Fundamentals of DevSecOps : HandsOn Included
The Fundamentals of DevSecOps is designed to provide participants with a comprehensive understanding of the principles, practices, and tools involved in integrating security into the software development and operations lifecycle. This course aims to bridge the gap between development, operations, and security teams, enabling organizations to build and deploy secure software products efficiently.
Throughout the course, participants will explore the fundamental concepts of DevSecOps and gain insights into its importance in modern software development. They will learn how to implement security measures at each stage of the software development lifecycle, ensuring that security is considered from the initial design to deployment and beyond.
Target Audience: This course is suitable for software developers, system administrators, operations engineers, security professionals, and anyone involved in the software development and deployment lifecycle. It is beneficial for individuals and organizations aiming to integrate security practices into their DevOps processes and enhance the overall security posture of their software products.
Prerequisites: While there are no strict prerequisites for this course, a basic understanding of software development, DevOps principles, and general security concepts would be beneficial.
Learning: By the end of the DevSecOps Foundations course, participants will have gained the knowledge and skills necessary to effectively integrate security practices into their software development and operations processes. They will be equipped with the tools and techniques needed to build secure, resilient, and compliant software systems in today’s dynamic and evolving threat landscape.
1. Introduction (Video lesson)
"Master the fundamentals of DevSecOps in this comprehensive course. Learn how to seamlessly integrate security practices into the development and operations lifecycle, ensuring robust and secure software delivery. Gain the skills to build a strong foundation for a successful DevSecOps career."
2. About Instructor (Video lesson)
Bio: https://www.udemy.com/user/amrit-choudhary-3/
LinkedIn: https://www.linkedin.com/in/amritchoudhary/
Website: https://trainmefordevsecops.gihub.io/
3. What is DevSecOps? (Video lesson)
DevSecOps: elevate software development with security-first principles. Seamlessly integrate security into your DevOps workflow for enhanced software reliability and protection. Learn more about DevSecOps best practices for agile and secure development.
4. Linux OS (Video lesson)
Linux: an open-source operating system kernel that powers a wide range of devices, servers, and systems. Known for its stability, security, and versatility, Linux offers a customizable platform for various computing needs and is a cornerstone of modern technology.
5. Introduction (Video lesson)
Introduction to DevSecOps organizations and projects:
OWASP
OWASP ZAP
OWASP Top 10
OWASP Cheat Sheet
CIS Benchmarks
CIS Controls
CVE
CWE
CVSS
CISA
6. OWASP (Video lesson)
OWASP (Open Web Application Security Project): A global nonprofit focused on improving software security. It provides resources, tools, and best practices to help organizations develop and maintain secure web applications, effectively mitigating vulnerabilities and enhancing overall cybersecurity posture.
7. OWASP ZAP (Video lesson)
OWASP ZAP (Zed Attack Proxy): An open-source security testing tool used for finding vulnerabilities in web applications. ZAP helps developers, testers, and security professionals identify and address potential security issues during the development lifecycle, enabling the creation of more secure and robust web applications.
8. OWASP Top 10 (Video lesson)
OWASP Top 10: A regularly updated list of the ten most critical web application security risks. Published by the Open Web Application Security Project (OWASP), this list serves as a guide for developers, security professionals, and organizations to prioritize and address common vulnerabilities such as injection attacks, broken authentication, and sensitive data exposure.
9. OWASP Cheat Sheet (Video lesson)
OWASP Cheat Sheet: A collection of concise, practical, and actionable security guidelines provided by the Open Web Application Security Project (OWASP). These cheat sheets offer developers quick reference resources for implementing secure coding practices, mitigating common vulnerabilities, and ensuring the overall security of web applications.
10. CIS Benchmarks (Video lesson)
CIS Benchmark: Developed by the Center for Internet Security (CIS), these benchmarks are industry-recognized best practices for securing various technology systems and software. They provide specific configuration guidelines and recommendations to enhance the security posture of systems, networks, and applications, ensuring alignment with established security standards.
11. CIS Controls (Video lesson)
CIS Controls: The Center for Internet Security (CIS) Controls are a set of 20 prioritized actions that organizations can take to improve their cybersecurity posture. These controls provide a practical framework for enhancing cybersecurity defenses, focusing on essential areas like inventory and control of hardware assets, secure configurations, continuous vulnerability assessment, and incident response. Implementing CIS Controls helps organizations mitigate risks and strengthen their overall security strategies.
