About the course
Cert: GCSA GIAC Cloud Security Automation
SEC540 provides security professionals with a methodology for securing modern Cloud and DevOps environments. Students learn how to implement over 20 DevSecOps Security Controls for building, testing, deploying, and monitoring cloud infrastructure and services. Immersive hand-on labs ensure students not only understand theory, but how to configure and implement each security control. By embracing the DevOps culture, you will walk away battle tested and ready to build to your organization's Cloud & DevOps Security program.
What You Will Learn
The Cloud Moves Fast. Automate to Keep Up.
SEC540 provides development, operations, and security professionals with a methodology to build and deliver secure infrastructure and software using DevOps and cloud services. Students will explore how DevOps principles, practices, and tools of DevOps can improve the reliability, integrity, and security of on-premise and cloud-hosted applications.
SEC540 examines the Secure DevOps methodology and its implementation using lessons from successful DevOps security programs. Students will gain hands-on experience using popular tools such as Jenkins, GitLab, Puppet, Vault, and Grafana to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), cloud infrastructure, containerization, micro-segmentation, Functions as a Service (FaaS), Compliance as Code, and Continuous Monitoring.
The lab environment starts with an on-premise CI/CD pipeline that automatically builds, tests, and deploys infrastructure and containerized applications. Leveraging the Secure DevOps toolchain, students perform a series of labs injecting security into the CI/CD pipeline using a variety of security tools, patterns, and techniques. After laying the DevSecOps foundation, students put their DevSecOps skills to work by deploying and managing a real-world cloud infrastructure. Hands-on exercises deploy containerized workloads in the cloud, integrate on-premise configuration management with Puppet, and manage secrets with HashiCorp Vault and Cloud Key Management Service (KMS). Students analyze and fix cloud infrastructure vulnerabilities, perform cloud-hosted application vulnerability scanning, and defend microservices using tools such as API Gateway and FaaS. Cloud security compliance tools help monitor the infrastructure using code-drive Web Application Firewall (WAF) services, continuous auditing with CloudMapper, and continuous monitoring with Cloud Custodian.
SEC540 Will Prepare You To:
- Understand the Core Principles and Patterns behind DevOps
- Recognize how DevOps works and identify keys to success
- Map and Implement a Continuous Delivery/Continuous Deployment Pipeline
- Utilize Continuous Integration, Continuous Delivery, and Continuous Deployment workflows, patterns, and tools
- Identify the security risks and issues associated with DevOps and Continuous Delivery
Understand the DevSecOps Methodology and Workflow
- Use DevOps practices to secure DevOps tools and workflows
- Conduct effective risk assessments and threat modeling in a rapidly changing environment
- Design and write automated security tests and checks in CI/CD
- Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
- Implement self-serve security services for developers
- Inventory and patch your software dependencies
- Threat model and secure your build and deployment environment
Integrate Security into Production Operations
- Automate configuration management using Infrastructure as Code
- Secure container technologies (such as Docker and Kubernetes)
- Build continuous monitoring feedback loops from production to engineering
- Securely manage secrets for continuous integration servers and applications
- Automate compliance and security policy scanning
Move Your DevOps Workloads to the Cloud
- Understand how to automate cloud architecture components
- Use CloudFormation and Terraform to create Infrastructure as Code
- Build CI/CD pipelines using Jenkins and CodePipeline
- Wire security scanning into Jenkins and CodePipeline workflows
- Containerize applications with Elastic Container Service and Azure Kubernetes Service
- Integrate cloud logging and metrics with Grafana
- Create Slack alerts from CloudWatch metrics
- Manage secrets with Vault, KMS, and the SSM Parameter store
Consume Cloud Services to Secure Cloud Applications
- Protect static content with CloudFront Signatures
- Leverage Elastic Container Service for blue/green deployments
- Secure REST APIs with API Gateway
- Implement an API Gateway custom authorization Lambda function
- Deploy the AWS WAF and build custom WAF rules
- Perform continuous compliance scans with CloudMapper
- Enforce cloud configuration policies with Cloud Custodian
SEC540 goes well beyond traditional lectures and immerses students in hands-on application of techniques during each section of the course. Each lab includes a step-by-step guide to learning and applying hands-on techniques, as well as a "no hints" approach for students who want to stretch their skills and see how far they can get without following the guide. This allows students, regardless of background, to choose a level of difficulty they feel is best suited for them - always with a frustration-free fallback path.
