Secure DevOps Training | Cloud Application Security Course

What You Will Learn

The Cloud Moves Fast. Automate to Keep Up.

SEC540 provides development, operations, and security professionals with a methodology to build and deliver secure infrastructure and software using DevOps and cloud services. Students will explore how DevOps principles, practices, and tools of DevOps can improve the reliability, integrity, and security of on-premise and cloud-hosted applications.

SEC540 examines the Secure DevOps methodology and its implementation using lessons from successful DevOps security programs. Students will gain hands-on experience using popular tools such as Jenkins, GitLab, Puppet, Vault, and Grafana to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), cloud infrastructure, containerization, micro-segmentation, Functions as a Service (FaaS), Compliance as Code, and Continuous Monitoring.

The lab environment starts with an on-premise CI/CD pipeline that automatically builds, tests, and deploys infrastructure and containerized applications. Leveraging the Secure DevOps toolchain, students perform a series of labs injecting security into the CI/CD pipeline using a variety of security tools, patterns, and techniques. After laying the DevSecOps foundation, students put their DevSecOps skills to work by deploying and managing a real-world cloud infrastructure. Hands-on exercises deploy containerized workloads in the cloud, integrate on-premise configuration management with Puppet, and manage secrets with HashiCorp Vault and Cloud Key Management Service (KMS). Students analyze and fix cloud infrastructure vulnerabilities, perform cloud-hosted application vulnerability scanning, and defend microservices using tools such as API Gateway and FaaS. Cloud security compliance tools help monitor the infrastructure using code-drive Web Application Firewall (WAF) services, continuous auditing with CloudMapper, and continuous monitoring with Cloud Custodian.

SEC540 Will Prepare You To:

Understand the Core Principles and Patterns behind DevOps

Recognize how DevOps works and identify keys to success

Map and Implement a Continuous Delivery/Continuous Deployment Pipeline

Utilize Continuous Integration, Continuous Delivery, and Continuous Deployment workflows, patterns, and tools

Identify the security risks and issues associated with DevOps and Continuous Delivery

Understand the DevSecOps Methodology and Workflow

Use DevOps practices to secure DevOps tools and workflows
Conduct effective risk assessments and threat modeling in a rapidly changing environment
Design and write automated security tests and checks in CI/CD
Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
Implement self-serve security services for developers
Inventory and patch your software dependencies
Threat model and secure your build and deployment environment

Integrate Security into Production Operations

Automate configuration management using Infrastructure as Code
Secure container technologies (such as Docker and Kubernetes)
Build continuous monitoring feedback loops from production to engineering
Securely manage secrets for continuous integration servers and applications
Automate compliance and security policy scanning

Move Your DevOps Workloads to the Cloud

Understand how to automate cloud architecture components
Use CloudFormation and Terraform to create Infrastructure as Code
Build CI/CD pipelines using Jenkins and CodePipeline
Wire security scanning into Jenkins and CodePipeline workflows
Containerize applications with Elastic Container Service and Azure Kubernetes Service
Integrate cloud logging and metrics with Grafana
Create Slack alerts from CloudWatch metrics
Manage secrets with Vault, KMS, and the SSM Parameter store

Consume Cloud Services to Secure Cloud Applications

Protect static content with CloudFront Signatures
Leverage Elastic Container Service for blue/green deployments
Secure REST APIs with API Gateway
Implement an API Gateway custom authorization Lambda function
Deploy the AWS WAF and build custom WAF rules
Perform continuous compliance scans with CloudMapper
Enforce cloud configuration policies with Cloud Custodian

SEC540 goes well beyond traditional lectures and immerses students in hands-on application of techniques during each section of the course. Each lab includes a step-by-step guide to learning and applying hands-on techniques, as well as a "no hints" approach for students who want to stretch their skills and see how far they can get without following the guide. This allows students, regardless of background, to choose a level of difficulty they feel is best suited for them - always with a frustration-free fallback path.

SEC540 also offers students an opportunity to participate in NetWars Bonus Challenges each day. The gamified environment allows students to compete against each other in a race to win the SEC540 challenge coin, while also providing more hands-on experience with the cloud and DevOps toolchain.

