Course Overview
Please note attendees work together in teams of 5 as a minimum and the pricing advertised is per team of 5.
Course Content
This OpenHack enables attendees to add security-oriented tooling into their workflow and CI/CD tasks. This OpenHack simulates a real-world scenario where a development team is concerned, they might have leaked information in their web app that could expose their site to being hacked. This discovery has led the team to leverage DevSecOps practices to increase their security posture and catch issues early in the development process.
Technologies:
Microsoft Azure DevOps, Azure Key Vault, Azure Automation, Microsoft Security Code Analysis, Azure Kubernetes Service, Azure Container Registry, Azure Active Directory, Third Party Sonar Cloud, Aqua, Fossa, White Source,
Prerequisites
To be successful and get the most out of this OpenHack and to avoid any delays with downloading or installing tooling, you are encouraged to have the following ready to go.
- Install your choice of Integrated Development Environment (IDE) Software, i.e. [link=https://code.visualstudio.com/docs#download] Visual Studio / Visual Studio Code/ Eclipse / IntelliJ
- Download Azure CLI 2.0 – preferred version is 2.0.43 or Azure PowerShell
- Browser Client (e.g. Chrome/ Safari/ Firefox)
Course Objectives
During the “hacking” attendees will focus on leveraging available tools/tasks in Azure DevOps to enable best-practice oriented scenarios such as:
- Managing Secrets
- Enabling static analysis/ dependency/ container scanning
- Dynamic Application Security Testing
- Workflow and organization policy enforcement
By the end of the OpenHack, attendees will have built out a technical solution that enables secure development workflow taking into account recommended best practices, all found through real world engagements with S500 and Hi-Po partners.
Outline: OpenHack – DevSecOps (OHDVSCO)
Challenge 1: Managing Secrets
- Identify the tools and technologies that can help to protect from leaking credentials and secrets while in development
- Create a custom search pattern for secrets in your source code
Challenge 2: Secret Rotation
- Manage/Rotate secrets in dev/test/production environments
Challenge 3: Keep your code clean and vulnerability free
- Identify the tools and technologies that you will use find security issues early in your development process
- Design/implement a workflow that eliminates many issues and false positives using static code analysis and dependency scanning
- Analyze dependencies in code and scan containers for known vulnerabilities
Challenge 4: Automate penetration testing
- Scan for OWASP top 10 vulnerabilities
- Incorporate pen testing into UI Automation testing
- Adjust scoring algorithm based on your threat model (SMACD)
Challenge 5: Streamline and integrate workflow
- Learn techniques/ trade-offs to speed up execution and minimize impact to developer productivity.
- Integrate into PR based workflow to provide effective and timeline feedback from automation
- Enable bot automation to streamline false positive resolution in external systems such as sonarcloud
Challenge 6: Apply security policy to your organization
- Make DevSecOps mandatory for all PR merges to master branches for your organization
- Reject a push to repository that contains secrets
Challenge 7: Enable quality gates and resolve issues
- Implement quality gates
- Resolve some of the discovered issues
At the end of the event, we will provide content and a recommended set of task that can be incorporated into a dev crew engagement to enable some of the practices that are covered during the event.