Secure Japan 2020
Tokyo, Japan | Mon, Mar 2 - Sat, Mar 14, 2020SANS Secure Japan 2020 to Proceed with Appropriate Safety Measures.
We are currently planning to proceed with SANS Secure Japan 2020, running March 2 to March 14. The following two courses have been cancelled:
- SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- SEC545: Cloud Security Architecture and Operations
The remaining seven courses will run as scheduled.
Students to Receive Online Course Access Where Available
Registered students at SANS Secure Japan will also receive OnDemand access to their selected courses at no additional charge, except for students of SEC760 which is not available OnDemand. SANS OnDemand training format delivers SANS expert instructors, custom course content, hands-on labs, e-learning tools, subject-matter expert support, and archived lectures with unlimited course access for four months.
SANS is providing a number of training alternatives for students who are registered for courses that have been cancelled, or for others attending the event. Contact japan@sans.org for more information about these options.
At the Japan event, we will follow all protocols recommended by the Japanese government. We will be temperature screening and making available hand sanitizer and masks for event participants and SANS staff.
Anyone who is feeling unwell will be provided with a mask and be advised to promptly seek medical attention. SANS will provide access to the OnDemand version of their course, where available, to students who must leave the event early so that they can complete their training online.
SEC401: Security Essentials Bootcamp Style will be taught in Japanese using Japanese language course materials. All other courses will use English language course materials and be taught in English with simultaneous translation in Japanese.
SEC540: Cloud Security and DevOps Automation
Mon, March 9 - Fri, March 13, 2020
Associated Certification: GIAC Cloud Security Automation (GCSA)
Course Syllabus · 38 CPEs · Lab Requirements
Instructor: Eric Johnson
SEC540 provides development, operations, and security professionals with a methodology to build and deliver secure infrastructure and software using DevOps and cloud services. Students will explore how the principles, practices, and tools of DevOps can improve the reliability, integrity, and security of on-premise and cloud-hosted applications.
Starting with on-premise deployments, the first two days of the course examine the Secure DevOps methodology and its implementation using lessons from successful DevOps security programs. Students will gain hands-on experience using popular open-source tools such as Puppet, Jenkins, GitLab, Vault, Grafana, and Docker to automate Configuration Management ("infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring. The lab environment starts with a CI/CD pipeline that automatically builds, tests, and deploys infrastructure and applications. Leveraging the Secure DevOps toolchain, students perform a series of labs injecting security into the CI/CD pipeline using a variety of security tools, patterns, and techniques.
After laying the DevSecOps foundation, the final three days move DevOps workloads to the cloud, build secure cloud infrastructure, and deliver secure software. SEC540 provides in-depth analysis of the Amazon Web Services (AWS) toolchain, while lightly covering comparable services in Microsoft Azure. Using the CI/CD toolchain, students build a cloud infrastructure that can host containerized applications and microservices. Hands-on exercises analyze and fix cloud infrastructure and application vulnerabilities using security services and tools such as API Gateway, Identity and Access Management (IAM), CloudFront Signing, Security Token Service (STS), Key Management Service (KMS), managed WAF services, serverless functions, CloudFormation, AWS Security Benchmark, and much more.
SEC540 Will Prepare You To:
Understand the core principles and patterns behind DevOps:
- Recognize how work is done in DevOps and identify keys to success
Map and implement a Continuous Delivery/Continuous Deployment pipeline:
- Utilize Continuous Integration, Continuous Delivery, and Continuous Deployment workflows, patterns, and tools
- Identify the security risks and issues associated with DevOps and Continuous Delivery
Understand the DevSecOps methodology and toolchain:
- Use DevOps practices to secure DevOps tools and workflows
- Conduct effective risk assessments and threat modeling in a rapidly changing environment
- Design and write automated security tests and checks in CI/CD
- Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
- Implement self-serve security services for developers
- Inventory and patch your software dependencies
- Threat model and secure your build and deployment environment
Integrate security into production operations:
- Automate configuration management using infrastructure as code
- Secure container technologies (such as Docker)
- Build continuous monitoring feedback loops from production to engineering
- Securely manage secrets for continuous integration servers and applications
- Automate compliance and security policy scanning
Move your DevOps workloads to the cloud:
- Secure your Amazon Web Services account
- Understand the cloud architecture components
- Use Infrastructure as Code (specifically CloudFormation) to automate cloud infrastructure
- Incorporate security scanning into CodePipeline using CodeBuild
- Containerize applications with the EC2 Container Registry and EC2 Container Service
Consume cloud services to secure cloud applications:
- Protect sensitive secrets with KMS and the SSM Parameter Store
- Protect static content with CloudFront Signing
- Secure REST APIs with API Gateway
- Leverage serverless functions to authorize requests to the API Gateway
Automate cloud security and operations tasks:
- Patch systems with blue/green deployments
- Deploy the AWS WAF and write custom WAF rules
- Detect and respond to security events using CloudWatch and serverless functions
Student Notices and Requirements:
- Please plan to arrive 30 minutes early on Day 1 for lab preparation and set-up.. During this time, students can confirm that their Amazon Web Services (AWS) account is properly set up, ensure laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine. The instructor will be available to assist students with laptop prep and set-up from 8:30 - 9:00 AM. Class lecture begins at 9:00 AM (excludes vLive, Mentor, and OnDemand).
