DevSecOps Training

This is our classic Specialist Course for DevSecOps.

This 2-day intermediate course will show you how to automate security into a fast-paced DevOps environment using various open-source tools and scripts. We have delivered this training for Virtual OWASP AppSec Days Conference to an overwhelming positive response.

The course is available directly from Claranet Cyber Security or you can book through one of our partners. The course is now available as live, online training and can be delivered for you individually or for your company. Contact us below with your requirements.


2 day practical class


Available by Partners


Live, online available


Hack-Lab available


Advanced

Course Overview

Keep up with DevOps modernization and widen your career prospects. This practical 2-day course will help you build your own DevSecOps pipeline so you can make products secure by design. Get your hands dirty with our popular virtual labs and learn from experienced, practicing penetration testers with a legacy of training at Black Hat. Learn how to use and automate the most popular and effective security tools and practices, overcome common DevSecOps challenges, instill security culture within your team, and more...

Interested

Interested?

1. Our courses are available directly from us; through our training partners or at worldwide technical conferences.

2. You can find course dates and prices on the Courses and Webinars page.
Click here for course dates, prices and content

3. Take a look below at a few of the upcoming courses for this specific training.

4. For more information including private course requests, complete the short form below.

Courses and webinars

Booking enquiries

Select the course from the Courses and Webinars Page.

Click here for course dates and prices

For private course delivery enquiries or other information, please use the form alongside.

The course is also available from our partners listed below.


QA training

If booked through Check Point, Cyber-Security Leraning Credits are accepted for this course.


Checkpoint training

For security and IT decision makers

What’s the real impact of training your team through NotSoSecure?

Shift your organisation’s security left, make it a less attractive target to attackers, and help it resist attacks by building a team that can develop resilient applications and systems using secure processes. Trained delegates can:

  • Implement security tools and build and automate secure processes within their DevOps pipelines.
  • Secure any DevOps environment, from development and staging to production.
  • Securely deploy all the latest DevSecOps technologies which are covered in the course.
  • Understand the business impact of DevSecOps principles and articulate this to key stakeholders.
  • Solve business and development problems with a security mindset.
  • Take on greater responsibility in the team and become an advocate of security in the wider business.

Course Details

You will be able to:

Our interactive course format enables you to get hands on throughout the session, including:

  • Running different tools and testing them against realistic use cases in your own dedicated lab
  • Automating code reviews to check software for vulnerabilities
  • Modelling a Secure by Design environment module by module
  • Discussing how to embed the human and cultural aspects of DevSecOps

You will receive:

This course uses a Defense by Offence methodology based on real world offensive research (nottheory). That means everything we teach has been tried and tested, either on a live environment or inour labs, and can be applied (by you) once the course is over. By the end of the course, you’ll know:

  • How cyber criminals and penetration testers exploit insecure DevOps practices
  • Exactly where to start when shifting from DevOps to DevSecOps
  • How to use Talisman to create pre-commit hooks to lower the chance of credentials and other secrets being exposed during development
  • How to automate security into a fast-paced DevOps environment using various opensource tools and scripts that don’t slow down delivery
  • How to secure your methodology for managing and delivering Infrastructure as Code (IaC)
  • How to use the Elastic (ELK) Stack to monitor your applications’ behaviors with logs and alerts
  • How to achieve DevSecOps in cloud native AWS
  • What challenges to expect when moving to a DevSecOps model and how to overcome them
  • How to mature your DevSecOps approach over time

Why it is relevant

This course was met with an incredible response when we delivered it at OWASP’s 2022 AppSec Days Developer Security Summit. Despite growing awareness around the need to shift security left, speed of development is still taking precedent over risk in many organizations, leaving security behind with every deploy. Moving from DevOps to DevSecOps without slowing down is a real challenge. You need to know which tools to use, what processes to put in place and how to govern them, and how change the culture of development at the people level. Maybe most importantly, you need to know where to start.

