This module is one of two in which students practise the information security concepts learned in the classroom through hands-on work. Students work in groups to learn, discuss, develop, analyze and fix the security of applications. The module is aligned with the emerging DevSecOps paradigm.
The module helps students apply information security concepts in the software development process. Students discuss and analyze the development of an application together with the security concepts relevant to its deployment, then work in a group to build the application and fix its security weaknesses. Project activities include proposing and pitching ideas for the application and its security solution, developing and testing a basic application, and analyzing and fixing the application's security vulnerabilities using open-source tools.
After completing this module, students should have the confidence and experience to participate in and contribute to a team that develops an application and analyzes its security vulnerabilities. They should also have a better understanding of, and deeper experience in, applying information security concepts and practices in a real-world environment.
Project and Assignment – 100
Syllabus | Source |
---|---|
Part 1: Introduction to DevOps (Week 1 – 3) | |
What is DevOps? | |
DevOps principles – Culture, Automation, Measurement and Sharing (CAMS) | |
DevOps and software development lifecycle (SDLC) | |
Continuous Integration (CI) and Continuous Deployment (CD) | |
Part 2: DevOps for Software Development with Open-Source Tools (Week 4 – 7) | |
Open source is essential for DevOps-based software development | |
Compliance requirements (automation, unit testing, ...) at DevOps scale | |
Working with the development environment | |
Platform/application definition and configuration management | |
Part 3: Introduction to Platform/Application Security (Week 8 – 10) | |
What are pentesting and vulnerability assessment? | |
What is secure SDLC? | |
Open-source security and risk analysis | |
DevSecOps Maturity Model (DSOMM) | |
Part 4: Securing Platform/Application DevOps (Week 11 – 13) | |
Infrastructure as Code (IaC) and its security | |
Securing open-source components (libraries and dependencies) | |
Using tools of the trade to secure activities in CI/CD | |
Embedding security as part of the CI/CD pipeline | |
SCA, SAST and DAST techniques in the CI/CD pipeline | |
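The last Part 4 topics cover security checks embedded in the CI/CD pipeline. The following is an added example, written for this page and not taken from the course material, of the simplest form such a check takes: a software-composition-analysis (SCA) gate that a pipeline step runs against the project's pinned dependencies and that fails the build when a finding reaches a severity threshold. The package names, versions and advisories in it are constructed for illustration and do not describe real packages or real vulnerabilities.

```python
"""Minimal software-composition-analysis (SCA) gate for a CI/CD job.

Added example for the course page; it is not part of the course material. It parses
a pinned requirements file, compares each pin against an advisory list, and returns
the findings so a pipeline step can fail the build. All package names, versions and
advisory text below are constructed for illustration and do not describe real packages.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample lockfile (hypothetical package names and versions).
SAMPLE_REQUIREMENTS = """\
# pinned by the application team
webframework==2.3.1
imageparser==1.0.4
authlib-example==0.9.0
"""

# Constructed advisory list: (package, introduced, fixed, severity, note).
# A pinned version v is affected when introduced <= v < fixed.
SAMPLE_ADVISORIES = [
    ("imageparser", "1.0.0", "1.0.5", "high", "hypothetical: heap overflow in EXIF parsing"),
    ("authlib-example", "0.8.0", "0.9.0", "critical", "hypothetical: auth bypass, fixed in 0.9.0"),
    ("webframework", "3.0.0", "3.0.2", "medium", "hypothetical: open redirect"),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    package: str
    pinned: str
    fixed_in: str
    severity: str
    note: str


def parse_version(text):
    """Turn a dotted numeric version such as '1.0.4' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {package: version} from pip-style 'name==version' lines.

    SCA is only meaningful on exact pins, so anything unpinned (>=, ~=, no operator)
    is rejected rather than silently skipped.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if match is None:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def scan(pins, advisories):
    """Match every pin against the advisory ranges and collect the hits."""
    findings = []
    for package, pinned in pins.items():
        version = parse_version(pinned)
        for adv_package, introduced, fixed, severity, note in advisories:
            if adv_package.lower() != package:
                continue
            if parse_version(introduced) <= version < parse_version(fixed):
                findings.append(Finding(package, pinned, fixed, severity, note))
    return findings


def should_fail(findings, fail_at="high"):
    """Pipeline policy: fail the build when any finding is at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


def run_gate(requirements_text=SAMPLE_REQUIREMENTS, advisories=SAMPLE_ADVISORIES, fail_at="high"):
    """Scan and report; returns the exit status a CI step would propagate."""
    findings = scan(parse_requirements(requirements_text), advisories)
    for f in findings:
        print(f"[{f.severity.upper()}] {f.package}=={f.pinned}: {f.note} (fixed in {f.fixed_in})")
    if should_fail(findings, fail_at):
        print(f"SCA gate: FAIL ({len(findings)} finding(s) at or above '{fail_at}')")
        return 1
    print("SCA gate: PASS")
    return 0


if __name__ == "__main__":
    sys.exit(run_gate())
```

In a real pipeline the constructed advisory list would be replaced by a live feed such as the OSV database or a vendor's, and the step would run before the build artifact is promoted. The design point the example makes is that an SCA gate only gives reliable answers on exact pins, which is why unpinned requirements are rejected rather than skipped.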
Week | Tasks | Assignment |
---|---|---|
Week 1-2 | Topic and group member selection | None |
Week 3-4 | Planning and task definition/assignment | Project Design Documentation |
Week 5-7 | Development phase and demo | |
Week 8-10 | Security Testing and Analysis | |
Week 11-13 | Fixing the security issues and final report | |
- CTF Platform with centralized/federated authentication (Team-A)
- Streaming Bot to Generate Video Streaming Activity (Team-B)
- Web Server to Provide Web-based Virtual Desktop (Team-C)
- Email Bot to Generate Email-related Activity (Team-D)