Fundamentals of DevSecOps

Materials

All DevSecOps training attendees receive comprehensive courseware.

Software Needed on Each Student PC

Attendees will not need to install any software on their computers for this class. The class will be conducted in a remote environment that Ascendient Learning will provide; students will only need a local computer with a web browser and a stable Internet connection. Any recent version of Microsoft Edge, Mozilla Firefox, or Google Chrome will work well.

Introduction to DevSecOps

Understanding DevSecOps Principles and Culture

• DevOps vs. DevSecOps: Shifting Security Left
• Integrating Security into CI/CD pipelines
• The DevSecOps toolchain and ecosystem

Overview of Key DevSecOps Tools and Frameworks

• Introduction to OWASP and Top 10 vulnerabilities
• Overview of Snyk, SonarQube, ZAP, and other essential tools

Static Application Security Testing (SAST)

What is SAST?

• Difference between SAST, DAST, and IAST
• Integrating SAST into CI/CD pipelines

SAST Tools

• Setting up and configuring SonarQube for code quality and security
• Using Snyk for static analysis of open-source vulnerabilities

Coding for Security

Secure Coding Best Practices

• Common coding vulnerabilities and how to avoid them
• OWASP Top 10 and real-world examples
• Introduction to OWASP Secure Coding Practices

Dynamic Application Security Testing (DAST)

What is DAST?

• Overview of Dynamic Analysis and how it complements SAST
• Introduction to OWASP ZAP as a DAST tool

ZAP

• Setting up ZAP for automated scans
• Exploring ZAP’s Spidering, Active Scanning, and Fuzzing functionalities

Vulnerability Scanning and Software Composition Analysis (SCA)

What is SCA and its Role in DevSecOps?

• Introduction to software composition analysis (SCA) for open-source dependencies
• Snyk for SCA

Snyk for Vulnerability Scanning

• Identifying and remediating vulnerabilities in dependencies
• Integrating Snyk with CI/CD and setting up real-time monitoring

Security Policy and Compliance

Creating Security Policies and Compliance Checks

• Defining security policies based on OWASP and NIST guidelines
• Configuring SonarQube quality gates for compliance enforcement

Interactive Application Security Testing (IAST)

Introduction to IAST

• How IAST differs from SAST and DAST, benefits in a DevSecOps context
• IAST tools overview (e.g., Contrast Security, Veracode, or AppScan)

IAST Tools

• Setting up an IAST environment and testing applications
• Integrating IAST into CI/CD pipelines for continuous monitoring

Security Orchestration and Automation

Security Automation in DevSecOps

• Using Jenkins, GitHub Actions, or GitLab CI for automated security testing
• Orchestrating SAST, DAST, SCA, and IAST in a unified pipeline

Automating Response and Reporting

• Creating alerts and reports for vulnerabilities
• Using security orchestration tools (e.g., XSOAR)

Threat Modeling and Continuous Improvement

Introduction to Threat Modeling

• Overview of threat modeling and its role in DevSecOps
• Using OWASP Threat Dragon

Implementing SAST in a CI/CD Pipeline

• Integrating SonarQube and Snyk with GitHub or GitLab CI/CD
• Analyzing and interpreting results: Remediation strategies for common vulnerabilities

Refactoring Code for Security

• Identifying vulnerabilities using SAST results
• Hands-on refactoring exercises to remediate security issues

Integrating ZAP into CI/CD Pipelines

• Configuring automated ZAP scans within a CI/CD pipeline
• Reviewing ZAP reports and interpreting scan results

Analyzing Open-Source Dependencies

• Reviewing and resolving dependency vulnerabilities using Snyk

Compliance Automation

• Setting up SonarQube quality gates and Snyk policies in the pipeline
• Using compliance results to enforce security requirements

Running and Interpreting IAST Results

• Reviewing vulnerabilities identified by IAST
• Discussion on remediation approaches and CI/CD integration

Building an Automated Security Pipeline

• Designing a pipeline with integrated SAST, DAST, SCA, and IAST scans
• Generating automated reports and triggering notifications on findings

Threat Modeling

• Identifying potential threats and mitigations for a sample application
• Incorporating threat modeling insights into DevSecOps practices

Conclusion