Security East 2019

New Orleans, LA | Sat, Feb 2 - Sat, Feb 9, 2019
DEV540: Secure DevOps and Cloud Application Security

Mon, February 4 - Fri, February 8, 2019

As a developer who is responsible for infrastructure and security, this class was very useful for a broad, comprehensive overview of what I should be looking at, as well as deep dives on how to implement the solutions.

Kraig Hufstedler, Enterprise Holdings

I have a security background and interface with engineers/developers every day in my role; I'm finding the course very useful.

Devika Y, Bloomberg

DEV540 gives developers and security professionals the tools needed to build and deliver secure software using DevOps and cloud services, specifically Amazon Web Services (AWS). It explains how the principles, practices, and tools of DevOps and AWS can improve the reliability, integrity, and security of applications.

The first two days of the course examine the implementation of Secure DevOps using lessons from successful DevOps security programs. Using popular open-source tools such as GitLab, Puppet, Jenkins, Vault, Grafana, and Docker, you will create a secure DevOps CI/CD toolchain that can automatically build, test, and deploy infrastructure and applications. In a series of labs, you will inject security into your CI/CD toolchain using a variety of security tools, patterns, and techniques.

The final three days of the course will teach you to shift your DevOps workloads to the cloud and secure software using AWS. With your CI/CD toolchain, you will build a cloud infrastructure that can deploy applications and microservices to the cloud, instead of to local servers. You'll also analyze and fix cloud infrastructure and application vulnerabilities using AWS security services and tools such as API Gateway, IAM, CloudFront Signed URLs, Security Token Service, KMS, encryption, WAF, Lambda for Serverless computing, CFN NAG scanner, AWS Security Benchmark, and much more.

DEV540 makes extensive use of open-source materials and tooling for automated configuration management ("Infrastructure as Code"), Continuous Integration, Continuous Delivery, Continuous Deployment, containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring. It also uses Jenkins and AWS developer tools such as CloudFormation, CodeCommit, CodeBuild, CodePipeline, and other cloud application services, so you can experience the use of these services when securing infrastructure and applications.

DEV540 will prepare you to:

  • Understand the core principles and patterns behind DevOps:
    • Recognize how work is done in DevOps and identify keys to success
  • Map and implement a Continuous Delivery/Deployment pipeline:
    • Create a Value Stream Map of the processes and workflows to make code or configuration changes, from check-in to deployment and operations
    • Utilize Continuous Integration, Continuous Delivery, and Continuous Deployment workflows, patterns, and tools
    • Identify the security risks and issues associated with DevOps and Continuous Delivery
  • Map where security controls and checks can be added in Continuous Delivery and Continuous Deployment:
    • Conduct effective risk assessments and threat modeling in a rapidly changing environment
    • Design and write automated security tests and checks in CI/CD
    • Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
    • Implement self-serve security services for developers
    • Inventory and patch your software dependencies
    • Threat model and secure your build and deployment environment
  • Integrate security into production operations:
    • Automate security policies
    • Use container technologies (such as Docker) to enhance security
    • Automate compliance and run-time defense
    • Create continuous feedback loops from production to engineering
  • Create a plan to introduce or improve security in a DevOps environment:
    • Use DevOps practices to secure DevOps tools and workflows
  • Move your DevOps workloads to the cloud:
    • Secure your Amazon Web Services account
    • Use CloudFormation to create Infrastructure as Code
    • Build CI/CD pipelines using CodePipeline
    • Wire security scanning into CodePipeline using CodeBuild
    • Containerize applications with EC2 Container Registry and EC2 Container Service
    • Scale horizontally with load balancers and auto-scaling groups
  • Consume cloud services to secure cloud applications:
    • Protect sensitive secrets with KMS and the SSM Parameter Store
    • Protect static content with CloudFront Signing
    • Secure REST APIs with API Gateway
    • Implement an API Gateway custom authorization Lambda function
    • Deploy the AWS WAF and build custom WAF rules
    • Monitor security events using CloudWatch

Course Syllabus


Gregory Leonard
Mon Feb 4th, 2019
9:00 AM - 5:00 PM

Overview

The first course section introduces DevOps practices, principles, and tooling. We will examine how DevOps works, how work is done in DevOps, and the importance of culture, collaboration, and automation.

