Introduction to DevSecOps (TTDV8400)
Course Overview

Security automation is the automated execution of software security assessment tasks. Introduction to DevSecOps is a comprehensive hands-on course designed to give you the skills needed to build a security automation framework that scans for vulnerabilities without human intervention. This course will teach you to adopt security automation techniques to continuously improve your software development and security testing process, learning about and working with open source tools and techniques to integrate security testing directly into your CI/CD pipeline.

Throughout this course, you will see how to implement security inspection at every layer: secure code inspection, fuzz testing, REST API testing, privacy testing, infrastructure security, and web UI testing. With the help of practical examples, this course will teach you to combine automation and security in DevOps. You will learn to integrate the results of different security testing tools into an overall security status for a project. By the end of this course, you will be confident implementing security automation at every stage of your software development lifecycle and will be able to build your own in-house security automation platform for your mobile and cloud releases.

Who should attend

This hands-on course is geared toward attendees with intermediate IT skills who want a guide to automating infrastructure security using DevOps and DevSecOps practices.

Prerequisites

To be successful in this course, attendees should possess these skills:

  • Basic to intermediate IT skills.
  • Basic Python scripting skills. Attendees without a programming background may treat the labs as follow-along exercises or team up with others to complete them.
  • Good foundational mathematics or logic skills.
  • Basic Linux skills, including familiarity with commands such as ls, cd, cp, and su.

Course Objectives

This course combines expert lecture, real-world demonstrations and group discussions with machine-based practical labs and exercises. Our engaging instructors and mentors are highly experienced practitioners who bring years of current "on-the-job" experience into every classroom.

Working in a hands-on learning environment led by our expert practitioner, attendees will learn how to:

  • Apply and automate techniques to protect web, mobile and cloud services
  • Automate secure code inspection in C++, Java, Python, and JavaScript
  • Automate secure code inspection with open source tools and effective secure code scanning suggestions
  • Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
  • Integrate security testing tools such as OWASP ZAP, Nmap, SSLyze, sqlmap, and OpenSCAP
  • Integrate security testing with automation frameworks and techniques such as fuzzing, BDD, Selenium and Robot Framework
  • Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
  • Execute security testing of a REST API
  • Implement web application security testing with open source tools and script templates for CI/CD integration
  • Integrate the results of various types of security testing tool from a single project into one dashboard

Outline: Introduction to DevSecOps (TTDV8400)

1. The Scope and Challenges of Security Automation

  • The purposes and myths of security automation
  • The required skills and suggestions for security automation
  • General environment setup for coming labs

2. Integrating Security and Automation

  • The domains of automation testing and security testing
  • Automation frameworks and techniques
  • Automating existing security testing
  • Security testing with an existing automation framework

3. Secure Code Inspection

  • Case study – automating a secure code review
  • Secure coding patterns for inspection
  • Quick and simple secure code scanning tools
  • Case study – XXE security
  • Case study – deserialization security issue

4. Sensitive Information and Privacy Testing

  • The objective of sensitive information testing
  • Case study – weak encryption search
  • Case study – searching for a private key
  • Case study – website privacy inspection
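The secure code inspection patterns in section 3 (XXE, insecure deserialization) and the sensitive-information searches in section 4 (weak encryption, committed private keys) both reduce to the same mechanism: a rule set run over source text on every commit, with the results fed to a CI gate. The scanner below is an added example written for this page, not course material or any of the tools the course teaches; its rules, the sample files it scans and the `# nosec` suppression convention are assumptions chosen for illustration.

```python
"""Pattern-based secure code and sensitive-information scanner (added example)."""
import re
from dataclasses import dataclass

# Each rule: (rule id, severity, compiled regex, short description).
# These patterns are illustrative assumptions, not a complete or production rule set.
RULES = [
    ("PRIVATE_KEY", "high",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
     "Private key material committed to source"),
    ("HARDCODED_SECRET", "high",
     re.compile(r"(?i)(?:password|passwd|secret|api_?key|token)\s*=\s*['\"][^'\"]{6,}['\"]"),
     "Hard-coded credential"),
    ("WEAK_HASH", "medium",
     re.compile(r"\b(?:hashlib\.)?(?:md5|sha1)\s*\("),
     "Weak hash algorithm (MD5/SHA-1)"),
    ("WEAK_CIPHER", "medium",
     re.compile(r"\b(?:DES|RC4|ARC4|Blowfish)\b|MODE_ECB"),
     "Weak cipher or ECB mode"),
    ("UNSAFE_DESERIALIZATION", "high",
     # yaml.load is flagged unless the call names yaml.SafeLoader explicitly.
     re.compile(r"\bpickle\.loads?\(|\byaml\.load\((?![^)]*Loader\s*=\s*yaml\.SafeLoader)"),
     "Deserialization of untrusted data"),
    ("XXE_RISK", "medium",
     re.compile(r"resolve_entities\s*=\s*True"),
     "XML parser configured to resolve external entities (XXE)"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    message: str
    snippet: str


def scan_text(path, text):
    """Apply every rule to every line; a trailing '# nosec' suppresses a line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.endswith("# nosec"):
            continue
        for rule_id, severity, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(path, n, rule_id, severity, message, line[:80]))
    return findings


def scan_files(files):
    """files: mapping of path -> file contents (in-memory here; read from disk in CI)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings):
    """Count findings per severity, the shape a CI gate or dashboard would consume."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def ci_gate(findings, fail_on=("high",)):
    """Return True when the build may proceed, False when a blocking severity is present."""
    return not any(f.severity in fail_on for f in findings)


# Constructed sample repository content; these files are made up for the example.
SAMPLE_FILES = {
    "app/auth.py": (
        "import hashlib\n"
        "DB_PASSWORD = 'hunter2hunter2'\n"
        "def check(pw, stored):\n"
        "    return hashlib.md5(pw.encode()).hexdigest() == stored\n"
        "    digest = hashlib.sha1(b'legacy')  # nosec\n"
    ),
    "app/loader.py": (
        "import pickle, yaml\n"
        "def load(blob):\n"
        "    return pickle.loads(blob)\n"
        "def cfg(text):\n"
        "    return yaml.load(text, Loader=yaml.SafeLoader)\n"
    ),
    "app/crypto_util.py": (
        "from Crypto.Cipher import AES\n"
        "cipher = AES.new(key, AES.MODE_ECB)\n"
    ),
    "app/xml_in.py": (
        "from lxml import etree\n"
        "parser = etree.XMLParser(resolve_entities=True)\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule}: {f.message} -> {f.snippet}")
    print("summary:", summarize(results), "gate passed:", ci_gate(results))
```

Running it on the constructed sample reports six findings (three high, three medium) and fails the gate on the high-severity ones; the `# nosec` line is skipped, which is the kind of explicit, reviewable suppression a team needs once a scanner runs on every commit.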

5. Security API and Fuzz Testing

  • Automated security testing for every API release
  • Building your security API testing framework

6. Web Application Security Testing

  • Case study – online shopping site for automated security inspection
  • Case 1 – web security testing using the ZAP REST API
  • Case 2 – full automation with curl and the ZAP daemon
  • Case 3 – automated security testing for the user registration flow with Selenium

7. Android Security Testing

  • Android security review best practices
  • Secure source code review patterns for Android
  • Privacy and sensitive information review
  • General process of APK security analysis
  • Static secure code scanning with QARK
  • Automated security scanning with MobSF

8. Infrastructure Security

  • The scope of infrastructure security
  • Secure configuration best practices
  • Network security assessments with Nmap
  • CVE vulnerability scanning
  • HTTPS security check with SSLyze
  • Behavior-driven security automation – Gauntlt

9. BDD Acceptance Security Testing

  • Security testing communication
  • What is BDD security testing?
  • Adoption of Robot Framework with sqlmap
  • Testing framework – Robot Framework with ZAP

10. Project Background and Automation Approach

  • Case study – introduction and security objective
  • Selecting security and automation testing tools
  • Automated security testing frameworks
  • Environment and tool setup

11. Automated Testing for Web Applications

  • Case 1 – web security scanning with ZAP-CLI
  • Case 2 – web security testing with ZAP & Selenium
  • Case 3 – fuzz XSS and SQLi testing with JMeter

12. Automated Fuzz API Security Testing

  • Fuzz testing and data
  • API fuzz testing with Automation Frameworks

13. Automated Infrastructure Security

  • Scan for known JavaScript vulnerabilities
  • WebGoat with OWASP Dependency-Check
  • Secure communication scan with SSLScan
  • Nmap security scan with a BDD framework

14. Managing and Presenting Test Results

  • Managing and presenting test results
  • Approach 1 – integrate the tools with RapidScan
  • Approach 2 – generate a professional pentest report with Serpico
  • Approach 3 – security findings management with DefectDojo

15. Summary of Automation Security Testing Tips

  • Automation testing framework
  • Secure code review
  • API security testing
  • Web security testing
  • Android security testing
  • Infrastructure security
  • BDD security testing by Robot Framework

Prices & Delivery methods

Online Training

Duration
4 days

Price
  • US$ 2,895

Classroom Training

Duration
4 days

Price
  • United States: US$ 2,895

Schedule

Currently there are no training dates scheduled for this course.