Introduction to DevSecOps

Build Your Security Automation Framework, Automate Secure Code Inspection, Integrate with Testing Tools & More

Course Code: TTDV8400

Skill Level: Intermediate

Duration: 4 Days

Course Overview

Security automation is the automatic handling of software security assessments tasks. Introduction to DevSecOps is a comprehensive hands-on course designed to provide you with the skills needed to help you build your security automation framework to scan for vulnerabilities without human intervention. This course will teach you to adopt security automation techniques to continuously improve your entire software development and security testing, learning about and working with open source tools and techniques to integrate security testing tools directly into your CI/CD framework.

Throughout this course, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, Rest API, privacy, infrastructure security, and web UI testing. With the help of practical examples, this course will teach you to implement the combination of automation and Security in DevOps. You will learn about the integration of security testing results for an overall security status for projects. By the end of this course, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.

Course Objectives

This course is approximately 50% hands-on, combining expert lecture, real-world demonstrations and group discussions with machine-based practical labs and exercises. Our engaging instructors and mentors are highly experienced practitioners who bring years of current "on-the-job" experience into every classroom.

Working in a hands-on learning environment led by our expert practitioner attendees will learn how to:

Secure and automate techniques to protect web, mobile or cloud services
Automate secure code inspection in C++, Java, Python, and JavaScript
Automate secure code inspection with open source tools and effective secure code scanning suggestions
Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
Integrate security testing tools such as OWASP ZAP, NMAP, SSLyze, SQLMap, and OpenSCAP
Integrate security testing with automation frameworks like fuzz, BDD, Selenium and Robot Framework
Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
Execute security testing of a Rest API Implement web application security with open source tools and script templates for CI/CD integration
Integrate various types of security testing tool results from a single project into one dashboard

Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer additional DevSecOps, DevOps, Security, Testing, Programming and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This hands-on course is geared for attendees with Intermediate IT skills who wish to get guide to automating infrastructure security using DevOps and DevSecOps.

To be successful in this course, attendees should possess these skills:

Basic to Intermediate IT Skills.
Basic Python scripting skills. Attendees without a programming background like Python may view labs as follow along exercises or team with others to complete them.
Good foundational mathematics or logic skills
Basic Linux skills, including familiarity with command-line options such as ls, cd, cp, and su

Please see the Related Courses tab for specific Pre-Requisite courses, Related Courses that offer similar skills or topics, and next-step Learning Path recommendations.

Course Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We will work with you to tune this course and level of coverage to target the skills you need most.

The Scope and Challenges of Security Automation

The purposes and myths of security automation
The required skills and suggestions for security automation
General environment setup for coming labs

Integrating Security and Automation

The domains of automation testing and security testing
Automation frameworks and techniques
Automating existing security testing
Security testing with an existing automation framework

Secure Code Inspection

Case study – automating a secure code review
Secure coding patterns for inspection
Quick and simple secure code scanning tools
Case study – XXE security
Case study – deserialization security issue

Sensitive Information and Privacy Testing

The objective of sensitive information testing
Case study – weak encryption search
Case study – searching for a private key
Case study – website privacy inspection

Security API and Fuzz Testing

Automated security testing for every API release
Building your security API testing framework

Web Application Security Testing

Case study – online shopping site for automated security inspection
Case 1 – web security testing using the ZAP REST API
Case 2 – full automation with CURL and the ZAP daemon
Case 3 – automated security testing for the user registration flow with Selenium

Android Security Testing

Android security review best practices
Secure source code review patterns for Android
Privacy and sensitive information review
General process of APK security analysis
Static secure code scanning with QARK
Automated security scanning with MobSF

Infrastructure Security

The scope of infrastructure security
Secure configuration best practices
Network security assessments with Nmap
CVE vulnerability scanning
HTTPS security check with SSLyze
Behavior-driven security automation – Gauntlt