12. CVEs (Video lesson)
CVEs (Common Vulnerabilities and Exposures): A standardized system for identifying and naming security vulnerabilities and exposures in software and hardware products. CVEs are maintained by the MITRE Corporation and provide a unique identifier for each vulnerability, enabling organizations to accurately track and discuss security issues across different platforms and products.
13. CVSS (Video lesson)
CVSS (Common Vulnerability Scoring System): A framework used to assess the severity of security vulnerabilities in software and hardware products. CVSS provides a numeric score that helps organizations prioritize and understand the potential impact of a vulnerability. The score takes into account factors such as the exploitability of the vulnerability, the impact on confidentiality, integrity, and availability, and other relevant metrics. This allows organizations to make informed decisions about patching and mitigating vulnerabilities based on their potential risk.
14. CISA (Video lesson)
CISA (Cybersecurity and Infrastructure Security Agency): A United States government agency responsible for enhancing the nation's cybersecurity and protecting critical infrastructure. CISA works to provide cybersecurity guidance, coordinate response efforts to cyber threats, and offer resources to both government and private sector organizations to bolster their security measures and resilience against cyberattacks.
15. CWE (Video lesson)
CWE (Common Weakness Enumeration): A community-driven list of software and hardware weaknesses and vulnerabilities that often lead to security issues. Maintained by the MITRE Corporation, CWE provides a standardized way to describe and categorize common weaknesses that can be used as a reference by software developers, security professionals, and organizations to improve the security of their systems and applications.
16. QUIZ (Quiz)
17. Linux Fundamentals (Video lesson)
Linux fundamentals cover a foundational understanding of the Linux operating system, including command-line usage, file management, permissions, and basic system administration tasks. This knowledge forms the basis for efficient navigation, execution of commands, and management of Linux systems and servers.
18. File Ownership & Permissions (Video lesson)
File permissions and ownership in Linux govern the level of access and control over files and directories. Permissions include read, write, and execute privileges for the owner, group, and others, while ownership determines the user and group that have authority over the file.
19. CHMOD explanation, practical and demo (Video lesson)
Practical demo of chmod on files and directories in Linux.
20. CHOWN explanation, practical and demo (Video lesson)
How to change ownership of files and directories in Linux.
21. PASSWD file explained (Video lesson)
The passwd file originally stored user account information, including passwords, in plain text. Modern systems instead protect credentials by hashing and salting passwords, and the passwd file now holds only a reference to the password hash along with other user-related details.
22. SHADOW file explained (Video lesson)
The purpose of the shadow file is to store the encrypted user passwords and additional security-related information, separate from the passwd file.
23. GROUP file explained (Video lesson)
The group file is a system file commonly found in Unix-like operating systems, including Linux. It is located in the /etc directory and contains information about user groups on the system. The file helps manage user permissions, access control, and group memberships.
24. SUDO explained (Video lesson)
The sudo command provides a secure and controlled way to perform administrative tasks without logging in as the root user permanently.
25. SUDO hands on and DEMO (Video lesson)
Hands-on practice with sudo for practical experience and a better understanding of how it works.
26. Privilege escalation (Video lesson)
Privilege escalation in Linux refers to the process of gaining higher levels of access or permissions beyond what is initially granted to a user. It involves elevating privileges to perform administrative tasks or access restricted files and directories. There are several methods attackers can use to escalate privileges, and it's crucial for system administrators to be aware of these techniques to protect against unauthorized access. However, it's important to note that privilege escalation can also occur unintentionally due to misconfigurations or vulnerabilities in the system.
27. apt-get & apt (Video lesson)
APT (Advanced Package Tool) is a package management system for Debian-based Linux distributions. It provides a command-line interface (apt) to install, upgrade, and remove software packages, along with features such as dependency resolution, package caching, and automatic updates, simplifying software management and ensuring system stability.
28. Automatic updates (Video lesson)
Ubuntu provides a package called "unattended-upgrades" that manages automatic updates for you.
29. SSH (Video lesson)
SSH is a secure network protocol that allows remote login and communication between two computers over an unsecured network by establishing an encrypted and authenticated connection.
30. SSH: generate a public/private key pair and its usage (Video lesson)
How to create a public/private key pair and use it to log in to a remote server with SSH.
