Course Catalog  > DevOps and CI/CD
WA3619

Fundamentals of DevSecOps Training

This DevSecOps course teaches technical leaders and teams how to implement a robust DevSecOps pipeline. Covering core tools and practices like OWASP guidelines, Snyk, SonarQube, and ZAP, as well as testing methods such as SAST, DAST, and IAST, this course prepares participants to secure applications effectively from code to deployment.

Request Information
Request On-Site or Customized Course Info

The shift to DevSecOps has become essential as organizations prioritize secure software delivery without sacrificing speed. Integrating security practices into the DevOps workflow is critical to reducing vulnerabilities early in the development lifecycle, ensuring compliance, and managing risk proactively.

Course Details

Duration

2 days

Prerequisites

  • Familiarity with CI/CD and version control (e.g., Git and GitHub or GitLab)
  • Proficiency in programming (e.g., JavaScript, Python)
  • Experience with application deployment and containerization is helpful but not required

Skills Gained

  • Identify and remediate common vulnerabilities early through secure coding practices aligned with the OWASP Top 10
  • Implement Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) using tools like SonarQube and OWASP ZAP
  • Automate vulnerability detection and software composition analysis (SCA) in CI/CD workflows with Snyk
  • Understand and apply Interactive Application Security Testing (IAST) for continuous, runtime security monitoring
  • Design and deploy an automated, end-to-end security pipeline that enforces compliance and drives a continuous improvement approach to application security
Course Outline
  • Introduction to DevSecOps
    • Understanding DevSecOps Principles and Culture
      • DevOps vs. DevSecOps: Shifting Security Left
      • Integrating Security into CI/CD pipelines
      • The DevSecOps toolchain and ecosystem
    • Overview of Key DevSecOps Tools and Frameworks
      • Introduction to OWASP and Top 10 vulnerabilities
      • Overview of Snyk, SonarQube, ZAP, and other essential tools
  • Static Application Security Testing (SAST)
    • What is SAST?
      • Difference between SAST, DAST, and IAST
      • Integrating SAST into CI/CD pipelines
    • SAST Tools
      • Setting up and configuring SonarQube for code quality and security
      • Using Snyk for static analysis of open-source vulnerabilities
  • Coding for Security
    • Secure Coding Best Practices
      • Common coding vulnerabilities and how to avoid them
      • OWASP Top 10 and real-world examples
      • Introduction to OWASP Secure Coding Practices
  • Dynamic Application Security Testing (DAST)
    • What is DAST?
      • Overview of Dynamic Analysis and how it complements SAST
      • Introduction to OWASP ZAP as a DAST tool
    • ZAP
      • Setting up ZAP for automated scans
      • Exploring ZAP’s Spidering, Active Scanning, and Fuzzing functionalities
  • Vulnerability Scanning and Software Composition Analysis (SCA)
    • What is SCA and its Role in DevSecOps?
      • Introduction to software composition analysis (SCA) for open-source dependencies
      • Snyk for SCA
    • Snyk for Vulnerability Scanning
      • Identifying and remediating vulnerabilities in dependencies
      • Integrating Snyk with CI/CD and setting up real-time monitoring
  • Security Policy and Compliance
    • Creating Security Policies and Compliance Checks
      • Defining security policies based on OWASP and NIST guidelines
      • Configuring SonarQube quality gates for compliance enforcement
  • Interactive Application Security Testing (IAST)
    • Introduction to IAST
      • How IAST differs from SAST and DAST, benefits in a DevSecOps context
      • IAST tools overview (e.g., Contrast Security, Veracode, or AppScan)
    • IAST Tools
      • Setting up an IAST environment and testing applications
      • Integrating IAST into CI/CD pipelines for continuous monitoring
  • Security Orchestration and Automation
    • Security Automation in DevSecOps
      • Using Jenkins, GitHub Actions, or GitLab CI for automated security testing
      • Orchestrating SAST, DAST, SCA, and IAST in a unified pipeline
    • Automating Response and Reporting
      • Creating alerts and reports for vulnerabilities
      • Using security orchestration tools (e.g., XSOAR)
  • Threat Modeling and Continuous Improvement
    • Introduction to Threat Modeling
      • Overview of threat modeling and its role in DevSecOps
      • Using OWASP Threat Dragon
  • Implementing SAST in a CI/CD Pipeline
    • Integrating SonarQube and Snyk with GitHub or GitLab CI/CD
    • Analyzing and interpreting results: Remediation strategies for common vulnerabilities
  • Refactoring Code for Security
    • Identifying vulnerabilities using SAST results
    • Hands-on refactoring exercises to remediate security issues
  • Integrating ZAP into CI/CD Pipelines
    • Configuring automated ZAP scans within a CI/CD pipeline
    • Reviewing ZAP reports and interpreting scan results
  • Analyzing Open-Source Dependencies
    • Reviewing and resolving dependency vulnerabilities using Snyk
  • Compliance Automation
    • Setting up SonarQube quality gates and Snyk policies in the pipeline
    • Using compliance results to enforce security requirements
  • Running and Interpreting IAST Results
    • Reviewing vulnerabilities identified by IAST
    • Discussion on remediation approaches and CI/CD integration
    • Building an Automated Security Pipeline
    • Designing a pipeline with integrated SAST, DAST, SCA, and IAST scans
    • Generating automated reports and triggering notifications on findings
  • Threat Modeling
    • Identifying potential threats and mitigations for a sample application
    • Incorporating threat modeling insights into DevSecOps practices