SEC540 also offers students an opportunity to participate in NetWars Bonus Challenges each day. The gamified environment allows students to compete against each other in a race to win the SEC540 challenge coin, while also providing more hands-on experience with the cloud and DevOps toolchain.
NOTICE TO STUDENTS:
- Please plan to arrive 30 minutes early before your very first session for lab preparation and set-up. During this time, students can confirm that their Amazon Web Services (AWS) account is properly set up, ensure laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine. For Live Online, the instructor will be available to assist students with laptop prep and set-up 30 minutes prior to course start time. Live Online class lecture will begin on time.
- An Amazon Web Services (AWS) account is required to do hands-on exercises during this course. Students must create an AWS account prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account during a live class.
- The estimated AWS cost for running the lab environment is $20 per week. Costs are significantly less for free-tier accounts.
- Microsoft Azure bonus challenges are available to students. Completing the bonus challenges requires that students register a Microsoft Azure account prior to the start of class.
- The estimated Azure cost for running the lab environment is $20 per week. Eligible free-tier accounts receive $200 in Azure credits (subject to verification and approval)
WHAT YOU WILL RECEIVE:
- Printed and Electronic Courseware
- ISO containing the course Virtual Machine (VM)
- Course VM containing a pre-built DevOps CI/CD toolchain, Cloud Security, and Secure DevOps lab exercises
- A VM-hosted wiki and an electronic lab workbook for completing the lab exercises
Syllabus (38 CPEs)
SEC540.1: Introduction to DevSecOps
SEC540.2: Cloud Infrastructure and Orchestration
SEC540.3: Cloud Security Operations
SEC540.4: Cloud Security as a Service
SEC540.5: Compliance as Code
GIAC Cloud Security Automation
“The GIAC Cloud Security Automation (GCSA) certification covers cloud services and modern DevSecOps practices that are used to build and deploy systems and applications more securely. The certification shows that you not only know how to speak the language of modern cloud and DevSecOps principles but can put them into practice in an automated and repeatable manner.” - Frank Kim, SEC540 Course Co-Author
- Using cloud services with Secure DevOps principles, practices, and tools to build & deliver secure infrastructure and software
- Automating Configuration Management, Continuous Integration, Continuous Delivery, and Continuous Monitoring
- Use of open-source tools, the Amazon Web Services toolchain, and Azure services
Courses or equivalent experiences that are prerequisites for SEC540:
- SEC488: Cloud Security Essentials
- Familiarity with Linux command shells and associated commands
- Basic understanding of common application attacks and vulnerabilities (e.g., OWASP Top 10)
- Hands-on experience using the AWS and Azure Cloud recommended
Preparing for SEC540
Students taking SEC540 will have the opportunity to learn and use a number of DevOps and cloud tools during the hands-on exercises. Getting a head start on the following tools, technologies, and languages will help students enjoy their lab experience:
- Running basic Git commands (clone, add, commit, push): https://docs.gitlab.com/ee/gitlab-basics/start-using-git.html
- Using GitLab for version control: https://docs.gitlab.com/ee/gitlab-basics/
- Jenkins Getting Started Guide: https://jenkins.io/doc/book/getting-started/
- Learning Puppet: https://puppet.com/docs/puppet/6.5/puppet_language.html
- YAML: https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
- AWS CloudFormation Templates (YAML & JSON): https://aws.amazon.com/cloudformation/aws-cloudformation-templates/
- Terraform HCL: https://www.terraform.io/docs/configuration/syntax.html
Who Should Attend SEC540?
Anyone working in or transitioning to a public cloud environment
Anyone working in or transitioning to a DevOps environment
Anyone who wants to understand where to add security checks, testing, and other controls to cloud and DevOps Continuous Delivery pipelines
Anyone interested in learning how to migrate DevOps workloads to the cloud, specifically Amazon Web Services (AWS) and Microsoft Azure
Anyone interested in leveraging cloud application security services provided by AWS