
SEC534: Secure DevOps: A Practical Introduction

SEC534: Secure DevOps: A Practical Introduction explains the fundamentals of DevOps and how DevOps teams can build and deliver secure software. You will learn DevOps principles, practices, and tools and how they can be leveraged to improve the reliability, integrity, and security of systems.

Using lessons from successful DevOps security programs, this course will explain how Secure DevOps can be implemented. Students will gain hands-on experience using popular open-source tools such as Puppet, Jenkins, GitLab, Vault, Grafana, and Docker to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring. The lab environment starts with a CI/CD pipeline that automatically builds, tests, and deploys infrastructure and applications. Leveraging the Secure DevOps toolchain, students perform a series of labs injecting security into the CI/CD pipeline using a variety of security tools, patterns, and techniques.

You Will Learn

  • Foundations and principles of DevOps, Continuous Delivery, and Continuous Deployment
  • The security risks and challenges posed by DevOps
  • The keys to successful DevOps security programs
  • How to build security into Continuous Delivery and Continuous Deployment
  • The tools, patterns, and techniques of security automation in DevOps
  • How to secure your build and deployment environment and tool chain
  • How to leverage Infrastructure as Code for secure configuration management and provisioning
  • How manual security practices (risk assessments, audits, and pen tests) can be adapted to continuously changing environments, and the important role that they still play
  • Security risks and challenges posed by containers, and how to secure container technology
  • How to automate compliance in DevOps, using the DevOps Audit Defense Toolkit

Course Content Overlap Notice:

Please note that course material for SEC534 and SEC540 overlaps. Days 1 and 2 of SEC540 contain material that is covered in SEC534. We recommend SEC540 for those interested in DevOps and Cloud Security Automation. SEC534 only covers Secure DevOps topics.

Course Syllabus

Overview

SEC534 starts by introducing DevOps practices, principles, and tools. We will examine how DevOps works, how work is done in DevOps, and the importance of culture, collaboration, and automation.

Using case studies of DevOps "Unicorns" - the Internet tech leaders who've created the DevOps DNA - we'll consider how and why these leaders succeeded and examine the keys to their DevOps security programs.

We'll then look at Continuous Delivery, which is the DevOps automation engine. We'll explore how to build up a Continuous Delivery or Continuous Deployment pipeline, including how to fold or wire the DevSecOps security controls into the Continuous Delivery pipeline, and how to automate security checks and tests in Continuous Delivery.

Exercises
  • Exploring CI/CD Tools and Pipelines
  • Deployment Kata
  • Pre-Commit Security: Git Hooks and Security Unit Testing
  • Automating Static Analysis in CI
  • Automating Dynamic Analysis in CI/CD

CPE/CMU Credits: 6

Topics
  • Introduction to DevOps
  • Case Studies on DevOps Unicorns
  • Working in DevOps
  • Security Challenges in DevOps
  • Building a CD Pipeline
  • DevOps Deployment Data
  • Secure Continuous Delivery
  • Security in Pre-Commit
  • Security in Commit
  • Security in Acceptance

Overview

Building on the ideas and frameworks developed in Section 1 of the course, and using modern automated configuration management tools like Puppet, Chef, and Ansible, you'll learn how secure Infrastructure as Code allows you to quickly and consistently deploy new infrastructure and manage configurations.

Because the automated Continuous Delivery pipeline is so critically important to DevOps, you'll also learn to secure the pipeline, including RASP and other run-time defense technologies.

As the infrastructure and application code moves to production, we'll spend the second half of the day exploring container security issues associated with tools such as Docker and Kubernetes, as well as how to protect secrets using Vault and how to build continuous security monitoring using Grafana, Graphite, and StatsD.

Finally, we will explain how to build compliance into Continuous Delivery, using the security controls and gates that we've already built in.

Exercises
  • Configuration Management with Puppet
  • Auditing Docker's Security
  • Monitoring with Dashboards, Grafana, and Graphite
  • Protecting Secrets with Vault
  • Auditing with OpenSCAP

CPE/CMU Credits: 6

Topics
  • Secure Configuration Management Using Infrastructure as Code
  • Securing Configuration Management and the Continuous Integration/Continuous Delivery Pipelines
  • Container Security, Hardening, and Orchestration
  • Continuous Monitoring and Feedback Loops
  • Secure Secrets Management
  • Automating Compliance as Code
  • Going Forward: Introducing Security into DevOps, and DevOps into Security
  • Quick Wins and Long-term Investments Needed to Succeed

Additional Information

Plan to arrive early on Day 1 (8:30 AM local time) for lab preparation and setup. During this time, students can ensure laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine.

The instructor will be available to assist students with laptop prep and set-up from 8:30-9:00 AM. Class lecture begins at 9:00 AM (excludes vLive, Mentor, and OnDemand).

BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly:

Download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to the start of the class.