- An Amazon Web Services (AWS) account is required to do hands-on exercises during this course. Students must create an AWS account prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account in class.
- The estimated AWS cost for running the lab environment is $20 per week. Costs are significantly less for free-tier accounts.
- Optional Microsoft Azure bonus challenges are available to students. Completing the bonus requires students to create a Microsoft Azure account prior to the start of class.
- The estimated Azure cost for running the lab environment is $20 per week. Eligible free-tier accounts receive $200 in Azure credits (subject to verification and approval)
Course Syllabus
SEC540.1: Introduction to Secure DevOps
Eric Johnson
Mon Mar 9th, 2020
9:30 AM - 7:30 PM
Overview
SEC540 starts by introducing DevOps practices, principles, and tools. We will examine how DevOps works, how work is done in DevOps, and the importance of culture, collaboration, and automation.
Using case studies of DevOps "Unicorns" - the Internet tech leaders who have created the DevOps DNA - we'll consider how and why these leaders succeeded and examine the keys to their DevOps security programs.
We'll then look at Continuous Delivery, which is the DevOps automation engine. We'll explore how to build up a Continuous Delivery or Continuous Deployment pipeline, including how to fold or wire the DevSecOps security controls into the Continuous Delivery pipeline, and how to automate security checks and tests in Continuous Delivery.
Exercises
- Exploring CI/CD Tools and Pipelines
- Deployment Kata
- Pre-Commit Security: Git Hooks and Security Unit Testing
- Automating Static Analysis in CI
- Automating Dynamic Analysis in CI/CD
- NetWars (Day 1): Secure DevOps Bonus Challenges
CPE/CMU Credits: 8
Topics
- Introduction to DevOps
- Case Studies on DevOps Unicorns
- Working in DevOps
- Security Challenges in DevOps
- Building a CD Pipeline
- DevOps Deployment Data
- Secure Continuous Delivery
- Security in Pre-Commit
- Security in Commit
- Security in Acceptance
SEC540.2: Moving to Production
Eric Johnson
Tue Mar 10th, 2020
9:30 AM - 7:30 PM
Overview
Building on the ideas and frameworks developed in Section 1 of the course, and using modern automated configuration management tools like Puppet, Chef, and Ansible, you'll learn how secure Infrastructure as Code allows you to quickly and consistently deploy new infrastructure and manage configurations.
Because the automated CD pipeline is so critically important to DevOps, you'll also learn to secure the pipeline using a variety of defensive approaches.
As the infrastructure and application code moves to production, we'll spend the second half of the day exploring container security issues associated with tools such as Docker and Kubernetes, as well as how to protect secrets using Vault and how to build continuous security monitoring using Grafana, Graphite, and StatsD.
Finally, we'll discuss how to build compliance into Continuous Delivery, using the security controls and guardrails that have been built in the DevOps toolchain.
Exercises
- Configuration Management with Puppet
- Auditing Docker's Security
- Monitoring with Dashboards, Granfana, and Graphite
- Protecting Secrets with Vault
- Auditing with OpenSCAP
- NetWars (Day 2): Secure DevOps Bonus Challenges
CPE/CMU Credits: 8
Topics
- Secure Configuration Management Using Infrastructure as Code
- Securing Configuration Management and Continuous Integration/Continuous Delivery Pipelines
- Container Security, Hardening, and Orchestration
- Continuous Monitoring and Feedback Loops
- Secure Secrets Management
- Automating Compliance as Code
SEC540.3: Moving to the Cloud
Eric Johnson
Wed Mar 11th, 2020
9:30 AM - 7:30 PM
Overview
Observing DevOps principles, you'll learn to deploy infrastructure, applications, and the CI/CD toolchain into the cloud. This section starts with an overview of Amazon Web Services (AWS) and introduces the foundational tools and practices you'll need to deploy an automated infrastructure pipeline to the AWS cloud.
