The GIAC Cloud Security Automation (GCSA) certification is a well-regarded credential that validates the ability to build and automate security controls for cloud and DevOps environments.

The GCSA covers methods for securing and automating the cloud and DevOps toolchain in a way that fits DevOps culture and workflows. Earning it helps security professionals build the skills needed to implement a robust cloud security program.

Overview

As organizations adopt cloud computing and DevOps, security teams often struggle to integrate controls into deployment pipelines. When security is not built into the pipeline, the team loses visibility into what actually reaches production.

Exam Format

  • Questions: 75 multiple-choice
  • Exam duration: 2 hours
  • Passing score: 61%

Topics Covered

The GCSA exam covers a wide range of topics, including cloud security fundamentals, automation tools and techniques, and DevOps practices.

Cloud Security

Identity and Access Policies

  • Identity and Access Management (IAM) roles and policies aimed at restricting access to cloud resources
  • Resource-based and identity-based policies used to grant access to cloud resources
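
The interaction between identity-based and resource-based policies is the part of this topic that is easiest to get wrong, so here is an added worked example (not from the page, SANS or GIAC) that evaluates a request against both policy types using AWS's decision logic: an explicit deny wins, a same-account request needs an allow from either policy, and a cross-account request needs an allow from both. The role ARN, account ID, bucket name and policy statements are constructed for the example, and the evaluator deliberately ignores SCPs, permission boundaries and session policies.

```python
import fnmatch

# Constructed sample policies for illustration (not from the page or from AWS docs).
# The identity-based policy is attached to a CI role; the resource-based policy is
# the bucket policy on the app-logs bucket.
PRINCIPAL = "arn:aws:iam::111122223333:role/ci-deploy"

IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        # An explicit Deny carves the secrets/ prefix out of the Allow above.
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-logs/secrets/*"},
    ],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": PRINCIPAL},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/*"},
    ],
}


def _as_list(value):
    """Action, Resource, Statement and Principal may each be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    """Identity-based statements carry no Principal (the attached identity is
    implied). Resource-based statements name one: "*" or {"AWS": arn-or-list}."""
    if "Principal" not in stmt:
        return True
    allowed = stmt["Principal"]
    if allowed == "*":
        return True
    aws = _as_list(allowed.get("AWS"))
    return "*" in aws or principal in aws


def _statement_matches(stmt, principal, action, resource):
    """IAM matches Action and Resource with '*' and '?' wildcards; fnmatch uses
    the same two wildcards, so it is a faithful matcher for these patterns."""
    return (
        _principal_matches(stmt, principal)
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))
    )


def _effects(policy, principal, action, resource):
    """Set of Effects ('Allow'/'Deny') of every statement that matches the request."""
    return {
        stmt["Effect"]
        for stmt in _as_list(policy.get("Statement"))
        if _statement_matches(stmt, principal, action, resource)
    }


def evaluate(action, resource, identity_policy=IDENTITY_POLICY,
             resource_policy=BUCKET_POLICY, principal=PRINCIPAL, same_account=True):
    """Simplified AWS evaluation logic for one request (no SCPs, permission
    boundaries or session policies):
      1. an explicit Deny in either policy wins;
      2. same account: an Allow in either policy is sufficient;
      3. cross account: both the identity and the resource policy must Allow;
      4. otherwise the implicit default is Deny."""
    ident = _effects(identity_policy, principal, action, resource)
    res = _effects(resource_policy, principal, action, resource)
    if "Deny" in ident or "Deny" in res:
        return "Deny"
    if same_account:
        return "Allow" if "Allow" in ident or "Allow" in res else "Deny"
    return "Allow" if "Allow" in ident and "Allow" in res else "Deny"


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
                     ("s3:GetObject", "arn:aws:s3:::app-logs/secrets/db.txt"),
                     ("s3:PutObject", "arn:aws:s3:::app-logs/2024/app.log")]:
        print(f"{act:14} {res:45} -> {evaluate(act, res)}")
```

The practical lesson is the second and third rules: within one account a bucket policy alone can grant access that nobody put in the role's own policy, which is why resource-based policies need the same review as identity-based ones.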

Cloud Security Monitoring

  • Metrics and monitoring tools needed to inform security efforts in cloud and DevOps environments
  • Using CloudTrail to monitor API calls
  • Parsing cloud-based log files
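
As an added example of parsing CloudTrail log files for security signals (the page contains no code; this is not SANS or GIAC material), the script below runs a few detections over a constructed CloudTrail log: repeated console login failures, API activity by the root account, tampering with the trail itself, and a security group rule opened to the world. The records, account ID, IP addresses and the failure threshold are all constructed for the example.

```python
import json
from collections import Counter


# Constructed CloudTrail records (not real telemetry). A real trail delivers
# gzipped JSON files to S3 with the same {"Records": [...]} shape.
def _login_failure(ts):
    return {"eventTime": ts, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "responseElements": {"ConsoleLogin": "Failure"}}


SAMPLE_LOG = json.dumps({"Records": [
    _login_failure("2024-05-01T09:12:04Z"),
    _login_failure("2024-05-01T09:12:09Z"),
    _login_failure("2024-05-01T09:12:15Z"),
    {"eventTime": "2024-05-01T10:03:41Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:05:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"}},
]})

# Events that reduce or destroy audit coverage; any of them deserves a page.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
LOGIN_FAILURE_THRESHOLD = 3  # assumption: tune to your environment


def _actor(record):
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _world_open_ports(record):
    """Yield (from, to) port ranges that AuthorizeSecurityGroupIngress opened
    to every IPv4 or IPv6 address."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        if any(r.get("cidrIp") in WORLD_CIDRS or r.get("cidrIpv6") in WORLD_CIDRS
               for r in ranges):
            yield perm.get("fromPort"), perm.get("toPort")


def detect(log_text):
    """Return a list of findings, one dict per (rule, record) hit."""
    records = json.loads(log_text)["Records"]
    findings = []
    failures = Counter()
    for rec in records:
        base = {"time": rec.get("eventTime"), "actor": _actor(rec),
                "event": rec.get("eventName"), "ip": rec.get("sourceIPAddress")}
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append({"rule": "root_activity", **base})
        if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
                and rec.get("eventName") in TRAIL_TAMPER_EVENTS):
            findings.append({"rule": "trail_tampering", **base})
        if rec.get("eventName") == "AuthorizeSecurityGroupIngress":
            for lo, hi in _world_open_ports(rec):
                findings.append({"rule": "world_open_ingress", "ports": f"{lo}-{hi}", **base})
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failures[_actor(rec)] += 1
    # Aggregate rule: many failed console logins for one user in the same file.
    for user, count in failures.items():
        if count >= LOGIN_FAILURE_THRESHOLD:
            findings.append({"rule": "console_login_failures", "actor": user, "count": count})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

In production the same logic would run from an EventBridge rule or a SIEM query rather than a script over one file, and the login-failure rule would be windowed by time rather than by file; the point here is the shape of the records and which fields each detection keys on.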

Container Security

  • Docker container security issues and attack surface
  • Hardening container images
  • Container orchestration tools such as Kubernetes
  • Running container workloads in the cloud

Data Protection and Secrets Management

  • Cloud facilities used for storing and securing data at rest and data in motion
  • Encryption configurations with AWS KMS, Azure Key Vault, and other tools
  • Key management options for cloud environments
  • Secrets management practices in the Continuous Integration and Continuous Delivery (CI/CD) pipeline
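
One concrete CI/CD secrets-management control is a pre-commit hook or pipeline stage that fails the build when credentials are committed to the repository. The scanner below is an added example (not from the page, SANS or GIAC): it combines fixed-format rules (AWS access key IDs, private key blocks, quoted password literals) with a Shannon-entropy check on values assigned to secret-looking keys. Both sample files are constructed; the AWS key values are the placeholders AWS uses in its own documentation, and the length and entropy thresholds are assumptions to tune for a real code base.

```python
import math
import re

# Constructed sample files. The AWS key values are the placeholder credentials
# AWS uses in its own documentation, so they are safe to embed here.
LEAKY_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "hunter2"
api_token = "xK9f3Lp2Qz8Vb1Nm6Ty4Rw7Ju0Hs5Gd"
"""

# Same settings, but every secret is resolved at run time from the CI system's
# environment or a secrets manager instead of being committed.
SAFE_CONFIG = """\
[default]
aws_access_key_id = ${AWS_ACCESS_KEY_ID}
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
db_password = vault:secret/data/app#db_password
api_token = ${API_TOKEN}
"""

# Fixed-format rules: a match is a finding regardless of entropy.
FIXED_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("quoted_password_literal", re.compile(r"(?i)pass(?:word|wd)?\s*[=:]\s*[\"'][^\"']+[\"']")),
]
# Generic rule: a secret-looking key assigned a long token; the value's entropy
# decides. Length (20) and entropy (3.5 bits/char) thresholds are assumptions.
ENTROPY_RULE = re.compile(r"(?i)(?:secret|token|key)\w*\s*[=:]\s*[\"']?([A-Za-z0-9+/=_\-]{20,})[\"']?")
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text):
    """Return one finding per offending line; fixed rules take precedence so a
    line is never reported twice."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = [name for name, rx in FIXED_RULES if rx.search(line)]
        if matched:
            findings.append({"line": lineno, "rule": matched[0]})
            continue
        m = ENTROPY_RULE.search(line)
        if m and shannon_entropy(m.group(1)) >= MIN_ENTROPY_BITS:
            findings.append({"line": lineno, "rule": "high_entropy_secret",
                             "entropy": round(shannon_entropy(m.group(1)), 2)})
    return findings


def gate(text):
    """Pipeline gate: the exit status the CI job should return (0 pass, 1 fail)."""
    findings = scan(text)
    for f in findings:
        print(f"line {f['line']}: {f['rule']}")
    return 1 if findings else 0


if __name__ == "__main__":
    print("leaky config ->", gate(LEAKY_CONFIG))
    print("safe config  ->", gate(SAFE_CONFIG))
```

The entropy rule is what catches secrets with no recognizable prefix, at the cost of false positives on things like hashes and base64 blobs; production tools ship allowlists and baseline files for exactly that reason, and a committed secret should be rotated, not just removed from history.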

DevOps

CI/CD Security Controls

  • Stages of the DevOps deployment pipeline
  • Security considerations for each step of the CI/CD processes

Secure Infrastructure-as-Code

  • Setting up and managing cloud infrastructure via code with Terraform, CloudFormation, and other tools
  • Cloud-native and third-party tools used to manage cloud infrastructure resources
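
To make the Infrastructure-as-Code bullets concrete, here is an added example (not from the page, SANS or GIAC) of the kind of policy check that tools such as Checkov run before a template reaches the cloud. It parses a CloudFormation template in JSON and flags an S3 bucket without public access blocking or default encryption, a security group rule open to 0.0.0.0/0, and an IAM policy granting Action "*" on Resource "*"; a hardened version of the same template passes clean. Both templates are constructed for the example, and the bucket name, key alias and CIDR ranges are assumptions.

```python
import json

# Constructed CloudFormation templates (JSON form). INSECURE_TEMPLATE has four
# common misconfigurations; HARDENED_TEMPLATE is the same stack fixed.
INSECURE_TEMPLATE = json.dumps({"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket",
                  "Properties": {"BucketName": "app-logs"}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "ssh from anywhere",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DeployPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "deploy", "Roles": ["ci-deploy"],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
}})

HARDENED_TEMPLATE = json.dumps({"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": "app-logs",
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/app-logs"}}]}}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "ssh from the corporate range only",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "DeployPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "deploy", "Roles": ["ci-deploy"],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": "arn:aws:s3:::app-logs/*"}]}}},
}})

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _check_bucket(props):
    """All four public-access-block flags must be true, and default encryption set."""
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        yield "s3_public_access_block_missing"
    if "BucketEncryption" not in props:
        yield "s3_default_encryption_missing"


def _check_security_group(props):
    """Any inbound rule whose source is the whole internet is reported with its ports."""
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS:
            yield f"sg_world_open_ingress:{rule.get('FromPort')}-{rule.get('ToPort')}"


def _check_iam_policy(props):
    """Allow on Action '*' and Resource '*' is full administrative access."""
    for stmt in _as_list(props.get("PolicyDocument", {}).get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            yield "iam_admin_wildcard"


# Resource type -> generator of finding identifiers for that resource's Properties.
CHECKS = {
    "AWS::S3::Bucket": _check_bucket,
    "AWS::EC2::SecurityGroup": _check_security_group,
    "AWS::IAM::Policy": _check_iam_policy,
    "AWS::IAM::ManagedPolicy": _check_iam_policy,
}


def check_template(text):
    """Return (logical resource name, finding) pairs for a CloudFormation JSON template."""
    template = json.loads(text)
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend((name, f) for f in check(res.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for name, finding in check_template(INSECURE_TEMPLATE):
        print(f"{name}: {finding}")
    print("hardened template findings:", check_template(HARDENED_TEMPLATE))
```

Running a check like this in the pull-request stage, before `terraform apply` or a CloudFormation change set is executed, is what turns IaC from a deployment convenience into a preventive control: the misconfiguration is rejected as a failed build rather than discovered later by a cloud posture scan.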

Content Delivery Protection

  • Deployment patterns, such as canary and blue/green deployment processes
  • Content Delivery Networks (CDNs) such as AWS CloudFront
  • Methods to safely relax the Same Origin Policy, such as Cross-Origin Resource Sharing (CORS)
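
The word "safely" in the Same Origin Policy bullet is where CORS deployments usually go wrong, so here is an added example (not from the page or SANS) of a server-side origin check in Python, with the two common mistakes beside the correct form: reflecting the request's Origin header with credentials enabled, and matching origins by suffix, which accepts https://evilexample.com. The allowlisted origins, methods and headers are constructed for the example.

```python
# Constructed allowlist (not from the page). Entries are full origins:
# scheme + host + port, compared exactly.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST", "PUT")
ALLOWED_HEADERS = ("content-type", "authorization")


def cors_headers_reflect(origin):
    """Anti-pattern: reflects whatever Origin arrives and also allows
    credentials, so any site a victim visits can read their authenticated
    responses. Browsers refuse '*' together with credentials precisely
    because it means this; reflection is the same hole spelled differently."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix_match(origin):
    """Anti-pattern: a substring check. 'https://evilexample.com' ends with
    'example.com', so an attacker-registered domain passes."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Safe pattern: exact-match allowlist. An unlisted origin (including the
    literal 'null' sent by sandboxed iframes and file:// pages) gets no CORS
    headers, so the browser refuses to expose the response. 'Vary: Origin'
    keeps a shared cache from replaying one origin's header to another."""
    if origin is None or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def preflight_headers(origin, requested_method, requested_headers="", allowed=ALLOWED_ORIGINS):
    """Response to an OPTIONS preflight. Deny if the origin, the method in
    Access-Control-Request-Method, or any header listed in
    Access-Control-Request-Headers is outside the allowlist."""
    base = cors_headers(origin, allowed)
    if not base or requested_method.upper() not in ALLOWED_METHODS:
        return {}
    wanted = [h.strip().lower() for h in requested_headers.split(",") if h.strip()]
    if any(h not in ALLOWED_HEADERS for h in wanted):
        return {}
    return {**base,
            "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
            "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
            "Access-Control-Max-Age": "600"}


if __name__ == "__main__":
    for o in ["https://app.example.com", "https://evilexample.com", "null"]:
        print(f"{o:28} exact: {cors_headers(o)}  suffix: {cors_headers_suffix_match(o)}")
```

A CDN in front of the API does not change any of this: the allowlist decision still belongs to the origin server (or an edge function that implements the same exact-match rule), and the Vary header is what stops the CDN cache from becoming the bypass.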

Microservice Security

  • Microservice architecture attack surface
  • Security controls with API gateways
  • Appropriate security controls used in service mesh environments

Application Security

Code Scanning

  • Configuring Static Application Security Testing (SAST) tools such as Semgrep to scan source code for security vulnerabilities
  • Software Composition Analysis (SCA) tools such as OWASP Dependency-Check to find dependencies with known vulnerabilities
  • Integrating SAST and SCA tools into the CI/CD pipeline

Runtime Security Automation

  • Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST) tools, which instrument a running application to detect or block vulnerabilities exercised at runtime
  • Configuring Web Application Firewall (WAF) services to protect against common web application attacks

How to Prepare for the Exam

The best way to prepare for the GCSA exam is to study the exam topics in a detailed course. It is important to gain hands-on experience with cloud security automation tools and techniques.

If you are curious about taking the GCSA exam, you can take a demo of the SEC540 course on the SANS website.

Resources

Books

  • Securing DevOps: Security in the Cloud (2018) by Julien Vehent
  • Cloud Security Automation: Get to grips with automating your cloud security on AWS and OpenStack (2018) by Prashant Priyam
  • Cloud Computing with Security: Concepts and Practices (2019) by Naresh Sehgal, Pramod Bhatt, and John Acken
  • Practical Cloud Security: A Guide for Secure Design and Deployment (2023) by Chris Dotson
  • Hands-On Security in DevOps: Ensure continuous security, deployment, and delivery with DevSecOps (2018) by Tony Hsu
  • Security and Microservice Architecture on AWS: Architecting and Implementing a Secured, Scalable Solution (2021) by Gaurav Raje
  • Learning DevSecOps: A Practical Guide to Processes & Tools (2024) by Steve Suehring

Courses

  • SEC540: Cloud Security and DevSecOps Automation by SANS Institute
  • DevSecOps Essentials by A Cloud Guru
  • Introduction to DevSecOps for Cloud by A Cloud Guru
  • Get Ahead in DevSecOps by LinkedIn Learning
  • Performing DevSecOps Automated Security Testing by Pluralsight
  • Continuous Security on AWS: The DevSecOps on AWS Series by O’Reilly Media

Podcasts

  • Cloud Ace Podcast by SANS Institute
  • Cloud Security Podcast by Google Cloud

Code Repositories

  • DevSecOps Lab by Peter Mosmans
  • DevSecOps Class by Chris Jackson
  • Ultimate DevSecOps library by Marek Šottl
  • DevSecOps Playbook by Paul McCarty

Sample Questions

  1. Which open source tool can be used to scan Infrastructure-as-Code (IaC) templates for security misconfigurations?
    • A. Puppet
    • B. Checkov
    • C. Terraform
    • D. Ansible
  2. In which phase of the CI/CD pipeline should security scanning tools such as SAST and DAST be implemented?
    • A. Development
    • B. Testing
    • C. Deployment
    • D. Pre-Commit
  3. Which security testing technique analyzes an application while it is running?
    • A. SAST
    • B. DAST
    • C. Penetration testing
    • D. IAST

More Info