workshop online

Integrated DevSecOps

Level: advanced | Duration: 2 days | Language: English

DevSecOps is the integration of security practices and principles into the DevOps process, with the aim of creating a more secure software development lifecycle. In this 2-day workshop, we will cover tips and tricks on how to increase security of software delivery supply chains and existing infrastructure.



Integrated DevSecOps Outline

1. Day 1

  • Introduction to DevSecOps
      ◦ Definition of DevSecOps; the role of security in DevOps
      ◦ Introduction to threat modeling, attack surface, vulnerability and risk management
      ◦ Overview of DevSecOps tools and practices
  • Software supply chain security
      ◦ Definition and importance of supply chain security
      ◦ Supply chain elements: software packages/updates, CI/CD pipelines, external vendors, SaaS vendors
      ◦ Software vendor management, compliance and regulatory requirements, incident response and recovery
      ◦ Threats to supply chain security and risk management
      ◦ Practical exercise: Conduct a supply chain risk assessment for a sample software product and develop a risk mitigation plan
      ◦ Practical exercise: Develop an incident response plan for a supply chain security incident
  • Software Bill of Materials (SBOM)
      ◦ Definition and purpose of SBOM in supply chain security
      ◦ Overview of SBOM formats (e.g. SPDX, CycloneDX)
      ◦ SBOM generation tools (e.g. OWASP Dependency-Track)
      ◦ Practical exercise: Generate an SBOM for a sample software product using an SBOM generation tool and analyze it to identify potential security risks.
  • SIEM and log management
      ◦ Introduction to security information and event management (SIEM)
      ◦ SIEM components and architecture
      ◦ Types of logs and log management
      ◦ Log analysis and correlation
      ◦ Real-time monitoring and alerting
      ◦ Overview of popular SIEM tools (e.g. Splunk, ELK, LogRhythm)
      ◦ Practical exercise: Install and configure a SIEM tool (ELK) and perform log analysis and correlation to identify potential security incidents.
  • Container and Orchestrator Security
      ◦ Overview of containers and containerization
      ◦ Container security risks
      ◦ Secure container deployment
      ◦ Container orchestration security
      ◦ Popular container security tools (e.g. Aqua, Sysdig, Twistlock)
      ◦ Practical exercise: Build and deploy a containerized application using a secure container platform (e.g. Docker, Kubernetes) and apply container security best practices.

2. Day 2

  • Secret Management
      ◦ Definition of secrets and their importance in security
      ◦ Types of secrets (e.g. passwords, API keys, certificates)
      ◦ Best practices for secret management (e.g. encryption, rotation, access control)
      ◦ Secret management tools (e.g. HashiCorp Vault, AWS Secrets Manager)
      ◦ Integration of secret management in CI/CD pipelines
      ◦ Practical exercise: Implement a simple secret management solution using a tool like HashiCorp Vault and integrate it into a CI/CD pipeline.
  • Secure software development
      ◦ Secure coding practices, secure software development lifecycle (SSDL) and threat modeling
      ◦ Code scanners for security problems, integration of security scanners into CI/CD pipelines
      ◦ Practical exercise: Develop a sample application and apply secure coding practices, perform threat modeling, and integrate security testing in a CI/CD pipeline.
  • OWASP
      ◦ Overview of the OWASP Top Ten security threats
      ◦ A1: Injection flaws
      ◦ A2: Broken authentication and session management
      ◦ A3: Cross-site scripting (XSS)
      ◦ A4: Security misconfigurations
      ◦ A5: Insecure direct object references
      ◦ A6: Cross-site request forgery (CSRF)
      ◦ A7: Using components with known vulnerabilities
      ◦ A8: Insufficient logging and monitoring
      ◦ Other security risks
      ◦ Practical exercise: Perform a hands-on assessment of a web application, identify and exploit at least one OWASP Top Ten vulnerability.
  • Open-Source Security
      ◦ Open-source software security risks
      ◦ Vulnerability management in open-source software
      ◦ Popular open-source security tools (e.g. OWASP Dependency-Check, SonarQube)
      ◦ Practical exercise: Perform a hands-on assessment of an open-source software package using an open-source vulnerability scanner (e.g. OWASP Dependency-Check) and integrate static code analysis using an open-source tool (e.g. SonarQube).
  • Version Control Security
      ◦ Git commit signing and verification
      ◦ Git permissions models
      ◦ Practical exercise: Configure Git commit signing with GPG and sign and verify Git commits.

What's Included

Unique content - real-life use cases, modern infrastructure, security principles shown in practice.
Certificate of attendance - you will get a shareable online certificate.
Exam after the course - you may pass an optional 1-hour exam and get your score printed on the certificate.
Workshop happens online - join from the convenience of your office or home.
Video recordings will be available after the course - you can revisit some topics later.
Live and interactive - you can ask questions in the chat or over audio and get live clarifications.
Q&A session at the end of each day - you will get answers to more complex questions in a 1-hour long Q&A session.
Quizzes and polls during the course - learning should be fun!
Practical exercises with solutions - lots of simple and not-so-simple tasks to practice with during the course; solutions will be provided afterwards.
Additional homework - for those who want to practice more after the course; homework will be reviewed and supplemented by constructive feedback.
Lifetime e-mail support - you can get answers on anything related to the course content as well as advice based on your company-specific situation.

Course Dates

Monday, October 6, 2025 - Tuesday, October 7, 2025, 09:00 (Sold Out)

Monday, June 8, 2026 - Tuesday, June 9, 2026, 09:00

Pricing

Individual: 1199€ 899€ per attendee

Team Player: 1099€ 799€ per attendee, when registering 3 and more

Company: 8500€ per team of up to 20 attendees
