Discussion
Yes, did this a few years ago! Took some reading and going to the right conferences, listening to podcasts etc. Totally worth it 🙂
Tbh I have always been coding in university/spare time, which helps
Let me know if you need advice on something specific
Hi Chris. I'm getting a handle on it. I've started by generalizing and getting the basic certs in AWS, Azure, GCP. I've been living and breathing Docker and Kubernetes since the beginning of COVID. I've also been running a GitLab server and practicing CI/CD pipelines and getting runners configured etc. I've also been on multiple cloud pentesting engagements so I have a good handle on the deployment environments.
I'm trying to formulate an attack plan on which technologies I should be focused on
And as I'm not a developer I'm trying to work out how to get exposure to these types of environments to see where I can add value in terms of security guidance
I think my next hire will be a seasoned DevOps or DevSecOps engineer to bring some more resource in house
This post was originally asked in the DevSecCon Slack
I'm sure you have lots of good materials, and I can recommend The Hacker Playbook 3, with the Hands on Penetration Testing AWS with Kali Linux. And I've just started "Securing DevOps."
All have labs, the AWS pentesting has the most cloud-specific things (the first few chapters include some AWS introduction and use setting up your own lab as an example).
Derby 2019 also had a talk about deploying Cobalt Strike to the cloud (not what it was called) and was more about using the cloud to pentest than it was about pentesting the cloud.
I didn't remember the Derby talk correctly, but this is the one I was thinking of irongeek.com/i.php?page=videos/der...
If you find a good resource for Azure I'd love to get the recommendation
Only just catching up with Slack. Thanks for your suggestions.