What You Will Learn
Principles! Practices! Tools! Oh My! Start Your Journey On The DevSecOps Road Here.
SEC534: Secure DevOps: A Practical Introduction explains the fundamentals of DevOps and how DevOps teams can build and deliver secure software. You will learn about DevOps principles, practices, and tools, and how they can be leveraged to improve the reliability, integrity, and security of systems.
Using lessons from successful DevOps security programs, this course will explain how Secure DevOps can be implemented. Students will gain hands-on experience using popular open-source tools such as Puppet, Jenkins, GitLab, Vault, Grafana, and Docker to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring. The lab environment starts with a CI/CD pipeline that automatically builds, tests, and deploys infrastructure and applications. Leveraging the Secure DevOps toolchain, students perform a series of labs injecting security into the CI/CD pipeline using a variety of security tools, patterns, and techniques.
YOU WILL LEARN:
- Foundations and principles of DevOps, Continuous Delivery, and Continuous Deployment
- The security risks and challenges posed by DevOps
- The keys to successful DevOps security programs
- How to build security into Continuous Delivery and Continuous Deployment
- The tools, patterns, and techniques of security automation in DevOps
- How to secure your build and deployment environment and tool chain
- How to leverage Infrastructure as Code for secure configuration management and provisioning
- How manual security practices (risk assessments, audits, and pen tests) can be adapted to continuously changing environments, and the important role that they still play
- Security risks and challenges posed by containers, and how to secure container technology
- How to automate compliance in DevOps, using the DevOps Audit Defense Toolkit
COURSE CONTENT OVERLAP NOTICE
Please note that the course material for SEC534 and SEC540 overlap. SEC534 introduces students to Secure DevOps with discussions targeting on-premise deployments. SEC540 covers Secure DevOps from both a cloud and on-premise perspective.
- Understanding how a Continuous Delivery/Deployment pipeline works
- The DevOps Deployment Kata
- How to implement static analysis testing into Continuous Delivery
- How to write automated security tests in Continuous Delivery
- Security in system monitoring
- Infrastructure as Code - securing a Puppet manifest
- Container Security - finding vulnerabilities in Docker configurations
- Automated auditing
YOU WILL BE ABLE TO:
- Understand the core principles and patterns behind DevOps, how work is done in DevOps, and what the keys to success in DevOps are
- Map out and implement a Continuous Delivery/Deployment pipeline
- Do a Value Stream Map of the processes and workflows in making code or configuration changes - from check-in to deployment and operations
- Explain how Continuous Integration, Continuous Delivery, and Continuous Deployment work, including workflows, patterns, and tools
- Identify the security risks and issues in DevOps and Continuous Delivery
- Map out where security controls and checks can be added in Continuous Delivery and Continuous Deployment
- Conduct effective risk assessments and threat modeling in a rapidly changing environment
- Design and write automated security tests and checks in CI/CD
- Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
- Implement self-service security services for developers
- Inventory your software dependencies and secure them
- Threat model and secure your build and deployment environment
- Integrate security into production operations
- Automate security policies
- Leverage container technologies (such as Docker) for security
- Automate compliance and run-time defense
- Create continuous feedback loops from production to engineering
- Create a plan for introducing or improving security in a DevOps environment
- Apply DevOps techniques to secure DevOps practices
WHAT YOU WILL RECEIVE
- Printed and Electronic Courseware and Lab Workbook
- Digital Download Lab environment
- Extensive links to resources on DevOps, Continuous Delivery/Deployment, case studies, tools, etc.
Posters, Cheat Sheets, and Lists
- Cloud Security and DevOps Best Practices poster
- Fix Security Issues Left of Prod Cheat Sheet
- CWE/SANS Top 25 Most Dangerous Software Errors
- Security Web Application Technologies (SWAT) Checklist
- Cloud and DevSecOps 3-Part Webcast Series, May 2021
- Extending DevSecOps Security Controls into the Cloud: A SANS Survey, October 2020
- Winning in the Dark: Defending Serverless Infrastructure in the Cloud, June 2020
- Attacking and Defending Cloud Metadata Services, October 2019
- Cloud Security and DevOps Automation: Keys for Modern Security Success, April 2019
- Continuous Security: Monitoring & Active Defense in the Cloud, August 2018
Syllabus (12 CPEs)
SEC534 starts by introducing DevOps practices, principles, and tools. We will examine how DevOps works, how work is done in DevOps, and the importance of culture, collaboration, and automation.
Using case studies of DevOps "Unicorns" - the Internet tech leaders who've created the DevOps DNA - we'll consider how and why these leaders succeeded and examine the keys to their DevOps security programs.
We'll then look at Continuous Delivery, the DevOps automation engine: how to build up a Continuous Delivery or Continuous Deployment pipeline, how to wire DevSecOps security controls into that pipeline, and how to automate security checks and tests within it.
- Exploring CI/CD Tools and Pipelines
- Deployment Kata
- Pre-Commit Security: Git Hooks and Security Unit Testing
- Automating Static Analysis in CI
- Automating Dynamic Analysis in CI/CD
- Introduction to DevOps
- Working in DevOps
- Security Challenges in DevOps
- DevOps Deployment Kata
- Secure Continuous Delivery
- Security in Pre-Commit
- Security in Commit
- Security in Acceptance
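As an added illustration of the "Pre-Commit Security: Git Hooks" topic listed above (example code, not part of the SEC534 course materials): a git pre-commit hook that scans the staged additions for credential-shaped strings and refuses the commit when it finds one. The regular expressions are an illustrative starting set, not a vetted rule base, and the sample lines used to exercise it are constructed for this example. The script relies on git exporting GIT_INDEX_FILE to commit hooks to tell a hook invocation apart from being sourced.

```shell
#!/bin/sh
# Added example (not from the SEC534 course materials): a git pre-commit hook
# that scans the staged additions for credential-shaped strings and blocks the
# commit if any are found. Install as .git/hooks/pre-commit (chmod +x).
# The patterns are illustrative and would be tuned per organization.

# Extended regex of common credential shapes: AWS access key ids, PEM private
# key headers, and password/secret/api-key assignments to a quoted literal of
# at least 8 characters. Values read from the environment are deliberately
# not matched: they are references to a secret, not a leaked secret.
SECRET_REGEX="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# scan_for_secrets: read candidate lines on stdin; print matches to stderr and
# return 1 if anything matched, 0 if the input is clean.
scan_for_secrets() {
  matches=$(grep -Ei -- "$SECRET_REGEX" || true)
  if [ -n "$matches" ]; then
    printf 'possible secret(s) in staged changes:\n%s\n' "$matches" >&2
    return 1
  fi
  return 0
}

# staged_additions: the added lines of the staged diff with the leading '+'
# stripped. The '^\+[^+]' filter drops the '+++ b/file' headers; as a side
# effect it also drops added lines whose own content begins with '+'.
staged_additions() {
  git diff --cached --unified=0 --no-color | grep -E '^\+[^+]' | cut -c2-
}

# Hook entry point. git exports GIT_INDEX_FILE to commit hooks, so this part
# runs only when git invokes the script, not when the file is sourced.
if [ -n "${GIT_INDEX_FILE:-}" ]; then
  if ! staged_additions | scan_for_secrets; then
    echo 'commit blocked: remove the secret, or bypass with --no-verify after review' >&2
    exit 1
  fi
  exit 0
fi
```

A hook like this is a first line of defense only: it runs on the developer's machine and can be bypassed with --no-verify, so the same scan belongs in the CI stage as well (the "Security in Commit" topic), where it cannot be skipped.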
Building on the ideas and frameworks developed in Section 1 of the course, and using modern automated configuration management tools like Puppet, Chef, and Ansible, you'll learn how secure Infrastructure as Code allows you to quickly and consistently deploy new infrastructure and manage configurations.
Because the automated Continuous Delivery pipeline is so critically important to DevOps, you'll also learn to secure the pipeline itself, along with RASP and other run-time defense technologies.
As the infrastructure and application code moves to production, we'll spend the second half of the day exploring container security issues associated with tools such as Docker and Kubernetes, as well as how to protect secrets using Vault and how to build continuous security monitoring using Grafana, Graphite, and StatsD.
Finally, we will explain how to build compliance into Continuous Delivery, using the security controls and gates that we've already built in.
- Configuration Management with Puppet
- Auditing Docker's Security
- Monitoring with Dashboards, Grafana, and Graphite
- Protecting Secrets with Vault
- Auditing with OpenSCAP
- Secure Configuration Management Using Infrastructure as Code
- Securing Configuration Management and the Continuous Integration/ Continuous Delivery Pipelines
- Container Security, Hardening, and Orchestration
- Continuous Monitoring and Feedback Loops
- Secure Secrets Management
- Automating Compliance as Code
- Going Forward: Introducing Security into DevOps, and DevOps into Security
- Quick Wins and Long-term Investments Needed to Succeed
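As an added illustration of the "Auditing Docker's Security" lab and the "Container Security, Hardening, and Orchestration" topic above (example code, not part of the SEC534 course materials): a small Dockerfile audit that flags the configuration weaknesses most container scanners report, implemented in portable sh and awk so it can sit in a CI stage as a gate. The rule set is an illustrative starting point, and both Dockerfiles below are constructed for this example rather than taken from any real project.

```shell
#!/bin/sh
# Added example (not from the SEC534 course materials): a minimal Dockerfile
# audit for common configuration weaknesses. The rule set is illustrative.

# audit_dockerfile: read a Dockerfile on stdin, print one FINDING line per
# rule that fires, and return the number of findings (0 means clean).
audit_dockerfile() {
  findings=$(awk '
    # FROM starts a new stage: remember "AS" aliases so later "FROM alias"
    # lines are not reported as unpinned, and reset the effective user,
    # since every stage starts as root again.
    toupper($1) == "FROM" {
      img = $2
      if (img ~ /^--/) img = $3               # skip e.g. --platform=...
      for (i = 3; i <= NF; i++) if (toupper($i) == "AS") alias[$(i + 1)] = 1
      if (img != "scratch" && !(img in alias) && img !~ /[:@]/) unpinned = 1
      if (img ~ /:latest$/) unpinned = 1
      user = ""
    }
    toupper($1) == "USER" { user = $2 }
    toupper($1) == "ADD" && $2 ~ /^https?:\/\// { remote_add = 1 }
    /(curl|wget)[^|]*[|][[:space:]]*(ba)?sh/ { pipe_sh = 1 }
    /chmod[[:space:]]+(-[a-zA-Z]+[[:space:]]+)?[0-7]?777/ { world_writable = 1 }
    END {
      if (user == "" || user == "root" || user == "0" || user ~ /^(root|0):/)
        print "FINDING: final stage runs as root (add a non-root USER)"
      if (unpinned) print "FINDING: base image not pinned to a tag or @sha256 digest"
      if (remote_add) print "FINDING: ADD fetches from a URL (download with RUN and verify a checksum, or COPY a vetted artifact)"
      if (pipe_sh) print "FINDING: remote script piped straight into a shell"
      if (world_writable) print "FINDING: chmod 777 makes files world-writable"
    }
  ')
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return "$(printf '%s\n' "$findings" | grep -c '^FINDING')"
}

# Constructed sample input (not a real project's Dockerfile) that trips every rule.
sample_dockerfile() {
  cat <<'EOF'
FROM golang:1.21 AS builder
WORKDIR /src
COPY . .
RUN go build -o /app ./cmd/app

FROM alpine
ADD https://example.invalid/tool.tar.gz /opt/
RUN curl -sSL https://example.invalid/install.sh | sh
RUN chmod 777 /app
COPY --from=builder /app /app
ENTRYPOINT ["/app"]
EOF
}

# The same build, constructed here with the findings fixed: pinned base image,
# no remote ADD or piped installer, no world-writable files, non-root USER.
hardened_dockerfile() {
  cat <<'EOF'
FROM golang:1.21 AS builder
WORKDIR /src
COPY . .
RUN go build -o /app ./cmd/app

FROM alpine:3.19
RUN addgroup -S app && adduser -S -G app app
COPY --from=builder /app /app
USER app
ENTRYPOINT ["/app"]
EOF
}

# Usage: sh audit-dockerfile.sh path/to/Dockerfile
# Exits with the number of findings, so a CI stage can fail on non-zero.
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
  audit_dockerfile < "$1"
  exit $?
fi
```

Pinning to a tag stops the silent base-image drift that `FROM alpine` allows, but only a `@sha256` digest pins the exact layers; a tag can be re-pushed. The same pattern (parse, flag, exit non-zero) is what a compliance-as-code gate in the pipeline does, with the rule set expanded and maintained alongside the code it checks.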
Students should have the following:
- A basic understanding of application security, common attacks, and vulnerabilities (e.g., the OWASP Top 10)
- Some familiarity with Agile development and Agile project/product management practices
- Basic familiarity with Linux command shells
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back-up your system before class. It is also strongly advised that you do not use a system storing any sensitive data.
System Hardware Requirements
CPU: Your system's processor must be a 64-bit Intel i5/i7 2.0+ GHz processor or higher. Your CPU and OS must support a 64-bit guest virtual machine.
- VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines.
- Windows users can use this article to learn more about their CPU and OS capabilities.
- Apple users can use this support page to learn more information about Mac 64-bit capability.
BIOS: Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password protected, you must have the password.
USB: USB 3.0 Type-A port: At least one available USB 3.0 Type-A port is required for copying large data files from a USB 3.0 drive. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.
RAM: 16 GB RAM is REQUIRED. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
Hard Drive Free Space: 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. For SEC534, an SSD drive is REQUIRED.
Operating System: Your system must be running either Windows 10 Pro or macOS 10.13 or higher. Make sure your operating system is fully updated with the correct drivers and patches prior to arriving in class.
Additional Hardware Requirements
The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Laptop Requirements for SEC534
Network, Wireless Connection: A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.
Additional Software Requirements
Solid State Drive: Solid State Drive (SSD) is REQUIRED.
VMware: VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
Credential Guard: If your host computer is running Windows, Credential Guard may interfere with the ability to run VMs. It is important that you start up VMware prior to class and confirm that virtual machines can run. It is required that Credential Guard is turned off prior to coming to class.
System Configuration Settings
Local Admin: Have an account with local admin privileges. Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to use a different system.
Disable VPN: Enterprise VPN clients may interfere with the network configuration required to participate in the class. To avoid any frustration in class, uninstall or disable your enterprise VPN client for the duration of the class. If you keep it installed, make sure that you have access to disable or uninstall it at class.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
"DevOps is already radically changing the way that organizations design, build, deploy, and operate online systems. DevOps leaders like Amazon, Etsy, and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning, improving, and growing - and leaving their competitors far behind. Now DevOps is making its way from Internet 'Unicorns' and cloud providers into enterprises.
"Traditional approaches to security can't come close to keeping up with this rate of accelerated change and with engineering and operations teams that have broken down 'the walls of confusion' between their organizations and are increasingly leveraging new kinds of automation, such as Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers, and cloud service platforms.
"Security must be reinvented in a DevOps world."