31. SSH Advanced (Video lesson)
Understanding SSH and securing it.
32. sshd_config explained (Video lesson)
The sshd_config file defines the behavior of the SSH server, such as the port number, authentication methods, allowed users, key exchange algorithms, and more.
33. Commonly used commands (Video lesson)
Basic Linux commands used in day-to-day operations.
34. CIS hardened image (Video lesson)
A CIS Hardened Ubuntu Image is an Ubuntu operating system image that has been configured and optimized according to the security benchmarks and guidelines provided by the Center for Internet Security (CIS). These benchmarks define specific security settings, configurations, and best practices for Ubuntu systems to enhance their security posture and reduce the risk of vulnerabilities. Using a CIS Hardened Ubuntu Image helps ensure that your Ubuntu-based systems start with a strong security foundation.
35. QUIZ: Knowledge Check (Quiz)
36. Docker: What is Docker? Why Docker? (Video lesson)
What was the challenge before Docker?
Why Docker?
The Docker solution
How does Docker work?
Why containers and Docker matter
Docker Engine: the underlying technology of Docker
Why developers and DevOps care
37. Docker Registries (Video lesson)
A Docker Registry is a storage and distribution service used to manage Docker container images. It allows users to store, retrieve, and distribute Docker images across different systems and environments. Docker Registry is a critical component in containerized application development and deployment, enabling teams to share and manage container images efficiently while ensuring version control and security. Popular examples include Docker Hub (public registry) and self-hosted solutions like Docker Trusted Registry.
38. Dockerfile (Video lesson)
A Dockerfile contains the instructions for building your containerized application, including which base image to use.
39. Basic Docker commands (Video lesson)
Some basic Docker commands that are commonly used.
40. Docker recommendations: Do's and Don'ts (Video lesson)
Follow these Docker recommendations: Regularly update base images to patch vulnerabilities, implement least privilege by using minimal permissions in containers, and use Docker Compose to define and manage multi-container applications for easier orchestration and scalability.
41. Hands on Docker Basics And Security (Video lesson)
Hands-on with Docker: scanning images for vulnerabilities with Trivy, linting Dockerfiles with the hadolint container image, creating Docker registries, pushing images to a registry, and more.
42. QUIZ (Quiz)
43. Terraform Introduction (Video lesson)
Terraform is an open-source infrastructure as code (IaC) tool developed by HashiCorp. It allows you to define and manage your infrastructure resources across various cloud providers, such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and many others.
44. Terraform recommendations (Video lesson)
This tutorial includes recommendations, best practices, tools, and ways to follow secure practices for IaC (Infrastructure as Code).
45. Terraform Demo Prerequisites (Video lesson)
How to create an automation user, set up credentials, and validate that a Terraform run succeeded.
46. Terraform Demo (Video lesson)
Demo to understand how Terraform works, best practices to follow, and how to lint and scan Terraform files and fix all security issues.
47. QUIZ (Quiz)
48. Jenkins Intro (Video lesson)
Introduction to Jenkins as a CI/CD tool and the stages of a CI/CD pipeline.
49. Jenkins Architecture (Video lesson)
Explanation of the master-slave architecture of Jenkins and how it works.
50. Jenkins recommendations (Video lesson)
Securing Jenkins is crucial to the overall security of your DevSecOps environment. In this lecture we discuss securing Jenkins itself as well as the CI/CD development pipelines it runs.
51. Jenkins Demo: Installation using docker-compose.yml (Video lesson)
How to install Jenkins using a docker-compose.yml file.
52. Jenkins Demo: Agent Setup (Video lesson)
How to set up a Jenkins agent on a VM or EC2 instance.
53. Jenkins Demo: Agent Setup, setting up Docker as a Jenkins agent (Video lesson)
How to set up an agent (earlier known as a slave) in Jenkins.
54. Jenkins first job: freestyle (Video lesson)
How to create your first job in Jenkins.
55. QUIZ (Quiz)
56. Introduction (Video lesson)
This is a basic introduction to all the testing tools, vulnerability assessment, and mitigation we will cover in the tutorial.
57. SAST (Video lesson)
Learn to identify vulnerabilities in source code with Static Application Security Testing (SAST) using industry tools. Develop the skills to secure applications proactively by detecting issues early, ensuring robust software development practices.
