CURRICULUM

May 24, 2016 ยท View on GitHub

Prerequisites

  • Basic Linux skills (Bash scripting, start/stop service, create a user, basis sysadmin)
  • Basic Ruby/Rails (install Ruby, Rails, Gems, write basic Ruby scripts)
  • Networking Basics (common network protocols & ports)

Syllabus Outline

Week 1: Getting Started

  • Introductions
  • What is DevSecOps?
  • Lab Guides

Week 2: Build a Weak App

  • Ruby
  • Rails
  • Bash Scripting
  • AWS CLI
  • AWS SDK
  • Basic AWS Deployment

Week 3: Attack the Weakling

  • Deploy vulnerable app to AWS.
  • Attack the app using different techniques (e.g. OWASP Top 10)
  • Tools of the trade:
    • Nmap
    • Metasploit
    • SQLMap

Week 4: Keeping the Weak Alive

  • Learn tools to detect attacks, instrument app to detect attacks
  • Execute Incident response (contain / burn it down)
  • Keep the app alive (tension of burn-down the compromised one vs service availability)
  • Splunk / Log collection
  • Application Logs

Week 5: Build a Rugged App

  • Developing for Resilience.
  • Service Oriented Architecture (SOA).
  • Stacker
  • Gauntlt
  • AutoScale
  • Least Privileges (IAM, OS hardening, run the app as a non-priv user)
  • CloudWatch
  • Control-Plane Pattern

Week 6: Red FTW!

  • Account Takeover
  • Privilege escalation
  • Horizontal movement
  • Bad patterns (VPN, network layer coupling, tight coupling, etc)

Week 7: Hunt the Attacker

  • Selfie
  • Splunk alerts
  • Incident response in AWS, respond faster

Week 8: Capstone Project

Capstone Project

  • Hack lab โ€“ build an infrastructure from a template, make it better on the fly, keep it alive while others attack it and while attacking others (Capture the Flag).

Week 9: Demos!

  • Demos