NOTICE TO STUDENTS:

Please plan to arrive 30 minutes early before your very first session for lab preparation and set-up. During this time, students can confirm that their Amazon Web Services (AWS) account is properly set up, ensure laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine. For Live Online, the instructor will be available to assist students with laptop prep and set-up 30 minutes prior to course start time. Live Online class lecture will begin on time.
An Amazon Web Services (AWS) account is required to do hands-on exercises during this course. Students must create an AWS account prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account during a live class.
The estimated AWS cost for running the lab environment is $20 per week. Costs are significantly less for free-tier accounts.
Microsoft Azure bonus challenges are available to students. Completing the bonus challenges requires that students register a Microsoft Azure account prior to the start of class.
The estimated Azure cost for running the lab environment is $20 per week. Eligible free-tier accounts receive $200 in Azure credits (subject to verification and approval)

WHAT YOU WILL RECEIVE:

Electronic Courseware
ISO containing the course Virtual Machine (VM)
Course VM containing a pre-built DevOps CI/CD toolchain, Cloud Security, and Secure DevOps lab exercises
A VM-hosted wiki and an electronic lab workbook for completing the lab exercises

Syllabus (38 CPEs)

Download PDF

Overview
SEC540 starts by introducing DevOps practices, principles, and tools. We will examine how DevOps works, how to work in DevOps, and the importance of culture, collaboration, and automation.
We'll use case studies of DevOps "Unicorns" - the Internet tech leaders that have created the DevOps DNA - to consider how and why these leaders succeeded and to examine the keys to their DevOps security programs.
We'll then look at Continuous Delivery, which is the DevOps automation engine. We'll explore how to build up a Continuous Delivery or Continuous Deployment pipeline, including how to fold or wire the DevSecOps security controls into the Continuous Delivery pipeline, and how to automate security checks and tests in Continuous Delivery.
Exercises
- Deployment Kata
- Pre-Commit Security: Git Hooks and Security Unit Testing
- Commit Security: Automating Static Analysis in CI
- Acceptance Security: Automating Dynamic Analysis in CI/CD
- NetWars (Day 1): Cloud & DevOps Security Bonus Challenges
Topics
- Introduction to the Cloud and DevOps
- Case Studies on DevOps Unicorns
- Security Challenges in DevOps
- DevOps Deployment Kata
- Secure Continuous Delivery
- Security in Pre-Commit
- Security in Commit
- Security in Acceptance
Overview
Building on the ideas and frameworks developed in section 1, we'll examine how Cloud Infrastructure as Code can quickly and consistently deploy new infrastructure and services. Using modern automated configuration management tools like Puppet, Chef, and Ansible, we'll also cover how to enforce desired state configuration for cloud-hosted virtual machines. Since workloads are moving into container services, we'll explore the container security issues associated with tools such as Docker and Kubernetes.
Exercises
- Managing AWS with Jenkins Pipelines
- CloudFormation Automation
- Managing Configuration with Puppet
- Auditing Docker's Security
- NetWars (Day 2): Cloud & DevOps Security Bonus Challenges
Topics
- Cloud Security Fundamentals
- Secure Infrastructure as Code
- Configuration Management as Code
  - Chef, Puppet, Ansible
- Container Security Hardening
Overview
Students start the day reviewing container orchestration options and scanning and testing their cloud infrastructure code for common cloud misconfiguration vulnerabilities. Correcting and committing infrastructure code changes will trigger an automated infrastructure pipeline to harden the cloud infrastructure code. Next, we will explore cloud continuous integration and delivery tools and leverage serverless computing to perform static analysis and software supply chain vulnerability scans before releasing containers into the orchestration services. We then shift focus to production and operations by building continuous security monitoring using Grafana, CloudWatch, and Slack. Section 3 wraps up with cloud data protection, exploring the various encryption services, how to implement secrets management in the cloud, and how to integrate on-premise secrets with cloud resources.
Exercises
- Cloud Infrastructure Scanning and Hardening
- Security Scanning in CI/CD with CodeBuild and CodePipeline
- Continuous Monitoring and Feedback Loops with Grafana and CloudWatch
- Secure Secrets Management with HashiCorp Vault and AWS KMS
- NetWars (Day 3): Cloud & DevOps Bonus Challenges
Topics
Securing Cloud Architecture
- Cloud Container Orchestration
- Common Cloud Security Issues
Security Scanning in CI/CD
- CodeBuild and CodePipeline Integrations
- Static Analysis with Serverless Functions (Lambda)
- Static Analysis with CodeBuild
- Integrating Jenkins and CodePipeline
Continuous Security Monitoring
- Monitoring and Metrics with Grafana/CloudWatch
- CloudWatch Log Insights
- Osquery
- Alerting with Slack
- DevOps Postmortems
- Gameday Exercises
Data Protection and Secrets Management
- Data Storage (S3, RDS, DynamoDB)
- Azure Key Vault
- AWS Key Management Service
- Hashicorp Vault
Overview
In this section we'll leverage cloud security services to lock down functional and high-availability systems. Students start by deploying a security patch to an application using blue/green environments to minimize downtime. Shifting focus, we move on to protecting static website content served by a Content Delivery Network (CDN) using private key signing. The second half of the day explores the world of microservices, protecting APIs with an API Gateway, and deploying serverless functions to manage authorization, data entitlements, and access control.
Exercises
- Deploying Security Patches Using Blue/Green Environments
- Securing CloudFront Content with Signed URLs
- Protecting REST Web Services with API Gateway
- Protecting APIs with Lambda and JSON Web Tokens
- NetWars (Day 4): Cloud & DevOps Security Bonus Challenges
Topics
Blue/Green Deployment Options
- Azure Traffic Manager
- Azure Kubernetes Services
- EC2 DNS Routing
- ALB Weighted Target Groups
- Elastic Contained Service Swapping
Secure Content Delivery
- Introduction to Content Delivery Networks
- Restricting Origin Access with Origin Access Identities
- CloudFront Trusted Signing and Access Control with Signed Cookies and URLs
- Configuring Cross-Origin Resource Sharing Security with Bucket Policies
Microservice Security
- Microservice Architecture Attack Surface
- Microservice Security
Serverless Security
- Overview of Serverless Computing
- Serverless Security Considerations
- Azure Functions/AWS Lambda
- Security Automation with Lambda
Overview
Expanding on the foundation from previous sections, DevSecOps practitioners now shift to leveraging cloud services to automate security compliance. We start by deploying and configuring a cloud web application firewall with monitoring, attack detection, and active defense capabilities to catch and block bad actors. Next, we implement continuous compliance scanning for cloud misconfigurations. Finally, we work on enforcing policy as code to detect and correct cloud configuration drift.
Exercises
- Security Automation with the AWS WAF
- Continuous Cloud Auditing with CloudMapper
- Policy as Code with Cloud Custodian
- NetWars (Day 5): Cloud & DevOps Security Bonus Challenges
Topics
Runtime Security Automation
- Insufficient Attack Protection
- Cloud Web Application Firewalls
- Azure FrontDoor
- AWS Security Automations Project
- Blocking Bat Bots with Honeypot Endpoints
- Writing a Custom WAF Rule
- RASP / IAST
Continuous Auditing
- Audit Defense Toolkit
- InSpec
- Cloud Security CIS Benchmarks
- CloudMapper
Cloud Security Monitoring
- Azure Security Center
- Azure Log Analytics
- AWS Security Hub
- AWS CloudTrail
- Cloud Custodian

