Course Outline
1. DevSecOps Foundations: Security by Design for Government
🔍 Learn: Core DevSecOps principles and secure SDLC practices tailored for government operations.
🛠️ Demo: Side-by-side comparison of legacy versus modern secure pipelines, highlighting improvements for government workflows.
🔧 Lab: Build your first DevSecOps-enabled pipeline template, designed to meet the stringent security requirements for government systems.
2. OWASP ZAP Security Testing Bootcamp
💣 Breach Simulation:
- Deploy a vulnerable application with SQL injection and cross-site scripting vulnerabilities.
- Use OWASP ZAP to detect and mitigate these threats, ensuring robust security for government applications.
⚙️ Defense Tactics:
- Automated scanning using ZAP to identify potential vulnerabilities in real-time.
- Integration of ZAP API into CI/CD pipelines to enhance continuous integration and deployment processes for government projects.
🧪 Lab: Customize ZAP baseline scans and attack rules to fit the specific needs of government applications.
🎯 Challenge: “Find the hidden admin panel in 10 minutes” to test your skills and readiness for securing government systems.
3. Dependency Hell: Supply Chain Defense
💣 Breach Simulation:
- Inject a malicious npm package with known Common Vulnerabilities and Exposures (CVEs) to simulate real-world threats faced by government applications.
🛡️ Defense Tactics:
- Monitor vulnerabilities using OWASP Dependency-Track to ensure timely detection and response for government systems.
- Enforce policy gates that fail builds on critical CVEs, maintaining the highest security standards for government software.
🧪 Lab: Create vulnerability policies and alert workflows to enhance governance and accountability in government projects.
⚠️ Shocking Demo: “How one bad dependency can compromise your infrastructure,” emphasizing the importance of secure dependencies in government applications.
4. Vulnerability Management War Room
💣 Breach Simulation:
- Exploit unpatched container vulnerabilities to understand the risks and develop mitigation strategies for government systems.
🛡️ Defense Tactics:
- Centralize reporting with OWASP DefectDojo to streamline vulnerability management processes for government agencies.
- Scan containers using Trivy to identify and address potential security issues in government infrastructure.
🧪 Lab: Build real dashboards for CISO and executive reporting, ensuring transparency and accountability in government security practices.
🏁 Competition: “Triage 50 findings faster than your rivals” to improve response times and enhance the overall security posture of government systems.
5. Secrets & Configuration Fire Drill
💣 Breach Simulation:
- Exfiltrate secrets from Git history using truffleHog to highlight the importance of secure configuration management in government applications.
🛡️ Defense Tactics:
- Implement pre-commit hooks to block sensitive patterns like password=.*, ensuring that no critical information is inadvertently committed to repositories.
- Use ZAP’s config spider to identify and address dangerous settings in government applications.
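A minimal pre-commit scanner for the password=.* style of pattern named above, as an added example (not course material and not code from any of the tools the course names); the extra patterns, the placeholder heuristic and the sample diff are constructed assumptions for illustration:

```python
import re
import subprocess
import sys

# Patterns the hook blocks. The first is the course's "password=.*" example;
# the other two are assumed extras a team might add.
SENSITIVE_PATTERNS = {
    "password assignment": re.compile(r"password\s*[=:]\s*\S+", re.IGNORECASE),
    "api key assignment": re.compile(r"api[_-]?key\s*[=:]\s*\S+", re.IGNORECASE),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Heuristic (assumed convention): values that are obviously placeholders,
# e.g. ${VAR}, <redacted>, changeme, are allowed so the hook stays usable.
PLACEHOLDER = re.compile(r"""[=:]\s*['"]?(\$\{?\w+\}?|<[^>]+>|changeme|xxx+)['"]?\s*$""", re.IGNORECASE)

# Constructed sample of `git diff --cached` output for the test run.
SAMPLE_DIFF = """\
diff --git a/config/app.env b/config/app.env
--- a/config/app.env
+++ b/config/app.env
@@ -1,2 +1,5 @@
 APP_ENV=production
-DB_PASSWORD=
+DB_PASSWORD=hunter2
+API_KEY=${VAULT_API_KEY}
+LOG_LEVEL=info
+db_password: "<redacted>"
"""


def find_sensitive_lines(diff_text):
    """Return (file, new_line_number, pattern_name, line) for each added line
    that matches a sensitive pattern. Only '+' lines are checked, so removing
    a secret never blocks the commit."""
    findings, current_file, new_lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # "+c" in "@@ -a,b +c,d @@"
            new_lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            line = raw[1:]
            for name, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(line) and not PLACEHOLDER.search(line):
                    findings.append((current_file, new_lineno, name, line.strip()))
                    break
            new_lineno += 1
        elif not raw.startswith("-"):
            new_lineno += 1  # context line advances the new-file counter
    return findings


if __name__ == "__main__":
    # Real hook entry point: scan staged changes and fail the commit on a hit.
    diff = subprocess.run(["git", "diff", "--cached", "-U0"], capture_output=True, text=True).stdout
    hits = find_sensitive_lines(diff)
    for path, lineno, name, line in hits:
        print(f"{path}:{lineno}: {name}: {line}")
    sys.exit(1 if hits else 0)
```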
🧪 Lab: Implement GitHub Actions secrets scanning to enhance the security of configuration management processes for government systems.
🚨 Reality Check: “Your database password is in Slack right now” — a stark reminder of the importance of secure communication practices in government environments.
6. Wrap-Up: DevSecOps Battle Plan
🧭 OWASP Integration Roadmap:
- Plan your DefectDojo, Dependency-Track, and ZAP adoption to align with the security requirements of government systems.
📋 Personal Action Plan:
- Draft a 30-day security checklist tailored for government operations, ensuring that all necessary security measures are in place.
- Define your DevSecOps Key Performance Indicators (KPIs) and reporting dashboards to track progress and maintain accountability in government projects.
Requirements
Foundational Software and SDLC Experience
Audience
DevOps, Security, and Cloud Engineers who prefer practical security solutions over theoretical discussions for government operations.
Testimonials (1)
There were many practical exercises, supervised and assisted by the trainer.