Our DevSecOps course syllabus responds to that challenge by:

  • Covering the most recognized (and effective) DevSecOps tools, so you can put them into practice.
  • Showing you how you to maintain automation and speed without compromising security.
  • Addressing the challenges that teams often come up against, so you can prepare to do the same.
  • Tackling DevSecOps in the cloud to help you adapt your approach for different environments.
  • Acknowledging and responding to the security skills gap that exists in most development teams.
  • Covering everything that DevSecOps stakeholders need to know (not just the development aspect)

What you can take away from the course:

  • Hands-on experience with DevSecOps tools to help you learn what they do and how to use them
  • Working knowledge of how to implement these security tools and other practices in your DevOps pipeline
  • An offline lab setup, which you can replicate on your own computer to create and practice in the same environment in your own time (we will provide a folder and instructions for setup on Linux/MAX or Windows)

Details of the course content:

LAB SETUP

  • Online Lab Setup
  • Offline Lab Instructions

INTRODUCTION TO DEVOPS

  • What is DevOps?
  • Lab: DevOps Pipeline

INTRODUCTION TO DEVSECOPS

  • Security challenges in DevOps
  • Threat modelling for DevOps
  • DevSecOps – why you need it, how you use it, and what it is
  • Vulnerability management

CONTINUOUS INTEGRATION

  • Pre-Commit Hooks
  • Introduction to Talisman
  • Lab: Running Talisman
  • Lab: Create your own regexes for Talisman
  • Secrets management
  • Introduction to HashiCorp Vault
  • Demo: Vault commands

CONTINUOUS DELIVERY

  • Software Composition Analysis (SCA)
  • Introduction to OWASP Dependency-Check
  • Lab: Run OWASP Dependency-Check pipeline
  • Lab: Fix issues reported by Dependency-Check
  • Static Analysis Security Testing (SAST)
  • Introduction to Semgrep
  • Lab: Run Semgrep pipeline
  • Lab: Create your own Semgrep rules
  • Lab: Fix issues reported by Semgrep
  • Dynamic Analysis Security Testing (DAST)
  • Introduction to OWASP ZAP
  • Demo: Creating OWASP ZAP Context File
  • Lab: Run OWASP ZAP in pipeline

INFRASTRUCTURE AS CODE

  • Vulnerability Assessment (VA)
  • Introduction to OpenVAS
  • Lab: Run OpenVAS pipeline
  • Container Security (CS)
  • Introduction to Trivy
  • Lab: Run Trivy in Pipeline
  • Lab: Improvise Docker base image
  • Compliance as Code (CaC)
  • Introduction to Chef Inspec
  • Lab: Run Chef Inspec in Pipeline
  • Lab: Improvise with Docker compliancy controls

CONTINUOUS MONITORING

  • Logging – why to do it, how, and what logs to collect.
  • Introduction to the ELK Stack
  • Lab: View Logs in Kibana
  • Alerting – how to create alerts that help you prioritize.
  • Introduction to ElastAlert and ModSecurity
  • Lab: View Alerts in Kibana
  • Monitoring – how to track and learn from malicious activity.
  • Lab: Create Attack Dashboards in Kibana

DEVSECOPS IN AWS

  • What does DevOps on Cloud Native AWS look like?
  • AWS Threat Landscape
  • Shifting to DevSecOps in Cloud Native AWS

DEVSECOPS CHALLENGES AND ENABLERS

  • Challenges with DevSecOps
  • How to build a DevSecOps culture
  • Security champions – how to create DevSecOps advocates across your team.
  • Case study: how organizations use automation to implement development security best practice
  • Where do we Begin?
  • DevSecOps Maturity Model

What you will get

  • Certificate of completion
  • Your own offline lab setup to use after the course
  • 8 Continuing Professional Education (CPE) credits awarded per day of training fulfilled.
  • Learning pack, including question & answer sheets, setup documents, and command cheat sheets