GIAC Cloud Security Automation

“The GIAC Cloud Security Automation (GCSA) certification covers cloud services and modern DevSecOps practices that are used to build and deploy systems and applications more securely. The certification shows that you not only know how to speak the language of modern cloud and DevSecOps principles but can put them into practice in an automated and repeatable manner.” - Frank Kim, SEC540 Course Co-Author

Using cloud services with Secure DevOps principles, practices, and tools to build & deliver secure infrastructure and software
Automating Configuration Management, Continuous Integration, Continuous Delivery, and Continuous Monitoring
Use of open-source tools, the Amazon Web Services toolchain, and Azure services

Prerequisites

Course Prerequisites

Courses or equivalent experiences that are prerequisites for SEC540:

SEC488: Cloud Security Essentials

Familiarity with Linux command shells and associated commands
Basic understanding of common application attacks and vulnerabilities (e.g., OWASP Top 10)
Hands-on experience using the AWS and Azure Cloud recommended

Preparing for SEC540

Students taking SEC540 will have the opportunity to learn and use a number of DevOps and cloud tools during the hands-on exercises. Getting a head start on the following tools, technologies, and languages will help students enjoy their lab experience:

Running basic Git commands (clone, add, commit, push): https://docs.gitlab.com/ee/gitlab-basics/start-using-git.html
Using GitLab for version control: https://docs.gitlab.com/ee/gitlab-basics/
Jenkins Getting Started Guide: https://jenkins.io/doc/book/getting-started/
Learning Puppet: https://puppet.com/docs/puppet/6.5/puppet_language.html
YAML: https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
AWS CloudFormation Templates (YAML & JSON): https://aws.amazon.com/cloudformation/aws-cloudformation-templates/
Terraform HCL: https://www.terraform.io/docs/configuration/syntax.html

Laptop Requirements

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

!!! IMPORTANT NOTICE !!!

