
Bill Reyor

Workshop: Introduction to DevSecOps Workshop

Bio:


Bill Reyor - Bill is Director of Security Consulting at Modus Create and leads a department of individuals who specialize in Cloud Security, DevSecOps, Penetration Testing and Security Operations. He is an organizer at BSides CT and a contributor to Modus thought leadership team on AI and AI security.


Abstract:


The Introduction to DevSecOps Workshop provides BSides PR participants with an introduction to DevSecOps using GitHub and open source tools.

Attendees will learn about setting up a local development environment including pre-commit hooks and other preventative measures. Students will then progress into building out a simple CI/CD pipeline that uses free and open source tooling.


A Short Description:


Introduction (15 mins)

Discussing the purpose of shifting left and security in software development

Pre-setup Phase

Students will be guided through:

● Setting up a GitHub user account

● Fork and Clone the example code repository

Security within the IDE (30 mins)

Attendees will learn to integrate security measures into their local development environment so that they act as a preventative mechanism, catching problems before the code ever reaches the shared repository:

● Setting up pre-commit hooks. This includes tools such as Talisman, which inspects the staged changes for secrets and other sensitive content and rejects the commit before it is created.

● Git ignores. Git ignore files are a useful mechanism for preventing config files containing secrets, or other files such as .zips, from being committed to a repository. Note that a .gitignore rule only stops untracked files from being added: a file that is already tracked, or one added with git add -f, is still committed, so the ignore file complements the pre-commit hook rather than replacing it.
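The following hook is an added example for this section; it is not code from the workshop repository and it is not Talisman itself, only a small script in the same spirit. It rejects staged files that match a few secret patterns or blocked file types, and it lists files that are already tracked despite matching .gitignore, which is the gap the ignore file alone cannot close. The regexes, the extension list and the file name hook.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the workshop repository, not Talisman): a minimal
# pre-commit hook. Install it with:
#   install -m 755 hook.sh .git/hooks/pre-commit
# The regexes and extension list below are illustrative assumptions, not a
# production rule set.

# Assumed secret patterns: AWS access key IDs, PEM private-key headers and
# hard-coded credential assignments such as password = "...".
SECRET_RE='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api_?key)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}'

# scan_file PATH: print findings; return 1 if the file must not be committed.
scan_file() {
    path=$1
    rc=0
    case "$path" in
        # Archives, key stores and dotenv files are blocked outright (assumed list).
        *.zip|*.tar|*.tgz|*.gz|*.pem|*.p12|*.pfx|*.jks|.env|*/.env)
            echo "BLOCKED  $path: file type must not be committed"
            rc=1 ;;
    esac
    if [ -f "$path" ] && grep -Eiq -e "$SECRET_RE" "$path"; then
        # -n adds line numbers so the developer can locate the hit quickly.
        grep -Ein -e "$SECRET_RE" "$path" | sed "s|^|SECRET   $path:|"
        rc=1
    fi
    return $rc
}

# scan_paths PATH...: scan every argument; return 1 if any file is rejected.
scan_paths() {
    bad=0
    for p in "$@"; do
        scan_file "$p" || bad=1
    done
    return $bad
}

# tracked_ignored: list files in the index that match an ignore rule.
# .gitignore only stops untracked files from being added; a file committed
# before the rule existed, or added with `git add -f`, stays tracked and has
# to be removed from the index with `git rm --cached PATH`.
tracked_ignored() {
    git ls-files --cached --ignored --exclude-standard
}

main() {
    status=0
    # Files staged for this commit; deleted paths are skipped (--diff-filter=d).
    # Word-splitting on the output assumes paths without whitespace.
    scan_paths $(git diff --cached --name-only --diff-filter=d) || status=1
    leaked=$(tracked_ignored)
    if [ -n "$leaked" ]; then
        echo "WARNING  tracked files match .gitignore (remove with 'git rm --cached'):"
        echo "$leaked" | sed 's/^/         /'
    fi
    [ "$status" -eq 0 ] || echo "commit rejected: fix the findings above"
    return $status
}

# Run main only when installed under the hook name, so the functions can be
# sourced and tested on their own.
case "${0##*/}" in
    pre-commit) main "$@" ;;
esac
```

Because the hook runs on the developer's machine, it is advisory: git commit --no-verify skips it, and a clone without the hook installed never runs it. That is why the same checks are repeated in the CI pipeline, where the developer cannot bypass them.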

Scanning the Repository (60 mins)

Students will build a simple CI/CD pipeline which demonstrates techniques such as secrets scanning and vulnerability detection:

● The first topic covered is how to enable branch protection rules and PR gating mechanisms in GitHub. These can then be integrated with CI/CD tools, for example by requiring a scanning job to pass as a status check before a pull request can be merged, to create a gating mechanism.

● Next, a demonstration of how secret scanning can be performed on the source code will be presented, with examples from GitHub's built-in secret scanning and then from the open source Horusec tool.

● Students are then introduced to detecting security vulnerabilities in the project's own source code with static analysis, as distinct from known CVEs in third-party dependencies, which the next topic covers. Horusec and CodeQL will be used to demonstrate these concepts.

● Finally, the subject of dependency analysis and SBOMs will be covered. GitHub's Dependabot provides a mechanism for analyzing the software dependencies associated with a code base and flagging those with known CVEs. Here we wrap up with a walkthrough of Dependabot and an overview of SBOMs.

Wrap-up (15 mins)

● Recap of what we’ve learned

● Q&A


https://github.com/tweag/bsides-pr-devsecops-2024


Setup Information:

