AppSec California 2020

Course Abstract 
Managing comprehensive security for continuous delivery of applications across organizations continues to remain a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging.

This training is designed to give a practical approach of implementing Security across Continuous Delivery Pipelines by leveraging the plethora of cloud offerings and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.

The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud with detailed perspectives of implementing scalable security for cloud-native deployments. By the end of this 2-day training, attendees will have enough ideas and hands-on experience in-order to successfully kickoff DevSecOps implementations.

In addition, students will walk away with a powerful DevSecOps toolkit that can be used to integrate and orchestrate security tools This training has been very popular as a sold-out program in BlackHat USA 2019, CodeBlue Japan, as well as several OWASP events in the past.


Course Objectives 
* Practical and Scalable Application Security Automation Techniques that work across different segments of the Agile SDL or DevOps pipeline
* Integration of AppSec test activities in the CI/CD pipeline
* Leverage open-source tools and test automation frameworks to integrate SAST, DAST, SCA, IAST in the CI/CD Pipeline
* Leverage Automation Techniques to implement Security practices for Cloud Deploy

Training Syllabus 
Day 1
The Problem with the old models of Application Delivery
A Quick History of Agile and DevOps
The Coming of DevOps
The Need for Security in DevOps
Security in Continuous Integration
Security Integrations for Jenkins and other CI Tools
Introduction to Static Application Security Testing (SAST) for
Continuous Integration
Success Factors for SAST - Tool Focus
FindSecBugs
NodeJSScan
Bandit
Brakeman
MobSF (Mobile SAST)
Hands-on Labs - SAST Framework for CI Tools like Jenkins
Rolling out custom SAST Workflows – using Abstract Syntax Trees
and Regular Expressions
Hands-on SAST - Write your own AST checks for SAST
Dynamic Application Security Testing with Continuous Integration
Concepts of DAST with Security Testing
Security Automation Testing using BurpSuite Professional, OWASP
ZAP, w3af, Selenium, OpenAPI (Swagger)
Security Regression Tests - How to design and write them
Hands on Labs - Creating Parameterized Security Automation Testing
Scripts for w3af, OWASP ZAP, BurpSuite Pro and Selenium
Hands-on Labs: Leveraging Functional Test Automation with multiple
frameworks for Security Testing
Robot Framework
NighwatchJS
Tavern - REST API Testing
Puppeteer
Hands on labs - Integrating Custom Security Automation with Jenkins
and other CI Tools
Hands-on Automation for Security Regressions
Application Security Automation – Deep-Dive:
Hands-on:
OWASP ZAP Deep-Dive
Scan Policy
Extensions
Certificate Management
OWASP ZAP API Deep-Dive
OWASP ZAP Scripting Workshop
Create Active Scan Scripts for Custom Application Vulnerabilities
Create Zest Scripts for Authentication
OWASP ZAP API Testing with OpenAPI Specification
BurpSuite 2.0 API Deep-Dive
Scan
Leveraging Burp 2.x API with Selenium for testing browser-based
applications
Leveraging Burp 2.x API and (Tavern/RESTInstance/Chai) to test web
services and microservices
Scan Profiles with Audit and Crawl Profiles
BurpSuite Knowledge Definitions
Introduction to Robot Framework:
Introduction to BDD and ATDD Frameworks
Introduction to Robot Framework and its Declarative Syntax
Writing Application Security Test Recipes using Robot Framework
Hands-on: OWASP ZAP - Robot Framework Integration
Creating Parameterized AppSec Automation with Robot Framework,
Selenium, OWASP ZAP and BurpSuite Pro
Identifying Insecure Software Libraries in Continuous Integration
Hands-on Labs: OWASP Dependency Check and Dependency Track
Hands-on labs: RetireJS
Hands-on Labs: RoboNPMAudit
Hands-on Labs: Integrating Source Composition Analysis into the CI
Pipeline
Software Bill of Materials (SBOM) and Source Composition Analysis
Standardizing Software Metadata to identify security issues against
Third-Party Libraries
Hands-on Labs: Using CycloneDX and OWASP Dependency Track to
continuously track and monitor Software components in a CI Pipeline
with Jenkins/Gitlab
Hands-on: Using these techniques to create an "Continuous
Application Security Test Pipeline”
Introduction to IAST and RASP
Why IAST? Why RASP? And when to use it
A look at the tools for IAST and RASP
Hands-on Labs: Deploying IAST and RASP on an Intentionally
Vulnerable Java Application

Upon Completion of this training, attendees will know
A plethora of Implementation techniques and ideas with hands-on experience to be able to implement a full-fledged Application Security Pipeline

Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate

Detailed Cloud Security Automation coverage with Terraform and boto3. Tools that are extensively used to provision cloud environments. Gives participants immediate approaches to implement scalable cloud security

Attendees will be provided with (by trainer)
* Instructions for the Labs
* Slides for the entire session + Speaker notes
* Access to we45 cloud labs
* Code snippets used and the setup files to configure lab
environment post-training

Attendees should bring
* A Laptop with an SSH client and ability to connect to WiFi networks in class (Optional) BurpSuite License for 1 Lab around BurpSuite Automation
=> However, code will be provided for practice offline as well
* AWS Account with Administrative Access to the account. We will be using free-tier resources to provision and quickly deprovision resources through Terraform/boto3. Recommend to NOT bring work AWS accounts.

** Note on the Lab Environment **
The participants will be using our state-of-the-art lab management system that has evolved over the years based on the feedback received from our trainings across the world. This eliminates the need for participants to bring high-compute machines with third-party applications installed, that is typically required for most trainings. The lab management system provisions on-demand lab servers that can be accessed via. any browser providing a terminal interface, code-editor and all other dependencies that are necessary to run the labs.
This enables the participants to essentially walk into our trainings with any device that has a browser installed and they will be able to participate in all hands-on labs. All artefacts such as code snippets, slides and setup scripts used in the training will be available for the participants to download and use even after the training concludes!

Pre-requisites for attendees:
- Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
- Basic knowledge of Linux command line
- Basic knowledge of some (any) programming language
- Basic/Rudimentary understanding of Cloud concepts and services