Security automation is the automated handling of software security assessment tasks. Introduction to DevSecOps is a comprehensive hands-on course designed to give you the skills needed to build a security automation framework that scans for vulnerabilities without human intervention. This course will teach you to adopt security automation techniques that continuously improve your software development and security testing, working with open source tools and techniques to integrate security testing directly into your CI/CD pipeline.
Throughout this course, you will see how to implement security inspection at every layer: secure code inspection, fuzz testing, REST API testing, privacy testing, infrastructure security and web UI testing. With the help of practical examples, this course will teach you to combine automation and security in DevOps. You will learn how to integrate security testing results into an overall security status for a project. By the end of this course, you will be confident implementing security automation at every stage of your software development life cycle and will be able to build your own in-house security automation platform for your web, mobile and cloud releases.
This course is approximately 50% hands-on, combining expert lecture, real-world demonstrations and group discussions with machine-based practical labs and exercises. Our engaging instructors and mentors are highly experienced practitioners who bring years of current "on-the-job" experience into every classroom.
Working in a hands-on learning environment led by our expert practitioner, attendees will learn how to:
- Apply and automate techniques that protect web, mobile and cloud services
- Automate secure code inspection with open source tools and effective secure code scanning suggestions
- Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
- Integrate security testing tools such as OWASP ZAP, Nmap, SSLyze, sqlmap and OpenSCAP
- Integrate security testing with fuzzing tools and automation frameworks such as BDD, Selenium and Robot Framework
- Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
- Execute security testing of a REST API
- Implement web application security testing with open source tools and script templates for CI/CD integration
- Integrate various types of security testing tool results from a single project into one dashboard
Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer additional DevSecOps, DevOps, Security, Testing, Programming and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.
This hands-on course is geared for attendees with intermediate IT skills who want a practical guide to automating infrastructure security using DevOps and DevSecOps practices.
To be successful in this course, attendees should possess these skills:
- Basic to Intermediate IT Skills.
- Basic Python scripting skills. Attendees without a Python or similar programming background may treat the labs as follow-along exercises or pair with others to complete them.
- Good foundational mathematics or logic skills
- Basic Linux skills, including familiarity with command-line tools such as ls, cd, cp and su
Please see the Related Courses tab for specific Pre-Requisite courses, Related Courses that offer similar skills or topics, and next-step Learning Path recommendations.
Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We will work with you to tune this course and level of coverage to target the skills you need most.
The Scope and Challenges of Security Automation
- The purposes and myths of security automation
- The required skills and suggestions for security automation
- General environment setup for coming labs
Integrating Security and Automation
- The domains of automation testing and security testing
- Automation frameworks and techniques
- Automating existing security testing
- Security testing with an existing automation framework
Secure Code Inspection
- Case study – automating a secure code review
- Secure coding patterns for inspection
- Quick and simple secure code scanning tools
- Case study – XXE security
- Case study – deserialization security issue
Sensitive Information and Privacy Testing
- The objective of sensitive information testing
- Case study – weak encryption search
- Case study – searching for a private key
- Case study – website privacy inspection
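The "weak encryption search" and "searching for a private key" cases above come down to running a pattern set over a source tree and reporting file and line. The following is an added example of such a scanner, not course material: the rule set, the sample files and the paths in them are constructed for illustration, and the private key text is a truncated placeholder, not real key material.

```python
"""Minimal secret / weak-crypto scanner (added example, not course code).

The rules below are illustrative assumptions; extend them for your code base.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    excerpt: str

# (rule name, regex).  Deliberately simple so false positives are easy to reason about.
RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")),
    ("weak-hash", re.compile(r"\b(?:md5|sha1)\s*\(", re.IGNORECASE)),
    ("weak-cipher", re.compile(r"\b(?:DES|RC4|ARC4|Blowfish)\b")),
    ("ecb-mode", re.compile(r"MODE_ECB|/ECB/")),
    ("hardcoded-secret", re.compile(r"(?:password|passwd|secret|token)\s*=\s*['\"][^'\"]{4,}['\"]",
                                    re.IGNORECASE)),
]
SKIP_DIRS = {".git", "node_modules", "venv", "__pycache__"}

def scan_text(text: str, path: str) -> List[Finding]:
    """Apply every rule to every line; one finding per (line, rule) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, path, lineno, line.strip()[:80]))
    return findings

def scan_tree(root: Path) -> List[Finding]:
    """Walk a real directory, skipping VCS/dependency folders and binary files."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable; a production scanner would log this
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings

# Constructed sample "repository" so the scanner can be exercised offline.
SAMPLE_FILES: Dict[str, str] = {
    "app/config.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "s3cr3t-pass"\n',
    "deploy/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n"
                      "MIIEowIBAAKCAQEAplaceholder...truncated...\n"   # constructed, not a key
                      "-----END RSA PRIVATE KEY-----\n"),
    "app/crypto.py": ("import hashlib\n"
                      "from Crypto.Cipher import DES\n"
                      "cipher = DES.new(key, DES.MODE_ECB)\n"
                      "digest = hashlib.md5(data).hexdigest()\n"),
    "app/ok.py": "import hashlib\ndigest = hashlib.sha256(data).hexdigest()\n",
}

def scan_samples() -> List[Finding]:
    """Scan the constructed files; same code path as scan_tree minus the filesystem."""
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(text, path))
    return findings

if __name__ == "__main__":
    import sys
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f.rule:<17} {f.path}:{f.line}  {f.excerpt}")
    sys.exit(1 if results else 0)
```

Run it with a directory argument to scan a real checkout; with no argument it scans the constructed samples and exits non-zero, which is the behaviour you want from a CI gate. Expect noise from the hash and cipher rules on comments and test fixtures; a per-rule allowlist keyed by path is the usual next step.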
Security API and Fuzz Testing
- Automated security testing for every API release
- Building your security API testing framework
Web Application Security Testing
- Case study – online shopping site for automated security inspection
- Case 1 – web security testing using the ZAP REST API
- Case 2 – full automation with curl and the ZAP daemon
- Case 3 – automated security testing for the user registration flow with Selenium
Android Security Testing
- Android security review best practices
- Secure source code review patterns for Android
- Privacy and sensitive information review
- General process of APK security analysis
- Static secure code scanning with QARK
- Automated security scanning with MobSF
Infrastructure Security
- The scope of infrastructure security
- Secure configuration best practices
- Network security assessments with Nmap
- CVE vulnerability scanning
- HTTPS security check with SSLyze
- Behavior-driven security automation – Gauntlt
BDD Acceptance Security Testing
- Security testing communication
- What is BDD security testing?
- Adoption of Robot Framework with sqlmap
- Testing framework – Robot Framework with ZAP
Project Background and Automation Approach
- Case study – introduction and security objective
- Selecting security and automation testing tools
- Automated security testing frameworks
- Environment and tool setup
Automated Testing for Web Applications
- Case 1 – web security scanning with ZAP-CLI
- Case 2 – web security testing with ZAP & Selenium
- Case 3 – fuzz XSS and SQLi testing with JMeter
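Both the ZAP REST API and ZAP daemon cases in the Web Application Security Testing module and the ZAP cases in this project module follow the same sequence: start the spider, poll until it finishes, start the active scan, poll again, pull the alerts and decide whether the build passes. The script below is an added example of that sequence, not course code. The endpoint paths and the "risk" and "name" alert fields are ZAP's own JSON API; the target URL, the API key, the port and the canned responses used for the offline run are constructed placeholders.

```python
"""Drive the ZAP daemon via its JSON API and gate the build on alert risk.

Added example, not course code.  Target, API key and canned responses are placeholders.
"""
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def http_get_json(url: str) -> dict:
    """Default transport: GET and parse JSON (ZAP returns JSON under /JSON/...)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

class ZapClient:
    """Thin wrapper over ZAP's /JSON/<component>/<action|view>/<name>/ endpoints."""

    def __init__(self, base_url: str = "http://127.0.0.1:8080", api_key: str = "changeme",
                 fetch: Callable[[str], dict] = http_get_json, poll_seconds: float = 2.0):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.fetch = fetch            # injectable so the flow can be tested without a daemon
        self.poll_seconds = poll_seconds

    def _call(self, component: str, kind: str, name: str, **params) -> dict:
        params["apikey"] = self.api_key
        query = urllib.parse.urlencode(params)
        return self.fetch(f"{self.base_url}/JSON/{component}/{kind}/{name}/?{query}")

    def _wait(self, component: str, scan_id: str) -> None:
        # spider and ascan both expose view/status/ returning a percentage string "0".."100"
        while int(self._call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(self.poll_seconds)

    def spider(self, target: str) -> None:
        scan_id = self._call("spider", "action", "scan", url=target, recurse="true")["scan"]
        self._wait("spider", scan_id)

    def active_scan(self, target: str) -> None:
        scan_id = self._call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        self._wait("ascan", scan_id)

    def alerts(self, target: str) -> List[dict]:
        return self._call("core", "view", "alerts", baseurl=target, start="0", count="1000")["alerts"]

def failing_alerts(alerts: Iterable[dict], fail_at: str = "Medium") -> List[dict]:
    """Alerts at or above the configured risk level; these block the pipeline."""
    threshold = RISK_ORDER[fail_at]
    return [a for a in alerts if RISK_ORDER.get(a.get("risk", "Informational"), 0) >= threshold]

def scan_and_gate(client: ZapClient, target: str, fail_at: str = "Medium") -> List[dict]:
    client.spider(target)
    client.active_scan(target)
    return failing_alerts(client.alerts(target), fail_at)

# Constructed responses standing in for a live daemon; shapes mirror ZAP's replies.
CANNED = {
    "spider/action/scan": {"scan": "0"},
    "spider/view/status": {"status": "100"},
    "ascan/action/scan": {"scan": "1"},
    "ascan/view/status": {"status": "100"},
    "core/view/alerts": {"alerts": [
        {"risk": "High", "name": "SQL Injection", "url": "http://shop.test/search", "param": "q"},
        {"risk": "Medium", "name": "X-Frame-Options Header Not Set", "url": "http://shop.test/", "param": ""},
        {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "http://shop.test/login", "param": "session"},
    ]},
}

def fake_fetch(url: str) -> dict:
    """Map /JSON/<component>/<kind>/<name>/ to a canned reply."""
    parts = urllib.parse.urlsplit(url).path.strip("/").split("/")
    return CANNED["/".join(parts[1:4])]

def demo() -> List[dict]:
    client = ZapClient(fetch=fake_fetch, poll_seconds=0)
    return scan_and_gate(client, "http://shop.test", fail_at="Medium")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # real run: python zap_gate.py http://target  (ZAP_API_KEY in env)
        blocking = scan_and_gate(ZapClient(api_key=os.environ.get("ZAP_API_KEY", "")), sys.argv[1])
    else:
        blocking = demo()
    for a in blocking:
        print(f"{a['risk']:<7} {a['name']} at {a['url']} param={a['param']!r}")
    sys.exit(1 if blocking else 0)
```

The transport is injected rather than hard-wired so the gating logic can be unit tested in CI without a daemon, while the real run uses the same code against `ZAP_API_KEY` and a running ZAP. Polling on `view/status/` is what the curl version loops on too; the difference is only that the decision about which risk levels fail the build lives in one place.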
Automated Fuzz API Security Testing
- Fuzz testing and data
- API fuzz testing with Automation Frameworks
Automated Infrastructure Security
- WebGoat with OWASP dependency check
- Secure communication scan with SSLScan
- Nmap security scan with a BDD framework
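The Nmap items in the Infrastructure Security module and in this one, together with the Gauntlt item, share one idea: a scan result is only useful in a pipeline once it is turned into a pass/fail statement such as "only ports 22 and 443 may be open on this host". The script below is an added example of that step, not course or Gauntlt code: it parses Nmap's `-oX` output with the standard library and compares open ports against a per-host allowlist. The XML and the host address are constructed, not a real scan.

```python
"""Turn Nmap XML into a Given-When-Then style allowlist gate (added example).

SAMPLE_NMAP_XML and ALLOWED are constructed; run_nmap() performs a real scan.
"""
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class OpenPort:
    host: str
    proto: str
    port: int
    service: str

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.5" version="7.94">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_open_ports(xml_text: str) -> List[OpenPort]:
    """Extract (host, proto, port, service) for every open port on every host that is up."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            found.append(OpenPort(addr, port.get("protocol", ""), int(port.get("portid")),
                                  svc.get("name", "") if svc is not None else ""))
    return found

def policy_violations(xml_text: str, allowed: Dict[str, Set[int]],
                      default: Set[int] = frozenset()) -> List[str]:
    """Given a scan result, when a port is open, then it must be on that host's allowlist."""
    problems = []
    for p in parse_open_ports(xml_text):
        if p.port not in allowed.get(p.host, default):
            problems.append(f"{p.host} {p.proto}/{p.port} ({p.service or 'unknown'}) is open but not allowed")
    return problems

def run_nmap(target: str) -> str:
    """Real scan: needs nmap on PATH and authorisation to scan the target."""
    return subprocess.run(["nmap", "-sV", "-oX", "-", target],
                          check=True, capture_output=True, text=True).stdout

# Constructed policy: which ports each host is expected to expose.
ALLOWED: Dict[str, Set[int]] = {"10.0.0.5": {22, 80, 443}}

if __name__ == "__main__":
    import sys
    xml_text = run_nmap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    problems = policy_violations(xml_text, ALLOWED)
    for line in problems:
        print("FAIL:", line)
    print("PASS: all open ports are allowlisted" if not problems else f"{len(problems)} violation(s)")
    sys.exit(1 if problems else 0)
```

Hosts absent from `ALLOWED` fall back to an empty set, so any open port on an unexpected host fails the check; that is the safer default for a gate. Closed and filtered ports are ignored on purpose, since only `open` is a finding here.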
Managing and Presenting Test Results
- Approach 1 – integrate the tools with RapidScan
- Approach 2 – generate a professional pentest report with Serpico
- Approach 3 – security findings management with DefectDojo
Summary of Automation Security Testing Tips
- Automation testing framework
- Secure code review
- API security testing
- Web security testing
- Android security testing
- Infrastructure security
- BDD security testing by Robot Framework
Each student will receive a Student Guide with course notes, code samples, software tutorials, step-by-step written lab instructions, diagrams and related reference materials and links (as applicable). Students will also receive the project files (or code, if applicable) and solutions required for the hands-on work.
Lab Setup Made Simple. All course labs and solutions, data sets, course software (limited versions, for course use only), detailed courseware, lab guides and resources (as applicable) are provided for attendees in our easy-access, no-installation-required, remote lab environment for the duration of the course. Our tech team will help set up, test and verify lab access for each attendee prior to the course start date, ensuring a smooth start to class and a successful hands-on course experience for all participants.