Ultimate HackiHub DevOps, Security and Cloud education program for you

Our training programs are available on-site at our premises or through our trusted partners. We bring more than just theory – our courses are shaped by hands-on experience gained from delivering solutions, designing architectures, and providing training globally. Specializing in DevOps, Security, and Cloud, we translate real-world challenges and best practices into actionable insights, ensuring you gain practical skills that drive project success.

DevSecOps bootcamp (DSO)


An immersive boot camp for mastering DevSecOps principles and practices:

  • What are DevSecOps, GitOps, and SRE?
  • DevSecOps Maturity Models and OWASP Top 10 for CI/CD.
  • GitOps-based security practices.
  • Cultural aspects of DevSecOps: Champion programs and metrics.
  • Implementing SAST, SCA, and DAST in CI/CD pipelines.
  • Developer-friendly security tools and IDE plugins.
  • Supply Chain Security: Attacks, SBOM, Attestation, and SLSA Framework.
  • Infrastructure as Code (IaC) Security Automation with Terraform.
  • Security for Microservices, Kubernetes, and Docker-based platforms.
  • Kubernetes Admission Controllers (e.g., OPA Gatekeeper, Kyverno).
  • Image scanning and runtime protection (e.g., Trivy, Clair).
  • Security best practices for Kubernetes pod security, network policies, and RBAC.
  • Secrets management in pipelines (e.g., HashiCorp Vault, AWS Secrets Manager).
  • Dynamic infrastructure scanning and runtime security (e.g., Aqua Security, Falco).
  • DevSecOps in Cloud Services.
  • Automation patterns and tools for DevSecOps.
  • Testing Terraform, Ansible, and other IaC configurations for security flaws.
  • Chaos Engineering: Testing production environments and GameDays.

AWS Security (AWSSEC)

  • Introduction to Cloud Security: “Security of the Cloud vs. Security in the Cloud.”
  • Basics of AWS Global Infrastructure.
  • VPC Security: Route 53, Security Groups, and NACLs.
  • Load Balancers and their security considerations.
  • VPC Flow Logs and Firewalling.
  • IAM: Policies, roles, and policy evaluation logic.
  • Object Storage Security with Pre-signed URLs.
  • AWS Config, AWS CloudWatch, and AWS CloudTrail.
  • AWS Threat Intelligence: AWS Detective and AWS GuardDuty.
  • Automation patterns for security operations.
  • AWS Macie for PII protection.
  • Key Management Service (KMS) and key policies.
  • AWS Web Application Firewall.
  • Systems Manager and vulnerability scanning with Inspector.
  • AWS Security Hub: A unified view of security alerts.
  • Introduction to container security in AWS: Elastic Container Registry (ECR).

Extras:

  • Serverless Security and OWASP Serverless Top 10.
  • Pentesting and vulnerability scanning in AWS.

Secure Development Lifecycle (SSDLC1)

A comprehensive course focusing on secure development practices, including:

  • Differences between SAST, SCA, and DAST.
  • Threat Modeling and UMLsec.
  • OWASP Top 10 from an API perspective.
  • Injection types and prevention techniques:
    • SQL Injection: exploitation and defense.
    • Cross-Site Scripting (XSS): types and mitigation.
    • Insecure Deserialization.
  • Protecting sensitive data.
  • Implementing secure cryptography in applications.
  • Supply chain security and dependency testing.
  • External Entity Expansion (XXE) attacks.
  • Out-of-Band and Server-Side Injection attacks.
  • Secure server configuration (HTTP headers, TLS configurations, etc.).
  • Tools like Burp Suite and ZAP Proxy for application testing.
  • CI/CD pipeline design for DevSecOps integration.
  • Web Application Firewall (WAF) usage and implementation.
  • Secure coding practices and design patterns.
  • Capture the Flag (CTF): An interactive gamified session to apply skills learned.

Threat Modeling (TM)

An advanced course designed to teach effective threat modeling techniques:

  • What is Threat Modeling, and how to use it.
  • Key elements of a threat model.
  • Overview of methodologies: STRIDE, DREAD, PASTA, and LUA.
  • Gamification in Threat Modeling using card games and rapid prototyping tools.
  • Specialized Threat Modeling for:
    • Cloud and infrastructure.
    • Software components.
    • CI/CD pipelines.
  • Hands-on exercises based on real-world scenarios.
  • Evaluating the effectiveness of threat models and reassessing assumptions.
  • Using tools like OWASP Threat Dragon, Microsoft Threat Modeling Tool, and IriusRisk.
  • Templates for rapid prototyping and advanced Threat Modeling.