Using case studies of DevOps "Unicorns" - the Internet tech leaders who've created the DevOps DNA - we'll consider how and why these leaders succeeded, and examine the keys to their DevOps security programs.

We'll then look at Continuous Delivery, the DevOps automation engine. We'll explore how to build up a Continuous Delivery or Continuous Deployment pipeline, including how to fold or wire security controls into the CD pipeline, and how to automate security checks and tests in CD.

Exercises
  • Exploring CI/CD Tools and Pipelines
  • Deployment Data
  • Automating Static Analysis in CI
  • Automating Dynamic Analysis in CI/CD

CPE/CMU Credits: 6

Topics
  • Introduction to DevOps
  • Case Studies on DevOps Unicorns
  • Working in DevOps
  • Security Challenges in DevOps
  • Building a CD Pipeline
  • DevOps Deployment Data
  • Secure Continuous Delivery
  • Security in Pre-Commit
  • Security in Commit
  • Security in Acceptance

Gregory Leonard
Tue Feb 5th, 2019
9:00 AM - 5:00 PM

Overview

Building on the ideas and frameworks developed in Section 1, and using modern automated configuration management tools like Puppet, Chef, and Ansible, you'll learn how secure Infrastructure as Code allows you to quickly and consistently deploy new infrastructure and manage configurations.

Because the automated CD pipeline is so critically important to DevOps, you'll also learn to secure the pipeline, including RASP and other run-time defense technologies.

As the infrastructure and application code moves to production, we'll spend the second half of the day exploring container security issues associated with tools such as Docker and Kubernetes, as well as how to protect secrets using Vault and how to build continuous security monitoring using Grafana, Graphite, and StatsD.

Finally, we'll discuss how to build compliance into Continuous Delivery, using the security controls and guardrails that have been built in the DevOps toolchain.

Exercises
  • Managing Configuration with Puppet
  • Auditing Docker's Security
  • Monitoring with Dashboards, Grafana, and Graphite
  • Protecting Secrets with Vault
  • Auditing with OpenSCAP

CPE/CMU Credits: 6

Topics
  • Secure Infrastructure as Code: Building Security Policies into Infrastructure Code
  • Security with Puppet Lab
  • Securing Your CD Pipeline
  • Threat Modeling and Locking Down Your Build and Deployment Environment
  • Run-time Defense: RASP, IAST and other run-time security solutions
  • Container Security: Introduction to Containers, Docker, and Docker Security Risks and Tools
  • Security in Monitoring; Using Production Metrics and Insight to Drive Improvements in Your Security Program
  • Red Teaming, Bug Bounties, and Blameless Postmortems
  • Managing Secrets: The Problem of Secrets in an Automated Environment; Patterns and Anti-patterns for Managing Secrets
  • Compliance as Code: How to Satisfy Compliance Requirements Using Continuous Delivery and Continuous Deployment


Gregory Leonard
Wed Feb 6th, 2019
9:00 AM - 5:00 PM

Overview

Observing DevOps principles, you'll learn to deploy infrastructure, applications, and CI/CD toolchain into the cloud. This section provides an overview of Amazon Web Services (AWS) and introduces the foundational tools and practices you'll need to securely deploy your applications in the cloud.

Exercises
  • AWS Account Configuration and Hardening
  • AWS CLI Automation
  • Cloud Infrastructure Deployment with Jenkins Blue Ocean and CloudFormation
  • Cloud Infrastructure Scanning and Hardening
  • Security Scanning in CI/CD with CodeBuild and CodePipeline

CPE/CMU Credits: 6

Topics

Introduction to the Cloud

  • Cloud Provider Comparison
  • Introduction to AWS Services
  • Automation with the AWS Command Line Interface

Cloud Architecture Overview

  • AWS Architecture Components
  • CloudFormation Infrastructure as Code
  • CloudFormation Static Analysis with CFN_NAG
  • Automating Cloud Architecture with Jenkins Blue Ocean

