
Integrated DevSecOps


DevSecOps is the integration of security practices and principles into the DevOps process, with the aim of creating a more secure software development lifecycle. In this 2-day workshop, we cover tips and tricks for increasing the security of software delivery supply chains and existing infrastructure.


What's Inside

Day 1

  • Introduction to DevSecOps
      • Definition of DevSecOps; the role of security in DevOps
      • Introduction to threat modeling, attack surface, vulnerability and risk management
      • Overview of DevSecOps tools and practices
  • Software supply chain security
      • Definition and importance of supply chain security
      • Supply chain elements: software packages/updates, CI/CD pipelines, external vendors, SaaS vendors
      • Software vendor management, compliance and regulatory requirements, incident response and recovery
      • Threats and risk management in supply chain security
      • Practical exercise: conduct a supply chain risk assessment for a sample software product and develop a risk mitigation plan
      • Practical exercise: develop an incident response plan for a supply chain security incident
  • Software Bill of Materials (SBOM)
      • Definition and purpose of SBOM in supply chain security
      • Overview of SBOM formats (e.g. SPDX, CycloneDX)
      • SBOM generation tools (e.g. OWASP Dependency-Track)
      • Practical exercise: generate an SBOM for a sample software product using an SBOM generation tool and analyze it to identify potential security risks
  • SIEM and log management
      • Introduction to security information and event management (SIEM)
      • SIEM components and architecture
      • Types of logs and log management
      • Log analysis and correlation
      • Real-time monitoring and alerting
      • Overview of popular SIEM tools (e.g. Splunk, ELK, LogRhythm)
      • Practical exercise: install and configure a SIEM tool (ELK) and perform log analysis and correlation to identify potential security incidents
  • Container and Orchestrator Security
      • Overview of containers and containerization
      • Container security risks
      • Secure container deployment
      • Container orchestration security
      • Popular container security tools (e.g. Aqua, Sysdig, Twistlock)
      • Practical exercise: build and deploy a containerized application using a secure container platform (e.g. Docker, Kubernetes) and apply container security best practices

Day 2

  • Secret Management
      • Definition of secrets and their importance in security
      • Types of secrets (e.g. passwords, API keys, certificates)
      • Best practices for secret management (e.g. encryption, rotation, access control)
      • Secret management tools (e.g. HashiCorp Vault, AWS Secrets Manager)
      • Integration of secret management in CI/CD pipelines
      • Practical exercise: implement a simple secret management solution using a tool like HashiCorp Vault and integrate it into a CI/CD pipeline
  • Secure software development
      • Secure coding practices, secure software development lifecycle (SSDL) and threat modeling
      • Code scanners for security problems, integration of security scanners into CI/CD pipelines
      • Practical exercise: develop a sample application and apply secure coding practices, perform threat modeling, and integrate security testing in a CI/CD pipeline
  • OWASP
      • Overview of the OWASP Top Ten security threats
          • A1: Injection flaws
          • A2: Broken authentication and session management
          • A3: Cross-site scripting (XSS)
          • A4: Security misconfigurations
          • A5: Insecure direct object references
          • A6: Cross-site request forgery (CSRF)
          • A7: Using components with known vulnerabilities
          • A8: Insufficient logging and monitoring
          • Other security risks
      • Practical exercise: perform a hands-on assessment of a web application, identify and exploit at least one OWASP Top Ten vulnerability
  • Open-Source Security
      • Open-source software security risks
      • Vulnerability management in open-source software
      • Popular open-source security tools (e.g. OWASP Dependency-Check, SonarQube)
      • Practical exercise: perform a hands-on assessment of an open-source software package using an open-source vulnerability scanner (e.g. OWASP Dependency-Check) and integrate static code analysis using an open-source tool (e.g. SonarQube)
  • Version Control Security
      • Git commit signing and verification
      • Git permissions models
      • Practical exercise: configure Git commit signing with GPG and sign and verify Git commits

What You Get

Unique content - "real-life use cases, modern infrastructure, security principles shown in practice."

Certificate of attendance - "you will get a shareable online certificate."

Exam after the course - "you may pass an optional 1-hour exam and get your score printed on the certificate."

Workshop happens online - "join from the convenience of your office or home."

Video recordings will be available after the course - "you can revisit some topics later."

Live and interactive - "you can ask questions in the chat or over audio and get live clarifications."

Q&A session at the end of each day - "you will get answers to more complex questions in a 1-hour long Q&A session."

Quizzes and polls during the course - "learning should be fun!"

Practical exercises with solutions - "lots of simple and not-so-simple tasks to practice with during the course; solutions will be provided afterwards."

Additional homework - "for those who want to practice more after the course; homework will be reviewed and supplemented by constructive feedback."

Lifetime e-mail support - "you can get answers on anything related to the course content as well as advice based on your company-specific situation."

Andrey Adamovich

About the trainer

Andrey works as a freelance DevOps consultant, offering his expertise in implementing DevOps initiatives, selecting automation tooling, switching to infrastructure-as-code and immutable infrastructure, and constructing software delivery pipelines.


When Does it Happen

  • 28-29 February, 2024 (sold out)
  • 18-19 April, 2024
  • 12-13 September, 2024

Pricing

Individual

899 per attendee (discounted from 1199)

Team Player

799 per attendee when registering 3 or more (discounted from 1099)

Company

8500 per team of up to 20 attendees

VAT charges may apply.

All training courses are subject to the cancellation policy.
