DevSecOps Training

This is our classic Specialist Course for DevSecOps.

This 2-day intermediate course will show you how to automate security into a fast-paced DevOps environment using various open-source tools and scripts. We have delivered this training at the Virtual OWASP AppSec Days Conference to an overwhelmingly positive response.

The course is available directly from Claranet Cyber Security or you can book through one of our partners. The course is now available as live, online training and can be delivered for you individually or for your company. Contact us below with your requirements.


  • 2021 Edition
  • 2 day practical class
  • Available by Partners
  • Live, online available
  • Hack-Lab available
  • Advanced

Course Overview

Modern enterprises are implementing the technical and cultural changes required to embrace DevOps methodology by introducing practices such as Continuous Integration (CI), Continuous Delivery (CD), Continuous Monitoring (CM) and Infrastructure as Code (IaC).

DevSecOps extends DevOps by introducing security into each of these practices, giving a level of security assurance in the final product. In this course, we will use our state-of-the-art DevSecOps Lab to demonstrate how to effectively inject security into CI, CD, CM and IaC.

Every delegate will be provided a personalized cloud setup of our DevSecOps lab for hands-on implementation of various security tools in the CI/CD/CM pipeline. Attendees will receive the DevSecOps Lab built using Vagrant and Ansible comprising the same tools and scripts as a takeaway.

Course Details

You will be able to:

  • Access the cloud DevSecOps-Lab for 24 hours after the end of the training for further hands-on practice (provided to each delegate).
  • Take away a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.

You will receive:

A full understanding of how to tackle security issues and a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.

What you can take away from the course:

  • Understand how to tackle security issues in a fast-moving DevOps environment
  • Identify tools/solutions and develop processes to create a secure by default infrastructure
  • In-depth understanding of various tools that can be used for security automation
  • Utilize the integration scripts and tools provided in the DevSecOps Lab to create your own DevSecOps pipeline

Details of the course content:

LAB SETUP

  • Online Lab Setup
  • Offline Lab Instructions

INTRODUCTION TO DEVOPS

  • What is DevOps?
    • Lab: DevOps Pipeline

INTRODUCTION TO DEVSECOPS

  • Challenges for Security in DevOps
  • DevOps Threat Model
  • DevSecOps – Why, What and How?
  • Vulnerability Management

CONTINUOUS INTEGRATION

  • Pre-Commit Hooks
    • Introduction to Talisman
    • Lab: Running Talisman
    • Lab: Create your own regexes for Talisman
  • Secrets Management
    • Introduction to HashiCorp Vault
    • Demo: Vault Commands

CONTINUOUS DELIVERY

  • Software Composition Analysis (SCA)
    • Introduction to Dependency-Check
    • Lab: Run Dependency-Check pipeline
    • Lab: Fix issues reported by Dependency-Check
  • Static Analysis Security Testing (SAST)
    • Introduction to Semgrep
    • Lab: Run Semgrep pipeline
    • Lab: Create your own Semgrep Rules
    • Lab: Fix Issues reported by Semgrep
  • Dynamic Analysis Security Testing (DAST)
    • Introduction to OWASP ZAP
    • Demo: Creating ZAP Context File
    • Lab: Run ZAP in pipeline

INFRASTRUCTURE AS CODE

  • Vulnerability Assessment (VA)
    • Introduction to OpenVAS
    • Lab: Run OpenVAS pipeline
  • Container Security (CS)
    • Introduction to Trivy
    • Lab: Run Trivy in Pipeline
    • Lab: Improvise Docker base image
  • Compliance as Code (CaC)
    • Introduction to Inspec
    • Lab: Run Inspec in Pipeline
    • Lab: Improvise Docker compliancy controls

CONTINUOUS MONITORING

  • Logging
    • Introduction to the ELK Stack
    • Lab: View Logs in Kibana
  • Alerting
    • Introduction to ElastAlert and ModSecurity
    • Lab: View Alerts in Kibana
  • Monitoring
    • Lab: Create Attack Dashboards in Kibana

DEVSECOPS IN AWS

  • DevOps on Cloud Native AWS
  • AWS Threat Landscape
  • DevSecOps in Cloud Native AWS

DEVSECOPS CHALLENGES AND ENABLERS

  • Challenges with DevSecOps
  • Building DevSecOps Culture
  • Security Champions
  • Case Studies
  • Where do we Begin?
  • DevSecOps Maturity Model

Prerequisites

Who Should Take This Class?

DevOps engineers, security and solutions architects, and system administrators will strongly benefit from this course, as it will give you a holistic approach towards application security.

If you have a background in IT or software development, whether as a developer or a manager, you can attend this course to get an insight into DevOps and DevSecOps.

You will need:

You should bring a laptop with a minimum of 12 GB RAM and 40 GB of extra space, and you should have administrator privileges on it. To access our labs you'll need an unfiltered direct connection to the internet. Our labs will not be accessible from behind a proxy or a firewalled internet connection.

How to book

This course is available directly from Claranet Cyber Security; please use the form alongside.

The course is also available from our partners listed below:


QA training


Checkpoint training

Course Information

You can download a copy of the course information below.

In addition, you will be provided with a student pack, handouts and cheat-sheets if appropriate.

Your Training Roadmap

Offensive Classes

Hacking training for all levels: new to advanced. Ideal for those preparing for certifications such as CREST CCT (ICE), CREST CCT (ACE), CHECK (CTL), TIGER SST as well as infrastructure / web application penetration testers wishing to add to their existing skill set.

Defensive Classes

Giving you the skills needed to get ahead and secure your business by design. We specialise in application security (both secure coding and building security testing into your software development lifecycle) and cloud security. Build security capability into your teams enabling you to move fast and stay secure.

Testimonials

"Marvellous training."

Delegate, DevSecOps Course

"Thank you team for a wonderful DevSecOps Course!"

Delegate, Nullcon 2021

"The tools presented are excellent. It was good that there had obviously been a lot of work done on finding good tools for each piece of the course."

Delegate, AppSecOps Course

"Thank you @notsosecure and @nullcon for the extensive training on DevSecOps. Really engaging and a great learning session. Worth mentioning the material and the hands-on lab. Kudos to the team and their hard work for a smooth experience."

Delegate, Nullcon 2021

"Thanks NotSoSecure for such a great DevSecOps course!"

Delegate, CheckPoint - DevSecOps Course

"As the speed and frequency of releases increase, DevSecOps is a must to introduce security earlier in the software development life cycle (SDLC). It is a key for DevOps teams to deliver secure applications with speed and quality. Attended a 4 day training on DevSecOps - Automating Security in DevOps conducted by NullCon. A big thanks to NotSoSecure | part of Claranet Cyber Security for conducting the insightful sessions. Had a very enriching experience."

Delegate, Nullcon 2021