
DEV540: Secure DevOps and Cloud Application Security (Beta)

This course covers how developers and security professionals can build and deliver secure software using DevOps and cloud services, specifically Amazon Web Services (AWS). It explains how principles, practices, and tools in DevOps and AWS can be leveraged to improve the reliability, integrity, and security of applications.

The first two days of the course cover how Secure DevOps can be implemented using lessons from successful DevOps security programs. Students build a secure DevOps CI/CD toolchain and understand how code is automatically built, tested, and deployed using popular open source tools such as git, Puppet, Jenkins, and Docker. In a series of labs you learn to inject security into your CI/CD toolchain using various security tools, patterns, and techniques.

The final three days of the course cover how developers and security professionals can utilize AWS services to build secure software in the cloud. Students leverage the CI/CD toolchain to push application code directly to the cloud instead of to local servers on their class virtual machines. Students analyze and fix applications hosted in the cloud using AWS services and features such as API Gateway, IAM, signed URLs, Security Token Service, autoscaling, KMS, encryption, WAF, and Lambda for Serverless computing.


The course makes extensive use of open source materials and tooling for automated configuration management ("Infrastructure as Code"), Continuous Integration, Continuous Delivery, Continuous Deployment, containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring.

This course also makes extensive use of Amazon Web Services (AWS) and associated developer tools such as CloudFormation, CodeCommit, CodeBuild, CodePipeline, and other cloud application services so students can experience how these services can be utilized in their applications.

This course will prepare you to:

Understand the core principles and patterns behind DevOps.

  • Recognize how work is done in DevOps, and identify keys to success in DevOps

Map out and implement a Continuous Delivery/Deployment pipeline

  • Create a Value Stream Map of the processes and workflows in making code or configuration changes - from check-in to deployment and operations.
  • Utilize Continuous Integration, Continuous Delivery and Continuous Deployment workflows, patterns and tools.
  • Identify the security risks and issues in DevOps and Continuous Delivery.

Map out where security controls and checks can be added in Continuous Delivery and Continuous Deployment

  • Conduct effective risk assessments and threat modeling in a rapidly changing environment.
  • Design and write automated security tests and checks in CI/CD. Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery.
  • Implement self-service security services for developers.
  • Inventory your software dependencies and secure them.
  • Threat model and secure your build and deployment environment.

Integrate security into production operations

  • Automate security policies.
  • Leverage container technologies (such as Docker) for security.
  • Automate compliance and run-time defense.
  • Create continuous feedback loops from production to engineering.

Create a plan for introducing - or improving - security in a DevOps environment.

  • Use DevOps practices to secure DevOps tools and workflows.

Move your DevOps workflows to the cloud

  • Use Amazon Web Services (AWS)
  • Use CloudFormation to create Infrastructure as Code
  • Build CI / CD pipelines using CodePipeline
  • Containerize applications with EC2 Container Registry and EC2 Container Service

Consume cloud services to secure cloud applications

  • Authorize requests using IAM and Cognito
  • Secure REST APIs with API Gateway
  • Scale horizontally with load balancers and autoscaling groups
  • Protect sensitive secrets with KMS
  • Monitor for security events using CloudWatch


Course Content Overlap Notice:

Please note that the course material for DEV540 and DEV534 overlaps. Days 1 and 2 of DEV540 contain material that is also covered in DEV534. We recommend DEV540 for those interested in DevOps and cloud application security with Amazon Web Services (AWS); DEV534 covers only the Secure DevOps topics.

Course Syllabus

Overview

An introduction to DevOps practices, principles and tooling. How DevOps works, and how work is done in DevOps. The importance of culture, collaboration, and automation in DevOps.

Using case studies of DevOps "Unicorns" - the Internet tech leaders who created the DNA for DevOps - you learn how and why they succeeded, including the keys to their DevOps security programs.

Then you learn Continuous Delivery - the automation engine in DevOps - and how to build up a Continuous Delivery or Continuous Deployment pipeline. This includes how security controls can be folded into or wired into the CD pipeline, and how to automate security checks and tests in CD.

Exercises
  • Understanding CI/CD pipelines
  • Deployment Kata
  • Automating static analysis in CI
  • Automating dynamic analysis in CI/CD

CPE/CMU Credits: 6

Topics
  • Introduction to DevOps
  • Case studies on DevOps Unicorns
  • DevOps Principles
  • Working in DevOps
  • From Continuous Integration to Continuous Delivery
  • Building a CD Pipeline
  • Deployment Kata
  • Secure Continuous Delivery: Challenges and Issues
  • Introducing Security into CD
  • Static Analysis in CD
  • Pen Testing and Manual Assessments - how do they fit in DevOps?
  • Vulnerability Management in CD
  • Securing your Software Supply Chain
  • Automated security testing and scanning in CI/CD
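As an added example of the supply-chain and vulnerability-management checks listed above (this is illustrative code written for this page, not material from the course or its lab VM), here is a dependency inventory gate of the kind that would run as one stage of the CI/CD toolchain. It parses a pinned requirements file, builds an inventory, and fails the build when a dependency is unpinned or matches an advisory. The advisory feed, the advisory identifiers and the requirements text are all constructed for the example; a real stage would pull the feed from a vulnerability database.

```python
"""Dependency inventory gate for a CI stage.

Added illustration, not part of the SANS DEV540 course material. It does
what a supply-chain check in the CI/CD toolchain described above would do:
parse the pinned requirements file, build an inventory, and fail the build
when a dependency is unpinned or matches a known advisory. The advisory
feed, advisory identifiers and requirements text are constructed here.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

# Constructed advisory feed: package -> [(first fixed version, advisory id)].
# A pinned version strictly below the fixed version is treated as affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "requests": [("2.20.0", "EXAMPLE-ADV-0001")],
    "pyyaml": [("5.1", "EXAMPLE-ADV-0002")],
}

# Constructed requirements.txt as a CI job would read it from the repository.
REQUIREMENTS_TXT = """\
# web stack
flask==1.0.2
requests==2.18.4      # below the fixed version in the advisory feed
pyyaml==5.1           # exactly the fixed version: not affected
six                   # unpinned: cannot be inventoried or audited reliably
jinja2>=2.10          # a range, not a pin: the build is not reproducible
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$")


def version_key(version: str) -> tuple:
    """Sort key for dotted versions; numeric parts compare as integers."""
    key = []
    for part in re.split(r"[.\-]", version):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(key)


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({package: pinned version}, [lines that are not exact pins])."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def audit(pinned: Dict[str, str], advisories=ADVISORIES) -> List[dict]:
    """Match the inventory against the advisory feed."""
    findings = []
    for name, version in pinned.items():
        for fixed_in, advisory_id in advisories.get(name, []):
            if version_key(version) < version_key(fixed_in):
                findings.append({"package": name, "version": version,
                                 "fixed_in": fixed_in, "advisory": advisory_id})
    return findings


def gate(requirements_text: str, advisories=ADVISORIES) -> dict:
    """Build the inventory and decide whether the pipeline may proceed."""
    pinned, unpinned = parse_requirements(requirements_text)
    vulnerable = audit(pinned, advisories)
    return {
        "inventory": pinned,
        "unpinned": unpinned,
        "vulnerable": vulnerable,
        "passed": not unpinned and not vulnerable,
    }


if __name__ == "__main__":
    result = gate(REQUIREMENTS_TXT)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)   # non-zero exit fails the CI stage
```

The gate treats an unpinned dependency as a failure in its own right, not just as an audit gap: without an exact pin the inventory cannot say what will actually be built, so the advisory match has nothing reliable to compare against. The same structure applies to a lock file for any other ecosystem; only the parser changes.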

Overview

Building on the ideas and frameworks developed in Section 1, you learn how secure Infrastructure as Code, using modern automated configuration management tools such as Puppet, Chef and Ansible, lets you quickly and consistently deploy new infrastructure and manage configurations.

Because the automated CD pipeline is so critical to DevOps, you also learn how to secure the pipeline itself, and how run-time defense technologies such as RASP protect the applications it deploys. This includes containerization and the security issues that arise when using containers such as Docker.

Next you learn how to protect the secrets used by the automated tools in your CI/CD toolchain.

Finally, you learn how to build compliance into Continuous Delivery, using the security controls and guardrails already built into the DevOps toolchain.

Exercises
  • Managing configuration with Puppet
  • Auditing Docker's security
  • Monitoring with dashboards, Grafana, and Graphite
  • Protecting secrets with Vault
  • Auditing with OpenSCAP

CPE/CMU Credits: 6

Topics
  • Securing your CD Pipeline. Threat modeling and locking down your build and deployment environment.
  • Runtime Checks and Monitoring - monkeys and smart checks.
  • Run-time Defense: RASP, IAST and other run-time security solutions
  • Security in Monitoring. Using production metrics and insight to drive improvements in your security program.
  • Red Teaming, Bug Bounties and Blameless Postmortems
  • Secure Infrastructure as Code. Building security policies into infrastructure code
  • Security with Puppet lab
  • Managing Secrets. The problem of secrets in automated environments. Patterns - and anti-patterns - for managing secrets.
  • Container Security - introduction to containers, Docker, and Docker security risks and tools.
  • Compliance as Code. How to satisfy compliance requirements using Continuous Delivery and Continuous Deployment.
  • Going Forward: introducing security into DevOps - and DevOps into security. Quick Wins and long-term investments needed to succeed.

Overview

Utilizing DevOps principles you learn how to move your CI/CD toolchain into the cloud. This section provides an overview of Amazon Web Services (AWS) and introduces the foundational tools and practices needed to securely deploy your applications in the cloud.

Exercises
  • AWS configuration and setup
  • AWS CLI automation
  • Securing VPC with CloudFormation
  • Infrastructure automation
  • CodeCommit, CodeBuild, and CodePipeline
  • Cloud container Orchestration with ECR and ECS
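As an added example for the "Securing VPC with CloudFormation" exercise above and the Secure Infrastructure as Code and Compliance as Code topics from the previous section (illustrative code written for this page, not course material), here is a policy-as-code check that runs over a CloudFormation template before it is deployed. It flags any security group ingress rule that opens something other than HTTP or HTTPS to the whole Internet. The template is constructed for the example and places a weak security group next to corrected ones; the policy itself (only ports 80 and 443 may be world-open) is an assumption a real team would tune.

```python
"""Policy-as-code check for security groups in a CloudFormation template.

Added illustration, not part of the course material. It flags ingress
rules that expose anything other than HTTP/HTTPS to the whole Internet.
The template is constructed for this example: WeakAdminSg and
WeakAppIngress are the anti-patterns, the other groups are the corrected
forms (public web ports only, or a source security group, or a
restricted CIDR).
"""
import json
from typing import List, Optional

TEMPLATE = json.loads(r"""
{"AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
  "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
  "WeakAdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "anti-pattern: SSH and MySQL open to the world",
    "VpcId": {"Ref": "Vpc"},
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIpv6": "::/0"}]}},
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "public web tier: only HTTP and HTTPS from anywhere",
    "VpcId": {"Ref": "Vpc"},
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
  "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "app tier: reachable only from the web tier",
    "VpcId": {"Ref": "Vpc"},
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
       "SourceSecurityGroupId": {"Ref": "WebSg"}}]}},
  "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "corrected SSH: restricted to the corporate range",
    "VpcId": {"Ref": "Vpc"},
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}]}},
  "WeakAppIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": {"Ref": "AppSg"}, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}}
 }}
""")

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS = {80, 443}   # policy assumption: the only ports allowed from the Internet


def _world_source(rule: dict) -> Optional[str]:
    """Return the world-open CIDR of a rule, or None if it is not world-open."""
    for key in ("CidrIp", "CidrIpv6"):
        if rule.get(key) in ANYWHERE:
            return rule[key]
    return None


def _check_rule(resource_id: str, rule: dict) -> Optional[dict]:
    source = _world_source(rule)
    if source is None:
        return None                      # not Internet-facing: out of scope
    if str(rule.get("IpProtocol")) == "-1":
        return {"resource": resource_id, "ports": "all", "source": source}
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    if lo == hi and lo in PUBLIC_PORTS:
        return None                      # a single public web port: allowed
    return {"resource": resource_id, "ports": f"{lo}-{hi}", "source": source}


def check_template(template: dict) -> List[dict]:
    """Return one finding per world-open ingress rule that violates the policy."""
    findings = []
    for resource_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        if resource.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif resource.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]              # standalone rule resource: same check
        else:
            continue
        for rule in rules:
            finding = _check_rule(resource_id, rule)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_template(TEMPLATE):
        print(f"FAIL {f['resource']}: ports {f['ports']} open to {f['source']}")
```

Running the check as a pipeline stage, with a non-zero exit when findings are present, turns the guardrail into a gate: the weak groups never reach CloudFormation. Note the standalone AWS::EC2::SecurityGroupIngress resource; a check that only reads inline rules misses it, which is a common way a world-open rule slips past a review.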

CPE/CMU Credits: 6

Topics

Introduction to the cloud

  • Overview of cloud definitions
  • IaaS, PaaS, SaaS
  • Key cloud computing characteristics
  • Cloud deployment models
  • Cloud computing adoption
  • Cloud provider comparison

Introduction to Amazon Web Services (AWS)

  • AWS services
  • Application architecture
  • AWS CLI

Cloud infrastructure as code

  • EC2 introduction
  • Virtual Private Cloud networks
  • CloudFormation

Cloud CI/CD

  • CodeCommit
  • CodeBuild
  • CodePipeline
  • Securing CI/CD

Cloud container orchestration

  • Orchestration comparison

    • AWS ECS, Google Container Service, Azure Containers
  • Automating deployment

Overview

Leverage cloud application security services to give applications appropriate authentication and access control while maintaining availability, even while patching critical security defects.

Exercises
  • Service to service authentication with STS and JSON Web Tokens (JWT)
  • Protecting REST web services
  • Securing content with signed cookies
  • Seamless patching with blue/green deploys

CPE/CMU Credits: 6

Topics

Authentication and Access Control

  • AWS IAM
  • AWS Security Token Service (STS)
  • Amazon Cognito

API Gateway

  • API security provider comparison
  • Authentication

    • Cognito User Pools
    • Cognito Federated Identities
    • Custom Identity Providers
  • Securing REST APIs

Availability

  • Elastic Load Balancer (ELB)

    • Classic Load Balancer
    • Application Load Balancer
  • Autoscaling
  • Content Delivery Network (CDN) security comparison
  • CloudFront features
  • Signed Cookies and Signed URLs

Patch Management

  • Blue/Green deploy
  • Approaches for patching running applications
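As an added example of the "service to service authentication with STS and JSON Web Tokens (JWT)" exercise and the Security Token Service topic above (illustrative code written for this page, not the course's lab code), here is the token exchange between two services, both sides in standard-library Python: the caller mints a short-lived JWT bound to an issuer and an audience, and the callee verifies it without trusting anything in the token that it has not checked. The HS256 shared secret is a stand-in assumption; in AWS it would come from a secrets store, or the signing key would be tied to short-lived STS credentials, rather than being a constant in code.

```python
"""Service-to-service authentication with a short-lived signed JWT.

Added illustration, not part of the course material. The caller side
(mint_token) names who the token is for and when it dies; the callee
side (verify_token) pins the algorithm, checks the signature in constant
time, and only then reads the claims. SHARED_SECRET is a stand-in:
in AWS it would come from KMS/Vault or be tied to STS credentials.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"example-only-replace-with-a-secret-from-kms-or-vault"  # assumption
ISSUED_AT_SKEW = 60   # seconds of clock skew tolerated on the iat claim


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_token(secret: bytes, issuer: str, audience: str, subject: str,
               ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Caller side: a token that names its audience and expires quickly."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject,
              "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + _b64url_encode(_sign(secret, signing_input))


def verify_token(token: str, secret: bytes, expected_issuer: str,
                 expected_audience: str, now: Optional[int] = None) -> dict:
    """Callee side: pin the algorithm, check the signature, then the claims."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise TokenError("malformed token") from exc
    # Never let the token choose the verifier: reject "none" and anything else.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = _sign(secret, header_b64 + "." + claims_b64)
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        raise TokenError("bad signature")
    # Only after the signature is good do the claims mean anything.
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError as exc:
        raise TokenError("malformed claims") from exc
    if not isinstance(claims, dict) or claims.get("iss") != expected_issuer:
        raise TokenError("wrong issuer")
    if claims.get("aud") != expected_audience:      # minted for another service
        raise TokenError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise TokenError("expired")
    if int(claims.get("iat", now)) > now + ISSUED_AT_SKEW:
        raise TokenError("issued in the future")
    return claims


if __name__ == "__main__":
    token = mint_token(SHARED_SECRET, "orders-svc", "billing-svc", "order-worker")
    print(verify_token(token, SHARED_SECRET, "orders-svc", "billing-svc"))
```

The audience check is what stops a token issued for one service from being replayed against another, and the algorithm pin is what stops an attacker from downgrading the header to "none" and presenting an unsigned token. Both checks are cheap and both are routinely missing from hand-rolled verifiers.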

Overview

Expand usage of cloud application security services to provide encryption, monitoring, and automation.

Exercises
  • Securely managing application secrets
  • Application monitoring and instrumentation
  • Automated alerting and blocking
  • Using Serverless for security automation

CPE/CMU Credits: 6

Topics

Encryption

  • Data storage

    • S3, RDS, DynamoDB
  • Secrets Management

    • Approaches to secrets management
    • Key Management Service (KMS)
    • CloudHSM
    • Third-party solutions

Security Monitoring

  • CloudTrail
  • CloudWatch

Security Automation

  • AWS WAF
  • Integration with monitoring tools

Serverless Security

  • Overview of Serverless computing
  • Key use cases
  • Lambda overview
  • Serverless security considerations
  • Leveraging Lambda for automation
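As an added example of the "automated alerting and blocking" exercise and the "leveraging Lambda for automation" topic above (illustrative code written for this page, not the course's lab code), here is a Lambda-style handler that receives one CloudTrail record, runs detection rules over it, and hands any blocking action to a responder callable. The records are constructed and trimmed to the fields the rules need, and the default responder only records what it would do; a real deployment would put the AWS API calls for the response (for example revoking a user's sessions) behind that callable, which is also what makes the rules testable offline.

```python
"""Lambda-style responder: evaluate CloudTrail events, then alert or block.

Added illustration, not part of the course material. The handler takes
the CloudWatch Events envelope Lambda would receive ("detail" carries
the CloudTrail record), runs the rules, and passes findings to a
responder. SAMPLE_RECORDS are constructed for this example, trimmed to
the CloudTrail fields the rules read; the default responder performs no
AWS calls.
"""
from typing import Callable, Dict, List

SAMPLE_RECORDS: List[dict] = [
    {   # console login that succeeded without MFA
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
        "sourceIPAddress": "198.51.100.7"},
    {   # the root user doing anything at all
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.9"},
    {   # privilege escalation: attaching AdministratorAccess to a user
        "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"userName": "bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {   # a security group opened to the world
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {   # benign read-only call: no finding expected
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "userName": "dave"}},
]

ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"
WORLD = {"0.0.0.0/0", "::/0"}


def _who(record: dict) -> str:
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")


def _world_open_ranges(record: dict) -> List[str]:
    """CIDRs in an AuthorizeSecurityGroupIngress call that mean 'anywhere'."""
    found = []
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for key in ("ipRanges", "ipv6Ranges"):
            for rng in perm.get(key, {}).get("items", []):
                cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
                if cidr in WORLD:
                    found.append(cidr)
    return found


def evaluate(record: dict) -> List[Dict[str, str]]:
    """Run every detection rule over one CloudTrail record."""
    findings = []
    name = record.get("eventName")
    if (name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        findings.append({"rule": "console-login-without-mfa", "severity": "medium",
                         "principal": _who(record), "action": "alert"})
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append({"rule": "root-account-activity", "severity": "high",
                         "principal": "Root", "action": "alert"})
    if name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"):
        policy = record.get("requestParameters", {}).get("policyArn", "")
        if policy.endswith(ADMIN_POLICY_SUFFIX):
            findings.append({"rule": "admin-policy-attached", "severity": "high",
                             "principal": _who(record), "action": "revoke-session"})
    if name == "AuthorizeSecurityGroupIngress":
        for cidr in _world_open_ranges(record):
            findings.append({"rule": "world-open-ingress", "severity": "high",
                             "principal": _who(record), "action": "alert", "detail": cidr})
    return findings


def record_only(finding: Dict[str, str]) -> str:
    """Default responder: describe the action instead of performing it."""
    return f"would {finding['action']} for {finding['principal']} ({finding['rule']})"


def lambda_handler(event: dict, context=None,
                   responder: Callable[[Dict[str, str]], str] = record_only) -> dict:
    """Entry point in the shape Lambda calls; 'detail' holds the CloudTrail record."""
    record = event.get("detail", event)
    findings = evaluate(record)
    return {"findings": findings, "actions": [responder(f) for f in findings]}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(lambda_handler({"detail": rec}))
```

Keeping the rules in a pure function and the side effects behind a callable means the detection logic can be unit-tested in CI with constructed records, exactly like the rest of the pipeline, and a bad rule change is caught before it starts revoking sessions in production. Blocking actions also deserve a guardrail of their own (for example, never revoke the break-glass principal), which belongs in the responder rather than in the rules.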

Additional Information

!!! IMPORTANT - PLEASE PLAN ON ARRIVING IN CLASS AT 8AM THE FIRST MORNING TO SET UP THE VIRTUAL MACHINE BEFORE CLASS STARTS !!!

!!! IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS !!!

!!! IMPORTANT - STUDENTS MUST CREATE A NEW AWS FREE-TIER ACCOUNT TO COMPLETE THE CLOUD EXERCISES !!!

!!! IT CAN TAKE MORE THAN 24 HOURS FOR A NEW AWS FREE-TIER ACCOUNT TO BECOME ACTIVE !!!

!!! YOU MUST CREATE AN ACCOUNT WHEN YOU REGISTER TO ENSURE THAT IT IS ACTIVE IN TIME FOR CLASS !!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to class beginning. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 10, VMware Fusion 7.0, or VMware Workstation Player 7.0. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.

VMware Workstation Player is a free download that does not need a commercial license. Most students find VMware Workstation Player adequate for the course.

Mandatory Laptop Requirements

Mandatory Host Hardware Requirements

  • CPU: 64-bit 2.5+ GHz multi-core processor or higher
  • Memory: 16GB of RAM minimum
  • Hard Disk: Solid State Drive (SSD) is REQUIRED with 50GB of free disk space minimum
  • Working USB 2.0 or higher port
  • Local Administrator access to the host operating system
  • Verify the BIOS settings have virtualization enabled

Mandatory Host Operating System Requirements

You must bring a 64-bit laptop with one of the following operating systems. These operating systems have been verified to be compatible with the course VMware image:

  • Windows (7, 8, or 10)
  • Mac OS X (Yosemite, El Capitan, Sierra)

Mandatory Software Requirements

Please ensure the following software is installed on the host operating system prior to class:

  • VMware Workstation 10+, VMware Workstation Player 7+, or VMware Fusion 7+
  • Zip File Utility (WinZip, 7Zip, or the built-in operating system zip utility)

Mandatory Amazon Web Services (AWS) Account

This course teaches students about DevOps and application security in a cloud environment. The exercises are done online in the AWS cloud. To complete these exercises, students must register a NEW AWS free-tier account prior to the start of the class:

  • Create a new AWS account for this course: https://aws.amazon.com/
  • Ensure that the AWS account does NOT contain any personal or corporate resources
  • Ensure you can log in to the root account using your username and password

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  • Bring a laptop with 16GB of RAM, and a 64-bit operating system
  • Install VMware (Workstation, Workstation Player, or Fusion)
  • Verify the USB drive is active and capable of mounting an exFAT file system. The course VM will be copied onto your laptop from a USB key provided by SANS.
  • Register a NEW AWS free-tier account prior to the start of the class: https://aws.amazon.com/

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Anyone working in the DevOps environment or transitioning to a DevOps environment
  • Anyone who wants to understand where to add security checks, testing, and other controls to DevOps and Continuous Delivery
  • Anyone interested in learning how to migrate DevOps workflows to the cloud, specifically Amazon Web Services (AWS)
  • Anyone interested in learning how to leverage cloud application security services provided by AWS

  • This includes the following:
    • Developers
    • Software Architects
    • Operations engineers
    • System administrators
    • Security analysts
    • Security engineers
    • Auditors
    • Risk managers
    • Security consultants

  • Basic understanding of application security, common attacks, and vulnerabilities (e.g., the OWASP Top 10)
  • Familiarity with Agile development and Agile project/product management practices
  • Familiarity with Linux command shells and associated commands
  • Ability to understand basic coding concepts

  • Course Virtual Machine (VM) containing pre-built DevOps CI/CD toolchain and lab exercises
  • USB drive containing course VM
  • Course Books
  • Lab Workbook

This class reinforces knowledge transfer through many hands-on labs. It goes well beyond the traditional lecture into the literal application of techniques.

The class Workbook provides a step-by-step guide to learning and applying hands-on techniques, but also offers a "no hints" approach for those who want to stretch their skills and see how far they can get without following the guide. This lets students of varying backgrounds pick a difficulty level and always have a frustration-free fallback path.

Author Statement

DevOps and cloud are radically changing the way that organizations design, build, deploy and operate online systems. Leaders like Amazon, Etsy and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning and continuously improving and continuously growing - and leaving their competitors far behind. Now DevOps and the cloud are making their way from Internet "Unicorns" and cloud providers into enterprises.

Traditional approaches to security can't come close to keeping up with this rate of accelerated change. Engineering and operations teams who have broken down "the walls of confusion" in their organizations are increasingly leveraging new kinds of automation: Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers and cloud service platforms. The question is, can security take advantage of the tools and automation to better secure its systems?

Security must be reinvented in a DevOps and cloud world.


*CPE/CMU credits not offered for the SelfStudy delivery method


Training Events (7 results; all are Training Events in the Developer curriculum, marked New)

  • Dec 4, 2017 - Dec 8, 2017
  • Dec 14, 2017 - Dec 18, 2017
  • Jan 8, 2018 - Jan 12, 2018
  • Jan 15, 2018 - Jan 19, 2018: SANS Amsterdam January 2018, Amsterdam, Netherlands
  • Mar 19, 2018 - Mar 23, 2018
  • Apr 3, 2018 - Apr 7, 2018: SANS 2018, Orlando, FL
  • May 11, 2018 - May 15, 2018

*Course contents may vary depending upon location; see the specific event description for details.