*Friday CLOSED

Timings 10.00 am - 08.00 pm

Call : 021-3455-6664, 0312-216-9325 DHA 021-35344-600, 03333808376, ISB 03333808376

by fatima
Price:  260,000
2 Months/20 Hours

Cloud Security and DevSecOps Automation

Organizations are moving to the cloud to enable digital transformation and reap the benefits of cloud computing. However, security teams struggle to understand the DevOps toolchain and how to introduce security controls in their automated pipelines responsible for delivering changes to cloud-based systems. Without effective pipeline security controls, security teams lose visibility into the changes released into production environments.


Course Key Learnings:

  • Understand how DevOps works and identify keys to success
  • Wire security scanning into automated CI/CD pipelines and workflows
  • Build continuous monitoring feedback loops from production to engineering
  • Automate configuration management using Infrastructure as Code (IaC)
  • Secure container technologies (such as Docker and Kubernetes)
  • Use native cloud security services and third-party tools to secure systems and applications
  • Securely manage secrets for Continuous Integration servers and applications
  • Integrate cloud logging and metrics
  • Perform continuous compliance and security policy scanning

BUSINESS TAKEAWAYS

  • Build a security team that understands modern cloud security and DevSecOps practices
  • Partner with DevOps and engineering teams to inject security into automated pipelines
  • Leverage cloud services and automation to improve security capabilities
  • Ensure your organization is ready for cloud migration and digital transformation initiatives

Course Content:

Module 1: DevOps Security Automation

Overview

SEC540 starts by introducing DevOps practices, principles, and tools by attacking a vulnerable Version Control and Continuous Integration System configuration. Students gain an in-depth understanding of how the toolchain works and the risks these systems pose, and identify key weaknesses that could compromise the workflow. Next, we’ll examine the security features available in various Continuous Integration (CI) and Continuous Delivery (CD) systems, such as Jenkins, GitHub, GitLab, Azure DevOps, and AWS CodePipeline, and then start hardening the environment. After automating various code analysis tools and discovering insecurely stored secrets, students will focus on storing sensitive data in secrets management solutions such as HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault.

Exercises

  • Attacking the DevOps Toolchain
  • Version Control Security
  • Automating Static Analysis
  • Protecting Secrets with Vault
  • CloudWars (Section 1): Cloud & DevOps Security Bonus Challenges

Topics

DevOps and Security Challenges

  • Understand the Core Principles and Patterns behind DevOps
  • Recognize how DevOps works and identify keys to success

DevOps Toolchain

  • Build CI/CD pipelines using Jenkins, CodePipeline, and Azure DevOps
  • GitFlow
  • GitHub Actions
  • GitLab CI/CD
  • Jenkins
  • Securing DevOps Workflows
  • Threat model and secure your build and deployment environment

Secure DevOps tools and workflows

  • Conduct effective risk assessments and threat modeling in a rapidly changing environment
  • Design and write automated security tests and checks in CI/CD
  • Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
  • Inventory and patch your software dependencies
  • Wire security scanning into Jenkins, CodePipeline, and Azure DevOps workflows

Pre-Commit Security Controls

  • Rapid Risk Assessment
  • Git Hook Security
  • Code Editor Extensions
  • Branch Protections
  • CodeOwners
  • Peer Reviews

Commit Security Controls

  • Static Analysis Security Testing
  • Component Analysis

Secrets Management

  • Managing secrets in CI / CD
  • Azure Key Vault
  • AWS SSM Parameter Store
  • AWS Secrets Manager
  • HashiCorp Vault

Module 2: Cloud Infrastructure Security

Overview

Section 2 challenges students to use their DevOps skills to deploy a code-driven cloud infrastructure with AWS CloudFormation and Terraform using more than 150 cloud resources. Students perform a cloud network assessment, identify insecure network configurations, and harden the network traffic flow rules. Moving to cloud virtual machines, students learn how to automate configuration management and build gold images using Ansible, Vagrant, and Packer. To finish the day, students focus on scanning and hardening container images before deploying workloads to the cloud.