Students spend the second half of the day scanning and testing their cloud infrastructure code for common cloud misconfiguration vulnerabilities. Correcting and committing infrastructure code changes will trigger an automated infrastructure pipeline to harden the cloud infrastructure code.
Finally, students will explore cloud continuous integration and delivery tools, and leverage serverless computing to perform static analysis and software supply chain vulnerability scans before releasing containers into the orchestration services.
Exercises
- AWS Account Configuration and Hardening
- AWS Command Line Interface Automation
- Cloud Infrastructure Deployment with Jenkins Blue Ocean and CloudFormation
- Cloud Infrastructure Scanning and Hardening
- Security Scanning in CI/CD with CodeBuild and CodePipeline
- NetWars (Day 3): Cloud Infrastructure as Code Bonus Challenges
CPE/CMU Credits: 8
Topics
Introduction to the Cloud
- Cloud Provider Comparison
- Introduction to AWS Services
- Automation with the AWS Command Line Interface
Cloud Architecture Overview
- AWS Architecture Components
- CloudFormation Infrastructure as Code
- CloudFormation Static Analysis with CFN_NAG
- Automating Cloud Architecture with Jenkins Blue Ocean
Secure Cloud Deployment
- CodeCommit Security
- Cloud Container Orchestration
- Common Cloud Security Issues such as;
S3 Bucket Misconfiguration
- IAM Privilege Escalation
- Controlling Traffic Flow with NACLs and Security Groups
- Exposed Admin Access
- Applying Patches with Infrastructure as Code
- TLS Misconfiguration and Hardening
Security Scanning in CI/CD
- CodeBuild and CodePipeline Integrations
- Static Analysis with Serverless Functions (Lambda)
- Static Analysis with CodeBuild
- Integrating Jenkins and CodePipeline
SEC540.4: Cloud Application Security
Eric Johnson
Thu Mar 12th, 2020
9:30 AM - 7:30 PM
Overview
In this section, you'll learn to leverage cloud application security services to ensure that applications have appropriate encryption, authentication, authorization, and access control, while also maintaining functional and high-availability systems.
Starting with cloud data protection, we will explore the various encryption services and how to implement secrets management in the cloud. Leveraging that knowledge, students will learn to protect static website content served by a Content Delivery Network (CDN) using private key signing.
The second half of the day explores the world of microservices, protecting APIs with an API Gateway, and deploying serverless functions to manage authorization, data entitlements, and access control.
Exercises
- Encrypting Application Secrets with KMS and the SSM Parameter Store
- Securing CloudFront Content with Signed URLs
- Protecting REST Web Services with API Gateway
- Protecting APIs with Lambda and JSON Web Tokens (JWT)
- NetWars (Day 4): Cloud Application Security Bonus Challenges
CPE/CMU Credits: 8
Topics
Data Protection
- Data Storage (S3, RDS, DynamoDB)
- Secrets Management
- Approaches to Secrets Management
- Key Management Service
- Third-Party Solutions
Secure Content Delivery
- Introduction to Content Delivery Networks
- Restricting Origin Access with Origin Access Identities
- CloudFront Trusted Signing and Access Control with Signed Cookies and URLs
- Configuring Cross-Origin Resource Sharing Security with Bucket Policies
Microservice Security
- Microservice Architecture Attack Surface
- Microservice Security:
- Authentication with AWS Security Token Service, Identify Federation, and Web Identity Federation
- Authorization with JSON Web Tokens
- Service to Service MTLS
- REST Security
- API Gateway Security
Serverless Security
- Overview of Serverless Computing
- Serverless Security Considerations
- AWS Lambda
- Security Automation with Lambda
SEC540.5: Cloud Security Automation
Eric Johnson
Fri Mar 13th, 2020
9:30 AM - 5:30 PM
Overview
Expanding on the foundation of the previous sections, DevSecOps practitioners shift their focus in this course section to leveraging cloud services to automate security tasks. Students start by deploying a security path to an application using blue/green environments to minimize downtime.
