Introduction to DevSecOps

Build Your Security Automation Framework, Automate Secure Code Inspection, Integrate with Testing Tools & More

TTDV8400

Intermediate

4 Days

Course Overview

Security automation is the automatic handling of software security assessments tasks. Introduction to DevSecOps is a comprehensive hands-on course designed to provide you with the skills needed to help you build your security automation framework to scan for vulnerabilities without human intervention. This course will teach you to adopt security automation techniques to continuously improve your entire software development and security testing, learning about and working with open source tools and techniques to integrate security testing tools directly into your CI/CD framework.  

Throughout this course, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, Rest API, privacy, infrastructure security, and web UI testing. With the help of practical examples, this course will teach you to implement the combination of automation and Security in DevOps. You will learn about the integration of security testing results for an overall security status for projects. By the end of this course, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.

Course Objectives

This course is approximately 50% hands-on, combining expert lecture, real-world demonstrations and group discussions with machine-based practical labs and exercises.  Our engaging instructors and mentors are highly experienced practitioners who bring years of current "on-the-job" experience into every classroom.  

Working in a hands-on learning environment led by our expert practitioner attendees will learn how to:

  • Secure and automate techniques to protect web, mobile or cloud services
  • Automate secure code inspection in C++, Java, Python, and JavaScript
  • Automate secure code inspection with open source tools and effective secure code scanning suggestions
  • Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
  • Integrate security testing tools such as OWASP ZAP, NMAP, SSLyze, SQLMap, and OpenSCAP
  • Integrate security testing with automation frameworks like fuzz, BDD, Selenium and Robot Framework
  • Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
  • Execute security testing of a Rest API Implement web application security with open source tools and script templates for CI/CD integration
  • Integrate various types of security testing tool results from a single project into one dashboard

Need different skills or topics?  If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate.  We offer additional DevSecOps, DevOps, Security, Testing, Programming and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This hands-on course is geared for attendees with Intermediate IT skills who wish to get guide to automating infrastructure security using DevOps and DevSecOps.

To be successful in this course, attendees should possess these skills:

  • Basic to Intermediate IT Skills.
  • Basic Python scripting skills. Attendees without a programming background like Python may view labs as follow along exercises or team with others to complete them.
  • Good foundational mathematics or logic skills
  • Basic Linux skills, including familiarity with command-line options such as ls, cd, cp, and su

Please see the Related Courses tab for specific Pre-Requisite courses, Related Courses that offer similar skills or topics, and next-step Learning Path recommendations.

Course Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We will work with you to tune this course and level of coverage to target the skills you need most.

The Scope and Challenges of Security Automation

  • The purposes and myths of security automation
  • The required skills and suggestions for security automation
  • General environment setup for coming labs

Integrating Security and Automation

  • The domains of automation testing and security testing
  • Automation frameworks and techniques
  • Automating existing security testing
  • Security testing with an existing automation framework

Secure Code Inspection

  • Case study – automating a secure code review
  • Secure coding patterns for inspection
  • Quick and simple secure code scanning tools
  • Case study – XXE security
  • Case study – deserialization security issue

Sensitive Information and Privacy Testing

  • The objective of sensitive information testing
  • Case study – weak encryption search
  • Case study – searching for a private key
  • Case study – website privacy inspection

Security API and Fuzz Testing

  • Automated security testing for every API release
  • Building your security API testing framework

 

  1. Web Application Security Testing
  • Case study – online shopping site for automated security inspection
  • Case 1 – web security testing using the ZAP REST API
  • Case 2 – full automation with CURL and the ZAP daemon
  • Case 3 – automated security testing for the user registration flow with Selenium

Android Security Testing

  • Android security review best practices
  • Secure source code review patterns for Android
  • Privacy and sensitive information review
  • General process of APK security analysis
  • Static secure code scanning with QARK
  • Automated security scanning with MobSF

Infrastructure Security

  • The scope of infrastructure security
  • Secure configuration best practices
  • Network security assessments with Nmap
  • CVE vulnerability scanning
  • HTTPS security check with SSLyze
  • Behavior-driven security automation – Gauntlt

BDD Acceptance Security Testing

  • Security testing communication
  • What is BDD security testing?
  • Adoption of Robot Framework with sqlmap
  • Testing framework – Robot Framework with ZAP

Project Background and Automation Approach

  • Case study – introduction and security objective
  • Selecting security and automation testing tools
  • Automated security testing frameworks
  • Environment and tool setup

Automated Testing for Web Applications

  • Case 1 – web security scanning with ZAP-CLI
  • Case 2 – web security testing with ZAP & Selenium
  • Case 3 – fuzz XSS and SQLi testing with JMeter

Automated Fuzz API Security Testing

  • Fuzz testing and data
  • API fuzz testing with Automation Frameworks

Automated Infrastructure Security

  • Scan For known JavaScript vulnerabilities
  • WebGoat with OWASP dependency check
  • Secure communication scan with SSLScan
  • NMAP security scan with BDD framework

Managing and Presenting Test Results

  • Managing and presenting test results
  • Approach 1 – integrate the tools with RapidScan
  • Approach 2 – generate a professional pentest report with Serpico
  • Approach 3 – security findings management DefectDojo

Summary of Automation Security Testing Tips

  • Automation testing framework
  • Secure code review
  • API security testing
  • Web security testing
  • Android security testing
  • Infrastructure security
  • BDD security testing by Robot Framework

Course Materials

Each student will receive a Student Guide with course notes, code samples, software tutorials, step-by-step written lab instructions, diagrams and related reference materials and links (as applicable). Students will also receive the project files (or code, if applicable) and solutions required for the hands-on work.

Lab Setup Made Simple.   All course labs and solutions, data sets, Tableau course software (limited version, for course use only), detailed courseware, lab guides and resources (as applicable) are provided for attendees in our easy access, no installation required, remote lab environment for the duration of the course. Our tech team will help set up, test and verify lab access for each attendee prior to the course start date, ensuring a smooth start to class and successful hands-on course experience for all participants. 

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

New Site, BIG Savings!
We're celebrating the launch of our lonnngggg awaited new site with with *50% off all 2021 Public Classes* booked by April 30!  Check out our Current Offers for Individuals, Teams and Organizations to Learn for Less!

See our latest Offers and Promotions

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course
Trivera MiniCamps
Gain the skills you need with less time in the classroom with our short course, live-online hands-on events
Trivera QuickSkills: Free Courses and Webinars
Training on us! Keep your skills current with free live events, courses & webinars
Trivera AfterCourse: Coaching and Support
Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More