AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Wednesday, January 22 • 9:00am - 5:00pm
The DevSecOps MasterClass - AppSec Edition [Day 2 of 2]

Course Abstract 
Managing comprehensive security for the continuous delivery of applications across organizations remains a serious bottleneck in the DevOps movement. Implementing effective security practices within delivery pipelines is methodologically challenging.

This training is designed to give a practical approach to implementing security across Continuous Delivery pipelines by leveraging the wide range of cloud offerings, and is backed by extensive hands-on labs, original research and real-world implementations of DevSecOps that work.

The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, along with Vulnerability Management and Correlation. It concludes with leveraging Security Automation in the Cloud, with detailed perspectives on implementing scalable security for cloud-native deployments.

By the end of this 2-day training, attendees will have enough ideas and hands-on experience to successfully kick off DevSecOps implementations. In addition, students will walk away with a powerful DevSecOps toolkit that can be used to integrate and orchestrate security tools. This training has been a popular, sold-out program at BlackHat USA 2019, CodeBlue Japan, and several OWASP events in the past.

Course Objectives 
* Practical and scalable Application Security Automation techniques that work across different segments of the Agile SDL or DevOps pipeline
* Integration of AppSec test activities in the CI/CD pipeline
* Leveraging open-source tools and test automation frameworks to integrate SAST, DAST, SCA and IAST in the CI/CD pipeline
* Leveraging automation techniques to implement security practices for cloud deployments

Training Syllabus 
Day 2

Application Security Pipelines in Continuous Integration Suites
  Approaches to Application Security Pipelines
    Ground Truths and Challenges with Security Pipelines
    Differences between traditional and security pipelines
    “Breaking the Build” - Myth and Reality
    False Positive Management
  Types of Application Security Pipelines
    Incremental Security Pipeline
    Autonomous Security Pipeline
    “Build-only” Security Pipeline
  Hands-on Labs
    Incremental Security Pipelines with Jenkins Pipeline Jobs
    Autonomous Pipelines with ThreatPlaybook (Application Security Automation Framework, built on Robot Framework) Recipes and Jenkins/Gitlab
    Asynchronous Security Pipelines with AWS Lambda and Fargate

Application Vulnerability Correlation and Management
  Approaches to Vulnerability Correlation and Orchestron
  Integrating Vulnerability Management with Bug Tracking/SDLC tools like JIRA
  Using Orchestron Community and Webhooks to manage and correlate vulnerabilities as part of Continuous Application Security

DevSecOps - Cloud Focus
  Intro to Cloud and Cloud Services
    Intro to AWS and AWS Service Offerings
    AWS Products and Service Offerings
    Azure and Google Cloud
    IaaS, PaaS, FaaS, and SaaS
    Variation in Services Management
  Security Services in the Cloud
    AWS Security Services
    Responsibility Matrix - AWS Services
    Security Responsibilities of Users vs AWS
    AWS Compliance and Security Implementations
    PCI-DSS, HIPAA, SOC, GDPR
    Common AWS Security Mistakes
  Security Automation in the Cloud with Terraform and boto3
    A Hands-on Introduction to Terraform and boto3 (Amazon SDK for Python)
    Hands-on: IAM => Roles, Policies, Groups and Users
    Host and Network Security Practices:
      Hands-on: VPC, Security Groups, Private and Public Subnets
      Hands-on: Host Security Assessment with automated deployments of hardening tools like Lynis
      Hands-on: Post-Deploy Vulnerability Assessment with Amazon Inspector and Vuls.io
      Hands-on: Security Configuration with AWS Config
  Security Automation with Cloud-Native Environments
    Hands-on: Leveraging AWS Lambda for Security Monitoring
    Hands-on: AWS Step Functions
    Hands-on: Code Pipeline and Azure DevOps
  Vulnerability Assessment for Cloud Environments
    Common Vulnerabilities in AWS environments
      IAM Sprawl => Demonstrated with multiple examples, including DynamoDB Injection
      S3
    Vulnerability Assessment for Cloud-Native environments:
      Scout2
      Prowler
      CSSuite
      Cloud-Custodian

Upon completion of this training, attendees will come away with:
* A wide range of implementation techniques and ideas, with hands-on experience, to implement a full-fledged Application Security Pipeline
* Battle-tested Application Security Automation techniques and practical Security Pipelines, using both conventional and unconventional approaches such as leveraging AWS Lambda and Fargate
* Detailed Cloud Security Automation coverage with Terraform and boto3, tools that are extensively used to provision cloud environments, giving participants immediate approaches to implementing scalable cloud security

Attendees will be provided with (by trainer)
* Instructions for the Labs
* Slides for the entire session + Speaker notes
* Access to we45 cloud labs
* Code snippets used and the setup files to configure lab
environment post-training

Attendees should bring
* A laptop with an SSH client and the ability to connect to WiFi networks in class
* (Optional) A BurpSuite license for one lab on BurpSuite automation; however, code will be provided for practice offline as well
* An AWS account with administrative access to the account. We will be using free-tier resources to provision and quickly deprovision resources through Terraform/boto3. We recommend NOT bringing work AWS accounts.

** Note on the Lab Environment **
The participants will be using our state-of-the-art lab management system, which has evolved over the years based on the feedback received from our trainings across the world. This eliminates the need for participants to bring high-compute machines with third-party applications installed, as is typically required for most trainings. The lab management system provisions on-demand lab servers that can be accessed via any browser, providing a terminal interface, code editor and all other dependencies necessary to run the labs.
This enables participants to walk into our trainings with any device that has a browser installed and take part in all hands-on labs. All artefacts such as code snippets, slides and setup scripts used in the training will be available for participants to download and use even after the training concludes!

Pre-requisites for attendees:
- Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
- Basic knowledge of Linux command line
- Basic knowledge of some (any) programming language
- Basic/Rudimentary understanding of Cloud concepts and services



Speakers

Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...


Wednesday January 22, 2020 9:00am - 5:00pm PST
Garden Terrace Room