Exercises

  • Infrastructure as Code Network Hardening
  • Gold Image Creation
  • Container Security Hardening
  • Automating Dynamic Analysis
  • CloudWars (Section 2): Cloud & DevOps Security Bonus Challenges

Topics

Cloud Infrastructure as Code

  • Introduction to Cloud Infrastructure as Code
  • AWS CloudFormation
  • Terraform
  • Deploying
  • Cloud Infrastructure as Code security analysis

Configuration Management as Code

  • Automating Configuration Management in CI / CD
  • Using Ansible to Configure Virtual Machines
  • Building Gold Images with Vagrant and Packer
  • Certifying Gold Images with InSpec

Container Security

  • Dockerfile and BuildKit Security
  • Base Image Hardening with Hadolint and Conftest
  • Container Image Security
  • Scanning Container Images with Docker Scan and Trivy
  • Container Registry Security
  • Container Scanning with AWS ECR and Azure ACR
  • Container Runtime Security

Acceptance Stage Security

  • Dynamic Application Security Testing
  • Vulnerability Management in DevSecOps

Module 3: Cloud Security Operations

Section 3 prepares students to deploy and run containerized workloads in cloud-native orchestration services such as AWS Elastic Container Service (ECS) and Azure Kubernetes Service (AKS). Students analyze the cloud resources, identify common security misconfigurations, and leverage automation to quickly secure the workloads. The focus then shifts to monitoring workloads, analyzing log files, detecting an attack in real time, and sending alerts to the security team. Students finish the section by examining cloud-native data protection capabilities and encrypting sensitive data.

Exercises

  • Cloud Workload Security Review
  • Cloud-Hosted CI/CD Guardrails
  • Continuous Security Monitoring
  • Data Protection Services
  • CloudWars (Section 3): Cloud & DevOps Bonus Challenges

Topics

Cloud Deployment & Orchestration

  • Azure Pipelines
  • AWS CodePipeline
  • Cloud Container Orchestration
  • Elastic Container Service (ECS)
  • Azure Kubernetes Service (AKS)

Cloud Workload Security

  • Cloud Storage Access Control
  • Workload Identity & Privilege Escalation
  • TLS Misconfiguration and Hardening

Security in Cloud CI/CD

  • Software Composition Analysis
  • AWS CodeBuild Security Integrations
  • Azure DevOps Security Extensions

Continuous Security Monitoring

  • Monitoring and feedback loops from production to engineering
  • Cloud logging and metrics
  • Azure Monitor & Log Analytics
  • Kusto Query Language (KQL)
  • AWS CloudWatch Logs Insights
  • AWS CloudWatch Dashboards
  • osquery
  • Automated Slack Alerts

Data Protection Services

  • Azure Key Vault
  • Azure Service Integration
  • AWS KMS
  • AWS Service Integration

Module 4: Cloud Security as a Service

Overview

Section 4 starts with students learning to leverage cloud-native services to patch containerized workloads and secure content delivery networks. From there, the discussion shifts to microservice architectures, best practices, and micro-segmentation with API Gateways. Finally, students learn how to build and deploy Functions as a Service (FaaS), such as Lambda and Azure Functions, along with resources to add guardrails to the microservice environment.

Exercises

  • Deploying Security Patches Using Blue/Green Environments
  • Securing Content with Signed URLs
  • Protecting REST Web Services with API Gateway
  • Protecting APIs with Serverless and JSON Web Tokens
  • CloudWars (Section 4): Cloud & DevOps Security Bonus Challenges

Topics

Blue/Green Deployment Options

  • Cloud Services for Blue/Green Deployments
  • Azure Application Gateway
  • Azure Kubernetes Services
  • AWS EC2 DNS Routing
  • AWS ALB Weighted Target Groups
  • AWS Elastic Container Service Swapping

Secure Content Delivery

  • Azure Content Delivery Network (CDN)
  • Azure CDN Token Authentication & Policies
  • AWS CloudFront
  • AWS CloudFront Origin Access Identities (OAI)
  • AWS CloudFront Signing
  • CDN Cross-Origin Resource Sharing Policies

Microservice Security

  • Microservice Architecture Attack Surface
  • Microservice Security Controls
  • Identity Federation & OpenID Connect (OIDC)
  • JSON Web Token (JWT) Security & Best Practices
  • Service Mesh Security Controls
  • Azure API Management
  • Azure API Management Custom Security Policies
  • Azure API Management Request Throttling
  • AWS API Gateway
  • AWS API Gateway Custom Authorizers
  • AWS API Gateway Request Throttling & Data Tracing

Serverless Security

  • Overview of Serverless Computing
  • Serverless Functions Security Implications
  • Deploying Functions in CI / CD Pipelines
  • Azure Functions
  • AWS Lambda

Module 5: Compliance as Code

Overview

Section 5 wraps up the journey with students learning to leverage cloud services to automate security compliance. Starting with Cloud Security Posture Management (CSPM) solutions, students detect security issues in their cloud infrastructure. Next, using cloud-native Web Application Firewall (WAF) services, students enable monitoring, attack detection, and active defense capabilities to catch and block bad actors. The discussion then shifts to working in DevOps and how that affects policy and compliance. Students finish the course learning how to write policy as code for automated remediation using Cloud Custodian, and how to detect and correct cloud configuration drift.

