Fundamentals of DevSecOps

Course Code WA3619
Duration 2 days
Available Formats Classroom

The shift to DevSecOps has become essential as organizations prioritize secure software delivery without sacrificing speed. Integrating security practices into the DevOps workflow is critical to reducing vulnerabilities early in the development lifecycle, ensuring compliance, and managing risk proactively. This live DevSecOps course teaches technical leaders and teams how to implement a robust DevSecOps pipeline. Covering core tools and practices like OWASP guidelines, Snyk, SonarQube, and ZAP, as well as testing methods such as SAST, DAST, and IAST, this course prepares participants to secure applications effectively from code to deployment.

Skills Gained

  • Identify and remediate common vulnerabilities early through secure coding practices aligned with the OWASP Top 10
  • Implement Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) using tools like SonarQube and OWASP ZAP
  • Automate vulnerability detection and software composition analysis (SCA) in CI/CD workflows with Snyk
  • Understand and apply Interactive Application Security Testing (IAST) for continuous, runtime security monitoring
  • Design and deploy an automated, end-to-end security pipeline that enforces compliance and drives a continuous improvement approach to application security

Prerequisites

All attendees must have:

  • Familiarity with CI/CD and version control (e.g., Git and GitHub or GitLab).
  • Proficiency in programming (e.g., JavaScript, Python).
  • Experience with application deployment and containerization is helpful but not required.

Course Details

Materials

All DevSecOps training attendees receive comprehensive courseware.

Software Needed on Each Student PC

Attendees will not need to install any software on their computers for this class. The class will be conducted in a remote environment that Accelebrate will provide; students will only need a local computer with a web browser and a stable Internet connection. Any recent version of Microsoft Edge, Mozilla Firefox, or Google Chrome will work well.

Introduction to DevSecOps

Understanding DevSecOps Principles and Culture

  • DevOps vs. DevSecOps: Shifting Security Left
  • Integrating Security into CI/CD pipelines
  • The DevSecOps toolchain and ecosystem

Overview of Key DevSecOps Tools and Frameworks

  • Introduction to OWASP and Top 10 vulnerabilities
  • Overview of Snyk, SonarQube, ZAP, and other essential tools

Static Application Security Testing (SAST)

What is SAST?

  • Difference between SAST, DAST, and IAST
  • Integrating SAST into CI/CD pipelines

SAST Tools

  • Setting up and configuring SonarQube for code quality and security
  • Using Snyk for static analysis of open-source vulnerabilities

Coding for Security

Secure Coding Best Practices

  • Common coding vulnerabilities and how to avoid them
  • OWASP Top 10 and real-world examples
  • Introduction to OWASP Secure Coding Practices

Dynamic Application Security Testing (DAST)

What is DAST?

  • Overview of Dynamic Analysis and how it complements SAST
  • Introduction to OWASP ZAP as a DAST tool

ZAP

  • Setting up ZAP for automated scans
  • Exploring ZAP’s Spidering, Active Scanning, and Fuzzing functionalities

Vulnerability Scanning and Software Composition Analysis (SCA)

What is SCA and What is its Role in DevSecOps?

  • Introduction to software composition analysis (SCA) for open-source dependencies
  • Snyk for SCA

Snyk for Vulnerability Scanning

  • Identifying and remediating vulnerabilities in dependencies
  • Integrating Snyk with CI/CD and setting up real-time monitoring

Security Policy and Compliance

Creating Security Policies and Compliance Checks

  • Defining security policies based on OWASP and NIST guidelines
  • Configuring SonarQube quality gates for compliance enforcement

Interactive Application Security Testing (IAST)

Introduction to IAST

  • How IAST differs from SAST and DAST, and its benefits in a DevSecOps context
  • IAST tools overview (e.g., Contrast Security, Veracode, or AppScan)

IAST Tools

  • Setting up an IAST environment and testing applications
  • Integrating IAST into CI/CD pipelines for continuous monitoring

Security Orchestration and Automation

Security Automation in DevSecOps

  • Using Jenkins, GitHub Actions, or GitLab CI for automated security testing
  • Orchestrating SAST, DAST, SCA, and IAST in a unified pipeline

Automating Response and Reporting

  • Creating alerts and reports for vulnerabilities
  • Using security orchestration tools (e.g., XSOAR)

Threat Modeling and Continuous Improvement

Introduction to Threat Modeling

  • Overview of threat modeling and its role in DevSecOps
  • Using OWASP Threat Dragon

Implementing SAST in a CI/CD Pipeline

  • Integrating SonarQube and Snyk with GitHub or GitLab CI/CD
  • Analyzing and interpreting results: Remediation strategies for common vulnerabilities

Refactoring Code for Security

  • Identifying vulnerabilities using SAST results
  • Hands-on refactoring exercises to remediate security issues

Integrating ZAP into CI/CD Pipelines

  • Configuring automated ZAP scans within a CI/CD pipeline
  • Reviewing ZAP reports and interpreting scan results

Analyzing Open-Source Dependencies

  • Reviewing and resolving dependency vulnerabilities using Snyk

Compliance Automation

  • Setting up SonarQube quality gates and Snyk policies in the pipeline
  • Using compliance results to enforce security requirements

Running and Interpreting IAST Results

  • Reviewing vulnerabilities identified by IAST
  • Discussion on remediation approaches and CI/CD integration

Building an Automated Security Pipeline

  • Designing a pipeline with integrated SAST, DAST, SCA, and IAST scans
  • Generating automated reports and triggering notifications on findings

Threat Modeling

  • Identifying potential threats and mitigations for a sample application
  • Incorporating threat modeling insights into DevSecOps practices

Conclusion