Secure Cloud Deployment

  • CodeCommit Security
  • Cloud Container Orchestration
  • Common Cloud Security Issues such as:
    • S3 Bucket Misconfiguration
    • IAM Privilege Escalation
    • Controlling Traffic Flow with NACLs and Security Groups
    • Exposed Admin Access
    • Applying Patches with Infrastructure as Code
    • TLS Misconfiguration and Hardening

Security Scanning in CI/CD

  • CodeBuild and CodePipeline Integrations
  • Static Analysis with Serverless Functions (Lambda)
  • Static Analysis with CodeBuild
  • Integrating Jenkins and CodePipeline


Gregory Leonard
Thu Feb 7th, 2019
9:00 AM - 5:00 PM

Overview

In this section, you'll learn to leverage cloud application security services to ensure that applications have appropriate encryption, authentication, authorization, and access control, while also maintaining functional and high-availability systems.

Exercises
  • Encrypting Application Secrets with KMS and the SSM Parameter Store
  • Securing CloudFront Content with Signed URLs
  • Protecting REST Web Services with API Gateway
  • Protecting APIs with Lambda and JSON Web Tokens (JWT)

CPE/CMU Credits: 6

Topics

Data Protection

  • Data Storage (S3, RDS, DynamoDB)
  • Secrets Management
    • Approaches to Secrets Management
    • Key Management Service
    • Third-Party Solutions

Secure Content Delivery

  • Introduction to Content Delivery Networks
  • Restricting Origin Access with Origin Access Identities
  • CloudFront Trusted Signing and Access Control with Signed Cookies and URLs
  • Configuring Cross-Origin Resource Sharing Security with Bucket Policies

Microservice Security

  • Microservice Architecture Attack Surface
  • Microservice Security:
    • Authentication with AWS Security Token Service, Identity Federation, and Web Identity Federation
    • Authorization with JSON Web Tokens
    • Service-to-Service mTLS
    • REST Security
  • API Gateway Security

Serverless Security

  • Overview of Serverless Computing
  • Serverless Security Considerations
  • AWS Lambda
  • Security Automation with Lambda


Gregory Leonard
Fri Feb 8th, 2019
9:00 AM - 5:00 PM

Overview

Expanding on the foundation of the previous sections, we'll now focus on leveraging cloud services to automate security tasks such as deploying application patches to blue/green environments, deploying and configuring cloud web application firewalls, enabling cloud security monitoring, and automating cloud compliance scanning.

Exercises
  • Deploying Security Patches Using Blue/Green Environments
  • Security Automation with the AWS WAF
  • Security Monitoring and Alerting with CloudWatch and CloudTrail
  • Automating Cloud Compliance with the CIS AWS Security Benchmark Project

CPE/CMU Credits: 6

Topics

Blue/Green Deployment Options

  • EC2 DNS Routing
  • EC2 Auto Scaling Groups
  • ALB Launch Configuration
  • ECS DNS Routing
  • ECS Service Swapping
  • ECS Task Definition

Security Automation

  • Insufficient Attack Protection
  • Cloud Web Application Firewalls
  • AWS Security Automations Project
  • Blocking Bad Bots with Honeypot Endpoints
  • Writing a Custom WAF Rule

Security Monitoring

  • Exploring CloudWatch Logs and Metrics
  • Enabling CloudTrail for Audit Logging
  • Cloud Monitoring Services
  • Third-Party Cloud Monitoring Solutions

Cloud Compliance

  • Compliance with AWS Artifact
  • CSA Cloud Security Guidance Project
  • CIS Cloud and Container Security Benchmarks
  • AWS Security Benchmark Project

Additional Information

Laptop Requirements

Plan to arrive early on Day 1 (8:00 AM local time) for lab preparation and setup. During this time you can confirm that your AWS account is properly set up, ensure that your laptop has virtualization enabled, copy the lab files, and start the Linux virtual machine.

The instructor will be available to assist students with laptop prep and set-up from 8:00AM - 9:00AM. Class lecture begins at 9:00 AM (excludes vLive, Mentor, and OnDemand).

