Sec|DevOps 101 — Strengthen the Basics

The Glossary of Foundational Knowledge Objects

~Cappetta
AWS Cyber Range
5 min read · Mar 24, 2020


This article is meant to provide a quick overview, as well as deeper links into research, on everything SecDevOps related. It might become a living document and/or transform into a series of related content.

DevOps = LineCooks

The “working in a kitchen” stories run wildly through the executive ranks of corporations as well as the backgrounds of entrepreneurs. The visual below is a simple linear diagram outlining the process of taking an input and transforming it into an output.

To establish DevOps experience, you must touch, understand, and support each vertical between Initiation & Production.

SecDevOps Pipeline

A few years ago I met Anant Shrivastava from NotSoSecure. He was hosting the Advanced Infrastructure Hacking Course at BlackHat.

Their Achieving DevSecOps with Open-Source Tools post from April 2019 (link is directly below) provides a great visual of the targeted cross-section between the triad of disciplines.

Sec|DevOps / Dev|SecOps falls right in the middle.

The call-to-action for you, the reader, is to dive into the NotSoSecure article to understand the core concepts & phases. Just note: there are many tools which can fill each phase of the product-development pipeline.

Source: unknown (google image)

DEV|Development

Development is the Dev side of SecDevOps|DevSecOps. This primarily spans across the Code/Build/Test/QA columns. Let’s get started with Git…

Git

Understanding how to obtain the latest codebase and navigate around a codebase is a required skill. Don’t know Git/GitHub? Then dive into the learning lab.

IDEs

There are many great tools for learning and doing development. Pick up a copy of JetBrains or VSCode. Eclipse is also a historical favorite, yet JetBrains provides custom products for multiple languages, a great set of tools for the toolbox if you can grab the student edition for free.

Otherwise VSCode is a decent alternative…

Simple Scripting — Shell, Python, & Containerization

Both Kali and Commando can be used to host containerized systems & applications. They both have shells to learn/use. Courtesy of Carlos Perez, here are the DarkOperator’s PowerShell basics.

Powershell Basics

Shell Scripting basics

Creating a virtual environment for Python Dependencies

Programs, at times, have specific dependencies. You can create virtual development environments & isolate the dependencies in many languages.

Docker For Beginners

Docker / Containerization

Ever heard of microservices? The goal is to create small reproducible bundles of application logic & isolate them into “microservices” then deploy them with docker containers.

We also need to cover some Tooling and Testing.

Behavior Driven Development Test Frameworks

Also known as BDD. Many languages have a behavior-driven-development test framework: Gherkin is a primary example in PHP, Cucumber in Java, and pytest-bdd in Python.

Once we have some code created we want to start committing that code to our Repo. We can use a tool like CircleCI, Jenkins, or other tools to perform the Continuous Integration Testing.

Terraform

Now we start diving into Provisioning. Given that Terraform is code, we also need to have any updates of the Terraform manifests / codebase tested. A simple way of doing that is using a CircleCI hook to perform the Terraform testing. Here’s an intro into Terraform as well as a link to the CircleCI/Terraform GitHub example the CyberRange used as its initial baseline.
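As an added example (not the CyberRange’s own configuration), here is a minimal CircleCI 2.1 config that runs formatting and validation checks on Terraform manifests on every commit; the image tag, the `terraform/` directory and the job names are assumptions.

```yaml
# Added example: CircleCI job that tests Terraform manifests on every push.
# Assumptions: manifests live under ./terraform; Terraform 1.5 image tag.
version: 2.1

jobs:
  terraform-check:
    docker:
      # Official HashiCorp image; pinning the tag keeps CI runs reproducible.
      - image: hashicorp/terraform:1.5
    working_directory: ~/repo
    steps:
      - checkout
      - run:
          name: Formatting check (fails the build on unformatted files)
          command: terraform -chdir=terraform fmt -check -recursive -diff
      - run:
          name: Init without a backend (no cloud credentials needed in CI)
          command: terraform -chdir=terraform init -backend=false -input=false
      - run:
          name: Validate syntax and provider schemas
          command: terraform -chdir=terraform validate

workflows:
  test-terraform:
    jobs:
      - terraform-check
```

Because the job never configures a backend or provider credentials, the test stage cannot reach real infrastructure even if a pull request is untrusted; plan/apply belong in a separate, credentialed job gated on review.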

Looking for additional learning? Review the learning tools in Scott Lowe’s repo…

Vagrant:

Looking to Dive Deeper?

DevSecOps awesome-devsecops

A tools/lab reference repository w/ Topics around: Guidelines, Presentations, Initiatives, Keeping Informed, Wardley Maps for Security, Labs, Vulnerable Test Targets, Conferences, Podcasts, Books, Dashboards, Automation, Hunting, Testing, Alerting, Threat Intelligence, Attack Modeling, Secret Management, Red Team, Visualization, Sharing, ChatOps

AWS DevOps Labs — Traditional CI/CD:

Embedding Security into your CI/CD Pipeline With Burp Automation and Behavioral Tests with BDD Security.

Also browse through the full gamut of system & application classifications.

How about an arsenal of well-known AWS security tools?

At this point, you are aiming beyond 101-level reading. Your next steps are to continue reading and learning this material then build exercises to reinforce, expand, and update your capabilities.


Vulnerability Research Engineer @ Tenable · Cyber Eng. Master’s Student @ Syracuse University · SecDevOps @Cuse_Lead