Businesses that have been actively involved in software development in recent years have increasingly adopted practices that combine software development and IT operations, following the key principles of shared ownership, workflow automation, and rapid feedback.
The ability to deploy changes more quickly comes with an increased emphasis on making sure the delivery is secure as well. Many businesses turn to security companies such as Syndis to perform security tests, but for most of these companies that activity takes place in the later stages of development, and in some cases after deployment, which can result in great cost or even harm to the business.
SecDevOps is the process of integrating security best practices and methodologies into the development and deployment processes that DevOps makes possible. Syndis has developed a security training course for developers in the form of short lectures and hands-on problem solving, delivered through Syndis’ own security testing and teaching platform.
The training covers 15 common types of security vulnerabilities. These topics include OWASP’s top ten list of web application security risks, as well as other less common risks. Each vulnerability is defined, the impact it can cause is discussed, and guidelines for prevention are presented.
To reinforce the understanding of these topics and complement their discussion in the lectures, Syndis also provides a platform for developers to step into the hacker’s shoes and exploit vulnerabilities in the form of challenges.
The purpose of these exercises is to solidify the information presented in the lectures and give developers a deeper understanding of each vulnerability by demonstrating how it can occur in a realistic setting. The challenges also allow developers to understand the impact each vulnerability can have.
The challenges are presented in a competition style, where users score points by solving challenges and can spend points to receive hints. This usually fosters a healthy competitive spirit during the course’s run and can also be used as an incentive, e.g. by rewarding those who complete all the challenges.
In addition to covering common security topics, the training also includes an overview of tools commonly used in the security industry, such as Burp Suite and sqlmap. The intent is to present developers with the same tools used by security researchers and hackers during real security testing engagements, so that they gain a new perspective on their applications while developing and have a basis for building security into the development and deployment processes.
The training is divided into four two-hour sessions, with each session devoted to four or five topics. The recommended schedule is two sessions per week for two consecutive weeks, e.g. Monday and Wednesday afternoons for two weeks in a row.
Training materials, including challenges and lecture slides, will be available for at least two months from the start of the training.
A demo of the platform and sample slides are available at https://demo.syndis.training.
What to expect
- Hands-on lab assignments
- Training with local knowledge
- Connects security issues with real events
- Entertaining for developers, with exercises presented in a capture-the-flag style