Next, we review deploying and configuring a cloud web application firewall with monitoring, attack detection, and active defense capabilities to catch and block bad actors. Taking this concept to the next level, students finish off the course by building custom monitoring, detection, and enforcement of cloud compliance policies and hardening guidelines.
Exercises
- Deploying Security Patches Using Blue/Green Environments
- Security Automation with the AWS WAF
- Security Monitoring and Alerting with CloudWatch and CloudTrail
- Automating Cloud Compliance with the CIS AWS Security Benchmark Project
- NetWars (Day 5): Cloud Security Automation Bonus Challenges
CPE/CMU Credits: 6
Topics
Blue/Green Deployment Options
- EC2 DNS Routing
- EC2 Auto Scaling Groups
- ALB Launch Configuration
- ECS DNS Routing
- ECS Service Swapping
- ECS Task Definition
Security Automation
- Insufficient Attack Protection
- Cloud Web Application Firewalls
- AWS Security Automations Project
- Blocking Bat Bots with Honeypot Endpoints
- Writing a Custom WAF Rule
Security Monitoring and Compliance
- Exploring CloudWatch Logs and Metrics
- Enabling CloudTrail for Audit Logging
- Cloud Monitoring Services
- Third-Party Cloud Monitoring Solutions
- CIS Cloud Security Benchmarks
Additional Information
Lab Requirements
Laptop Requirements
Plan to arrive early on Day 1 (8:30 AM local time) for lab preparation and setup. During this time, students can confirm that their Amazon Web Services (AWS) account is properly set up, ensure laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine.
The instructor will be available to assist students with laptop prep and set-up from 8:30 - 9:00 AM. Class lecture begins at 9:00 AM (excludes vLive, Mentor, and OnDemand).
!!! IMPORTANT NOTICE !!!
It can take more than 24 hours for a new AWS free-tier account to become active. Please do the following at least one week prior to the start of class:
- Register for a personal free-tier account.
- Activate your new account.
- Log in to the AWS Console with your root account.
- Browse to the EC2 Service and verify that you see the dashboard (not an activation screen).
- In the top right-hand corner of the page, select one the following supported regions (preferably the region closest to where the course is running):
- U.S. East (Northern Virginia)
- U.S. West (Oregon)
- E.U. (Ireland)
- Asia Pacific (Tokyo)
6. From the left navigation bar, select "Limits."
7. Verify that you have at least 5 t2.micro instances available
8. If your limits are less than 5 t2.micro instances, please start by creating a new t2.micro instance. Creating a new instance often causes the limits to increase automatically. If your limits do not automatically increase (wait 30 minutes to check again), request an increase to open a ticket with the AWS support team. More details can be found in the AWS EC2 Service Limits documentation.
BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:
A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly:
Download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to the start of the class.
- If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 14.0, VMware Fusion 10.0, or VMware Workstation Player 14.0.
- If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
Mandatory Host Hardware Requirements
- CPU: 64-bit 2.5+ GHz multi-core processor or higher
- BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
- Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
- Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT - 16GB of RAM is MANDATORY)
- Working USB 2.0 or higher port
- Wireless Ethernet 802.11 B/G/N/AC
- You must have Local Administrator Access within your host operating system
Mandatory Host Operating System Requirements
You must bring a 64-bit laptop with one of the following operating systems that have been verified to be compatible with course VMware image:
- Windows (8 or 10)
- Mac OS X (Sierra, High Sierra, Mojave)
Mandatory Software Requirements
Prior to class, ensure that the following software is installed on the host operating system:
- VMware Workstation Pro 14.0, VMware Fusion 10.0, or VMware Workstation Player 14.0
- Zip File Utility (7Zip or the built-in operating system zip utility)
In summary, before beginning the course you should:
- Bring a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system.
- Install VMware (Workstation, Workstation Player, or Fusion).
- Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled.
- Verify that the USB drive is active and capable of mounting an exFAT file system. (The course VM will be copied onto your laptop from a USB key provided by SANS.)
- Register a NEW AWS free-tier account prior to the start of the class at https://aws.amazon.com/.
- Register a NEW Azure free-tier account prior to the start of class at https://azure.microsoft.com/en-us/free/.
