AppSecOps Training

This is a 4-Day practical hands-on training combining our DevSecOps and AppSec for Developers courses to allow you to fully understand application security vulnerabilities and how to automate your defenses.

We will provide insights into the latest security vulnerabilities such as host header injection, XML external entity injection, attacks on JWT tokens, SSRF Attacks, deserialization vulnerabilities etc. and you will learn how to defend yourself against such attacks and develop a DevSecOps environment.

2021 Edition

Fast track available

4 day course

Live, online available

Hack-Lab is available


Course Overview

Application Security testing (Also known as whitebox testing) as an activity tends to capture security vulnerabilities at the end of the SDLC and is often too late to be able to influence fundamental changes in the way code is written.

We will show you how to implement a DevSecOps environment by injecting security into Continuous Integration (CI), Continuous Delivery (CD), Continuous Monitoring (CM) and Infrastructure as Code (IaC). You will be provided with a personalized cloud setup of our DevSecOps lab for hands-on implementation of various security tools in the CI/CD/CM pipeline.

Course Details

You will be able to:

  • Understand industry standards such as OWASP top 10 with a practical demonstration of vulnerabilities complemented with hands-on lab practice.
  • Gain insight into the latest security vulnerabilities (such as host header injection, XML external entity injection, attacks on JWT tokens, known-plaintext attacks, deserialization vulnerabilities).
  • Understand best security practices and an introduction to various security frameworks, tools and techniques for secure application development.
  • Make real-world analogies for each vulnerability explained. See why Facebook would pay $33,000 for XML Entity Injection vulnerability.
  • Create a security culture/mindset amongst your already integrated “DevOps” team.
  • Find and fix security bugs as early in SDLC as possible and understand the “Shift Left” methodology.
  • Integrate all security software centrally and utilize the results more effectively.
  • Measure and shrink the attack surface.

You will receive:

Apart from the various tools and content around the training, you will be provided with a 7 day lab access where you can practice all the exercises/demos shown during the training as well as access to cloud DevSecOps-Lab for 24 hours post end of the training for further hands-on practice. You will also receive a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.

What you can take away from the course:

You will gain a full understanding of bringing security into the DevOps methodology and this will get you on the same page with your security team when discussing vulnerabilities and know how to tackle security issues in a fast-moving DevOps environment. The extended Hack-Lab allows you time to go through the practical demonstrations with a deeper insight whether you need to understand the OWASP Top 10 or the financial repurcussions of different vulnerabilities.

Details of the course content:

  • Application Security Basics
  • Understanding the HTTP Protocol
  • Security Misconfigurations
  • Insufficient Logging and Monitoring
  • Authentication Flaws
  • Authorization Bypass Techniques
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery Scripting
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • XML External Entity (XXE) Attacks
  • Unrestricted File Uploads
  • Deserialization Vulnerabilities
  • Client-Side Security Concerns
  • Source Code Review
  • Introduction to DevOps
  • Introduction to DevSecOps
  • Continuous Integration
  • Continuous Delivery
  • Infrastructure As Code
  • Continuous Monitoring
  • DevSecOps in AWS
  • DevSecOps Challenges and Enablers


Who Should Take This Class?

This class is ideal for Web/API developers who work day-in-day out building full-stack web applications or web APIs. Anyone who is looking to develop a skillset into web application security and identify web application flaws can also benefit from this course.

DevOps engineers, security and solutions architects, system administrators and anybody who is a fan of automation will also strongly benefit as it will give you a holistic approach towards application security.

If you are a developer who requires mitigation strategies or fails to understand issues like Cross-Site Scripting, XML, External Entity attacks, Deserialization issues, Content-Security Policy and many more application security vulnerabilities and their remediation, then this class is for you!

If you are Manager responsible for handling a development team and would like to give a good dose of security knowledge so that you can avoid application security bugs in your code, then you are at the right place!

If you are a DevOps engineer wondering how to automate security into your pipeline, then this course will teach you how to metamorphose your DevOps to DevSecOps. If you would like to avoid breaches like that of Equifax, then find out more now!

You will need:

A laptop with minimum 4 GB RAM and 1 GB of extra space. Currently the tools provided by us support only Windows, MacOS and Debian operating systems. In order to access our labs you’ll need an unfiltered direct connection to the internet. Our labs will not be accessible from behind a proxy or a firewalled internet connection.

It is recommended that you complete one of the following courses before taking this course:

The Art of Hacking

Infrastructure Hacking

How to book

Courses and webinars

Sorry, there are no specific public courses for this module in the immediate future. Please come back later as we are adding them all the time, view all our courses or check with one of our partners.

All upcoming courses

Basic Web Hacking

Course Information

You can download a copy of the course information below.

In addition you will also be provided with a student pack, handouts and cheat-sheets if appropriate.

Download the course information

Your Training Roadmap

Offensive Classes

Hacking training for all levels: new to advanced. Ideal for those preparing for certifications such as CREST CCT (ICE), CREST CCT (ACE), CHECK (CTL), TIGER SST as well as infrastructure / web application penetration testers wishing to add to their existing skill set.

Defensive Classes

Giving you the skills needed to get ahead and secure your business by design. We specialise in application security (both secure coding and building security testing into your software development lifecycle) and cloud security. Build security capability into your teams enabling you to move fast and stay secure.


The instructor had very good real life examples from his own experience."

Delegate, AppSecOps Course

The tools presented are excellent. It was good that there had obviously been a lot of work done on finding good tools for each piece of the course."

Delegate, AppSecOps Course

These trainings from NotSoSecure are world class (Black Hat Level) and truly worth it."

Delegate, Black Hat AppSecOps Course

Marvellous training."

Delegate, DevSecOps Course

The content was really interesting and I like the real-world examples of what was being explained."

Delegate, AppSecOps Course

Took this course as the 4-day was full, and was prepared for a fast-paced nightmare! On the contrary this course was well planned for the timescales. Happy with the solution."

Delegate, Black Hat USA