Course Outline
1. DevSecOps Essentials: Secure by Design
🔍 Learn: Fundamental DevSecOps principles and secure SDLC practices
🛠️ Demo: Side-by-side comparison of legacy versus modern secure pipelines
🔧 Lab: Construct your initial DevSecOps-enabled pipeline template
2. OWASP ZAP Security Testing Intensive
💣 Breach Simulation:
- Deploy a vulnerable application featuring SQLi and XSS
- Utilize OWASP ZAP to identify and mitigate threats
⚙️ Defense Tactics:
- Automated scanning using ZAP
- CI/CD integration through the ZAP API
🧪 Lab: Customize ZAP baseline scans and attack rules
🎯 Challenge: "Locate the hidden admin panel within 10 minutes"
3. Supply Chain Defense: Tackling Dependency Issues
💣 Breach Simulation:
- Inject a malicious npm package containing CVEs
🛡️ Defense Tactics:
- Monitor vulnerabilities using OWASP Dependency-Track
- Implement policy gates that halt builds upon detecting critical CVEs
🧪 Lab: Establish vulnerability policies and alert workflows
⚠️ Shocking Demo: "How a single compromised dependency can compromise your infrastructure"
4. Vulnerability Management War Room
💣 Breach Simulation:
- Exploit unpatched container vulnerabilities
🛡️ Defense Tactics:
- Centralize reporting with OWASP DefectDojo
- Scan containers using Trivy
🧪 Lab: Build real-time dashboards for CISO and executive reporting
🏁 Competition: "Triage 50 findings faster than your competitors"
5. Secrets & Configuration Crisis Drill
💣 Breach Simulation:
- Extract secrets from Git history using truffleHog
🛡️ Defense Tactics:
- Implement pre-commit hooks to block patterns such as
password=.* - Leverage ZAP’s configuration spider to uncover dangerous settings
🧪 Lab: Implement GitHub Actions secret scanning
🚨 Reality Check: "Your database password is currently exposed in Slack"
6. Conclusion: Developing Your DevSecOps Battle Plan
🧭 OWASP Integration Roadmap:
- Plan your adoption strategy for DefectDojo, Dependency-Track, and ZAP
📋 Personal Action Plan:
- Draft your 30-day security checklist
- Define your DevSecOps KPIs and reporting dashboards
Requirements
Basic software development and SDLC experience
Target Audience
DevOps, Security, and Cloud Engineers who dislike theoretical security lectures
Testimonials (2)
Craig was extremely involved in the training, always making sure we are paying attention, adapted the examples to our day-to-day activities and always provided an answer when asked, even if the information was not added in the presentation.
Ecaterina Ioana Nicoale - BOOKING HOLDINGS ROMANIA SRL
Course - DevOps Foundation®
High level of commitment and knowledge of the trainer
