Integrated DevSecOps

DevSecOps is the integration of security practices and principles into the DevOps process, with the aim of creating a more secure software development lifecycle. In this 2-day workshop, we will cover tips and tricks on how to increase security of software delivery supply chains and existing infrastructure.

What’s Inside

Day 1:

  • Introduction to DevSecOps
    • Definition of DevSecOps; the role of security in DevOps
    • Introduction into threat modeling, attack surface, vulnerability and risk management
    • Overview of DevSecOps tools and practices
  • Software supply chain security
    • Definition and importance of supply chain security
    • Supply chain elements: software packages/updates, CI/CD pipelines, external vendors, SaaS vendors
    • Software vendor management, compliance and regulatory requirements, incident response and recovery
    • Threats and risk management to supply chain security
    • Practical exercise: Conduct a supply chain risk assessment for a sample software product and develop a risk mitigation plan
    • Practical exercise: Develop an incident response plan for a supply chain security incident
  • Software Bill of Materials (SBOM)
    • Definition and purpose of SBOM in supply chain security
    • Overview of SBOM formats (e.g. SPDX, CycloneDX)
    • SBOM generation tools (e.g. OWASP Dependency-Track)
    • Practical exercise: Generate an SBOM for a sample software product using a SBOM generation tool and analyze it to identify potential security risks.
  • SIEM and log management
    • Introduction to security information and event management (SIEM)
    • SIEM components and architecture
    • Types of logs and log management
    • Log analysis and correlation
    • Real-time monitoring and alerting
    • Overview of popular SIEM tools (e.g. Splunk, ELK, LogRhythm)
    • Practical exercise: Install and configure a SIEM tool (ELK) and perform log analysis and correlation to identify potential security incidents.
  • Container and Orchestrator Security
    • Overview of containers and containerization
    • Container security risks
    • Secure container deployment
    • Container orchestration security
    • Popular container security tools (e.g. Aqua, Sysdig, Twistlock)
    • Practical exercise: Build and deploy a containerized application using a secure container platform (e.g. Docker , Kubernetes) and apply container security best practices.

Day 2:

  • Secret Management
    • Definition of secrets and their importance in security
    • Types of secrets (e.g. passwords, API keys, certificates)
    • Best practices for secret management (e.g. encryption, rotation, access control)
    • Secret management tools (e.g. HashiCorp Vault, AWS Secrets Manager)
    • Integration of secret management in CI/CD pipelines
    • Practical exercise: Implement a simple secret management solution using a tool like HashiCorp Vault and integrate it into a CI/CD pipeline.
  • Secure software development
    • Secure coding practices, secure software development lifecycle (SSDL) and threat modeling
    • Code scanners for security problems, integration of security scanners into CI/CD pipelines
    • Practical exercise: Develop a sample application and apply secure coding practices, perform threat modeling, and integrate security testing in a CI/CD pipeline.
    • Overview of the OWASP Top Ten security threats
    • A1: Injection flaws
    • A2: Broken authentication and session management
    • A3: Cross-site scripting (XSS)
    • A4: Security misconfigurations
    • A5: Insecure direct object references
    • A6: Cross-site request forgery (CSRF)
    • A7: Using components with known vulnerabilities
    • A8: Insufficient logging and monitoring
    • Other security risks
    • Practical exercise: Perform a hands-on assessment of a web application, identify and exploit at least one OWASP Top Ten vulnerability.
  • Open-Source Security
    • Open-source software security risks
    • Vulnerability management in open-source software
    • Popular open-source security tools (e.g. OWASP Dependency-Check, SonarQube)
    • Practical exercise: Perform a hands-on assessment of an open-source software package using an open-source vulnerability scanner (e.g. OWASP Dependency-Check) and integrate static code analysis using an open-source tool (e.g. SonarQube).
  • Version Control Security
    • Git commit signing and verification
    • Git permissions models
    • Practical exercise: Configure Git commit signing with GPG and sign and verify Git commits.

Õppekavarühm: 0613 Tarkvara ja rakenduste arendus ning analüüs.

Lecturer’s Linkedin

Tähelepanu! Teie veebilehtiseja ei vasta kodulehe külastamiseks vajalikele nõuetele. Palun vahetage veebilehitsejat või seadet, millega te veebilehte sirvite.

Attention! Teie veebilehtiseja ei vasta kodulehe külastamiseks vajalikele nõuetele. Palun vahetage veebilehitsejat või seadet, millega te veebilehte sirvite.

Внимание! Teie veebilehtiseja ei vasta kodulehe külastamiseks vajalikele nõuetele. Palun vahetage veebilehitsejat või seadet, millega te veebilehte sirvite.