Cloud Security and DevSecOps Automation Course


32 hours
Overview

The Cloud Security and DevSecOps Automation course helps you:

  • Build a security team that understands modern cloud security and DevSecOps practices
  • Partner with DevOps and engineering teams to inject security into automated pipelines
  • Leverage cloud services and automation to improve security capabilities
  • Make sure your organization is ready for cloud migration and digital transformation initiatives

The cloud moves fast. Automate to keep up.

Common security challenges for organizations struggling with DevOps culture include:

  • Up-front peer code reviews and security sign-offs may not happen, leaving change-approval and audit requirements unmet
  • Lack of infrastructure and application scanning can let attackers find an entry point and compromise the system
  • Cloud security misconfigurations can publicly expose sensitive data or introduce new data-exfiltration paths

Security teams can help organizations avoid these problems by adopting DevOps tooling and cloud best practices. This course gives development, operations and security professionals deep knowledge of, and hands-on experience with, the DevOps methodology used to build and deliver cloud infrastructure and software. Students learn how to attack and harden the entire DevOps workflow, from version control through continuous integration to running workloads in the cloud. At each step, students explore the security controls, configuration and tooling needed to improve the reliability, integrity and security of on-premises and cloud-hosted systems. Students learn how to implement more than 20 DevSecOps security controls to build, test, deploy and monitor cloud infrastructure and services.

Objectives

After completing this Cloud Security and DevSecOps Automation course, you will be able to:

  • Understand how DevOps works and identify the keys to its success
  • Wire security scanning into automated CI/CD pipelines and workflows
  • Build continuous-monitoring feedback loops from production back to engineering
  • Automate configuration management using Infrastructure as Code (IaC)
  • Secure container technologies such as Docker and Kubernetes
  • Use cloud-native security services and third-party tools to protect systems and applications
  • Manage secrets securely for Continuous Integration servers and applications
  • Integrate cloud logging and metrics
  • Perform continuous compliance and security-policy checks
Target Audience
  • Anyone working in, or transitioning to, a public cloud environment
  • Anyone working in, or transitioning to, a DevOps environment
  • Anyone who wants to understand where to add security checks, tests and other controls to cloud and DevOps continuous delivery pipelines
  • Anyone interested in learning how to migrate DevOps workloads to the cloud, specifically Amazon Web Services (AWS) and Microsoft Azure
  • Anyone interested in leveraging the cloud application security services provided by AWS or Azure
  • Developers
  • Software architects
  • Operations engineers
  • System administrators
  • Security analysts
  • Security engineers
  • Auditors
  • Risk managers
  • Security consultants
Materials
English + Exercises + Hands-on Lab
Course Outline

DevOps Security Automation

Overview

Section 1 starts by introducing DevOps practices, principles, and tools by attacking a vulnerable Version Control and Continuous Integration configuration. Students gain an in-depth understanding of how the toolchain works and the risks these systems pose, and identify key weaknesses that could compromise the workflow. Next, we examine the security features available in various Continuous Integration (CI) and Continuous Delivery (CD) systems, such as Jenkins, GitHub, GitLab, Azure DevOps, and AWS CodePipeline, and then start hardening the environment. After automating various code analysis tools and discovering insecurely stored secrets, students focus on moving sensitive data into secrets management solutions such as HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault.

Exercises

  • Attacking the DevOps Toolchain
  • Version Control Security
  • Automating Static Analysis
  • Protecting Secrets with Vault
  • CloudWars (Section 1): Cloud & DevOps Security Bonus Challenges

DevOps and Security Challenges

  1. Understand the Core Principles and Patterns behind DevOps
  2. Recognize how DevOps works and identify keys to success

DevOps Toolchain

  1. Build CI/CD pipelines using Jenkins, CodePipeline, and Azure DevOps
  2. GitFlow
  3. GitHub Actions
  4. GitLab CI/CD
  5. Jenkins
  6. Securing DevOps Workflows
  7. Threat model and secure your build and deployment environment

Secure DevOps tools and workflows

  1. Conduct effective risk assessments and threat modeling in a rapidly changing environment
  2. Design and write automated security tests and checks in CI/CD
  3. Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
  4. Inventory and patch your software dependencies
  5. Wire security scanning into Jenkins, CodePipeline, and Azure DevOps workflows

Pre-Commit Security Controls

  • Rapid Risk Assessment
  • Git Hook Security
  • Code Editor Extensions
  • Branch Protections
  • CodeOwners
  • Peer Reviews

Commit Security Controls

  1. Static Analysis Security Testing
  2. Component Analysis
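
The Git hook, static-analysis and component-analysis controls above (and the insecurely stored secrets the Section 1 overview has students discover) meet in one very common pre-commit control: a secret scan over the staged diff. The following is an added illustration, not course material or any vendor's product. It scans only the lines a commit adds, tracks new-file line numbers from the hunk headers so findings can be reported against the file, combines known credential formats with a Shannon-entropy fallback, and honours an assumed `pragma: allowlist secret` marker for reviewed false positives. The patterns, the 4.5-bit threshold and the sample diff are constructed for the example; `AKIAIOSFODNN7EXAMPLE` is the placeholder key ID AWS uses in its own documentation, not a live credential.

```python
"""Pre-commit secret scanner for staged diffs (added illustration, not a product).
Real tools such as gitleaks, detect-secrets or trufflehog cover far more formats;
the patterns, thresholds and allowlist marker below are assumptions for the example."""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# Known credential formats. The AWS access key ID layout (AKIA/ASIA + 16 uppercase
# alphanumerics) and PEM headers are documented public formats.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # password = "..." style assignments; the keyword may sit inside a longer
    # identifier such as DB_PASSWORD or AWS_SECRET_ACCESS_KEY.
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5      # bits/char: random base64 is ~5.5+, hex cannot exceed 4.0
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ALLOWLIST_MARKER = "pragma: allowlist secret"   # assumed convention for reviewed false positives


@dataclass(frozen=True)
class Finding:
    line: int        # line number in the new version of the file
    rule: str
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for a run of one character)."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(text: str, line_no: int) -> list[Finding]:
    if ALLOWLIST_MARKER in text:
        return []
    found = [Finding(line_no, rule, text.strip())
             for rule, rx in KNOWN_FORMATS.items() if rx.search(text)]
    if not found:
        # Entropy fallback for opaque blobs no pattern knows about.
        for tok in TOKEN_RE.findall(text):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                found.append(Finding(line_no, "high_entropy_string", text.strip()))
                break
    return found


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only lines the commit adds, tracking new-file line numbers from hunk headers."""
    findings: list[Finding] = []
    new_line = 0
    for raw in diff_text.splitlines():
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
        elif raw.startswith(("diff ", "index ", "--- ", "+++ ")):
            continue                       # file headers
        elif raw.startswith("+"):
            findings.extend(scan_line(raw[1:], new_line))
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1                  # unchanged context line
        # '-' lines exist only in the old version: nothing to scan, no new line number
    return findings


# Constructed sample diff (no real credentials: AKIAIOSFODNN7EXAMPLE is the
# placeholder AWS uses in its own documentation).
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,7 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"  # pragma: allowlist secret
+SESSION_SALT = "Zq7vK3pL9mN2xR8wT4yB6cD1eF5gH0jA"
+SHA_PIN = "3b5c1f9a2d8e7f6a4c0b1d2e3f4a5b6c7d8e9f0a"
 DEBUG = False
"""


def main(argv: list[str]) -> int:
    """Hook entry point: scan `git diff --cached`; `--demo` scans the sample instead."""
    if "--demo" in argv:
        diff = SAMPLE_DIFF
    else:
        diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                              capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"line {f.line}: {f.rule}: {f.excerpt}")
    return 1 if findings else 0            # non-zero exit status blocks the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Installed as `.git/hooks/pre-commit` (or run from a pre-commit framework), the non-zero exit blocks the commit. The sample shows the three outcomes a practitioner cares about: the AWS key ID and the hardcoded password are caught by format, the random salt only by entropy, and the pinned SHA-1 hash (hex, entropy below 4 bits) is correctly left alone. Because a client-side hook is easy to bypass with `--no-verify`, the same scan should run again in CI, where the next control in this list, static analysis, already has a place.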

Secrets Management

  1. Managing secrets in CI / CD
  2. Azure Key Vault
  3. AWS SSM Parameter Store
  4. AWS Secrets Manager
  5. HashiCorp Vault

Cloud Infrastructure Security

Overview

Section 2 challenges students to use their DevOps skills to deploy a code-driven cloud infrastructure with AWS CloudFormation and Terraform using more than 150 cloud resources. Students perform a cloud network assessment, identify insecure network configurations, and harden the network traffic flow rules. Moving to cloud virtual machines, students learn how to automate configuration management and build gold images using Ansible, Vagrant, and Packer. To finish the section, students focus on scanning and hardening container images before deploying workloads to the cloud.

Exercises

  • Infrastructure as Code Network Hardening
  • Gold Image Creation
  • Container Security Hardening
  • Automating Dynamic Analysis
  • CloudWars (Section 2): Cloud & DevOps Security Bonus Challenges

Cloud Infrastructure as Code

  1. Introduction to Cloud Infrastructure as Code
  2. AWS CloudFormation
  3. Terraform
  4. Deploying
  5. Cloud Infrastructure as Code security analysis
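
Item 5, security analysis of the infrastructure code, is what lets the Section 2 network-hardening exercise run as a pipeline gate rather than a one-off review. The following is an added illustration, not course material or any vendor's product: a check over the JSON that `terraform show -json tfplan` emits, failing the build when a security-group ingress rule that this apply creates or updates exposes an administrative port to `0.0.0.0/0` or `::/0`. The resource and attribute names are those of Terraform's AWS provider; the sample plan is constructed and reduced to the fields the check reads, and the list of administrative ports is an assumption a team would tune.

```python
"""CI gate over Terraform plan JSON (`terraform show -json tfplan`) that fails the
build when security-group ingress from the whole internet reaches admin ports.
Added illustration, not course material; resource and field names follow the
Terraform AWS provider schema, the sample plan is constructed."""
import json
import sys

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def ports_hit(from_port, to_port, protocol) -> tuple:
    """Admin ports a rule covers; protocol -1 (all) ignores the port fields."""
    if str(protocol) in ("-1", "all"):
        return tuple(sorted(ADMIN_PORTS))
    lo, hi = int(from_port), int(to_port)
    return tuple(p for p in sorted(ADMIN_PORTS) if lo <= p <= hi)


def ingress_rules(resource: dict):
    """Yield (from, to, protocol, cidrs) for both ways Terraform expresses ingress:
    inline `ingress` blocks on aws_security_group, or a standalone
    aws_security_group_rule with type = "ingress"."""
    after = resource["change"].get("after") or {}        # None when the resource is deleted

    def cidrs(block):
        return list(block.get("cidr_blocks") or []) + list(block.get("ipv6_cidr_blocks") or [])

    if resource["type"] == "aws_security_group":
        for block in after.get("ingress") or []:
            yield block["from_port"], block["to_port"], block["protocol"], cidrs(block)
    elif resource["type"] == "aws_security_group_rule" and after.get("type") == "ingress":
        yield after["from_port"], after["to_port"], after["protocol"], cidrs(after)


def check_plan(plan: dict) -> list:
    """(address, world CIDR, admin ports) for every rule this apply creates or
    updates that exposes an admin port to the world. Deletes and no-ops cannot
    widen exposure in this apply, so they are skipped."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if not set(rc["change"]["actions"]) & {"create", "update"}:
            continue
        for from_port, to_port, protocol, cidrs in ingress_rules(rc):
            hit = ports_hit(from_port, to_port, protocol)
            if hit:
                findings.extend((rc["address"], c, hit) for c in cidrs if c in WORLD_CIDRS)
    return findings


# Constructed plan in the shape `terraform show -json` emits, reduced to the fields used.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"name": "web", "ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]},   # public HTTPS: fine
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]},   # SSH to the world
         ]}}},
        {"address": "aws_security_group_rule.db_admin", "type": "aws_security_group_rule",
         "change": {"actions": ["update"], "after": {"type": "ingress", "protocol": "tcp",
                    "from_port": 0, "to_port": 65535, "cidr_blocks": ["0.0.0.0/0"],
                    "ipv6_cidr_blocks": None}}},                              # every port open
        {"address": "aws_security_group_rule.db_app", "type": "aws_security_group_rule",
         "change": {"actions": ["create"], "after": {"type": "ingress", "protocol": "tcp",
                    "from_port": 5432, "to_port": 5432, "cidr_blocks": ["10.0.0.0/16"],
                    "ipv6_cidr_blocks": None}}},                              # private source: fine
        {"address": "aws_security_group_rule.old", "type": "aws_security_group_rule",
         "change": {"actions": ["delete"], "after": None}},
    ],
}


def main(argv) -> int:
    """`python gate.py tfplan.json` in CI, or `--demo` to run against the sample."""
    if "--demo" in argv:
        plan = SAMPLE_PLAN
    else:
        with open(argv[0]) as fh:
            plan = json.load(fh)
    findings = check_plan(plan)
    for address, cidr, ports in findings:
        print(f"{address}: {cidr} may reach " + ", ".join(f"{p}/{ADMIN_PORTS[p]}" for p in ports))
    return 1 if findings else 0          # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two details matter in practice. The plan, not the `.tf` source, is what gets checked, so values resolved from variables and modules are seen as they will be applied; attributes that are only known after apply appear under `after_unknown` rather than `after`, and a stricter gate would fail closed on an unknown `cidr_blocks`. And only `create`/`update` actions are judged, which is what a change gate wants; finding the same exposure in already-deployed resources is the job of the CSPM tooling in Section 5.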

Configuration Management as Code

  1. Automating Configuration Management in CI / CD
  2. Using Ansible to Configure Virtual Machines
  3. Building Gold Images with Vagrant and Packer
  4. Certifying Gold Images with InSpec

Container Security

  1. Dockerfile and BuildKit Security
  2. Base Image Hardening with Hadolint and Conftest
  3. Container Image Security
  4. Scanning Container Images with Docker Scan and Trivy
  5. Container Registry Security
  6. Container Scanning with AWS ECR and Azure ACR
  7. Container Runtime Security
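
Items 1 and 2, Dockerfile security and base-image hardening with Hadolint and Conftest, amount to a policy applied to the Dockerfile before any image is built. The following is an added illustration, not course material and not Hadolint or Conftest themselves: a small checker that parses a Dockerfile (joining backslash continuations, dropping comments, tracking multi-stage aliases) and applies a handful of rules, each labelled with the Hadolint rule it approximates. The two Dockerfiles are constructed, one as the weak "before" and one as the hardened "after"; `PIPE_TO_SHELL` is the example's own rule name, not a Hadolint code.

```python
"""Small Dockerfile policy checker in the spirit of Hadolint (added illustration,
not course material and not Hadolint). DL-codes name the Hadolint rule each
check approximates; PIPE_TO_SHELL is this example's own rule."""
import re


def parse_dockerfile(text: str) -> list[tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations and
    drops comment and blank lines, as the Docker parser does."""
    instructions, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1].rstrip() + " "
            continue
        buf += stripped
        head, _, rest = buf.partition(" ")
        instructions.append((head.upper(), rest.strip()))
        buf = ""
    return instructions


def lint_dockerfile(text: str) -> list[tuple[str, str]]:
    """Return (rule_id, message) for each policy violation, in file order."""
    findings, aliases = [], set()
    last_user = None            # USER of the stage being built; None means root
    for instr, args in parse_dockerfile(text):
        words = [w for w in args.split() if not w.startswith("--")]   # drop --platform, --chown, ...
        if instr == "FROM":
            image = words[0]
            last_user = None    # every stage starts as root
            if image not in aliases and image != "scratch":
                name = image.rsplit("/", 1)[-1]   # strip registry/namespace so host:port is not read as a tag
                if "@" in name:
                    pass                          # pinned by digest: the strongest form
                elif ":" not in name:
                    findings.append(("DL3006", f"FROM {image}: no tag, silently defaults to :latest"))
                elif name.endswith(":latest"):
                    findings.append(("DL3007", f"FROM {image}: ':latest' is not reproducible"))
            if len(words) >= 3 and words[1].upper() == "AS":
                aliases.add(words[2])
        elif instr == "USER":
            last_user = words[0].split(":")[0]
        elif instr == "ADD":
            src = words[0]
            if not re.match(r"https?://", src) and not re.search(r"\.(tar|tgz|tar\.(gz|xz|bz2))$", src):
                findings.append(("DL3020", f"ADD {src}: use COPY for local files (ADD also fetches URLs and auto-extracts)"))
        elif instr == "RUN":
            if re.search(r"apt-get\s+install", args):
                if "--no-install-recommends" not in args:
                    findings.append(("DL3015", "apt-get install without --no-install-recommends"))
                if "rm -rf /var/lib/apt/lists" not in args:
                    findings.append(("DL3009", "apt lists not removed in the same layer"))
            if re.search(r"\bsudo\b", args):
                findings.append(("DL3004", "sudo in RUN: the build already runs as root"))
            if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", args):
                findings.append(("PIPE_TO_SHELL", "remote script piped straight into a shell, unverified"))
    if last_user in (None, "root", "0"):
        findings.append(("DL3002", "final stage runs as root; add a USER instruction"))
    return findings


# Constructed "before": unpinned base, ADD of the build context, bloated apt
# layer, remote install script piped to sh, and no USER.
WEAK_DOCKERFILE = """\
FROM python
ADD . /app
RUN apt-get update && apt-get install -y curl \\
    && curl -fsSL https://example.invalid/install.sh | sh
CMD ["python", "/app/main.py"]
"""

# Constructed "after": tagged base with a named stage, minimal apt layer cleaned
# in the same RUN, COPY with ownership, and a dedicated non-root user.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim AS base
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \\
    && rm -rf /var/lib/apt/lists/*

FROM base
WORKDIR /app
RUN useradd --system --uid 10001 --no-create-home app
COPY --chown=app:app requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY --chown=app:app . .
USER app
CMD ["python", "main.py"]
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{label}: {lint_dockerfile(text) or 'no findings'}")
```

In a pipeline this is the pre-build step; the image that passes it still goes through the vulnerability scan in items 3 and 4, since a clean Dockerfile says nothing about the CVEs in the base image's packages. Hadolint itself exits non-zero on findings, so the real tool drops into CI the same way, and Conftest lets the same kind of rules be written in Rego against the parsed Dockerfile.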

Acceptance Stage Security

  • Dynamic Application Security Testing
  • Vulnerability Management in DevSecOps

Cloud Security Operations

Overview

Section 3 prepares students to deploy and run containerized workloads in cloud-native orchestration services such as AWS Elastic Container Service (ECS) and Azure Kubernetes Service (AKS). Students analyze the cloud resources, identify common security misconfigurations, and leverage automation to quickly secure the workloads. The focus then shifts to monitoring workloads, analyzing log files, detecting an attack in real time, and sending alerts to the security team. Students finish the section by examining cloud-native data protection capabilities and encrypting sensitive data.

Exercises

  • Cloud Workload Security Review
  • Cloud-Hosted CI/CD Guardrails
  • Continuous Security Monitoring
  • Data Protection Services
  • CloudWars (Section 3): Cloud & DevOps Bonus Challenges

Cloud Deployment & Orchestration

  1. Azure Pipelines
  2. AWS CodePipeline
  3. Cloud Container Orchestration
  4. Elastic Container Service (ECS)
  5. Azure Kubernetes Service (AKS)

Cloud Workload Security

  1. Cloud Storage Access Control
  2. Workload Identity & Privilege Escalation
  3. TLS Misconfiguration and Hardening

Security in Cloud CI/CD

  1. Software Composition Analysis
  2. AWS CodeBuild Security Integrations
  3. Azure DevOps Security Extensions

Continuous Security Monitoring

  1. Monitoring and feedback loops from production to engineering
  2. Cloud logging and metrics
  3. Azure Monitor & Log Analytics
  4. Kusto Query Language (KQL)
  5. AWS CloudWatch Log Insights
  6. AWS CloudWatch Dashboards
  7. osquery
  8. Automated Slack Alerts

Data Protection Services

  • Azure Key Vault
  • Azure Service Integration
  • AWS KMS
  • AWS Service Integration

Cloud Security as a Service

Overview

Section 4 starts with students learning to leverage cloud-native services to patch containerized workloads and secure content delivery networks. From there, the discussion shifts to microservice architectures, best practices, and micro-segmentation with API Gateways. Finally, students learn how to build and deploy Functions as a Service (FaaS), such as Lambda and Azure Functions, along with resources to add guardrails to the microservice environment.

Exercises

  • Deploying Security Patches Using Blue/Green Environments
  • Securing Content with Signed URLs
  • Protecting REST Web Services with API Gateway
  • Protecting APIs with Serverless and JSON Web Tokens
  • CloudWars (Section 4): Cloud & DevOps Security Bonus Challenges

Blue/Green Deployment Options

  1. Cloud Services for Blue/Green Deployments
  2. Azure Application Gateway
  3. Azure Kubernetes Service
  4. AWS EC2 DNS Routing
  5. AWS ALB Weighted Target Groups
  6. AWS Elastic Container Service Swapping

Secure Content Delivery

  1. Azure Content Delivery Network (CDN)
  2. Azure CDN Token Authentication & Policies
  3. AWS CloudFront
  4. AWS CloudFront Origin Access Identities (OAI)
  5. AWS CloudFront Signing
  6. CDN Cross-Origin Resource Sharing Policies

Microservice Security

  1. Microservice Architecture Attack Surface
  2. Microservice Security Controls
  3. Identity Federation & OpenID Connect (OIDC)
  4. JSON Web Token (JWT) Security & Best Practices
  5. Service Mesh Security Controls
  6. Azure API Management
  7. Azure API Management Custom Security Policies
  8. Azure API Management Request Throttling
  9. AWS API Gateway
  10. AWS API Gateway Custom Authorizers
  11. AWS API Gateway Request Throttling & Data Tracing
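
Items 3, 4 and 10 above, and the Section 4 exercise "Protecting APIs with Serverless and JSON Web Tokens", all come down to the same verification steps an API authorizer must perform before trusting a token. The following is an added illustration, not course material or any vendor's code: HS256 token issuance and verification in the standard library, with the four checks in the order a verifier should make them (algorithm fixed by the verifier, constant-time signature check, mandatory expiry, issuer and audience binding), wrapped in the response shape an API Gateway HTTP API Lambda authorizer returns. The key, issuer, audience, claims and fixed clock are constructed; a production service would use a maintained JWT library configured with exactly these constraints.

```python
"""HS256 JWT issue/verify with the checks an API authorizer must make, standard
library only. Added illustration, not course material; production code would use a
maintained JWT library configured the same way. Key, issuer, audience are constructed."""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Any reason to reject; the client is never told which one."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token. `alg` is a parameter only so the demo can forge an alg=none
    token; a real issuer hard-codes its algorithm."""
    def compact(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact({'alg': alg, 'typ': 'JWT'})}.{compact(claims)}"
    if alg == "none":
        return signing_input + "."          # unsigned token, as an attacker would submit it
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None, leeway: int = 0) -> dict:
    """Return the claims if, and only if, every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h64, p64, s64 = parts
    try:
        header, claims = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError as exc:               # bad base64 or bad JSON
        raise InvalidToken("undecodable") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed")
    # 1. The verifier fixes the algorithm; the token's header never chooses it.
    #    This one check rejects alg=none and RS256->HS256 key confusion alike.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. Recompute over the exact bytes received; compare in constant time.
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    # 3. exp is mandatory; leeway absorbs clock skew between issuer and API.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise InvalidToken("expired or missing exp")
    # 4. Bind the token to this issuer and this API (aud may be a list).
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    return claims


def authorizer_response(event: dict, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """API Gateway HTTP API Lambda authorizer, simple response format (payload 2.0);
    HTTP API lower-cases header names in the event."""
    scheme, _, token = event.get("headers", {}).get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"isAuthorized": False}
    try:
        claims = verify_jwt(token, key, issuer, audience, now=now)
    except InvalidToken:
        return {"isAuthorized": False}
    return {"isAuthorized": True, "context": {"sub": claims.get("sub", "")}}


# Constructed demo values; NOW is fixed so the results are reproducible.
KEY = b"demo-hs256-key-at-least-32-bytes-long!!"
ISSUER, AUDIENCE, NOW = "https://issuer.example", "orders-api", 1_700_000_000
CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "exp": NOW + 300}


def run_checks() -> dict:
    """Which tokens the verifier accepts at time NOW (True means accepted)."""
    def accepts(token):
        try:
            verify_jwt(token, KEY, ISSUER, AUDIENCE, now=NOW)
            return True
        except InvalidToken:
            return False
    good = sign_jwt(CLAIMS, KEY)
    h64, _, s64 = good.split(".")
    forged = _b64url_encode(json.dumps({**CLAIMS, "sub": "admin"}).encode())
    return {
        "valid": accepts(good),
        "alg_none": accepts(sign_jwt(CLAIMS, KEY, alg="none")),
        "tampered_payload": accepts(f"{h64}.{forged}.{s64}"),   # original signature, edited claims
        "wrong_key": accepts(sign_jwt(CLAIMS, b"other-key")),
        "expired": accepts(sign_jwt({**CLAIMS, "exp": NOW - 1}, KEY)),
        "wrong_audience": accepts(sign_jwt({**CLAIMS, "aud": ["billing-api"]}, KEY)),
    }
```

The order is deliberate: the algorithm is pinned before any signature work, so an `alg: none` token or a token signed with the issuer's public RSA key used as an HMAC secret is rejected without the key ever being touched. The audience check is what stops a token minted for one microservice from being replayed against another behind the same API gateway, which is the micro-segmentation point of items 6 to 11. With OIDC (item 3) the same verifier would fetch the issuer's JWKS and pin a single asymmetric algorithm instead of HS256; the checks themselves do not change.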

Serverless Security

  1. Overview of Serverless Computing
  2. Serverless Functions Security Implications
  3. Deploying Functions in CI / CD Pipelines
  4. Azure Functions
  5. AWS Lambda

Compliance as Code

Overview

Section 5 wraps up the journey with students learning to leverage cloud services to automate security compliance. Starting with Cloud Security Posture Management (CSPM) solutions, students detect security issues in their cloud infrastructure. Next, using cloud-native Web Application Firewall (WAF) services, students enable monitoring, attack detection, and active defense capabilities to catch and block bad actors. The discussion then shifts to working in DevOps and how that affects policy and compliance. Students finish the course learning how to write policy as code for automated remediation using Cloud Custodian, and how to detect and correct cloud configuration drift.

Exercises

  • Cloud Security Posture Management (CSPM) with Prowler and Microsoft Defender for Cloud
  • Blocking Attacks with WAF
  • Automated Remediation with Cloud Custodian
  • CloudWars (Section 5): Cloud & DevOps Security Bonus Challenges

Continuous Compliance

  1. Continuous Compliance in DevSecOps
  2. DevOps Audit Defense Toolkit
  3. DevOps versus ITIL & PCI
  4. Automate compliance and security policy scanning
  5. Cloud Security Guardrails with InSpec, AWS Service Control Policies (SCP), and Azure Policy
  6. Cloud-Native Cloud Security Posture Management (CSPM) Services
  7. Microsoft Defender for Cloud Workload Protection
  8. AWS Security Hub
  9. AWS Prowler

Runtime Security Protection

  1. Cloud Web Application Firewalls
  2. AWS and Azure WAF
  3. AWS Security Automations Project
  4. Writing WAF-as-Code Custom Rules
  5. RASP/IAST

Automated Remediation

  1. Azure Event Grid
  2. Amazon EventBridge
  3. Automated Blocking of Bad Bots and Scanners
  4. Microsoft Defender for Cloud Automation
  5. AWS Security Hub Automated Response & Remediation
  6. Automated Playbooks
  7. Enforce cloud configuration policies with Cloud Custodian