Organizations are moving to the cloud to enable digital transformation and reap the benefits of cloud computing. However, security teams struggle to understand the DevOps toolchain and how to introduce security controls into their automated pipelines responsible for delivering changes to cloud-based systems. Without effective pipeline security controls, security teams lose visibility into the changes released into production environments.
SEC540: Cloud Security and DevSecOps Automation has just had a major update that will help you in your efforts to “shift left” by expanding the hands-on exercises that teach you why and how to shift left – and to do it well. Doing so will make your security team faster and more efficient, while reducing the window of exposure to potential security issues. This new iteration of SEC540 will teach you how to inject security within the flow of the DevOps team, creating a stronger security engineering culture that uses best practices and improves the bottom line and reputation of your organization.
The New SEC540 has been updated to reflect up-to-the-moment modern DevSecOps practices going beyond the pipeline and CI/CD, and using tools such as Jenkins, Infrastructure as Code (IaC), and GitOps best practices. The entire lab environment has been enhanced with modern tools, starting with Day 1’s focus on GitOps and how to glue together cloud DevOps and IaC.
SEC540 Lab Infrastructure
Read more details below on the section-by-section updates.
SEC540: Cloud Security and DevSecOps Automation
SEC540.1: DevOps Security Automation
- Streamline the introduction to DevOps material to make room for new content
- New content introducing GitFlow, GitHub Actions, GitLab CI / CD, and Azure DevOps tooling
- Pre-Commit: Exploring Rapid Risk Assessments (RRA) as code, gathering code inventory with scc, the Pre-Commit Framework, and branch protections and CODEOWNERS files for GitHub, GitLab, and Azure DevOps
- Commit: Learning to use Semgrep and Dependency Check as pipeline security controls, and how to parse their machine-readable report formats
- Secrets management: Integrating Jenkins with HashiCorp Vault, AWS secrets manager, and Azure Key Vault
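Pipeline controls such as Semgrep only block a change if something reads their machine-readable output and decides whether to fail the build. The following is an added example, not course material or Semgrep's own code: a small gate that parses a SARIF 2.1.0 document (the format `semgrep --sarif` and many other scanners emit), counts findings per level, and fails when any finding at or above a chosen severity is not on an allowlist. The embedded report and its rule ids are constructed for illustration; the `main` entry point and its argument handling are the example's own.

```python
import json
import sys
from collections import Counter

# Constructed sample report (not real Semgrep output): a SARIF 2.1.0 document
# in the shape that `semgrep --sarif` and other scanners emit.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep"}},
        "results": [
            {"ruleId": "example.python.eval-detected", "level": "error",
             "message": {"text": "Use of eval() on untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example.python.subprocess-shell-true", "level": "warning",
             "message": {"text": "subprocess called with shell=True"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/tasks.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "example.python.missing-docstring", "level": "note",
             "message": {"text": "Public function lacks a docstring"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 5}}}]},
            # SARIF allows `level` to be omitted; the spec's default is "warning",
            # so a gate that ignores level-less results would silently miss them.
            {"ruleId": "example.python.hardcoded-tmp-path",
             "message": {"text": "Hard-coded /tmp path"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/io.py"},
                 "region": {"startLine": 88}}}]},
        ],
    }],
})

# SARIF result levels, ranked so a threshold comparison is meaningful.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def parse_sarif(text):
    """Flatten every result in every run into a list of plain dicts."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            path, line = None, None
            locations = result.get("locations") or []
            if locations:
                phys = locations[0].get("physicalLocation", {})
                path = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
            findings.append({
                "tool": tool,
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),  # SARIF default level
                "message": result.get("message", {}).get("text", ""),
                "path": path,
                "line": line,
            })
    return findings


def summarize(findings):
    """Count findings per level, e.g. {'error': 1, 'warning': 2, 'note': 1}."""
    return dict(Counter(f["level"] for f in findings))


def gate(findings, fail_on="error", allowlist=()):
    """Return (passed, blocking): blocking holds findings at or above the
    fail_on level whose rule id is not on the allowlist."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f["level"], 0) >= threshold and f["rule"] not in allowlist
    ]
    return len(blocking) == 0, blocking


def main(argv):
    # Usage: python sarif_gate.py report.sarif [error|warning|note]
    # With no arguments the constructed sample report is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    fail_on = argv[2] if len(argv) > 2 else "error"
    findings = parse_sarif(text)
    print("summary:", summarize(findings))
    passed, blocking = gate(findings, fail_on=fail_on)
    for f in blocking:
        print(f"{f['level']:8} {f['path']}:{f['line']} {f['rule']} - {f['message']}")
    return 0 if passed else 1  # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is what the pipeline stage keys on, so the same script works in Jenkins, GitHub Actions, GitLab CI, or Azure DevOps without scanner-specific plugins; keeping the allowlist explicit (rule ids, not whole files) keeps accepted risk reviewable in the repository alongside the code.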
SEC540.2: Cloud Infrastructure Security
- Cloud IaC: New examples comparing Terraform and AWS CloudFormation
- Configuration Management as Code: Learning how to use Ansible, Packer, and InSpec to build hardened gold images.
SEC540.3: Cloud Security Operations
- Cloud Deployment & Orchestration
- Deploying workloads to Kubernetes using Azure DevOps pipeline configuration
- Building CloudWatch Dashboards as Code
- Integrating CloudWatch Alerts, Lambda, and Slack notifications
SEC540.4: Cloud Security as a Service
- Blue / Green deployments with AWS Application Load Balancer weighted target groups
- Building Azure CDN with Terraform
- Configuring AWS CloudFront key pair groups
- Exploring microservice service mesh projects and capabilities
SEC540.5: Compliance as Code
- Updated the AWS WAF content to WAF v2
- Learning to build custom AWS WAF v2 rules
DevOps is the set of cultural and technical practices that enable teams to deliver value to their stakeholders quickly, securely and reliably. Take SEC540: Cloud Security and DevSecOps Automation and let us teach you how. Read the full course description here.
3-part Webcast Series
- Locking Down GitFlow with GitHub, GitLab, and Azure DevOps, with Eric Johnson
- Setting the Gold Standard - Using CI Pipelines to Create Validated OS Images, with Ben Allen
- Cloud Static Analysis Showdown, with Frank Kim
ABOUT THE COURSE AUTHORS
Eric Johnson
Eric is a Co-founder and Principal Security Engineer at Puma Security and a Senior Instructor with the SANS Institute. His experience includes cloud security assessments, cloud infrastructure automation, static source code analysis, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is the lead author and an instructor for SEC540: Cloud Security and DevSecOps Automation, a co-author and instructor for both the brand new SEC510: Public Cloud Security: AWS, Azure, and GCP, and the upcoming SEC584: Cloud Native Security: Defending Containers & Kubernetes. Additionally, Eric is a SANS Security Awareness Developer Training Advisory Board Member and SANS Analyst for Application Security and DevSecOps Surveys.
Frank Kim
Frank is the Founder of ThinkSec, a security consulting and CISO advisory firm, as well as a SANS Fellow and lead for both the SANS Cybersecurity Leadership and SANS Cloud Security curricula, overseeing two dozen SANS courses in the two fastest growing curricula. Previously, as CISO at the SANS Institute, Frank led the information risk function for the most trusted source of computer security training and certification in the world. Frank is also the author and instructor of MGT512: Security Leadership Essentials for Managers, MGT514: Security Strategic Planning, Policy, and Leadership, and co-author of SEC540: Cloud Security and DevSecOps Automation.
Ben Allen
Ben Allen is the co-author of SEC540: Cloud Security and DevSecOps Automation, and a senior member of the SANS information technology team. He applies knowledge gained over a decade of information security experience to problem domains ranging from packet analysis to policy development on an ongoing basis. Ben has contributed to security best practices for DevSecOps and operationalized DevOps techniques for security teams leading to improvements in release time and stability.