SEC540: SANS Amsterdam October 2024


What You Will Learn
The Cloud Moves Fast. Automate to Keep Up

Common security challenges for organizations struggling with DevOps culture include issues such as:
  • Malicious code, credential theft, and compromised extensions from improperly protected continuous integration and delivery pipelines.
  • Unenforced peer code reviews and security approvals that do not meet change approval and audit requirements.
  • False positives, noise, and build failures from incorrectly automated security scanners.
  • Configuration drift between environments, resource misconfigurations, and public data exposure from insufficiently managed cloud infrastructure.
  • Failure to standardize golden virtual machine and container base images across the organization.
  • Ignoring software supply chain vulnerabilities inherited from malicious libraries, third-party software, and compromised build artifacts.
  • Operating Kubernetes services without policies that prevent lateral movement between workloads, reduce pod permissions, and monitor cluster activity.
  • Failing to release patches and close vulnerability windows due to code freezes and failed deployments.
  • Lacking inventory and visibility between microservices and serverless systems.
Security teams can help organizations prevent these issues by developing a DevOps mindset and learning to apply cloud native security controls. This course provides development, operations, and security professionals with a deep understanding of and hands-on experience with the DevOps methodology used to build and deliver cloud native infrastructure and software. Students learn how to attack and then harden the entire DevOps workflow, from version control to continuous integration and running cloud native workloads. Each step of the way, students explore the security controls, configuration, and policies required to improve the reliability, integrity, and security of on-premises and cloud-hosted systems. Students learn how to implement more than 20 DevSecOps security controls to build, test, deploy, harden, and monitor cloud native infrastructure and services.

"BEST class I have ever taken at SANS. This is one of those courses where I can log into work after class ends and immediately start applying into my daily tasks and responsibilities. I already went on my team's Slack channel and told them this needs to be the next class they take." - Brian Esperanza, Teradata

"Every single person I've sent to class has loved it. It's been transformational for them because it goes beyond security concepts and teaches how modern operations and DevOps works. It's also impactful sending developers (who are not working in cloud yet) because they want to develop in cloud and get into concepts like Infrastructure as Code." - Brett Cumming
Business Benefits
  • Build a modern security team that understands cloud native security and DevSecOps workflows
  • Partner with DevOps and engineering teams to inject security into automated pipelines and earlier into the development process
  • Leverage cloud native services to deploy, harden, and monitor software products
  • Ensure your organization is ready to refactor, revise, and rebuild products during their cloud migration
  • Use cloud monitoring and event triggered automation to improve security capabilities and respond to risk effectively
Skills Learned
  • Understand how DevOps works and identify keys to success
  • Wire security scanning into automated CI/CD pipelines and workflows
  • Parse security scanning results and display the data on CI/CD dashboards
  • Manage secrets for CI/CD servers and cloud native applications
  • Automate configuration management using Infrastructure as Code (IaC)
  • Build, harden, and publish golden virtual machine images using CI/CD workflows
  • Operate and secure container technologies using Docker and Kubernetes
  • Manage the software supply chain using software provenance, attestations, artifact signing, software bill of materials (SBOM), and SBOM vulnerability scanning.
  • Harden Kubernetes clusters with workload identity and admission control
  • Monitor Kubernetes audit logs using cloud logging and monitoring services
  • Deploy patches using cloud and Kubernetes blue / green deployments
  • Refactor systems to take advantage of microservice and serverless architectures
  • Automate cloud compliance and security policy guardrails and auto-remediation playbooks
What Is DevSecOps Automation?

DevSecOps automation allows security professionals to introduce continuous security controls, guardrails, and policies in their product delivery workflows.
Hands-On DevSecOps Automation Training

35 Unique, Immersive, Hands-On Labs
  • 3 CI/CD security labs
  • 16 AWS focused labs
  • 16 Azure focused labs
CloudWars Bonus Challenges

SEC540 goes well beyond traditional lectures and immerses students in hands-on application of techniques during each section of the course. Each lab includes a step-by-step guide to learning and applying hands-on techniques, as well as a "no hints" approach for students who want to stretch their skills and see how far they can get without following the guide. This allows students, regardless of background, to choose the level of difficulty they feel is best suited for them -- always with a frustration-free fallback path. Immersive hands-on labs ensure that students understand not only the theory but also how to configure and implement each security control.

The SEC540 lab environment simulates a real-world DevOps environment, with more than 10 automated pipelines responsible for building DevOps container images, cloud infrastructure, automating gold image creation, orchestrating Kubernetes workloads, executing security scans, and enforcing compliance standards. Students are challenged to sharpen their technical skills and automate more than 20 security-focused challenges using a variety of command line tools, programming languages, and markup templates.