!!! IMPORTANT NOTICE:

It can take more than 24 hours for a new AWS free-tier account to become active. Please do the following at least one week prior to the start of class:

  1. Register for a personal free-tier account.
  2. Activate your new account.
  3. Log in to the AWS Console with your root account.
  4. Browse to the EC2 Service and verify that you see the dashboard (not an activation screen).
  5. In the top right-hand corner of the page, select one of the following supported regions (preferably the region closest to where the course is running):
    - U.S. East (Northern Virginia)
    - U.S. West (Oregon)
    - E.U. (Ireland)
    - Asia Pacific (Tokyo)
  6. From the left navigation bar, select "Limits."
  7. Verify that you have at least 5 t2.micro instances available.
  8. If your limit is less than 5 t2.micro instances, open a ticket with the AWS support team to request an increase.

BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly:

Download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to the start of the class.

  • If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 13.0, VMware Fusion 9.0, or VMware Workstation Player 13.0.
  • If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Host Hardware Requirements

  • CPU: 64-bit 2.5+ GHz multi-core processor or higher
  • Hard Disk: Solid-State Drive (SSD) is REQUIRED with 50GB of free disk space minimum
  • Memory: 16GB of RAM minimum
  • Working USB 2.0 or higher port
  • You must have Local Administrator Access within your host operating system
  • Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled

Mandatory Host Operating System Requirements

You must bring a 64-bit laptop with one of the following operating systems, which have been verified to be compatible with the course VMware image:

  • Windows (8 or 10)
  • Mac OS X (El Capitan, Sierra, High Sierra)

Mandatory Software Requirements

Prior to class, ensure that the following software is installed on the host operating system:

  • VMware Workstation Pro 13.0, VMware Fusion 9.0, or VMware Workstation Player 13.0
  • Zip File Utility (7Zip or the built-in operating system zip utility)

In summary, before beginning the course you should:

  • Bring a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system.
  • Install VMware (Workstation, Workstation Player, or Fusion).
  • Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled.
  • Verify that the USB drive is active and capable of mounting an exFAT file system. (The course VM will be copied onto your laptop from a USB key provided by SANS.)
  • Register a NEW AWS free-tier account prior to the start of the class at https://aws.amazon.com/.

Contact laptop_prep@sans.org with any questions about laptop specifications.

Who Should Attend

  • Anyone working in or transitioning to a DevOps environment
  • Anyone who wants to understand where to add security checks, testing, and other controls to DevOps and Continuous Delivery
  • Anyone interested in learning to migrate DevOps workflows to the cloud, specifically Amazon Web Services (AWS)
  • Anyone interested in leveraging cloud application security services provided by AWS
  • Developers
  • Software architects
  • Operations engineers
  • System administrators
  • Security analysts
  • Security engineers
  • Auditors
  • Risk managers
  • Security consultants

Prerequisites

  • A basic understanding of application security, common attacks, and vulnerabilities (e.g., the OWASP Top 10)
  • Familiarity with Agile development and Agile project/product management practices
  • Familiarity with Linux command shells and associated commands
  • Ability to understand basic coding concepts

This course goes well beyond traditional lectures and delves into literal application of techniques, reinforcing learning through a number of hands-on labs. The labs will include a step-by-step guide to learning and applying hands-on techniques, but they also employ a "no hints" approach for those who want to stretch their skills and see how far they can get without following the guide. This allows each student, regardless of background, to choose a level of difficulty - always with a frustration-free fallback path.

What You Will Receive

  • A course Virtual Machine (VM) containing a pre-built DevOps CI/CD toolchain and lab exercises
  • A USB drive containing the course VM
  • Course books
  • A lab workbook

Authors' Statement

"DevOps and cloud are radically changing the way that organizations design, build, deploy, and operate online systems. Leaders like Amazon, Etsy, and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning, improving, and growing - and leaving their competitors far behind. Now DevOps and the cloud are making their way from Internet 'Unicorns' and cloud providers into enterprises.

Traditional approaches to security can't come close to keeping up with this rate of accelerated change. Engineering and operations teams that have broken down the 'walls of confusion' in their organizations are increasingly leveraging new kinds of automation, including Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers, and cloud service platforms. The question is: can security take advantage of the tools and automation to better secure its systems?"

Security must be reinvented in a DevOps and cloud world.

- Ben Allen, Jim Bird, Eric Johnson, and Frank Kim