ECDE and Pentest
Hey Fellas!
I want to share some updates on how I've been studying lately, not just the AppSec and DevSecOps parts (which, yes, are different things) but also the Pentest part, with the help of #Desafio02 from Beco do Exploit. Yes, I'm behind, as the challenge was launched in September 2020, but we're here; the important thing is to seek knowledge, as ET Bilu always guided us.
ECDE Certification
Recently, in Dec/24, I passed the EC-Council DevSecOps Engineer certification, a new EC-Council certification focused on DevSecOps. It's still in v1, it's intermediate level, and the exam has 100 multiple-choice questions covering all the topics involved; the certifying body also provides approximately 80 practical labs.
The certification covers a lot. Its official textbook has almost 4,000 pages, distributed across seven modules, which I’ll comment on below.
1-Understanding DevOps Culture: Presents the principles and culture of DevOps, highlighting the importance of collaboration between development and operations teams, and showing how, within companies and together with the agile model, we can change the concept of development and delivery to our customers. It covers the CI and CD phases in pipelines, on-premises tools like Jenkins, and cloud tools like AWS and Azure.
2-Introduction to DevSecOps: Delves into the fundamental concepts of DevSecOps, emphasizing the integration of security into the DevOps lifecycle. It mainly shows that AppSec is different from DSO, because here we are looking for the automation of security during development and build time. It talks about the stages of DSO, culture, best practices, and the architecture using cloud or on-premises tools; it also covers the DSOMM (DevSecOps Maturity Model) and adds a new acronym, CS (Continuous Security), joining it with CI/CD.
3-DevSecOps Pipeline – Planning Phase: Addresses the incorporation of security practices during project planning and software development. When we look at security, teams rarely plan its implementation. This module shows its importance and how this stage increases the security maturity of teams, just as OWASP SAMM recommends. It presents guidelines on how to do Threat Modeling, how to use Atlassian tools for software and security management (Jira, Bitbucket, Confluence - and Bamboo? - etc.), Technical Debt Management, and how to conduct training and awareness on Secure Coding, in addition to discussing tools we can use for each of these topics.
4-DevSecOps Pipeline – Coding Phase: Focuses on the implementation of security measures while code is being written, including code reviews and vulnerability analysis. It shows more about plugins that can be used in IDEs, how to use GitHub's Code Scanning, how to integrate source code repositories, secrets management, and Software Composition Analysis (SCA).
5-DevSecOps Pipeline – Build and Testing Phase: Discusses the integration of security checks into automated build and testing processes. SAST, DAST, and IAST are evaluated and implemented here. You are also instructed on which tools to use, how to configure them, how to review reports, etc. In my opinion, it ends up being somewhat brief.
6-DevSecOps Pipeline – Release and Deployment Phase: Explores the implementation of security controls during the release and deployment stages. Here, it touches on very interesting topics such as Pentest, Bug Bounty Programs, RASP tools for runtime control and monitoring (e.g., blocking app usage on a ‘rooted’ Android), IaC, and orchestration tools.
7-DevSecOps Pipeline – Operation and Monitoring Phase: In this last module, we see the importance of continuous monitoring and incident response to maintain post-deployment security, covering topics such as infrastructure and container protection. We also see a bit about the Cyber Kill Chain, SIEM, WAF, Compliance, and feedback.
The content of the modules goes up to approximately page 2,000, and after that comes the manual for the labs offered by EC-Council. I confess that I used the labs very little, as the environment is quite slow, but the guidelines provided in the manual allow you to build your own lab using container and cloud tools if you prefer.
Tips for the Exam
The exam itself is not difficult, as everything it asks about can be found in the material provided. The odd question is not in the textbook, for example, the use of SCA tools like WhiteSource (Mend.io), concepts of Go gems, etc. But if you pay close attention and have some experience with programming languages, Linux, and PowerShell, you'll ace it. I advise you to focus heavily on the cloud tools presented and memorize the name of each one, as this ends up being essential for some questions.
It's a tiring exam: you have 4 hours to complete it, and you must stay for at least half of that time. The questions are long and the answers are short. Some of them are confusing due to incorrect punctuation, so read carefully.
Conclusion
Well, I think that's it about the certification. Do things practically; I believe it's easier to grasp the logic that way. DevSecOps is not difficult, but it's important to know many basic day-to-day dev concepts to do well. Since this has become too long, I'll come back in another text to talk about my challenges and difficulties doing #Desafio02 from Beco.
I hope that if you are thinking about getting this certification, this brief article can help you, and if anything was disorganized or poorly described, let me know, and let's improve together!