test/production environments

Challenge 3: Keep your code clean and vulnerability free

  • Identify the tools and technologies that you will use find security issues early in your development process
  • Design/implement a workflow that eliminates many issues and false positives using static code analysis and dependency scanning
  • Analyze dependencies in code and scan containers for known vulnerabilities

Challenge 4: Automate penetration testing

  • Scan for OWASP top 10 vulnerabilities
  • Incorporate pen testing into UI Automation testing
  • Adjust scoring algorithm based on your threat model (SMACD)

Challenge 5: Streamline and integrate workflow

  • Learn techniques/ trade-offs to speed up execution and minimize impact to developer productivity.
  • Integrate into PR based workflow to provide effective and timeline feedback from automation
  • Enable bot automation to streamline false positive resolution in external systems such as sonarcloud

Challenge 6: Apply security policy to your organization

  • Make DevSecOps mandatory for all PR merges to master branches for your organization
  • Reject a push to repository that contains secrets

Challenge 7: Enable quality gates and resolve issues

  • Implement quality gates
  • Resolve some of the discovered issues

At the end of the event, we will provide content and a recommended set of task that can be incorporated into a dev crew engagement to enable some of the practices that are covered during the event.

Prices & Delivery methods

Online Training

Duration
3 days

Price
  • Online Training: CAD 13,500
  • Online Training: US $ 10,000
Classroom Training

Duration
3 days

Price
  • Canada: CAD 13,500

Schedule

Currently there are no training dates scheduled for this course.