The Cloud Moves Fast. Automate to Keep Up.
Common security challenges for organizations struggling with the DevOps culture include issues such as:
- Upfront peer code reviews and security approvals may not occur for change approval and audit requirements
- Missing infrastructure and application scanning can allow attackers to find an entry point and compromise the system
- Cloud security misconfigurations may publicly expose sensitive data or introduce new data exfiltration paths
Security teams can help organizations prevent these issues by using DevOps tooling and cloud-first best practices. This course provides development, operations, and security professionals with a deep understanding of and hands-on experience with the DevOps methodology used to build and deliver cloud infrastructure and software. Students learn how to attack and then harden the entire DevOps workflow, from version control to continuous integration and running cloud workloads. Each step of the way, students explore the security controls, configuration, and tools required to improve the reliability, integrity, and security of on-premises and cloud-hosted systems. Students learn how to implement more than 20 DevSecOps security controls to build, test, deploy, and monitor cloud infrastructure and services.
"BEST class I have ever taken at SANS. This is one of those courses where I can log into work after class ends and immediately start applying into my daily tasks and responsibilities. I already went on my team's Slack channel and told them this needs to be the next class they take." - Brian Esperanza, Teradata
"Every single person I've sent to class has loved it. It's been transformational for them because it goes beyond security concepts and teaches how modern operations and DevOps works. It's also impactful sending developers (who are not working in cloud yet) because they want to develop in cloud and get into concepts like Infrastructure as Code." - Brett Cumming
- Build a security team that understands modern cloud security and DevSecOps practices
- Partner with DevOps and engineering teams to inject security into automated pipelines
- Leverage cloud services and automation to improve security capabilities
- Ensure your organization is ready for cloud migration and digital transformation initiatives
- Understand how DevOps works and identify keys to success
- Wire security scanning into automated CI/CD pipelines and workflows
- Build continuous monitoring feedback loops from production to engineering
- Automate configuration management using Infrastructure as Code (IaC)
- Secure container technologies (such as Docker and Kubernetes)
- Use native cloud security services and third-party tools to secure systems and applications
- Securely manage secrets for Continuous Integration servers and applications
- Integrate cloud logging and metrics
- Perform continuous compliance and security policy scanning
SEC540 goes well beyond traditional lectures and immerses students in hands-on application of techniques during each section of the course. Each lab includes a step-by-step guide to learning and applying hands-on techniques, as well as a "no hints" approach for students who want to stretch their skills and see how far they can get without following the guide. This allows students, regardless of background, to choose the level of difficulty they feel is best suited for them, always with a frustration-free fallback path. Immersive hands-on labs ensure that students understand not only the theory, but also how to configure and implement each security control.
The SEC540 lab environment simulates a real-world DevOps environment, with more than 10 automated pipelines responsible for building DevOps container images, cloud infrastructure, automating gold image creation, orchestrating containerized workloads, executing security scanning, and enforcing compliance standards. Students are challenged to sharpen their technical skills and automate more than 20 security-focused challenges using a variety of command line tools, programming languages, and markup templates.
The SEC540 course labs come in both AWS and Azure versions. Students will choose one cloud provider at the beginning of class to use for the duration of the course. Students are welcome to do labs for both cloud providers on their own time once they finish the first set of labs.
For advanced students, 2 hours of CloudWars Bonus Challenges are available during extended hours each day. These CloudWars challenges provide additional opportunities for hands-on experience with the cloud and DevOps toolchain.
Section 1: Attacking the DevOps Toolchain, Version Control Security, Automating Static Analysis, Protecting Secrets with Vault, CloudWars (Section 1): Cloud & DevOps Security Bonus Challenges
Section 2: Infrastructure as Code Network Hardening, Gold Image Creation, Container Security Hardening, Automating Dynamic Analysis, CloudWars (Section 2): Cloud & DevOps Security Bonus Challenges
Section 3: Cloud Workload Security Review, Cloud-Hosted CI/CD Guardrails, Continuous Security Monitoring, Data Protection Services, CloudWars (Section 3): Cloud & DevOps Bonus Challenges
Section 4: Deploying Security Patches Using Blue/Green Environments, Securing Content Delivery Networks with Signed URLs, Protecting REST Web Services with API Gateway, Protecting APIs with Serverless and JSON Web Tokens, CloudWars (Section 4): Cloud & DevOps Security Bonus Challenges
Section 5: Cloud Security Posture Management, Blocking Attacks with WAF, Automated Remediation with Cloud Custodian, CloudWars (Section 5): Cloud & DevOps Security Bonus Challenges
"Labs were really impressive. You can tell there are hours of work in there. It was organized really well and was great practice." - David Heaton, Grange Insurance
"Labs were the best bit of the whole thing - well maintained, keep it up." - Richard Ackroyd, PwC
"Great wealth of scripts to use and leverage." - Ravi Balla, GE
"Fun and straightforward. Everything worked like a charm." - Kenneth Jordan, Openaltar
Section 1: Attacking and Hardening the DevOps Toolchain
Section 2: Securing Cloud Infrastructure, Containers, and Applications
Section 3: Securing Cloud Workloads, Monitoring, and Data Protection
Section 4: Securing Content, APIs, and Serverless
Section 5: Automating Compliance, Attack Defense, and Remediation
ADDITIONAL FREE RESOURCES:
Posters, Cheat Sheets, and Lists
See a complete list of Cloud Security tools here, all of which are applicable to SEC540.
