OpenHack – DevSecOps (OHDVSCO) – Outline

Detailed Course Outline

Challenge 1: Managing Secrets

  • Identify the tools and technologies that can help to protect from leaking credentials and secrets while in development
  • Create a custom search pattern for secrets in your source code

Challenge 2: Secret Rotation

  • Manage/Rotate secrets in dev/test/production environments

Challenge 3: Keep your code clean and vulnerability free

  • Identify the tools and technologies that you will use to find security issues early in your development process
  • Design and implement a workflow that uses static code analysis and dependency scanning to surface issues while keeping false positives low
  • Analyze dependencies in code and scan containers for known vulnerabilities

Challenge 4: Automate penetration testing

  • Scan for OWASP top 10 vulnerabilities
  • Incorporate pen testing into UI Automation testing
  • Adjust scoring algorithm based on your threat model (SMACD)

Challenge 5: Streamline and integrate workflow

  • Learn techniques and trade-offs to speed up execution and minimize impact on developer productivity
  • Integrate into a PR-based workflow to provide effective and timely feedback from automation
  • Enable bot automation to streamline false positive resolution in external systems such as SonarCloud

Challenge 6: Apply security policy to your organization

  • Make DevSecOps mandatory for all PR merges to master branches for your organization
  • Reject a push to repository that contains secrets
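
The custom secret search pattern from Challenge 1 and the "reject a push that contains secrets" policy from Challenge 6 fit together naturally: the same patterns that scan a checkout in CI can scan only the lines a push adds and fail the hook. The example below is added here and is not part of the OpenHack content or any tool the event uses; the AWS access key ID format (AKIA plus 16 upper-case alphanumerics) is the documented one, while the other two patterns, the placeholder allowlist, the sample diff and the hook wiring described in the comments are assumptions made for illustration.

```python
import re
import sys
from typing import List, NamedTuple, Tuple

# Custom search patterns for secrets. The AWS access key ID shape (AKIA followed
# by 16 upper-case alphanumerics) is the documented format; the other two patterns
# are assumptions for this example and would be tuned to your own code base.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Captures the quoted value of assignments such as PASSWORD = "..." or api_key: '...'
    "generic-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that are obviously placeholders; skipping them keeps test fixtures and
# docs from producing false positives. Assumed list for this example.
PLACEHOLDERS = re.compile(r"(?i)^(?:changeme|example|<[^>]+>|\$\{[^}]+\}|x{3,})$")


class Finding(NamedTuple):
    rule: str
    line_no: int
    line: str


def _scan_pairs(pairs: List[Tuple[int, str]]) -> List[Finding]:
    """Run every pattern over (line_no, line) pairs, dropping allowlisted placeholders."""
    findings = []
    for line_no, line in pairs:
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if PLACEHOLDERS.match(value):
                continue
            findings.append(Finding(rule, line_no, line.strip()))
    return findings


def scan_text(text: str) -> List[Finding]:
    """Scan a whole file, e.g. a repository checkout during a CI job."""
    return _scan_pairs(list(enumerate(text.splitlines(), start=1)))


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only lines a push or commit adds: '+' lines, but not the '+++' file header.
    Line numbers in the findings refer to lines of the diff text itself."""
    added = [
        (n, line[1:])
        for n, line in enumerate(diff_text.splitlines(), start=1)
        if line.startswith("+") and not line.startswith("+++")
    ]
    return _scan_pairs(added)


def push_allowed(diff_text: str) -> bool:
    """Policy decision for the hook: a push is accepted only when nothing was found."""
    return not scan_diff(diff_text)


# Constructed sample diff for the example. The AKIA value is the placeholder key
# from AWS's own documentation, not a live credential. The removed '-' line is
# deliberately not scanned, because it leaves the repository rather than entering it.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
+DB_PASSWORD = "changeme"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "s3cr3t-token-value-42"
-OLD_TOKEN = "removed-value-is-not-scanned"
 unchanged = True
"""


def main() -> int:
    # Assumed hook wiring: a pre-commit hook runs `git diff --cached | python scan_secrets.py`;
    # a server-side pre-receive hook runs `git diff "$oldrev" "$newrev" | python scan_secrets.py`
    # for each pushed ref and rejects the push when this exits non-zero.
    diff_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"[{f.rule}] diff line {f.line_no}: {f.line}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without input and it scans the built-in sample: the placeholder password is allowlisted, the AWS key and the API token are reported, the removed line is ignored, and the exit status of 1 is what makes a hook reject the push. Scanning only added lines keeps the server-side check fast on large repositories; a full-history scan belongs in a scheduled CI job rather than in the push path.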

Challenge 7: Enable quality gates and resolve issues

  • Implement quality gates
  • Resolve some of the discovered issues

At the end of the event, we will provide content and a recommended set of tasks that can be incorporated into a dev crew engagement to enable some of the practices covered during the event.