Course Outline
1. DevSecOps Foundations: Security by Design
🔍 Learn: Core DevSecOps principles and secure SDLC practices
🛠️ Demo: Side-by-side comparison of legacy versus modern secure pipelines
🔧 Lab: Construct your first DevSecOps-enabled pipeline template
2. OWASP ZAP Security Testing Bootcamp
💣 Breach Simulation:
- Deploy a vulnerable application featuring SQLi and XSS
- Use OWASP ZAP to detect the flaws and confirm they are fixed
⚙️ Defense Tactics:
- Automated scanning using ZAP
- CI/CD integration via the ZAP API
🧪 Lab: Customise ZAP baseline scans and attack rules
🎯 Challenge: 'Locate the hidden admin panel within 10 minutes'
3. Dependency Hell: Supply Chain Defense
💣 Breach Simulation:
- Introduce a compromised npm package carrying known CVEs into the build
🛡️ Defense Tactics:
- Monitor vulnerabilities using OWASP Dependency-Track
- Enforce policy gates that fail builds upon detecting critical CVEs
🧪 Lab: Create vulnerability policies and alert workflows
⚠️ Shocking Demo: 'How one bad dependency can own your infrastructure'
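A policy gate of the kind listed above (fail the build on critical CVEs), as an added example that is not part of the course material: a POSIX shell script for a CI step that reads a Dependency-Track project's current vulnerability counts and exits non-zero when they exceed a threshold. The environment variables DT_URL, DT_API_KEY and DT_PROJECT_UUID, the threshold defaults, and the metrics endpoint (GET /api/v1/metrics/project/{uuid}/current with an X-Api-Key header, as in Dependency-Track's REST API) are assumptions here; confirm the endpoint and field names against your server version.

```shell
#!/usr/bin/env sh
# Added example (not course material): fail a CI job when a Dependency-Track
# project's current metrics exceed the allowed severity counts.
# Assumed environment (set by the CI job): DT_URL, DT_API_KEY, DT_PROJECT_UUID.
# Assumed endpoint: GET /api/v1/metrics/project/{uuid}/current, returning the
# project's current vulnerability counts as flat JSON ("critical", "high", ...).
set -u

MAX_CRITICAL="${MAX_CRITICAL:-0}"   # policy: no critical findings allowed
MAX_HIGH="${MAX_HIGH:-5}"           # policy: at most five high findings

# json_count KEY: pull an integer field out of flat JSON on stdin (no jq needed).
# Prints nothing when the key is absent.
json_count() {
  grep -o "\"$1\": *[0-9][0-9]*" | head -n 1 | grep -o '[0-9]*$'
}

# gate_metrics: read the metrics JSON on stdin; return 0 to allow the build,
# 1 to fail it. Missing counts fail closed instead of passing silently.
gate_metrics() {
  json=$(cat)
  critical=$(printf '%s' "$json" | json_count critical)
  high=$(printf '%s' "$json" | json_count high)
  if [ -z "$critical" ] || [ -z "$high" ]; then
    echo "policy gate: could not read severity counts from metrics response" >&2
    return 1
  fi
  echo "policy gate: critical=$critical (max $MAX_CRITICAL) high=$high (max $MAX_HIGH)"
  if [ "$critical" -gt "$MAX_CRITICAL" ] || [ "$high" -gt "$MAX_HIGH" ]; then
    echo "policy gate: FAIL, build blocked by vulnerability policy" >&2
    return 1
  fi
  return 0
}

# fetch_metrics: query Dependency-Track for the project's current metrics.
fetch_metrics() {
  curl -sSf -H "X-Api-Key: $DT_API_KEY" \
    "$DT_URL/api/v1/metrics/project/$DT_PROJECT_UUID/current"
}

# CI entry point: only runs when the Dependency-Track variables are present,
# so the functions above can also be sourced and tested offline.
if [ -n "${DT_URL:-}" ]; then
  fetch_metrics | gate_metrics
fi
```

Run it as the step after the SBOM upload; the non-zero exit is what fails the job in GitHub Actions or GitLab CI. The counts are only as fresh as the last analysis, so wait for the BOM processing of that upload to finish before gating, otherwise the gate compares stale numbers from the previous build.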
4. Vulnerability Management War Room
💣 Breach Simulation:
- Exploit unpatched container vulnerabilities
🛡️ Defense Tactics:
- Centralise reporting with OWASP DefectDojo
- Scan containers using Trivy
🧪 Lab: Build real-time dashboards for CISO and executive reporting
🏁 Competition: 'Triage 50 findings faster than your rivals'
5. Secrets and Configuration Fire Drill
💣 Breach Simulation:
- Exfiltrate secrets from Git history using truffleHog
🛡️ Defense Tactics:
- Implement pre-commit hooks that block patterns such as password=.*
- Use ZAP’s spider to surface dangerous configuration settings
🧪 Lab: Implement GitHub Actions secrets scanning
🚨 Reality Check: 'Your database password is in Slack right now'
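The pre-commit hook named in the defense tactics above, as an added example that is not part of the course material: a POSIX shell hook that scans only the lines a commit adds and refuses the commit when one of them looks like a credential (password=hunter2, an AWS access key ID, a PEM private key header). The regex set and the placeholder allow-list ($VAR, ${VAR}, {{ template }}, <PLACEHOLDER>) are assumptions for the demo and should be tuned to your codebase.

```shell
#!/usr/bin/env sh
# Added example (not course material): a git pre-commit hook that refuses commits
# whose staged changes add secret-looking lines. Install as .git/hooks/pre-commit
# and make it executable. Patterns and allow-list below are demo assumptions.

# Things that look like credentials: key=value with a credential-ish key name,
# AWS access key IDs, PEM private key headers.
SECRET_PATTERNS='(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[^[:space:]]{4,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# Values that are placeholders rather than secrets: $VAR, ${VAR}, {{ tpl }}, <NAME>.
ALLOW_PATTERNS='[=:][[:space:]]*(\$\{?[A-Za-z_]|\{\{|<[A-Za-z_]+>)'

# scan_text: read lines on stdin, print the offending ones with line numbers,
# return 1 if any remain after the allow-list, 0 if clean.
scan_text() {
  # The first grep exits 1 when nothing matches and the second exits 1 when
  # every match was allow-listed; both are the "clean" outcome.
  if hits=$(grep -E -i -n "$SECRET_PATTERNS" | grep -E -v "$ALLOW_PATTERNS"); then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# scan_staged: examine only the lines this commit adds ('+' lines of the staged
# diff), so existing history is not re-flagged on every commit.
scan_staged() {
  git diff --cached --unified=0 --no-color \
    | grep -E '^\+[^+]' | sed 's/^+//' \
    | scan_text
}

# When installed as the hook, git runs this file as .git/hooks/pre-commit;
# when sourced or run under another name only the functions are defined.
case "$0" in
  */pre-commit)
    if ! scan_staged; then
      echo 'pre-commit: possible secret in staged changes; commit aborted' >&2
      echo 'pre-commit: move the value to an environment variable or a vault reference' >&2
      exit 1
    fi
    ;;
esac
```

A hook like this is a tripwire, not a guarantee: it runs only on machines where it is installed and a developer can bypass it with git commit --no-verify, which is why the same scan has to run again in CI (the GitHub Actions lab above) and over the full history with a tool such as truffleHog.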
6. Wrap-Up: DevSecOps Battle Plan
🧭 OWASP Integration Roadmap:
- Plan your adoption of DefectDojo, Dependency-Track, and ZAP
📋 Personal Action Plan:
- Draft your 30-day security checklist
- Define your DevSecOps KPIs and reporting dashboards
Requirements
Foundational software development and SDLC experience
Audience
DevOps, Security, and Cloud Engineers who disdain theoretical security lectures
Testimonials (2)
Craig was extremely involved in the training, always making sure we were paying attention, adapted the examples to our day-to-day activities and always provided an answer when asked, even if the information was not included in the presentation.
Ecaterina Ioana Nicoale - BOOKING HOLDINGS ROMANIA SRL
Course - DevOps Foundation®
High level of commitment and knowledge of the trainer