Bill Reyor
Workshop: Introduction to DevSecOps Workshop
Bio:
Bill Reyor - Bill is Director of Security Consulting at Modus Create and leads a department of practitioners who specialize in Cloud Security, DevSecOps, Penetration Testing and Security Operations. He is an organizer of BSides CT and a contributor to the Modus thought leadership team on AI and AI security.
Abstract:
The Introduction to DevSecOps Workshop gives BSides PR participants an introduction to DevSecOps using GitHub and open source tools.
Attendees will learn to set up a local development environment, including pre-commit hooks and other preventative measures, and will then progress to building a simple CI/CD pipeline from free and open source tooling.
A Short Description:
Introduction (15 mins)
The purpose of shifting left: why security belongs early in software development
Pre-setup Phase
Students will be guided through:
● Setting up a GitHub user account
● Forking and cloning the example code repository
Security within the IDE (30 mins)
Attendees will learn to integrate security measures into their local development environment so that
they act as a preventative mechanism:
● Setting up pre-commit hooks, using tools such as Talisman, so that secrets are caught before they ever reach a commit.
● Git ignore files. A .gitignore is a useful mechanism for keeping config files that contain
secrets, and other files such as .zip archives, from being committed to a repository.
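The hook mechanism described above, as an added example written for this page (it is not Talisman and not code from the workshop repository): a POSIX shell pre-commit hook that refuses a commit when a staged file has a name that .gitignore should have kept out, or when the staged content matches a few illustrative credential patterns. The pattern list, the forbidden file types and the script name `precommit-secrets.sh` are assumptions, not a complete ruleset.

```shell
#!/bin/sh
# precommit-secrets.sh: hand-rolled git pre-commit hook (added example).
# Install:  cp precommit-secrets.sh .git/hooks/pre-commit
#           chmod +x .git/hooks/pre-commit
# Git runs the hook before a commit is created; a non-zero exit aborts it.

forbidden_name() {
  # $1: path relative to the repo root. Returns 0 for files that should never
  # be committed (the same list belongs in .gitignore). Illustrative set.
  case "$1" in
    .env|*/.env|*.zip|*.tar|*.tgz|*.tar.gz|*.pem|*.key|*.p12|*.pfx) return 0 ;;
    *) return 1 ;;
  esac
}

looks_like_secret() {
  # $1: path of a file to scan. Prints matching lines and returns 0 on a hit,
  # 1 when nothing matched. Patterns are assumptions chosen for the example.
  # Case-sensitive: AWS access key IDs and PEM private key headers.
  if grep -E -n -e 'AKIA[0-9A-Z]{16}' \
                -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' -- "$1"; then
    return 0
  fi
  # Case-insensitive: credential-looking assignments with a quoted value of
  # at least 8 characters, e.g.  db_password: "hunter2hunter2"
  if grep -E -n -i \
       -e '(password|passwd|secret|api_?key|token)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{8,}' \
       -- "$1"; then
    return 0
  fi
  return 1
}

check_staged() {
  # Scan what is actually staged (the index blob, via "git show :path"), not
  # the working-tree copy, which may differ from what will be committed.
  bad=0
  blob=$(mktemp)
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if forbidden_name "$f"; then
      echo "pre-commit: refusing to commit '$f' (forbidden file type; add it to .gitignore)" >&2
      bad=1
      continue
    fi
    git show ":$f" > "$blob" 2>/dev/null || continue
    if looks_like_secret "$blob" >/dev/null; then
      echo "pre-commit: possible secret in staged file '$f'" >&2
      looks_like_secret "$blob" | sed "s|^|  $f:|" >&2
      bad=1
    fi
  done <<EOF
$(git diff --cached --name-only --diff-filter=ACM)
EOF
  rm -f "$blob"
  return $bad
}

# Only run the scan when git invokes this file as the hook, so the functions
# above can also be sourced and exercised on their own.
case "$(basename "$0")" in
  pre-commit) check_staged || exit 1 ;;
esac
```

The hook is local to one clone and can be skipped with `git commit --no-verify`, so it is a convenience for the developer rather than a control; that is why the next part of the workshop moves the same kind of check into the pipeline, where a pull request cannot merge around it.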
Scanning the Repository (60 mins)
Students will build a simple CI/CD pipeline which demonstrates techniques such as secrets
scanning and vulnerability detection:
● The first topic covered is how to enable branch protection rules and PR gating
mechanisms in GitHub. These are then integrated with CI/CD tools so that a failing check
blocks the merge.
● Next, a demonstration of secret scanning in source code will be presented, with examples
from GitHub's built-in secret scanning and then from the open source Horusec tool.
● Students are then introduced to detecting security vulnerabilities in the repository's own
source code through static analysis (as distinct from known CVEs in third-party dependencies,
covered next). Horusec and CodeQL will be used to demonstrate these concepts.
● Finally, dependency analysis and SBOMs will be covered. GitHub's Dependabot analyzes the
software dependencies of a code base and reports those with known CVEs. Here we wrap up with a
walkthrough of Dependabot and an overview of SBOMs.
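The pipeline pieces from this part of the workshop (branch protection with a required check, CodeQL static analysis, and Dependabot), as an added example written for this page rather than code from the workshop repository: a bootstrap script that writes the CodeQL workflow and Dependabot config into a checkout and builds the branch protection payload for the GitHub REST API. It assumes a Python project (`python` for CodeQL, `pip` for Dependabot), a default branch named `main`, the script name `bootstrap_pipeline.sh`, and an authenticated `gh` CLI for the final step; Horusec is not included because its CI invocation is not covered here.

```shell
#!/bin/sh
# bootstrap_pipeline.sh (added example): set up GitHub-side gating for a repo.
#   1. CodeQL workflow   - SAST on every push and pull request to main
#   2. Dependabot config - dependency updates and known-CVE alerts
#   3. Branch protection - the CodeQL check must pass before a PR can merge
# Assumptions: Python project, default branch "main"; adjust for your repo.

write_codeql_workflow() {
  # $1: repository root. Quoted heredoc so ${{ }} reaches the YAML untouched.
  mkdir -p "$1/.github/workflows"
  cat > "$1/.github/workflows/codeql.yml" <<'EOF'
name: CodeQL
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [ python ]   # assumption: list the languages in your repo
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
EOF
}

write_dependabot_config() {
  # $1: repository root. Dependabot reads .github/dependabot.yml.
  mkdir -p "$1/.github"
  cat > "$1/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: pip   # assumption: the repo is managed with pip
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 5
EOF
}

branch_protection_payload() {
  # $1: name of the status check that must pass before merge. For a matrix
  # job the check is "<job name> (<matrix value>)", here "Analyze (python)";
  # the string must match the check run name exactly or merges never unblock.
  cat <<EOF
{
  "required_status_checks": { "strict": true, "contexts": ["$1"] },
  "enforce_admins": true,
  "required_pull_request_reviews": { "required_approving_review_count": 1 },
  "restrictions": null
}
EOF
}

apply_branch_protection() {
  # $1: owner/repo, $2: branch, $3: required check name. Needs gh auth.
  branch_protection_payload "$3" | gh api -X PUT \
    -H "Accept: application/vnd.github+json" \
    "repos/$1/branches/$2/protection" --input -
}

# Usage: ./bootstrap_pipeline.sh /path/to/checkout owner/repo
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  write_codeql_workflow "$1"
  write_dependabot_config "$1"
  apply_branch_protection "$2" main "Analyze (python)"
fi
```

`strict: true` requires the PR branch to be up to date with `main` before merging, so the required check reflects the code that will actually land; `enforce_admins` keeps repository administrators from bypassing the rule, which is the property that makes the pipeline a gate rather than advice.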
Wrap-up (15 mins)
● Recap of what we’ve learned
● Q&A
https://github.com/tweag/bsides-pr-devsecops-2024
Setup Information: