Course Outline
1. DevSecOps Foundations: Integrating Security from the Start
🔍 Learn: Fundamental DevSecOps principles and secure SDLC practices
🛠️ Demo: Comparing legacy pipelines against modern secure architectures
🔧 Lab: Constructing your initial DevSecOps-enabled pipeline template
2. OWASP ZAP Security Testing Intensive
💣 Breach Simulation:
- Deploy an application with intentional SQLi and XSS vulnerabilities
- Utilize OWASP ZAP to identify and neutralize threats
⚙️ Defense Tactics:
- Automated scanning using ZAP
- Integrating ZAP API into CI/CD workflows
🧪 Lab: Customizing ZAP baseline scans and attack rules
🎯 Challenge: "Locate the hidden admin panel within 10 minutes"
3. Dependency Management: Securing the Supply Chain
💣 Breach Simulation:
- Introduce a malicious npm package containing CVEs
🛡️ Defense Tactics:
- Track vulnerabilities using OWASP Dependency-Track
- Implement policy gates that halt builds upon detecting critical CVEs
🧪 Lab: Establishing vulnerability policies and alert workflows
⚠️ Shocking Demo: "How a single flawed dependency can compromise your infrastructure"
4. Vulnerability Management Command Center
💣 Breach Simulation:
- Exploit unpatched container vulnerabilities
🛡️ Defense Tactics:
- Centralize reporting using OWASP DefectDojo
- Scan containers with Trivy
🧪 Lab: Creating executive-level dashboards for CISO reporting
🏁 Competition: "Triage 50 findings faster than your peers"
5. Secrets & Configuration Emergency Response
💣 Breach Simulation:
- Extract secrets from Git history using truffleHog
🛡️ Defense Tactics:
- Deploy pre-commit hooks to block patterns like password=.*
- Use ZAP’s config spider to identify risky settings
🧪 Lab: Implementing GitHub Actions for secrets scanning
🚨 Reality Check: "Your database password is currently exposed in Slack"
6. Conclusion: Your DevSecOps Battle Plan
🧭 OWASP Integration Roadmap:
- Strategize the adoption of DefectDojo, Dependency-Track, and ZAP
📋 Personal Action Plan:
- Develop a 30-day security checklist
- Define your DevSecOps KPIs and reporting dashboards
Requirements
Basic knowledge of software development and the Software Development Life Cycle (SDLC)
Target Audience
DevOps, Security, and Cloud Engineers who dislike theoretical security lectures
Testimonials (2)
Craig was extremely involved in the training, always making sure we are paying attention, adapted the examples to our day-to-day activities and always provided an answer when asked, even if the information was not added in the presentation.
Ecaterina Ioana Nicoale - BOOKING HOLDINGS ROMANIA SRL
Course - DevOps Foundation®
High level of commitment and knowledge of the trainer