Draft AIS 2026 - up1/training-courses GitHub Wiki

1. Container & Cloud-Native Security

  • 2 days

Outline

Module 1

  • Container design patterns
  • Container Security
    • Image security
      • Scanning for vulnerabilities (CVEs) in base images
      • Best practices for building images
        • Writing a Dockerfile
        • Multi-stage builds
        • Use Distroless images
    • Runtime security
      • Kernel isolation: Understanding Namespaces and Cgroups
      • Limiting privileges
    • Registry Security
      • Implementing Private Registries with Role-Based Access
      • Image signing and integrity verification using Cosign/Sigstore
    • Workshop

Module 2

  • Kubernetes Security
    • Identity & Access (RBAC)
      • The Principle of Least Privilege in K8s clusters
    • Network Policies
      • Implementing Micro-segmentation
    • Secrets Management
      • HashiCorp Vault and AWS Secrets Manager
    • Workshop

Module 3

  • Supply Chain Security – Securing the Pipeline
    • Shift Left Security
    • Integrating SAST (Static Analysis)
    • Integrating DAST (Dynamic Analysis)
  • Software Bill of Materials (SBOM)
    • Generating and auditing SBOMs to track third-party dependencies
    • Tools
      • OWASP Dependency-Check
      • Dependency-Track
  • Workshop

Module 4

  • Zero Trust for Cloud-Native
    • Identity-Based Security
    • Service Mesh Integration
      • Mutual TLS (mTLS) for encrypted inter-service communication
      • Fine-grained traffic authorization using Istio or Linkerd
    • Continuous Verification and Monitoring

2. API Security

  • 2 days

Outline

  • Introduction to Secure Coding with API Security
    • Secure Coding Practice Guidelines
    • Best practices for designing more secure APIs
  • OWASP Top 10
    • Web Application Security
    • API Security
  • OWASP Top 10 API Security (2023)
    • Broken Object Level Authorization
    • Broken Authentication
    • Broken Object Property Level Authorization
    • Unrestricted Resource Consumption
    • Broken Function Level Authorization
    • Unrestricted Access to Sensitive Business Flows
    • Server Side Request Forgery
    • Improper Inventory Management
    • Unsafe Consumption of APIs
  • Secure Checklist
    • Input and Output Validation
    • Output Encoding
    • Authentication And Password Management
    • Secure Handling Of Credentials
    • Session Management
    • Access Control
    • Cryptographic Practices
    • Error Handling And Logging
    • Data Protection
    • Communication Security
    • File Management
    • Memory Management
  • Workshop

3. DevSecOps

  • 2 days

Outline

  • Security in the Software Development Life Cycle (SDLC)
  • Introduction to DevSecOps
    • People
    • Process
    • Technology and Tools
  • DevSecOps Principles
    • Culture
    • Automation
    • Measurement
    • Sharing
  • DevSecOps tools
    • Software Component Analysis (SCA)
    • Static Application Security Testing (SAST)
    • Dynamic Application Security Testing (DAST)
    • Infrastructure as Code and its security
    • Compliance as code
    • Vulnerability Management
  • DevSecOps Mindset & Secure Design
    • Moving from "Gatekeeper" security to "Guardrail" security
    • Threat Modeling from OWASP Top 10 (Web and API)
      • Identifying risks before writing code
    • Workshop
  • Secure Coding & Local Analysis
    • Authentication & Authorization
    • Static Application Security Testing (SAST)
    • Secret Management
    • Workshop
  • Shielding the Pipeline & Runtime Defense
    • Software Component Analysis (SCA)
    • Container Security
    • Dynamic Application Security Testing (DAST)
    • Workshop
  • Infrastructure & Monitoring
    • API Gateway Security (Rate limiting, WAF (Web Application Firewall) integration, and IP whitelisting)
    • Logging, Monitoring & Auditing
    • Continuous Compliance & Reporting
    • Workshop

4. DevSecOps & CI/CD Pipeline Security

  • 2 days

Outline

  • Introduction to DevSecOps
    • Shift-Left Security mindset
  • Secure Pipelines & Policy-as-Code
    • Design your pipeline with security
      • Scan code
      • Scan secrets
      • Scan images
      • Dependency check and Software Bill of Materials (SBOM)
      • SAST (Static Application Security Testing)
      • DAST (Dynamic Application Security Testing)
      • IAST (Interactive Application Security Testing)
    • Workshop
  • Workshop to build pipeline
    • Write your pipeline as code with Jenkins
  • Policy-as-Code (PaC)
    • Using tools like Open Policy Agent (OPA) or Checkov to enforce security rules
  • Compliance with OWASP Top 10
    • Web
    • API
  • Workshop