4 Days


A 4-Day practical hands-on training to understand application security vulnerabilities and how to automate the defenses for the same.

Class Overview

AppSecOps is a 4-day practical, hands-on training course on understanding application security vulnerabilities and automating the defenses against them. It provides insight into current security vulnerabilities such as host header injection, XML external entity (XXE) injection, attacks on JWT tokens, server-side request forgery (SSRF) and deserialization vulnerabilities. Attendees will learn how to defend against such attacks and how to integrate those defenses by building a DevSecOps environment.

The DevSecOps environment is built by injecting security checks into Continuous Integration (CI), Continuous Delivery (CD), Continuous Monitoring (CM) and Infrastructure as Code (IaC). A short preview of the DevSecOps portion of the course is available for viewing online.

Authored by: NotSoSecure, part of Claranet Cyber Security.

Delivered by: NotSoSecure’s security experts, who train Fortune 500 and start-up companies around the globe. As one of the largest training providers at Black Hat, they deliver practical, hands-on, lab-based hacking training both on-site and via live remote delivery. NotSoSecure trainers are all professional penetration testers who bring real-life experience into the classroom and have taught at Black Hat and many other leading international security conferences. WE HACK. WE TEACH.

Class Details

Course Takeaway

  • Understand OWASP Top 10 2017 with practical demonstrations and deeper insight.
  • Understand the financial repercussions of different vulnerabilities.
  • Get on the same page with the security team while discussing vulnerabilities.
  • Understand how to tackle security issues in a fast-moving DevOps environment
  • Identify tools/solutions and develop processes to create a secure by default infrastructure
  • Utilize the integration scripts and tools provided in the DevSecOps Lab to create your own DevSecOps pipeline


Course Objectives

  • Covers industry standards such as the OWASP Top 10, with practical demonstrations of vulnerabilities complemented by hands-on lab practice.
  • Provides insight into current security vulnerabilities (such as host header injection, XML external entity injection, attacks on JWT tokens, known-plaintext attacks and deserialization vulnerabilities).
  • Offers thorough guidance on security best practices (an introduction to various security frameworks, tools and techniques for secure application development).
  • Makes real-world analogies for each vulnerability explained (for example, understand why Facebook would pay $33,000 for an XML External Entity injection vulnerability).
  • Provides online labs for hands-on practice during and after the course (7 days of access).
  • Create a security culture/mindset amongst the already integrated “DevOps” team.
  • Find and fix security bugs as early in SDLC as possible i.e. understand the “Shift Left” methodology.
  • The culture promotes the philosophy “Security is everyone’s problem”.
  • Integrate all security software centrally and utilize the results more effectively.
  • Measure and shrink the attack surface.


Delegates Receive

Apart from the various tools and content provided around the training, students receive 7 days of lab access in which they can practice all the exercises and demos shown during the training.

They will also receive our custom-built DevSecOps-Lab VM, containing all the code, scripts and tools used to build the entire DevSecOps pipeline.

Application Security Basics

Understanding the HTTP Protocol

Security Misconfigurations

Insufficient Logging and Monitoring

Authentication Flaws

Authorization Bypass Techniques

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF)

Server-Side Request Forgery (SSRF)

SQL Injection

XML External Entity (XXE) Attacks

Unrestricted File Uploads

Deserialization Vulnerabilities

Client-Side Security Concerns

Source Code Review

Introduction to DevOps

Introduction to DevSecOps

Continuous Integration

Continuous Delivery

Infrastructure As Code

Continuous Monitoring

DevSecOps in AWS

DevSecOps Challenges and Enablers


Who Should Take This Class?

This class is ideal for web/API developers who work day in, day out building full-stack web applications or web APIs. Anyone looking to develop a skillset in web application security and to identify web application flaws can also benefit from this course.

DevOps engineers, security and solutions architects, system administrators and anybody who is a fan of automation will also benefit strongly from this course, as it gives them a holistic approach to application security.

Student Requirements

Anybody with a background in IT or software development, whether a developer or a manager, can attend this course to gain insight into web application security vulnerabilities, DevOps and DevSecOps.

A laptop with a minimum of 4 GB RAM and 1 GB of free disk space. Currently the tools we provide support only Windows, macOS and Debian operating systems.