The SEC540 course labs come in both AWS and Azure versions. Students will choose one cloud provider at the beginning of class to use for the duration of the course. Both options leverage Terraform for Infrastructure as Code (IaC) and the cloud provider's managed Kubernetes for container orchestration. Students are welcome to do labs for the alternate cloud provider on their own time once they finish the first set of labs.

For students who want an extra challenge, 2 hours of CloudWars Bonus Challenges are available during extended hours each day. These CloudWars challenges provide additional opportunities for hands-on experience with the cloud and DevOps toolchain.
  • Section 1: Attacking the DevOps Toolchain, Version Control Security, Automating Code Analysis, Protecting Secrets with Vault, CloudWars (Section 1): Cloud & DevOps Security Bonus Challenges
  • Section 2: Infrastructure as Code Network Hardening, Gold Image Creation, Container Image Hardening, Container Supply Chain Security, CloudWars (Section 2): Cloud & DevOps Security Bonus Challenges
  • Section 3: Container Registry Security, Kubernetes Workload Identity, Kubernetes Admission Control, Continuous Security Monitoring, CloudWars (Section 3): Cloud & DevOps Bonus Challenges
  • Section 4: Automated Blue/Green Deployments, Content Protection with CDNs, API Gateway Security, Serverless Security, CloudWars (Section 4): Cloud & DevOps Security Bonus Challenges
  • Section 5: Cloud Security Posture Management, Blocking Attacks with WAF, Automated Remediation with Cloud Custodian, CloudWars (Section 5): Cloud & DevOps Security Bonus Challenges
"Labs were really impressive. You can tell there are hours of work in there. It was organized really well and was great practice." - David Heaton, Grange Insurance

"Labs were the best bit of the whole thing - well maintained, keep it up." - Richard Ackroyd, PwC

"Great wealth of scripts to use and leverage." - Ravi Balla, GE

"Fun and straightforward. Everything worked like a charm." - Kenneth Jordan, Openaltar
Syllabus Summary

Section 1: Attacking and Hardening the DevOps Toolchain

Section 2: Securing Cloud Infrastructure, Container Images, and the Software Supply Chain

Section 3: Securing Container Registries, Kubernetes, and Monitoring

Section 4: Securing Content, APIs, and Serverless

Section 5: Automating Compliance, Attack Defense, and Remediation
Additional Free Resources

Posters, Cheat Sheets, and Lists
  • Cloud Native Security Tool
  • Nine Key Cloud Security Concentrations & SWAT Checklist
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • Security Web Application Technologies (SWAT) Checklist
  • Cloud Flight Simulator: Parts 1-4
  • Mastering Cloud Security Policy as Code, November 2023
  • Destroying Long-Lived Cloud Credentials with Workload Identity Federation, October 2023
  • DevSecOps Survey, August 2023
  • Protecting CI/CD Pipelines - Growing Threats and the Keys to Securing Them, June 2023
  • Docker Crash Course: How to Containerize Your Favorite Security Tools, June 2023
  • Securing the pipelines: DevSecOps and Cloud Security, June 2023
  • Container Security 101, June 2023
  • Beyond ChatGPT, Building Security Applications using OpenAI API, March 2023
  • See a complete list of Cloud Security tools here, all of which are applicable to SEC540.
What You Will Receive
  • Printed and electronic courseware
  • SANS provides time-limited AWS and Azure cloud accounts for completing the labs.
  • SANS provides instructions for accessing a virtual environment, also known as the Cloud Security Flight Simulator. Upon connecting to the environment, students can access the DevOps services (GitLab, VS Code, Terminal, and Vault) using Firefox to complete the lab exercises.
  • GitLab repositories with workflow, Terraform, Packer, Ansible, Kubernetes, and Docker configurations deploying the AWS and Azure infrastructure.
  • Browser access to an electronic workbook with lab instructions and commands to complete the lab exercises.
  • Ability to launch the DevOps server and lab infrastructure in your personal AWS and Azure cloud accounts after the course ends.
What Comes Next?

DevSecOps Professionals:
  • SEC522: Application Security: Web Applications, APIs, and Microservices
Cloud Security Engineer:
  • SEC510: Cloud Security Controls and Mitigations
  • SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection
  • SEC588: Cloud Penetration Testing
Cloud Security Architect:
  • SEC549: Cloud Security Architecture
Cloud Security Manager:
  • LDR520: Cloud Security for Leaders

Please plan to arrive 30 minutes before your first session for lab preparation and set-up. During this time, students can confirm that their cloud accounts are properly provisioned and connect to the Cloud Security Flight Simulator's DevOps server. For live classes (online or in-person), the instructor will be available to assist students with set-up 30 minutes prior to the course start time. The lecture will begin at the scheduled course start time.


Start date: 07 Oct 2024
Location / delivery: Amsterdam