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
Who Should Attend
- Anyone working in or transitioning to a public cloud environment
- Anyone working in or transitioning to a DevOps environment
- Anyone who wants to understand where to add security checks, testing, and other controls to cloud and DevOps Continuous Delivery pipelines
- Anyone interested in learning to migrate DevOps workloads to the cloud, specifically Amazon Web Services (AWS)
- Anyone interested in leveraging cloud application security services provided by AWS
- Developers
- Software architects
- Operations engineers
- System administrators
- Security analysts
- Security engineers
- Auditors
- Risk managers
- Security consultants
Prerequisites
- Familiarity with Linux command shells and associated commands
- Basic understanding of common application attacks and vulnerabilities (e.g. OWASP Top 10)
- Hands-on experience using the AWS and Azure Cloud is recommended
Preparing for SEC540:
Students taking SEC540 will have the opportunity to learn and use a number of DevOps and Cloud tools during the hands-on exercises. Getting a head start on the following tools, technologies, and languages will help students enjoy their lab experience:
Running basic Git commands (clone, add, commit, push)
Using GitLab for version control
Hands-on Labs
SEC540 goes well beyond traditional lectures and immerses students in hand-on application of techniques in each section. Each lab includes a step-by-step guide to learning and applying hands-on techniques, as well as a "no hints" approach for those who want to stretch their skills and see how far they can get without following the guide. This allows each student, regardless of background, to choose a level of difficulty - always with a frustration-free fallback path.
SEC540 also offers students an opportunity to participate in NetWars Bonus Challenges each day. The gamified environment allows students to compete against each other in a race to win the SEC540 Challenge Coin, while also providing more hands-on experience with the cloud and DevOps toolchain.
Other Courses People Have Taken
Other Courses People Have Taken
Courses or equivalent experiences that are prerequisites for SEC540:
What You Will Receive
- Course books
- USB drive containing the course Virtual Machine (VM)
- A course VM containing a pre-built DevOps CI/CD toolchain, Cloud Security, and Secure DevOps lab exercises
- A VM-hosted wiki and a printed lab workbook for completing the lab exercises
This Course will Prepare You To:
- Build a Secure DevOps workflow in your organization
- Create automated security tasks in Continuous Integration/Continuous Delivery (CI/CD) systems
- Configure and run scanners from the Secure DevOps Toolchain
- Perform cloud infrastructure security audits for common misconfiguration vulnerabilities
- Wire cloud application security scans in cloud-hosted (CI/CD) systems
- Review and identify cloud encryption services for data storage vulnerabilities
- Perform secure secrets management using on-premise and cloud-hosted secrets management tools
- Audit microservice architectures for security vulnerabilities in containers, serverless, and API gateway appliances
- Leverage cloud automation to automate patching and software deployments without downtime
- Build serverless functions to monitor, detect, and actively defend cloud services and configurations
Press & Reviews
"SEC540 helped me understand the complex ecosystem of DevOps. I came away with a well-rounded understanding of how the different technologies work together and how security needs to be tied into the CI/CD aspect. More than that, I found a new enthusiasm to learn and explore DevOps. Eric Johnson, our instructor was the best person to teach this course as he is a practitioner of these technologies and he very gladly gave his time to help and answer questions during the labs. The labs were very well designed to drill the concepts home." - Uday Pothakamury, Citi
"It has helped me get a better handle on the SEC DEV OPS concepts." - Fausto Franco, NYS ITS
"Definitely makes security in Dev Ops more relatable and concrete. Love that we are asked to fix issues." - Stephen Germain, Disney
"Great course! Excellent instructor! Lots of hands-on! Met my expectations definitely and I will absolutely recommend it to other people." - Sandro Blatter, SBB
Authors Statement
"DevOps and cloud are radically changing the way that organizations design, build, deploy, and operate online systems. Leaders like Amazon, Etsy, and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning, improving, and growing - and leaving their competitors far behind. Now DevOps and the cloud are making their way from Internet 'Unicorns' and cloud providers into enterprises.
"Traditional approaches to security can't come close to keeping up with this rate of accelerated change. Engineering and operations teams that have broken down the 'walls of confusion' in their organizations are increasingly leveraging new kinds of automation, including Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers, and cloud service platforms. The question is: Can security take advantage of the tools and automation to better secure its systems?
"Security must be reinvented in a DevOps and cloud world."
- Ben Allen, Jim Bird, Eric Johnson, and Frank Kim
