We created this Green Belt path for developers coding in Docker with 8 learning modules. Each of our lessons are short and conclude with a brief ten question assessment. The learning module length is purposeful – they are perfect for filling gaps in a developer’s day while code is deploying.
Secure Development Core Lesson Modules
Intro to Secure Development
The definition of secure development and it’s pieces. Each developer has secure development responsibilities. Secure development starts and ends with the developer. Your software, hardware, and infrastructure are only as safe as you make them. Developers are the first line of defense.
The need for secure coding, what are secure coding standards and how does a developer use them, and the potential dangers of Stack Overflow. Languages are complex. Secure coding is about creating code that is correct and secure.
Secure Coding Best Practices: Part 1
Explore the OWASP Proactive Controls, including Define Security Requirements, Leverage Security Frameworks and Libraries, Secure Database Access, Encode and Escape Data, and Validate All Inputs. OWASP Proactive Controls is security information written for developers, by developers.
Secure Coding Best Practices: Part 2
Explore the OWASP Proactive Controls, including Enforce Access Control, Protect Data Everywhere, Implement Security Logging and Monitoring, and Handle All Errors and Exceptions. OWASP Proactive Controls is security information written for developers, by developers.
In this module, we explain how a languages type system is categorized and what the main categories are. We discuss the difference between static and dynamic languages as well as weak and strongly typed languages.
Securing the Development Environment
The threats that your development environment faces, how to reduce development environment risk, and the ten tips to secure your development environment. Development environment threats are real and following simple tips to secure your development environment can significantly reduce your exposure.
Protecting your Code Repository
Why you need to protect your code repository, the security challenges in choosing a repository, the impact of not protecting access credentials and separating secrets in the source code. Your code is your product or application. If it is left unsecured, it could fall into the hands of a competitor.
Producing a Clean, Maintainable, & Secure Code Culture
The sources of complexity in software that led to security vulnerabilities and the twelve laws that act as the foundation for a clean, maintainable, and secure code culture. Developers must strive for secure code. Secure code is both clean and maintainable.
Potential security threats are impacting your release and deployment process and ways to improve the security of your release and deployment process. The release and deployment process is how our code gets delivered to our customers. The introduction of an unauthorized piece of code by an attacker could be devastating.
Designing a Secure App or Product
The four pillars of a secure application or product, secure application or product decisions, and the categories of the design of a secure application or product. A new application or product deserves a secure design. Security becomes a reality through careful design choices.
Thinking Like A Penetration Tester
The tools and methodologies to help a developer think like a penetration tester, how penetration testers use browsers and intercepting proxies, testing, fuzzing, and reverse engineering, and applying the knowledge of these topics to your world as a developer. Developers generally focus on the build; to better secure your applications, products, and systems, think like one who breaks.
Secure Design Principles in Action: Part 1
The economy of mechanism, secure the weakest link, establish trust boundaries, defense in-depth, don’t reinvent the wheel, usable security and default deny. Secure design principles require action to achieve “secure by design.”
Secure Design Principles in Action: Part 2
In this module, we explore secure design principles such as minimizing the attack surface, fail securely, least privileged, separation of duties, do not trust services/ infrastructure, and secure defaults. Employing a common understanding of secure design principles encourages secure design, and secure design equals fewer vulnerabilities.
Introduction to Docker Security
Differences between a virtual machine and a container, explain the Docker high-level architecture and introduce the various Docker security features and functions.
The attack surface that a Docker installation exposes such as the Docker daemon, the Docker REST API, other services running on the Docker host, Docker images, and Docker networking and educate you on how to implement a secure Docker architecture that minimizes attack surface using a host firewall, an infrastructure firewall, and a repeatable host hardening process.
Docker: Threat Landscape, Part One
Various security threats that exist against Docker, explore how these threats could be used to compromise Docker, including host compromise, permissive volume mount, application container escape, network port escape, kernel exploit, accessing other containers via the network, and accessing other resources via the network, and share the reasoning behind why you must harden Docker containers and container infrastructure.
Docker: Threat Landscape, Part Two
Various security threats that exist against Docker, explore how threats could be used to compromise Docker hosts, including network sniffer, malicious payload inserted into a build in the pipeline, a vulnerable third-party package in an image, poisoning of an image in the registry, stealing secrets, and resource starvation, and share the reasoning behind why you must harden Docker containers and container infrastructure.
Docker: Secure Software Supply Chain, Part One
In this two-part module, we explain container image signing and vulnerability scanning, the threats that exist in the build pipeline without image signing and third-party/open-source image vulnerability scanning, how to perform image signing for Docker containers using Docker Content Trust, how to execute third-party/open-source vulnerability scanning for Docker containers and explore the available container vulnerability scanning tools.
Docker: Secure Software Supply Chain, Part Two
In this module, we describe the various security threats that exist against Docker, Explore how threats could be used to compromise Docker hosts, including network sniffer, malicious payload inserted into a build in the pipeline, a vulnerable third-party package in an image, poisoning od an image in the registry, stealing secrets, and resources and resources starvation, and share the reasoning behind why you must harden Docker containers and container infrastructure.
Docker: Best Practices - Engines
Best practices for locking down the Docker engine, including hardening the Docker engine, patching the host and Docker, employing user-defined networks, hardening using standards and tools, using security profiles, limiting resources, setting the logging level to at least INFO, monitoring and auditing containers, and running containers in a sandbox.
Docker: Best Practices - Images
Best practices for working with Docker images, including choosing minimal base images, avoiding the process of building dependencies from source, adopting fixed tags for immutability, employing COPY instead of ADD, utilizing the least privileged user, deploying read-only filesystems and volumes, protecting sensitive information, and employing a strategy of label and lint.