This is our classic Specialist Course for DevSecOps.
This 2-day intermediate course will show you how to automate security into a fast-paced DevOps environment using various open-source tools and scripts. We have delivered this training for the Virtual OWASP AppSec Days Conference to an overwhelmingly positive response.
The course is available directly from Claranet Cyber Security or you can book through one of our partners. The course is now available as live, online training and can be delivered for you individually or for your company. Contact us below with your requirements.
2 day practical class
Available by Partners
Live, online available
For security and IT decision makers
What’s the real impact of training your team through NotSoSecure?
Shift your organisation’s security left, make it a less attractive target to attackers, and help it resist attacks by building a team that can develop resilient applications and systems using secure processes. Trained delegates can:
- Implement security tools and build and automate secure processes within their DevOps pipelines.
- Secure any DevOps environment, from development and staging to production.
- Securely deploy all the latest DevSecOps technologies which are covered in the course.
- Understand the business impact of DevSecOps principles and articulate this to key stakeholders.
- Solve business and development problems with a security mindset.
- Take on greater responsibility in the team and become an advocate of security in the wider business.
Modern enterprises are implementing the technical and cultural changes required to embrace DevOps methodology by introducing practices such as Continuous Integration (CI), Continuous Delivery (CD), Continuous Monitoring (CM) and Infrastructure as Code (IaC).
DevSecOps extends DevOps by introducing security into each of these practices, giving a level of security assurance in the final product. In this course, we will demonstrate, using our state-of-the-art DevSecOps Lab, how to effectively inject security into CI, CD, CM and IaC.
Every delegate will be provided a personalized cloud setup of our DevSecOps lab for hands-on implementation of various security tools in the CI/CD/CM pipeline. Attendees will receive the DevSecOps Lab built using Vagrant and Ansible comprising the same tools and scripts as a takeaway.
You will be able to:
- Access the cloud DevSecOps-Lab for 24 hours after the end of the training for further hands-on practice (provided to each delegate).
- Take away a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.
You will receive:
A full understanding of how to tackle security issues and a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.
What you can take away from the course:
- Understand how to tackle security issues in a fast-moving DevOps environment
- Identify tools/solutions and develop processes to create a secure by default infrastructure
- In-depth understanding of various tools that can be used for security automation
- Utilize the integration scripts and tools provided in the DevSecOps Lab to create your own DevSecOps pipeline
Details of the course content:
- Online Lab Setup
- Offline Lab Instructions
INTRODUCTION TO DEVOPS
- What is DevOps?
- Lab: DevOps Pipeline
INTRODUCTION TO DEVSECOPS
- Challenges for Security in DevOps
- DevOps Threat Model
- DevSecOps – Why, What and How?
- Vulnerability Management
- Pre-Commit Hooks
- Introduction to Talisman
- Lab: Running Talisman
- Lab: Create your own regexes for Talisman
- Secrets Management
- Introduction to HashiCorp Vault
- Demo: Vault Commands
- Software Composition Analysis (SCA)
- Introduction to Dependency-Check
- Lab: Run Dependency-Check pipeline
- Lab: Fix issues reported by Dependency-Check
- Static Analysis Security Testing (SAST)
- Introduction to Semgrep
- Lab: Run Semgrep pipeline
- Lab: Create your own Semgrep Rules
- Lab: Fix Issues reported by Semgrep
- Dynamic Analysis Security Testing (DAST)
- Introduction to OWASP ZAP
- Demo: Creating ZAP Context File
- Lab: Run ZAP in pipeline
INFRASTRUCTURE AS CODE
- Vulnerability Assessment (VA)
- Introduction to OpenVAS
- Lab: Run OpenVAS pipeline
- Container Security (CS)
- Introduction to Trivy
- Lab: Run Trivy in Pipeline
- Lab: Improvise Docker base image
- Compliance as Code (CaC)
- Introduction to Inspec
- Lab: Run Inspec in Pipeline
- Lab: Improvise Docker compliancy controls
- Introduction to the ELK Stack
- Lab: View Logs in Kibana
- Introduction to ElastAlert and ModSecurity
- Lab: View Alerts in Kibana
- Lab: Create Attack Dashboards in Kibana
DEVSECOPS IN AWS
- DevOps on Cloud Native AWS
- AWS Threat Landscape
- DevSecOps in Cloud Native AWS
DEVSECOPS CHALLENGES AND ENABLERS
- Challenges with DevSecOps
- Building DevSecOps Culture
- Security Champions
- Case Studies
- Where do we Begin?
- DevSecOps Maturity Model
Who Should Take This Class?
DevOps engineers, security and solutions architects, and system administrators will strongly benefit from this course, as it gives a holistic approach towards application security.
If you have a background in IT or in a field related to software development, whether as a developer or a manager, you can attend this course to gain insight into DevOps and DevSecOps.
You will need:
You should bring a laptop with a minimum of 12 GB RAM and 40 GB of extra space, and you should have administrator privileges on it. To access our labs you'll need an unfiltered, direct connection to the internet. Our labs will not be accessible from behind a proxy or a firewalled internet connection.
You can download a copy of the course information below.
In addition you will also be provided with a student pack, handouts and cheat-sheets if appropriate.
Your Training Roadmap
Hacking training for all levels: new to advanced. Ideal for those preparing for certifications such as CREST CCT (ICE), CREST CCT (ACE), CHECK (CTL), TIGER SST as well as infrastructure / web application penetration testers wishing to add to their existing skill set.
Giving you the skills needed to get ahead and secure your business by design. We specialise in application security (both secure coding and building security testing into your software development lifecycle) and cloud security. Build security capability into your teams enabling you to move fast and stay secure.
Delegate, DevSecOps Course
"Thank you team for a wonderful DevSecOps Course!"
Delegate, Nullcon 2021
"The tools presented are excellent. It was good that there had obviously been a lot of work done on finding good tools for each piece of the course."
Delegate, AppSecOps Course
"Thank you @notsosecure and @nullcon for the extensive training on DevSecOps. Really engaging and a great learning session. Worth mentioning the material and the hands-on lab. Kudos to the team and their hard work for a smooth experience."
Delegate, Nullcon 2021
"Thanks NotSoSecure for such a great DevSecOps course!"
Delegate, CheckPoint - DevSecOps Course
"As the speed and frequency of releases increase, DevSecOps is a must to introduce security earlier in the software development life cycle (SDLC). It is a key for DevOps teams to deliver secure applications with speed and quality. Attended a 4 day training on DevSecOps - Automating Security in DevOps conducted by NullCon. A big thanks to NotSoSecure | part of Claranet Cyber Security for conducting the insightful sessions. Had a very enriching experience."
Delegate, Nullcon 2021