SEC540: SANS Paris June 2023


What You Will Learn

The Cloud Moves Fast. Automate to Keep Up

Common security challenges for organizations struggling with the DevOps culture include issues such as:
  • Upfront peer code reviews and security approvals may not occur for change approval and audit requirements
  • Missing infrastructure and application scanning can allow attackers to find an entry point and compromise the system
  • Cloud security misconfigurations may publicly expose sensitive data or introduce new data exfiltration paths
Security teams can help organizations prevent these issues by using DevOps tooling and cloud-first best practices. This course provides development, operations, and security professionals with a deep understanding of and hands-on experience with the DevOps methodology used to build and deliver cloud infrastructure and software. Students learn how to attack and then harden the entire DevOps workflow, from version control to continuous integration and running cloud workloads. Each step of the way, students explore the security controls, configuration, and tools required to improve the reliability, integrity, and security of on-premise and cloud-hosted systems. Students learn how to implement more than 20 DevSecOps security controls to build, test, deploy, and monitor cloud infrastructure and services.

"BEST class I have ever taken at SANS. This is one of those courses where I can log into work after class ends and immediately start applying into my daily tasks and responsibilities. I already went on my team's Slack channel and told them this needs to be the next class they take." - Brian Esperanza, Teradata

"Every single person I've sent to class has loved it. It's been transformational for them because it goes beyond security concepts and teaches how modern operations and DevOps works. It's also impactful sending developers (who are not working in cloud yet) because they want to develop in cloud and get into concepts like Infrastructure as Code." - Brett Cumming

  • Build a security team that understands modern cloud security and DevSecOps practices
  • Partner with DevOps and engineering teams to inject security into automated pipelines
  • Leverage cloud services and automation to improve security capabilities
  • Ensure your organization is ready for cloud migration and digital transformation initiatives
  • Understand how DevOps works and identify keys to success
  • Wire security scanning into automated CI/CD pipelines and workflows
  • Build continuous monitoring feedback loops from production to engineering
  • Automate configuration management using Infrastructure as Code (IaC)
  • Secure container technologies (such as Docker and Kubernetes)
  • Use native cloud security services and third-party tools to secure systems and applications
  • Securely manage secrets for Continuous Integration servers and applications
  • Integrate cloud logging and metrics
  • Perform continuous compliance and security policy scanning

SEC540 goes well beyond traditional lectures and immerses students in hands-on application of techniques during each section of the course. Each lab includes a step-by-step guide to learning and applying hands-on techniques, as well as a "no hints" approach for students who want to stretch their skills and see how far they can get without following the guide. This allows students, regardless of background, to choose the level of difficulty they feel is best suited for them, always with a frustration-free fallback path. Immersive hands-on labs ensure that students understand not only the theory but also how to configure and implement each security control.

The SEC540 lab environment simulates a real-world DevOps environment, with more than 10 automated pipelines responsible for building DevOps container images, cloud infrastructure, automating gold image creation, orchestrating containerized workloads, executing security scanning, and enforcing compliance standards. Students are challenged to sharpen their technical skills and automate more than 20 security-focused challenges using a variety of command line tools, programming languages, and markup templates.

The SEC540 course labs come in both AWS and Azure versions. Students will choose one cloud provider at the beginning of class to use for the duration of the course. Students are welcome to do labs for both cloud providers on their own time once they finish the first set of labs.

For advanced students, 2 hours of CloudWars Bonus Challenges are available during extended hours each day. These CloudWars challenges provide additional opportunities for hands-on experience with the cloud and DevOps toolchain.
  • Section 1: Attacking the DevOps Toolchain, Version Control Security, Automating Static Analysis, Protecting Secrets with Vault, CloudWars (Section 1): Cloud & DevOps Security Bonus Challenges
  • Section 2: Infrastructure as Code Network Hardening, Gold Image Creation, Container Security Hardening, Automating Dynamic Analysis, CloudWars (Section 2): Cloud & DevOps Security Bonus Challenges
  • Section 3: Cloud Workload Security Review, Cloud-Hosted CI/CD Guardrails, Continuous Security Monitoring, Data Protection Services, CloudWars (Section 3): Cloud & DevOps Bonus Challenges
  • Section 4: Deploying Security Patches Using Blue/Green Environments, Securing Content Delivery Networks with Signed URLs, Protecting REST Web Services with API Gateway, Protecting APIs with Serverless and JSON Web Tokens, CloudWars (Section 4): Cloud & DevOps Security Bonus Challenges
  • Section 5: Cloud Security Posture Management, Blocking Attacks with WAF, Automated Remediation with Cloud Custodian, CloudWars (Section 5): Cloud & DevOps Security Bonus Challenges
"Labs were really impressive. You can tell there are hours of work in there. It was organized really well and was great practice." - David Heaton, Grange Insurance

"Labs were the best bit of the whole thing - well maintained, keep it up." - Richard Ackroyd, PwC

"Great wealth of scripts to use and leverage." - Ravi Balla, GE

"Fun and straightforward. Everything worked like a charm." - Kenneth Jordan, Openaltar

  • Section 1: Attacking and Hardening the DevOps Toolchain
  • Section 2: Securing Cloud Infrastructure, Containers, and Applications
  • Section 3: Securing Cloud Workloads, Monitoring, and Data Protection
  • Section 4: Securing Content, APIs, and Serverless
  • Section 5: Automating Compliance, Attack Defense, and Remediation

Cloud Ace Podcast

Posters, Cheat Sheets, and Lists
  • Nine Key Cloud Security Concentrations & SWAT Checklist
  • Fix Security Issues Left of Prod
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • Security Web Application Technologies (SWAT) Checklist
  • Extending DevSecOps Security Controls into the Cloud: A SANS Survey
  • Winning in the Dark: Defending Serverless Infrastructure in the Cloud
  • Attacking and Defending Cloud Metadata Services
  • Cloud Security and DevOps Automation: Keys for Modern Security Success

See a complete list of Cloud Security tools here, all of which are applicable to SEC540.

  • Printed and electronic courseware
  • ISO containing the course Virtual Machine (VM)
  • Course VM containing a pre-built DevOps CI/CD toolchain, Cloud Security, and DevSecOps lab exercises
  • CloudFormation and Terraform code to deploy AWS and Azure infrastructure
  • A VM-hosted wiki and an electronic lab workbook for completing the lab exercises
  • Ability to use the Infrastructure as Code (IaC) and course VM indefinitely to continue your learning after the course ends

Depending on your current role or future plans, one of these courses is a great next step in your cloud security journey:

DevSecOps Professionals:
  • SEC522: Application Security: Web Applications, APIs, and Microservices
Cloud Security Engineer:
  • SEC510: Public Cloud Security: AWS, Azure, and GCP
  • SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection
  • SEC588: Cloud Penetration Testing
Cloud Security Architect:
  • SEC549: Enterprise Cloud Security Architecture
Cloud Security Manager:
  • MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
  • MGT520: Leading Cloud Security Design and Implementation
  • Please plan to arrive 30 minutes early before your first session for lab preparation and set-up (though obtaining your cloud account(s) should happen PRIOR TO this.) During this time, students can confirm that their cloud accounts are properly set up, ensure laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine. For live classes (online or in-person), the instructor will be available to assist students with laptop prep and set-up 30 minutes prior to the course start time. The lecture will begin at the scheduled course start time.
  • Similar to providing hardware and software, students are required to provide their own AWS and Azure cloud accounts. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS or Azure accounts during a live class. Review the Laptop Requirements below for details.

    Start date: 12 Jun 2023
    Location / delivery: Paris
