The shift to DevSecOps has become essential as organizations prioritize secure software delivery without sacrificing speed. Integrating security practices into the DevOps workflow is critical to reducing vulnerabilities early in the development lifecycle, ensuring compliance, and managing risk proactively.
This live DevSecOps course teaches technical leaders and teams how to implement a robust DevSecOps pipeline. Covering core tools and practices like OWASP guidelines, Snyk, SonarQube, and ZAP, as well as testing methods such as SAST, DAST, and IAST, this course prepares participants to secure applications effectively from code to deployment.
Skills Gained
- Identify and remediate common vulnerabilities early through secure coding practices aligned with the OWASP Top 10
- Implement Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) using tools like SonarQube and OWASP ZAP
- Automate vulnerability detection and software composition analysis (SCA) in CI/CD workflows with Snyk
- Understand and apply Interactive Application Security Testing (IAST) for continuous, runtime security monitoring
- Design and deploy an automated, end-to-end security pipeline that enforces compliance and drives a continuous improvement approach to application security
Prerequisites
All attendees must have:
- Familiarity with CI/CD and version control (e.g., Git with GitHub or GitLab).
- Proficiency in a programming language (e.g., JavaScript or Python).
- Experience with application deployment and containerization (helpful but not required).
Materials
All DevSecOps training attendees receive comprehensive courseware.
Software Needed on Each Student PC
Attendees will not need to install any software on their computers for this class. The class will be conducted in a remote environment that Accelebrate will provide; students will only need a local computer with a web browser and a stable Internet connection. Any recent version of Microsoft Edge, Mozilla Firefox, or Google Chrome will work well.
Introduction to DevSecOps
Understanding DevSecOps Principles and Culture
- DevOps vs. DevSecOps: Shifting Security Left
- Integrating Security into CI/CD pipelines
- The DevSecOps toolchain and ecosystem
Overview of Key DevSecOps Tools and Frameworks
- Introduction to OWASP and Top 10 vulnerabilities
- Overview of Snyk, SonarQube, ZAP, and other essential tools
Static Application Security Testing (SAST)
What is SAST?
- Differences between SAST, DAST, and IAST
- Integrating SAST into CI/CD pipelines
SAST Tools
- Setting up and configuring SonarQube for code quality and security
- Using Snyk for static analysis of open-source vulnerabilities
Coding for Security
Secure Coding Best Practices
- Common coding vulnerabilities and how to avoid them
- OWASP Top 10 and real-world examples
- Introduction to OWASP Secure Coding Practices
Dynamic Application Security Testing (DAST)
What is DAST?
- Overview of Dynamic Analysis and how it complements SAST
- Introduction to OWASP ZAP as a DAST tool
ZAP
- Setting up ZAP for automated scans
- Exploring ZAP’s Spidering, Active Scanning, and Fuzzing functionalities
Vulnerability Scanning and Software Composition Analysis (SCA)
What is SCA, and what is its role in DevSecOps?
- Introduction to software composition analysis (SCA) for open-source dependencies
- Snyk for SCA
Snyk for Vulnerability Scanning
- Identifying and remediating vulnerabilities in dependencies
- Integrating Snyk with CI/CD and setting up real-time monitoring
Security Policy and Compliance
Creating Security Policies and Compliance Checks
- Defining security policies based on OWASP and NIST guidelines
- Configuring SonarQube quality gates for compliance enforcement
Interactive Application Security Testing (IAST)
Introduction to IAST
- How IAST differs from SAST and DAST, and its benefits in a DevSecOps context
- IAST tools overview (e.g., Contrast Security, Veracode, or AppScan)
IAST Tools
- Setting up an IAST environment and testing applications
- Integrating IAST into CI/CD pipelines for continuous monitoring
Security Orchestration and Automation
Security Automation in DevSecOps
- Using Jenkins, GitHub Actions, or GitLab CI for automated security testing
- Orchestrating SAST, DAST, SCA, and IAST in a unified pipeline
Automating Response and Reporting
- Creating alerts and reports for vulnerabilities
- Using security orchestration tools (e.g., XSOAR)
Threat Modeling and Continuous Improvement
Introduction to Threat Modeling
- Overview of threat modeling and its role in DevSecOps
- Using OWASP Threat Dragon
Implementing SAST in a CI/CD Pipeline
- Integrating SonarQube and Snyk with GitHub or GitLab CI/CD
- Analyzing and interpreting results; remediation strategies for common vulnerabilities
Refactoring Code for Security
- Identifying vulnerabilities using SAST results
- Hands-on refactoring exercises to remediate security issues
Integrating ZAP into CI/CD Pipelines
- Configuring automated ZAP scans within a CI/CD pipeline
- Reviewing ZAP reports and interpreting scan results
Analyzing Open-Source Dependencies
- Reviewing and resolving dependency vulnerabilities using Snyk
Compliance Automation
- Setting up SonarQube quality gates and Snyk policies in the pipeline
- Using compliance results to enforce security requirements
Running and Interpreting IAST Results
- Reviewing vulnerabilities identified by IAST
- Discussion on remediation approaches and CI/CD integration
Building an Automated Security Pipeline
- Designing a pipeline with integrated SAST, DAST, SCA, and IAST scans
- Generating automated reports and triggering notifications on findings
Threat Modeling
- Identifying potential threats and mitigations for a sample application
- Incorporating threat modeling insights into DevSecOps practices
Conclusion