Course highlights

What delegates love:

  • Offensive angle: you’ll learn from practicing penetration testers and red teamers with working knowledge of the latest and most common software hacks.
  • Browser based:the course has no software dependency and requires no installations, making it fast to get set up and easier to get security clearance (all you need is internet access and a GitHub account)
  • Multiple mitigations: for every vulnerability covered, you’ll explore 3 to 4 remediations, helping you develop a versatile approach.
  • Technology focus: almost two full days spent testing the industry’s preferred DevSecOps tools, for free.
  • Real-world learning: in an industry where most of the leading cybersecurity training courses are based on theory, our scenario-led, research-based approach ensures you learn how real threat actors think and act.

Outcomes for budget holders

This course is designed to equip all the relevant stakeholders for the shift from DevOps to DevSecOps without losing speed or efficiency, helping to:

  • Increase the frequency and consistency of secure (vulnerability-free) software releases
  • Lower the cost of remediation by identifying vulnerabilities before software is deployed
  • Manage the likelihood and impact of security incidents originating from insecure code and development practices
  • Identify security issues that need dedicated, in-depth security testing (e.g., business logic issues) to validate the risk they pose and recommend remediation measures
  • Develop the organization’s competitive advantage for security-conscious customers
  • Test the effectiveness of tools before committing to investment
  • Nurture and retain passionate, highly skilled, and security conscious employees
  • Demonstrate commitment to security through training and change management

Prerequisites

Who Should Take This Class?

  • Developers
  • DevOps/DevSecOps engineers
  • Application security engineers
  • Ops teams
  • CISOs

This course is suitable for organizations and teams with a DevOps pipeline already in place, as well as those planning to implement one. The syllabus has been designed to help different key stakeholders improve their skills and knowledge across different security practices and embed “security by design” as the way of working. Putting these learnings to use will lead to improvements in the overall security posture of your applications over time.

You will need:

You should bring a laptop with a minimum 12 GB RAM and 40 GB of extra space and also have administrator privileges. In order to access our labs you'll need an unfiltered direct connection to the internet. Our labs will not be accessible from behind a proxy or a firewalled internet connection

DevSecOps Training

Course Information

You can download a copy of the course information below.

In addition you will also be provided with a student pack, handouts and cheat-sheets if appropriate.

Download the course information

Your Training Roadmap

Offensive Classes

Hacking training for all levels: new to advanced. Ideal for those preparing for certifications such as CREST CCT (ICE), CREST CCT (ACE), CHECK (CTL), TIGER SST as well as infrastructure / web application penetration testers wishing to add to their existing skill set.

Defensive Classes

Giving you the skills needed to get ahead and secure your business by design. We specialise in application security (both secure coding and building security testing into your software development lifecycle) and cloud security. Build security capability into your teams enabling you to move fast and stay secure.

Testimonials

Marvellous training."

Delegate, DevSecOps Course

Thank you team for a wonderful DevSecOps Course!"

Delegate, Nullcon 2021

The tools presented are excellent. It was good that there had obviously been a lot of work done on finding good tools for each piece of the course."

Delegate, AppSecOps Course

Thank you @notsosecure and @nullcon for the extensive training on DevSecops. Really engaging and a great learning session. Worth mentioning the material and the hands on-lab. Kudos to the team and their hard work for a smooth experience."

Delegate, Nullcon 2021

Thanks NotSoSecure for such a great DevSecOps course!"

Delegate, CheckPoint - DevSecOps Course

As the speed and frequency of releases increase, DevSecOps is a must to introduce security earlier in the software development life cycle (SDLC). It is a key for DevOps teams to deliver secure applications with speed and quality. Attended a 4 day training on DevSecOps - Automating Security in DevOps conducted by NullCon. A big thanks to NotSoSecure | part of Claranet Cyber Security for conducting the insightful sessions. Had a very enriching experience."

Delegate, Nullcon 2021