Course Outline
1. Foundations of DevSecOps: Security by Design
🔍 Learn: Core DevSecOps principles & secure SDLC practices
🛠️ Demo: Comparative analysis of legacy versus modern secure pipelines
🔧 Lab: Construct your initial DevSecOps-enabled pipeline template
2. OWASP ZAP Security Testing Intensive
💣 Breach Simulation:
- Deploy a vulnerable application featuring SQLi & XSS vulnerabilities
- Utilize OWASP ZAP to identify and mitigate threats
⚙️ Defense Strategies:
- Automated scanning using ZAP
- CI/CD integration through the ZAP API
🧪 Lab: Customize ZAP baseline scans and attack rules
🎯 Challenge: "Locate the hidden admin panel within 10 minutes"
3. Dependency Challenges: Supply Chain Defense
💣 Breach Simulation:
- Inject a malicious npm package containing CVEs
🛡️ Defense Strategies:
- Monitor vulnerabilities using OWASP Dependency-Track
- Implement policy gates that halt builds upon detecting critical CVEs
🧪 Lab: Develop vulnerability policies & alert workflows
⚠️ Shocking Demo: "How a single compromised dependency can compromise your infrastructure"
4. Vulnerability Management Operations Center
💣 Breach Simulation:
- Exploit unpatched container vulnerabilities
🛡️ Defense Strategies:
- Centralize reporting with OWASP DefectDojo
- Scan containers using Trivy
🧪 Lab: Build real-time dashboards for CISO/executive reporting
🏁 Competition: "Triage 50 findings faster than your peers"
5. Secrets & Configuration Emergency Drill
💣 Breach Simulation:
- Exfiltrate secrets from Git history using truffleHog
🛡️ Defense Strategies:
- Implement pre-commit hooks to block patterns like
password=.* - Use ZAP’s configuration spider to reveal dangerous settings
🧪 Lab: Implement GitHub Actions secrets scanning
🚨 Reality Check: "Your database password is currently exposed in Slack"
6. Wrap-Up: DevSecOps Battle Plan
🧭 OWASP Integration Roadmap:
- Plan your DefectDojo, Dependency-Track, and ZAP adoption
📋 Personal Action Plan:
- Draft your 30-day security checklist
- Define your DevSecOps KPIs & reporting dashboards
Requirements
Basic software development and SDLC experience
Target Audience
DevOps, Security & Cloud Engineers who prefer practical skills over theoretical discussions
Testimonials (2)
Craig was extremely involved in the training, always making sure we are paying attention, adapted the examples to our day-to-day activities and always provided an answer when asked, even if the information was not added in the presentation.
Ecaterina Ioana Nicoale - BOOKING HOLDINGS ROMANIA SRL
Course - DevOps Foundation®
High level of commitment and knowledge of the trainer