Introduction to Building & Securing your CI/CD Pipelines

beginner
hands-on


This DevSecOps training is a one-day, hands-on course on cloud infrastructure security. It is intended for students and professionals who want to build a career in information security, and specifically in cloud security. The training works through real-world scenarios that every security professional should be familiar with, including setting up complete end-to-end pipelines and deployment instances with security in mind.

The training covers the internals of a CI/CD pipeline, bringing up secure and hardened instances from the ground up, and implementing and working with the security controls that belong in a CI/CD pipeline. It is built from CTF-style modules: attendees must solve a set of challenges to unlock the next module, which gives them real hands-on experience in securing cloud infrastructure.

TARGET AUDIENCE

  • Security analysts and researchers
  • IT professionals working in the information security domain

DELIVERABLES

  • Training Slides
  • Custom Docker images

REQUIREMENTS

  • Laptop with at least 30 GB of free disk space and 8 GB of RAM, on which you have administrative privileges
  • A free GitLab account (for GitLab CI)
  • Two working USB ports

Topics covered

  • Introduction to CI/CD
  • Working with GitLab CI
  • Working with GitLab Runners
  • Creating your first GitLab CI pipeline
  • Secrets Management
  • Introduction to IaC (Infrastructure as Code)
  • Bringing up hardened instances using Terraform
  • Building your first secure CI/CD Pipeline
    1. Check commits for sensitive information
    2. Software Composition Analysis (SCA) of third-party dependencies
    3. Implementing SAST & DAST
    4. Securing your Docker Containers against attacks
  • Securing your Docker Containers against attacks
    1. Restricting the container with Linux capabilities (drop what it does not need)
    2. Running the container as a non-root user
    3. Scanning images for secrets
    4. Confining the container with AppArmor
    5. Confining the container with seccomp
    6. Limiting container resources
    7. Auditing the Docker host configuration with Docker Bench
    8. Auditing the image with Clair (demo only)
  • Adding baseline security using Terraform
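As an added illustration of the container controls listed above (capabilities, non-root user, AppArmor, seccomp, resource limits), here is a small Docker Bench-style audit that reads the JSON printed by `docker inspect` and reports which of those controls are missing. This is example code written for this page; it is not part of the training material and not Docker Bench itself. The field names follow the `docker inspect` JSON schema (`HostConfig.CapDrop`, `Config.User`, `HostConfig.SecurityOpt`, ...), and the two sample records are constructed by hand, not captured from a real host.

```python
"""Audit `docker inspect` output for the container-hardening controls in the
syllabus: dropped capabilities, non-root user, seccomp/AppArmor not disabled,
no-new-privileges, resource limits, read-only root filesystem.

Example code for this page, not the training's material and not Docker Bench.
Field names follow the JSON that `docker inspect <container>` emits; the
sample records below are constructed, not captured output."""
import json
import sys

# Capabilities that hand a container a route back to the host if added.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
              "DAC_READ_SEARCH", "SYS_RAWIO", "NET_RAW"}


def _cap(name):
    """Normalise 'CAP_SYS_ADMIN' / 'sys_admin' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit(container):
    """Return a list of findings for one inspect record (empty = all checks pass)."""
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("privileged: --privileged disables every other control")

    # 1. Capabilities: start from nothing (--cap-drop ALL) and add back only
    #    what the workload needs; flag the dangerous ones if they were added.
    if "ALL" not in {_cap(c) for c in host.get("CapDrop") or []}:
        findings.append("capabilities: CapDrop does not contain ALL")
    for c in host.get("CapAdd") or []:
        if _cap(c) in RISKY_CAPS:
            findings.append("capabilities: risky capability added: %s" % _cap(c))

    # 2. User: empty string, 0 or root means the process runs as uid 0.
    user = (cfg.get("User") or "").strip()
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("user: container runs as root")

    # 3/4. Seccomp and AppArmor: Docker applies its default profiles without
    #    listing them in SecurityOpt, so only an explicit 'unconfined' is a finding.
    opts = host.get("SecurityOpt") or []
    for lsm in ("seccomp", "apparmor"):
        if any(o.startswith(lsm + "=unconfined") for o in opts):
            findings.append("%s: profile disabled (unconfined)" % lsm)
    if "no-new-privileges" not in opts and "no-new-privileges:true" not in opts:
        findings.append("privileges: no-new-privileges not set (setuid binaries can escalate)")

    # 5. Resource limits: 0 / null means unlimited in the Docker API.
    if not host.get("Memory"):
        findings.append("resources: no memory limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("resources: no CPU limit")
    pids = host.get("PidsLimit")
    if not pids or pids < 0:
        findings.append("resources: no pids limit (fork bombs)")
    if not host.get("ReadonlyRootfs"):
        findings.append("filesystem: root filesystem is writable")
    return findings


def audit_inspect_json(text):
    """Audit the JSON array printed by `docker inspect`; returns {name: findings}."""
    return {c.get("Name", "?").lstrip("/"): audit(c) for c in json.loads(text)}


# Constructed sample records, trimmed to the fields the audit reads.
HARDENED = {  # docker run --user 10001:10001 --cap-drop ALL --cap-add NET_BIND_SERVICE ...
    "Name": "/api",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
        "SecurityOpt": ["no-new-privileges:true"], "Memory": 268435456,
        "NanoCpus": 500000000, "PidsLimit": 100, "ReadonlyRootfs": True,
    },
}
DEFAULT_RUN = {  # what a plain `docker run image` gives you
    "Name": "/api-dev",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False, "CapDrop": None, "CapAdd": None, "SecurityOpt": None,
        "Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": None,
        "ReadonlyRootfs": False,
    },
}

if __name__ == "__main__":
    # Pipe `docker inspect <container>` in; with no input, audit the two samples.
    data = sys.stdin.read() if not sys.stdin.isatty() else json.dumps([HARDENED, DEFAULT_RUN])
    for name, found in audit_inspect_json(data).items():
        print(name, "OK" if not found else "")
        for f in found:
            print("  -", f)
```

Run it with `docker inspect <container> | python3 audit_container.py` (the file name is an assumption). Note the caveat in the seccomp/AppArmor check: because `docker inspect` does not list the default profiles, the audit can only catch an explicit `unconfined`; whether the host actually has AppArmor loaded has to be verified on the host, not from inspect output.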

What you will get from this session:

  • Creating a complete CI/CD pipeline from the ground up
  • Understanding the security implications of pipelines
  • Integrating security controls into pipelines and working with them

About the Trainers:

Nikhil is a security researcher and international security trainer. His areas of interest include web application penetration testing, mobile application security and machine learning. He has presented talks at international and national conferences and meetups such as Nuit Du Hack Paris, OWASP AppSec, Cocon International Cyber Policing and Security Conference, DEFCON Bangalore Chapter, Null Open Security Meet Bangalore and Null Open Security Meet Mysore. He is also a bug bounty hunter and has been listed and acknowledged in the halls of fame of companies such as Microsoft, Apple, Adobe, Nokia, Engine Yard and AVIRA Antivirus. He currently leads the Bangalore chapter of the Null Open Security Community.

Shilpa Ranganatha works as a Senior Security Delivery Analyst. She is a Certified Ethical Hacker, and her areas of expertise are iOS and Android application security. Her keen interest lies in cloud security and secure CI/CD implementations. She is responsible for innovating the mobile application security assets that ensure secure delivery of mobile applications at her workplace. She previously delivered a training on iOS security at OWASP Seasides 2019.

Joshua Jebaraj works as an intern at Practical DevSecOps alongside his undergraduate studies at Vellore Institute of Technology. He has been in the security domain for over three years, with areas of interest in web application, mobile application and cloud security. He is a regular contributor to projects such as "DevSecOps-University" and "Awesome-Threat-Modelling" and a regular speaker at Null community meetups.