Workshop

Seasides 2025 Edition

Mastering DevSecOps

The training sessions help attendees learn how to implement DevSecOps in practice. The training material is self-contained and comprehensive and requires no prerequisite knowledge. Attendees will need to bring their own laptop. The session lasts around 16 hours and includes hands-on, real-time exercises; each attendee will be provided with a virtual machine (8 GB RAM, 2 vCPU) for these exercises.

DevSecOps Training Agenda

Beginner – Introduction to DevSecOps (2.5 Hours)

1. What is Continuous Integration and Continuous Deployment?

2. What is DevSecOps?

3. Modern Software Development & Deployment Stack

  • GitHub and GitHub Actions
    • What is GitHub and GitHub Actions?
    • GitHub Merge, Pull Requests, and Commits.
  • Docker
    • What is Docker and Containers?
    • How to write a Dockerfile?
    • Why Docker?
  • Kubernetes
    • What is Kubernetes?
    • Why Kubernetes?
    • Understanding Pod, Deployment, and StatefulSet.
    • Communication in Kubernetes:
      • Ingress
      • NodePorts
      • Services
  • Cloud
    • What is AWS, Azure, and GCP?
    • Top Security Issues in Cloud.

4. Practical Demonstration of Deploying Damn Vulnerable Code

  • Adding Vulnerable Code and a Dockerfile.
  • Writing a sample GitHub Action Workflow.
  • Deploying on Workflow Dispatch.
  • Deployment on Kubernetes via CI/CD.

Intermediate – Implementing Security at CI (2.5 Hours)

1. SSH into Virtual Machines for Practical Exercises

2. What is SAST and DAST?

3. SAST: Secure Code Review

  • Introduction to Semgrep and SonarQube.
  • Running Semgrep and SonarQube on a Vulnerable Codebase.
  • Using the SonarQube Dashboard.
  • Implementing SonarScanner in GitHub Actions:
    • Running real SonarScanner on GitHub Actions CI flow.
    • Failing build on critical issues.

4. SAST: Token Detection

  • Running Tools like Gitleaks.
  • Adding Gitleaks to CI/CD:
    • Demonstrating secret detection.
    • Removing secrets from commits and history (Link only).

5. SCA – Software Composition Analysis

  • Scanning Dependencies with Trivy.
  • Understanding Pip, Gemfile, Dockerfile, etc.
  • Dependency Confusion and Injection Attacks.
  • What is SBOM?
  • Running Grype and Syft.

6. Docker Security

  • Running Trivy to scan a Dockerfile.
  • Best practices for writing Dockerfile.

7. IaC Scanning

  • Running Scanners on Terraform files.
  • Running Checkov.

8. DAST

  • Setting up OWASP ZAP (Pre-installed on VMs).
  • Running ZAP in CI/CD.
  • Running ZAP on Postman Collections.

Advanced – Securing Kubernetes, Cloud, and Pipelines (3 Hours)

1. Cloud Security

  • Running Prowler on AWS, GCP, and Azure.
  • Compliance in the Cloud.
  • AWS-Specific Security Topics:
    • Public S3 buckets.
    • Exposed Ports.
    • Misconfigured Security Groups and NACL.
    • Setting up GuardDuty Alerts.
    • CloudTrail and VPC Flow Logs.

2. Kubernetes Security

  • Scanning Kubernetes Manifests with Kubescape and Trivy:
    • Top vulnerabilities in Kubernetes.
    • Network Policies and securing communication.
    • RBAC in Kubernetes – Role vs ClusterRole.
    • RBAC Assessment.
  • Runtime Kubernetes Security:
    • Setting up Sysdig Falco in real time.
    • Understanding Syscalls and eBPF.
    • Real-time alerts on Sysdig Falco Dashboard and Slack.
    • Linux Capabilities.
    • AppArmor, Seccomp, and SELinux.
    • Case Study: Detecting a Log4j attack using Sysdig Falco at India's largest FinTech.