Exercises

  • Cloud Security Posture Management (CSPM) with Prowler and Microsoft Defender for Cloud
  • Blocking Attacks with WAF
  • Automated Remediation with Cloud Custodian
  • CloudWars (Section 5): Cloud & DevOps Security Bonus Challenges

Topics

Continuous Compliance

  • Continuous Compliance in DevSecOps
  • DevOps Audit Defense Toolkit
  • DevOps versus ITIL & PCI
  • Automate compliance and security policy scanning
  • Cloud Security Guardrails with InSpec, AWS Service Control Policies (SCP), and Azure Policy
  • Cloud Native Cloud Security Posture Management (CSPM) Services
  • Microsoft Defender for Cloud Workload Protection
  • AWS Security Hub
  • AWS Prowler

Runtime Security Protection

  • Cloud Web Application Firewalls
  • AWS and Azure WAF
  • AWS Security Automations Project
  • Writing Custom WAF Rules as Code
  • RASP/IAST

Automated Remediation

  • Azure Event Grid
  • Amazon EventBridge
  • Automated Blocking of Bad Bots and Scanners
  • Microsoft Defender for Cloud Automation
  • AWS Security Hub Automated Response & Remediation
  • Automated Playbooks

Prerequisites

The following are courses or equivalent experiences that are prerequisites for SEC540:

  • Cloud Security Essentials or hands-on experience using the AWS and Azure Cloud
  • Familiarity with Linux command shells and associated commands
  • Basic understanding of common application attacks and vulnerabilities (e.g., OWASP Top 10)
  • Hands-on experience using version control (git) and continuous integration systems (Jenkins) is recommended but not required

Who Should Attend?

  • Anyone working in or transitioning to a public cloud environment
  • Anyone working in or transitioning to a DevOps environment
  • Anyone who wants to understand where to add security checks, testing, and other controls to cloud and DevOps Continuous Delivery pipelines
  • Anyone interested in learning how to migrate DevOps workloads to the cloud, specifically Amazon Web Services (AWS) and Microsoft Azure
  • Anyone interested in leveraging cloud application security services provided by AWS or Azure
  • Developers
  • Software architects
  • Operations engineers
  • System administrators
  • Security analysts
  • Security engineers
  • Auditors
  • Risk managers
  • Security consultants

International Student Fee: 850 US$


Job Interview Preparation (Soft Skills Questions & Answers)



Flexible Class Options

  • Weekend Classes for Professionals: SAT | SUN
  • Corporate Group Trainings Available
  • Online Classes – Live Virtual Class (L.V.C), Online Training

Related Courses

Introduction to Cloud Computing and Security

Cloud Security Essentials

Public Cloud Security: AWS, Azure, and GCP

Application Security: Securing Web Apps, APIs, and Microservices

KEY FEATURES

Flexible Classes Schedule

Online Classes for out of city / country students

Unlimited Learning - FREE Workshops

FREE Practice Exam

Internships Available

Free Course Recordings Videos

ABOUT US

OMNI ACADEMY & CONSULTING is one of the most prestigious Training & Consulting firms, founded in 2010 under MHSG Consulting Group. We aim to help our customers transform their people and business and be more engaged with customers through digital transformation. Helping People to Get Valuable Skills and Get Jobs.

Contact Us

Get yourself enrolled for unlimited learning: 1000+ Courses, Corporate Group Training, Instructor-led Classroom and ONLINE learning options. Join Now!
  • Head Office: A-2/3 Westland Trade Centre, Shahra-e-Faisal PECHS Karachi 75350 Pakistan Call 0213-455-6664 WhatsApp 0334-318-2845, 0336-7222-191, +92 312 2169325
  • Gulshan Branch: A-242, Sardar Ali Sabri Rd. Block-2, Gulshan-e-Iqbal, Karachi-75300, Call/WhatsApp 0213-498-6664, 0331-3929-217, 0334-1757-521, 0312-2169325
  • ONLINE INQUIRY: Call/WhatsApp +92 312 2169325, 0334-318-2845, Lahore 0333-3808376, Islamabad 0331-3929217, Saudi Arabia 050 2283468
  • DHA Branch: 14-C, Saher Commercial Area, Phase VII, Defence Housing Authority, Karachi-75500 Pakistan. 0213-5344600, 0337-7222-191, 0333-3808-376
  • info@omni-academy.com
  • FREE Support | WhatsApp/Chat/Call : +92 312 2169325

WORKING HOURS

  • Monday: 10.00am - 7.00pm
  • Tuesday: 10.00am - 7.00pm
  • Wednesday: 10.00am - 7.00pm
  • Thursday: 10.00am - 7.00pm
  • Friday: Closed
  • Saturday: 10.00am - 7.00pm
  • Sunday: 10.00am - 7.00pm