DevSecOps Discoverer Edition

Sold Out
We45
Abhay Bhargav
Beginner / Intermediate
2 Days
Sun 20 Nov - Mon 21 Nov
Venue:

Radisson Blu Hotel, Riyadh Qurtuba
Al Thumama Road, Riyadh, 11263, Saudi Arabia

Timings:
  • Registration starts at 8am
  • Training from 9am to 5pm
Topics:
  • The Problem with the old models of Application Delivery
  • Introduction to Static Application Security Testing (SAST) for Continuous Integration
  • Introduction to SemmleQL/CodeQL
  • Dynamic Application Security Testing with Continuous Integration
  • Concepts of DAST with Security Testing
  • Application Security Automation – Deep-Dive
  • Introduction to Robot Framework
  • Identifying Insecure Software Libraries in Continuous Integration
  • Software Bill of Materials (SBOM) and Source Composition Analysis
  • Introduction to IAST and RASP
  • Application Security Pipelines in Continuous Integration Suites
  • Application Vulnerability Correlation and Management
  • DevSecOps - Cloud Focus
  • Security Automation in the Cloud with Terraform, AWS-CDK and boto3
Overview

Managing comprehensive security for continuous delivery of applications across organizations continues to remain a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging.

This training is designed to give a practical approach to implementing security across Continuous Delivery Pipelines by leveraging the plethora of cloud offerings, and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work. The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud with detailed perspectives on implementing scalable security for cloud-native deployments. By the end of this 2-day training, attendees will have enough ideas and hands-on experience to successfully kick off DevSecOps implementations.

The training begins with a detailed view of Continuous Application Security, through Application Security Automation with SAST, DAST, SCA, IAST and RASP. We will focus on real-world tools and techniques to automate application security tooling in CI/CD pipelines, including a deep-dive into several popular Test Automation Frameworks like Tavern, Robot Framework and Selenium that can be leveraged extensively to parameterize application security tests with test automation scripts. All of this expertise will go into actually “building” security pipelines that can be integrated into the organization’s DevOps processes.

Subsequently, the training focuses on Cloud Security with a focus on Amazon Web Services (AWS), where we will use Terraform, AWS-CDK and Boto3 among other tools to deploy and configure security parameters and features for various Cloud services. The Cloud Security section of the class will also focus on integrating Cloud Vulnerability Assessment and Benchmark tools like Scout2, Prowler and CSSuite as part of the CI/CD Pipeline. For a more scalable approach to CI/CD on cloud, we will look into implementing SCA, SAST and DAST jobs with AWS Lambda and Fargate.

At the end of the training, participants will have immediate takeaways and practical techniques that they can use for their own implementations of DevSecOps, within their organization. The tools and frameworks detailed in the program are largely open-source or freely available, thereby ensuring that participants can actually implement these scalable DevSecOps programs without having to additionally invest in tooling. Several frameworks and tools used in this program have been developed by the authors of the program, as part of their extensive implementation expertise of DevSecOps, ranging from Cloud Security to Application Security Automation.

Who Should Take This Course:
  • Application Security Engineers
  • DevOps Professionals
  • Security Engineers
  • Security Managers who are trying to understand how they should implement Security for DevOps
  • Developers
  • Security Architects