BDD Acceptance Security Testing

Security testing communication
What is BDD security testing?
Adoption of Robot Framework with sqlmap
Testing framework – Robot Framework with ZAP

Project Background and Automation Approach

Case study – introduction and security objective
Selecting security and automation testing tools
Automated security testing frameworks
Environment and tool setup

Automated Testing for Web Applications

Case 1 – web security scanning with ZAP-CLI
Case 2 – web security testing with ZAP & Selenium
Case 3 – fuzz XSS and SQLi testing with JMeter

Automated Fuzz API Security Testing

Fuzz testing and data
API fuzz testing with Automation Frameworks

Automated Infrastructure Security

Scan For known JavaScript vulnerabilities
WebGoat with OWASP dependency check
Secure communication scan with SSLScan
NMAP security scan with BDD framework

Managing and Presenting Test Results

Managing and presenting test results
Approach 1 – integrate the tools with RapidScan
Approach 2 – generate a professional pentest report with Serpico
Approach 3 – security findings management DefectDojo

Summary of Automation Security Testing Tips

Automation testing framework
Secure code review
API security testing
Web security testing
Android security testing
Infrastructure security
BDD security testing by Robot Framework

Course Materials

Each student will receive a Student Guide with course notes, code samples, software tutorials, step-by-step written lab instructions, diagrams and related reference materials and links (as applicable). Students will also receive the project files (or code, if applicable) and solutions required for the hands-on work.

Lab Setup Made Simple. All course labs and solutions, data sets, Tableau course software (limited version, for course use only), detailed courseware, lab guides and resources (as applicable) are provided for attendees in our easy access, no installation required, remote lab environment for the duration of the course. Our tech team will help set up, test and verify lab access for each attendee prior to the course start date, ensuring a smooth start to class and successful hands-on course experience for all participants.

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

Mix, Match & Master!
2FOR1: Two Courses, One Price!
Enroll in *any* two public courses (for 2023 *OR* 2024 dates!) by December 31, for one price! Learn something new, or share the promo!

Click for Details & Additional Offers

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course

Gain the skills you need with less time in the classroom with our short course, live-online hands-on events

Trivera QuickSkills: Free Courses and Webinars

Training on us! Keep your skills current with free live events, courses & webinars

Trivera AfterCourse: Coaching and Support

Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

The instructor was clearly knowledgeable about Java and programming in general. He was very attentive to every student's individual needs and constantly encouraged questions, concerns, student issues to be raised and addressed each one thoroughly.

Mark M

Instructor was beyond phenomenal. He had an in depth knowledge of the course material and always ensured that everyone understood what was being discussed. I really enjoyed the mix of theory and practical examples of each part of the course.

Cillian M

Great job overall. Great communicator and explained complex concepts in a simple, easier to understand format.

Jeremy G

A very good balance of teaching time to lab time. I've done other courses that I found to be much lighter on content and heavy on labs to waste time. This was a refreshing change of pace.

Adam G

Both the instructor and the course material were very thorough - the course material has many helpful references - the labs were well laid out, making it easy to learn from and get done on time

Steve C.

First time in my life I have attended remote class and I find it great. Personally I don't feel there is any area which require improvement!

Rishi M

Excellent detail about the Spring framework which directly relates to my role as a senior engineer. I found the content and style to be very enjoyable, and would encourage me to ask questions where previously I might not have paid much attention, eg. pom version numbers / spring starters being imported. The focus on the different styles of unit testing was also excellent and I would plan to incorporate in day to day work.

Edward K

Excellent training. Even though it was online, I did not have any issues understanding or getting the answers for the questions I had. The lab exercises are interesting to apply what was learnt. Overall very good training. Thank you!

Anitha

Best programming class I've ever been in, head and shoulders above any thing I took in college as part of a computer science degree. The instructor was thorough and very detailed, he was very good abut explaining all possible scenarios a situation would apply to. The way the albs were structured and the class was conducted was very good for interaction and hand on learning.

Danish J

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More