This is our classic Specialist Course for DevSecOps.
This 2-day intermediate course will show you how to automate security into a fast-paced DevOps environment
using various open-source tools and scripts. We have delivered this training for the Virtual OWASP AppSec Days
Conference to an overwhelmingly positive response.
The course is available directly from Claranet Cyber Security or you can book through one of our partners.
The course is now available as live, online training and can be delivered for you individually or for your
company. Contact us below with your requirements.
2 day practical class
Available by Partners
Live, online available
Hack-Lab available
Advanced
Course Overview
Modern enterprises are implementing the technical and cultural changes required to embrace DevOps methodology
by introducing practices such as Continuous Integration (CI), Continuous Delivery (CD), Continuous Monitoring
(CM) and Infrastructure as Code (IaC).
DevSecOps extends DevOps by introducing security into each of these practices, giving a level of security
assurance in the final product. In this course, we will use our state-of-the-art DevSecOps Lab to demonstrate
how to effectively inject security into CI, CD, CM and IaC.
Every delegate will be provided with a personalized cloud setup of our DevSecOps lab for hands-on implementation
of various security tools in the CI/CD/CM pipeline. Attendees will receive the DevSecOps Lab built using
Vagrant and Ansible comprising the same tools and scripts as a takeaway.
Enquire about your training
We provide training directly (live, online or in person) and also work with a range of training partners in different locations around the globe for classroom or live, online training. Please contact us with details of your requirement and we will recommend the best route to access our amazing training.
The course can also be booked directly through our accredited training partners.
If booked through Check Point, Cyber-Security Learning Credits are accepted for this course.
For security and IT decision makers
What’s the real impact of training your team through NotSoSecure?
Shift your organisation’s security left, make it a less attractive target to attackers, and help it resist
attacks by building a team that can develop resilient applications and systems using secure processes. Trained
delegates can:
- Implement security tools and build and automate secure processes within their DevOps pipelines.
- Secure any DevOps environment, from development and staging to production.
- Securely deploy all the latest DevSecOps technologies which are covered in the course.
- Understand the business impact of DevSecOps principles and articulate this to key stakeholders.
- Solve business and development problems with a security mindset.
- Take on greater responsibility in the team and become an advocate of security in the wider business.
Course Details
You will be able to:
- Each delegate gets access to the cloud DevSecOps-Lab for 24 hours after the end of the training for further
hands-on practice.
- The attendees will also receive a DevSecOps-Lab VM (designed by the NotSoSecure team) containing all
the code, scripts and tools that are used for building the entire DevSecOps pipeline.
You will receive:
A full understanding of how to tackle security issues and a DevSecOps-Lab VM (designed by the NotSoSecure team)
containing all the code, scripts and tools that are used for building the entire DevSecOps pipeline.
What you can take away from the course:
- Understand how to tackle security issues in a fast-moving DevOps environment
- Identify tools/solutions and develop processes to create a secure by default infrastructure
- In-depth understanding of various tools that can be used for security automation
- Utilize the integration scripts and tools provided in the DevSecOps Lab to create your own DevSecOps
pipeline
Details of the course content:
LAB SETUP
- Online Lab Setup
- Offline Lab Instructions
INTRODUCTION TO DEVOPS
- What is DevOps?
- Lab: DevOps Pipeline
INTRODUCTION TO DEVSECOPS
- Challenges for Security in DevOps
- DevOps Threat Model
- DevSecOps – Why, What and How?