Mandatory: Students must bring their own AWS and Azure accounts to complete the cloud exercises. Please ensure you have done the following before class starts:

Register for a personal free-tier account.
Activate your new account.
Log in to the AWS Console with your root account.
Browse to the EC2 Service and verify that you see the dashboard (not an activation screen).
In the top right-hand corner of the page, select one the following supported regions (preferably the region closest to where the course is running or you live):

U.S. East (Northern Virginia)
U.S. West (Oregon)
E.U. (Ireland)
Asia Pacific (Tokyo)

6. From the left navigation bar, select "Limits."

7. Verify that you have at least 10vCPUs for On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances.

8. If your limits are less than 10 vCPUs, please start by creating a new t2.micro instance. Creating a new instance often causes the limits to increase automatically. If your limits do not automatically increase (wait 30 minutes to check again), request an increase to open a ticket with the AWS support team. More details can be found in the AWS EC2 Service Limits documentation.

Microsoft Azure

1. Browse to the Azure Portal.

2. Register for a personal 12-month free account.

BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:

A properly configured system is required for each student participating in this course. Before starting your course, carefully read and follow these instructions exactly:

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
Download and install 7-Zip (for Windows Hosts) or Keka (macOS). Without these extraction tools, you'll be unable to extract large archives we'll supply to you in class.
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class.
If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.

Mandatory Host Hardware Requirements

CPU: 64-bit 2.5+ GHz multi-core processor or higher
BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! - 16GB of RAM is MANDATORY)
Working USB 2.0 or higher port
Wireless Ethernet 802.11 B/G/N/AC
Local Administrator Access within your host operating system

Mandatory Host Operating System Requirements

You must use a 64-bit laptop with one of the following operating systems that have been verified to be compatible with course VMware image:

Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

Mandatory Software Requirements

Prior to class, ensure that the following software is installed on the host operating system:

VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
Zip File Utility (7Zip or the built-in operating system zip utility)

In summary, before beginning the course you should:

Have a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system.
Install VMware (Workstation or Fusion).
Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled.
Download the SEC540 Lab Setup Instructions and Course Media from your sans.org account.
Register a NEW AWS free-tier account prior to the start of the class at https://aws.amazon.com/.
Register a NEW Azure free-tier account prior to the start of class at https://azure.microsoft.com/en-us/free/.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement

"DevOps and the cloud are radically changing the way that organizations design, build, deploy, and operate online systems. Leaders like Amazon, Etsy, and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning, improving, and growing - and leaving their competitors far behind. Now DevOps and the cloud are making their way from Internet 'Unicorns' and cloud providers into enterprises.

"Traditional approaches to security can't come close to keeping up with this rate of accelerated change. Engineering and operations teams that have broken down the 'walls of confusion' in their organizations are increasingly leveraging new kinds of automation, including Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers, and cloud service platforms. The question is: Can security take advantage of the tools and automation to better secure its systems?

"Security must be reinvented in a DevOps and cloud world."

- Ben Allen, Jim Bird, Eric Johnson, and Frank Kim

"Instructor's insight and knowledge of the materal and how to apply it in real life scenarios was very valuable." - Chris Turvey, Southeastern Grocers

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

In Person (5 days)

Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend SEC540?

Anyone working in or transitioning to a public cloud environment
Anyone working in or transitioning to a DevOps environment
Anyone who wants to understand where to add security checks, testing, and other controls to cloud and DevOps Continuous Delivery pipelines
Anyone interested in learning how to migrate DevOps workloads to the cloud, specifically Amazon Web Services (AWS) and Microsoft Azure
Anyone interested in leveraging cloud application security services provided by AWS
Developers
Software architects
Operations engineers
System administrators
Security analysts
Security engineers
Auditors
Risk managers
Security consultants

"There is value whether entry, mid- to manager." - Alex Rams

See prerequisites

Reviews

Great course! Excellent instructor! Lots of hands-on! Met my expectations definitely and I will absolutely recommend it to other people.

Sandro Blatter

SBB

SEC540 truly deserves the 5 of 5 excellent rating. I really can't express how impressed I am with my first SANS course.

Dwayne Sander

ALERRT

This course definitely makes security in DevOps more relatable and concrete. Love that we are asked to fix issues.

Stephen Germain

Disney

SEC540: Cloud Security and DevOps Automation

GIAC Cloud Security Automation (GCSA)

Course Authors:

Ben Allen

Jim Bird

Frank Kim

Eric Johnson

What You Will Learn

Syllabus (38 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

GIAC Cloud Security Automation

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend SEC540?

Reviews

Find ways to take this course