WHAT YOU WILL RECEIVE:
- Printed and electronic courseware
- ISO containing the course Virtual Machine (VM)
- Course VM containing a pre-built DevOps CI/CD toolchain, Cloud Security, and DevSecOps lab exercises
- CloudFormation and Terraform code to deploy AWS and Azure infrastructure
- A VM-hosted wiki and an electronic lab workbook for completing the lab exercises
- Ability to use the Infrastructure as Code (IaC) and course VM indefinitely to continue your learning after the course ends
WHAT COMES NEXT:
Depending on your current role or future plans, one of these courses is a great next step in your cloud security journey:
Cloud Security Engineer:
Cloud Security Architect:
Cloud Security Manager:
NOTICE TO STUDENTS
- Please plan to arrive 30 minutes early before your first session for lab preparation and set-up (though obtaining your cloud account(s) should happen PRIOR TO this.) During this time, students can confirm that their cloud accounts are properly set up, ensure laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine. For live classes (online or in-person), the instructor will be available to assist students with laptop prep and set-up 30 minutes prior to the course start time. The lecture will begin at the scheduled course start time.
- Similar to providing hardware and software, students are required to provide their own AWS and Azure cloud accounts. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS or Azure accounts during a live class. Review the Laptop Requirements below for details.
!!! IMPORTANT NOTICE !!!
CRITICAL NOTE: Apple systems using the M1 processor cannot perform the necessary virtualization and cannot be used with the VM in this course. However, a cloud-based VM can be provided if you have an M1 Mac.
1) MANDATORY CLOUD ACCOUNTS:
Students must bring their own AWS or Azure accounts to complete the course labs.
The SEC540 course labs come in both AWS and Azure versions. Students must choose one cloud provider at the beginning of class to use for the duration of the course. Students are welcome to do labs for both cloud providers on their own time once they finish the first set of labs.
Students selecting the AWS labs require an Amazon Web Services (AWS) account. The estimated AWS cost for running the AWS lab environment during a 5-day live event is approximately $20 per week. Costs are less for free-tier accounts.
Students selecting the Azure labs require a Microsoft Azure account and paid subscription. The estimated cost for running the Azure lab environment is approximately $100 per week. New Azure subscriptions may be eligible for a $200 credit for 30 days to help offset the cost.
- Students must create either an AWS account OR an Azure account prior to starting the course:
Live events (in-person or Live Online)
2) MANDATORY LAPTOP REQUIREMENT:
Students must bring their own system configured according to these instructions
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
Students must be in full control of the network running the VM. The VM communicates with several external services (AWS, Docker Hub, Terraform, Azure, etc.) over HTTPS, SSH, and other non-standard ports. Running the course virtual machine on a host with a VPN, intercepting proxy, or egress firewall filter may cause connection issues communicating with these services. Students must be able to configure or disable these services for the lab environment to function properly.
BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:
- A properly configured system is required for each student participating in this course. Before starting your course, carefully read and follow these instructions exactly:
- Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
- Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
- Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
- Download and install 7-Zip (for Windows Hosts) or Keka (macOS). Without these extraction tools, you'll be unable to extract large archives we'll supply to you in class.
- Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x, or Fusion 11.5.x or higher versions before class.
- If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at its website.
- Other virtualization software, such as VirtualBox and Hyper-V, is not appropriate because of compatibility and troubleshooting problems you might encounter during class.
- VMware Workstation Pro and VMware Player on Windows 10 are not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class if they're enabled on your system by following instructions in this document.
Mandatory Host Hardware Requirements
- CPU: 64-bit 2.5+ GHz multi-core processor or higher
- BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
- Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
- Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! - 16GB of RAM is MANDATORY)
- Working USB 2.0 or higher port
- Wireless Ethernet 802.11 B/G/N/AC
- Local Administrator Access within your host operating system
Mandatory Host Operating System Requirements
You must use a 64-bit laptop with one of the following operating systems that have been verified to be compatible with the course VMware image:
- Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
Mandatory Software Requirements
Prior to class, ensure that the following software is installed on the host operating system:
- VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+
- Zip File Utility (7-Zip or the built-in operating system zip utility)
Cloud Virtual Machine (AWS AMI)
If your workstation or network does not meet the above requirements, please reach out to your instructor, TA, or OnDemand SME for access to the SEC540 Amazon Machine Image (AMI). After sharing the AMI, instructions will be provided for launching and connecting to the virtual machine over Remote Desktop (RDP). This option is required for students that cannot meet the laptop requirements.
Before beginning the course you should:
- Have a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system.
- Install VMware (Workstation or Fusion).
- Windows only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled.
- Download the SEC540 Lab Setup Instructions and Course Media from your sans.org account.
- Register a NEW AWS account prior to the start of the class at https://aws.amazon.com
- Register a NEW Azure account and paid subscription prior to the start of class at https://azure.microsoft.com
After you have completed those steps, your course media will be delivered via download. The media files for class can be large, some in the 40 to 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will increase quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact email@example.com.