- Vulnerability Management
CONTINUOUS INTEGRATION
- Pre-Commit Hooks
- Introduction to Talisman
- Lab: Running Talisman
- Lab: Create your own regexes for Talisman
- Secrets Management
- Introduction to HashiCorp Vault
- Demo: Vault Commands
CONTINUOUS DELIVERY
- Software Composition Analysis (SCA)
- Introduction to Dependency-Check
- Lab: Run Dependency-Check pipeline
- Lab: Fix issues reported by Dependency-Check
- Static Analysis Security Testing (SAST)
- Introduction to Semgrep
- Lab: Run Semgrep pipeline
- Lab: Create your own Semgrep Rules
- Lab: Fix Issues reported by Semgrep
- Dynamic Analysis Security Testing (DAST)
- Introduction to OWASP ZAP
- Demo: Creating ZAP Context File
- Lab: Run ZAP in pipeline
INFRASTRUCTURE AS CODE
- Vulnerability Assessment (VA)
- Introduction to OpenVAS
- Lab: Run OpenVAS pipeline
- Container Security (CS)
- Introduction to Trivy
- Lab: Run Trivy in Pipeline
- Lab: Improvise Docker base image
- Compliance as Code (CaC)
- Introduction to Inspec
- Lab: Run Inspec in Pipeline
- Lab: Improvise Docker compliancy controls
CONTINUOUS MONITORING
- Logging
- Introduction to the ELK Stack
- Lab: View Logs in Kibana
- Alerting
- Introduction to ElastAlert and ModSecurity
- Lab: View Alerts in Kibana
- Monitoring
- Lab: Create Attack Dashboards in Kibana
DEVSECOPS IN AWS
- DevOps on Cloud Native AWS
- AWS Threat Landscape
- DevSecOps in Cloud Native AWS
DEVSECOPS CHALLENGES AND ENABLERS
- Challenges with DevSecOps
- Building DevSecOps Culture
- Security Champions
- Case Studies
- Where do we Begin?
- DevSecOps Maturity Model
Prerequisites
Who Should Take This Class?
DevOps engineers, security and solutions architects, and system administrators will strongly benefit from this
course as it will give you a holistic approach towards application security.
If you have a background in IT or in software development, whether as a developer or a manager, you can
attend this course to gain an insight into DevOps and DevSecOps.
You will need:
You should bring a laptop with a minimum of 12 GB RAM and 40 GB of extra space, and you should have administrator
privileges on it. To access our labs you'll need an unfiltered, direct connection to the internet. Our labs
will not be accessible from behind a proxy or a firewalled internet connection.
Course Information
You can download a copy of the course information below.
In addition you will also be provided with a student pack, handouts and cheat-sheets if appropriate.
Your Training Roadmap
Offensive Classes
Hacking training for all levels: new to advanced. Ideal for those preparing for certifications such as CREST
CCT (ICE), CREST CCT (ACE), CHECK (CTL), TIGER SST as well as infrastructure / web application penetration
testers wishing to add to their existing skill set.
Defensive Classes
Giving you the skills needed to get ahead and secure your business by design. We specialise in application
security (both secure coding and building security testing into your software development lifecycle) and cloud
security. Build security capability into your teams enabling you to move fast and stay secure.
Testimonials
"Marvellous training."
Delegate, DevSecOps Course
"Thank you team for a wonderful DevSecOps Course!"
Delegate, Nullcon 2021
"The tools presented are excellent. It was good that there had obviously been a lot of work done on
finding good tools for each piece of the course."
Delegate, AppSecOps Course
"Thank you @notsosecure and @nullcon for the extensive training on DevSecOps. Really engaging and a great
learning session. Worth mentioning the material and the hands-on lab. Kudos to the team and their hard
work for a smooth experience."
Delegate, Nullcon 2021
"Thanks NotSoSecure for such a great DevSecOps course!"
Delegate, CheckPoint - DevSecOps Course
"As the speed and frequency of releases increase, DevSecOps is a must to introduce security earlier in the
software development life cycle (SDLC). It is a key for DevOps teams to deliver secure applications with
speed and quality. Attended a 4 day training on DevSecOps - Automating Security in DevOps conducted by
NullCon. A big thanks to NotSoSecure | part of Claranet Cyber Security for conducting the insightful
sessions. Had a very enriching experience."
Delegate, Nullcon 2021