58. "Discover Code Vulnerabilities with Fortify SAST": Demo (Video lesson)
Discover Code Vulnerabilities with Fortify SAST: A Comprehensive Udemy Guide.
Dive into the world of secure coding and vulnerability detection with Fortify Static Application Security Testing (SAST). In this expert-led Udemy course, you'll learn how to leverage Fortify, an industry-leading SAST tool, to detect potential security flaws in your software applications.
59. DAST (Video lesson)
Dynamic Application Security Testing (DAST) focuses on assessing web application vulnerabilities at runtime. Explore tools that simulate real-world attacks, identify weaknesses, and fortify applications dynamically. Acquire the expertise to enhance application security by uncovering vulnerabilities and ensuring robust defense mechanisms.
60. DAST hands-on demo (Video lesson)
Witness a hands-on demonstration of Dynamic Application Security Testing (DAST) using OWASP ZAP. Learn to scan web applications, simulate attacks, and interpret results. Gain practical skills in identifying and addressing vulnerabilities, ensuring a secure and resilient application environment.
61. SCA (Video lesson)
Explore Software Composition Analysis (SCA), understanding how to scan and analyze third-party components within your applications. Learn to identify and manage open-source vulnerabilities, ensuring the security of your software by mitigating the risks of using external libraries.
62. SCA hands-on demo: Docker CLI (Video lesson)
Incorporating hands-on exercises, this lesson guides you through using the Snyk tool from the Docker CLI for Software Composition Analysis (SCA). Learn to scan and monitor your projects for vulnerable open-source dependencies, and practice remediation steps to address potential vulnerabilities efficiently and effectively.
63. SCA hands-on demo: UI (Video lesson)
Incorporating hands-on exercises, this lesson guides you through using the Snyk UI for Software Composition Analysis (SCA). Learn to scan and monitor your projects for vulnerable open-source dependencies, and practice remediation steps to address potential vulnerabilities efficiently and effectively.
64. Penetration testing (Video lesson)
Penetration testing: master the art of simulating real-world cyberattacks on systems and applications. Acquire hands-on experience with various tools and methodologies to identify vulnerabilities, exploit weaknesses, and provide actionable recommendations for improving the security posture of your software and infrastructure.
65. Vulnerability assessment (Video lesson)
Vulnerability assessment: a crucial aspect of cybersecurity. Learn how to systematically identify and evaluate vulnerabilities within systems and applications using a variety of tools and techniques. Through hands-on practice, understand the importance of regular assessments in maintaining a proactive security strategy and safeguarding against potential threats.
66. Key security principles (Video lesson)
Uncover the key security principles that underpin effective cybersecurity. Explore concepts such as the principle of least privilege, defense in depth, and continuous monitoring. Learn how to apply these principles to design secure systems, mitigate risks, and cultivate a proactive security mindset in your organization.
67. QUIZ (Quiz)
68. YML explained (Video lesson)
"YAML Basic Introduction: Simplified Data Serialization for Developers! Explore the fundamentals of YAML (YAML Ain't Markup Language) and how it simplifies data serialization and configuration files. Learn to create clean, human-readable data structures with this beginner-friendly"
69. GitHub pipeline using YAML: hands-on demo (Video lesson)
Topics covered in this lecture:
How to create repositories in GitHub?
How to create GitHub workflows and jobs using YAML?
"GitHub Pipeline (CI/CD) with YAML: Hands-On Demo for Efficient Development! Dive into the world of GitHub pipelines using YAML for seamless CI/CD automation. Learn to set up end-to-end continuous integration and deployment workflows with this practical, SEO-optimized Udemy course featuring a hands-on demonstration of GitHub pipelines with YAML configuration."
70. YAML: Simple Blueprint of a DevSecOps Pipeline (Video lesson)
How our DevSecOps pipeline would look, i.e. the end goal of a DevSecOps pipeline with all the basic stages.
71. YAML: Finally, the DevSecOps Pipeline (Video lesson)
DevSecOps pipeline with a customized script to fail the pipeline based on security vulnerabilities, if required.
72. Final DevSecOps Success Pipeline (Video lesson)
A DevSecOps pipeline that passes while running all security checks: simply run all the security jobs to collect security information. This may be an early stage of integration that lets teams see what is going on with the project, with later work to fail the jobs based on critical vulnerabilities.
73. QUIZ (Quiz)