  • If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 14.0, VMware Fusion 10.0, or VMware Workstation Player 14.0.
  • If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Host Hardware Requirements

  • CPU: 64-bit 2.5+ GHz multi-core processor or higher
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • Hard Disk: Solid-State Drive (SSD) is REQUIRED with 50GB of free disk space minimum
  • Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT - 16GB of RAM is mandatory)
  • Working USB 2.0 or higher port
  • Wireless Ethernet 802.11 B/G/N/AC
  • You must have Local Administrator Access within your host operating system

Mandatory Host Operating System Requirements

You must bring a 64-bit laptop with one of the following operating systems, which have been verified to be compatible with the course VMware image:

  • Windows (8 or 10)
  • Mac OS X (Sierra, High Sierra, Mojave)

Mandatory Software Requirements

Prior to class, ensure that the following software is installed on the host operating system:

  • VMware Workstation Pro 14.0, VMware Fusion 10.0, or VMware Workstation Player 14.0
  • Zip File Utility (7Zip or the built-in operating system zip utility)

In summary, before beginning the course you should:

  • Bring a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system.
  • Install VMware (Workstation, Workstation Player, or Fusion).
  • Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled.
  • Verify that the USB drive is active and capable of mounting an exFAT file system. (The course VM will be copied onto your laptop from a USB key provided by SANS.)

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Developers, software architects, operations engineers, and system admins working in a DevOps environment, or transitioning to a DevOps environment, who want to understand how and where to add security checks, testing, and other controls.
  • Security analysts, security engineers, auditors and risk managers, security consultants, and pen testers who want to understand how to adapt security practices to DevOps and Continuous Delivery.

Students should have the following:

  • A basic understanding of application security, common attacks, and vulnerabilities (e.g., the OWASP Top 10)
  • Some familiarity with Agile development and Agile project/product management practices
  • Basic familiarity with Linux command shells

  • Course Books
    • Day 1: Introduction to DevOps, Continuous Delivery and Secure DevOps
    • Day 2: Moving a System to Production Using Secure Continuous Delivery
  • Lab Workbook
  • Lab environment
  • Extensive links to resources on DevOps, Continuous Delivery/Deployment, case studies, tools, and practices

  • Understand the core principles and patterns behind DevOps, how work is done in DevOps, and what the keys to success in DevOps are
  • Map out and implement a Continuous Delivery/Deployment pipeline
    • How to do a Value Stream Map of the processes and workflows in making code or configuration changes - from check-in to deployment and operations
    • How Continuous Integration, Continuous Delivery, and Continuous Deployment work, including workflows, patterns, and tools
    • How to identify the security risks and issues in DevOps and Continuous Delivery
  • Map out where security controls and checks can be added in Continuous Delivery and Continuous Deployment
    • Conduct effective risk assessments and threat modeling in a rapidly changing environment
    • Design and write automated security tests and checks in CI/CD
    • Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
    • Implement self-service security services for developers
    • Inventory your software dependencies and secure them
    • Threat model and secure your build and deployment environment
  • Integrate security into production operations
    • Automate security policies
    • Leverage container technologies (such as Docker) for security
    • Automate compliance and run-time defense
    • Create continuous feedback loops from production to engineering
  • Create a plan for introducing or improving security in a DevOps environment
  • How to use DevOps to secure DevOps
  • Understanding how a Continuous Delivery/Deployment pipeline works
  • The DevOps Deployment Kata
  • How to implement static analysis testing into Continuous Delivery
  • How to write automated security tests in Continuous Delivery
  • Security in system monitoring
  • Infrastructure as Code - securing a Puppet manifest
  • Container Security - finding vulnerabilities in Docker configurations
  • Automated auditing

"A fast-paced and illustrative two days on the current state of security for DevOps. Well worth the time invested to take the class." - Michael Machado, Ring Central

"I have read a lot, and watched a lot of webinars, about DEV Sec Ops. But none of those told me how to implement security in the DEV Ops pipeline. This course provided me with a ton of concrete steps I can take to integrate the security into our company." - Matthew Theobald, Schneider Electric

"Given the substantial breadth of security topics covered, I was impressed by the incredible technical depth throughout this course, and the well-researched links to resources to facilitate further learning and practical implementation." - Brett Vasconcellos

"The material/contents of this class are excellent. They help me learn all the tools that are relevant to work." - Hoan Le, Ring Central

Author Statement

"DevOps is already radically changing the way that organizations design, build, deploy, and operate online systems. DevOps leaders like Amazon, Etsy, and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning, improving, and growing - and leaving their competitors far behind. Now DevOps is making its way from Internet 'Unicorns' and cloud providers into enterprises.

"Traditional approaches to security can't come close to keeping up with this rate of accelerated change and with engineering and operations teams that have broken down 'the walls of confusion' between their organizations and are increasingly leveraging new kinds of automation, such as Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers, and cloud service platforms.

"Security must be reinvented in a DevOps world."

- Ben Allen and Jim Bird




*Course contents may vary depending upon location, see specific event description for details.