DevSecOps: Security in the CI/CD Pipeline

The hands-on DevSecOps training is aimed at software developers, DevOps engineers and architects and teaches the theoretical and practical basics of tool-supported "early security testing".

Fixing security vulnerabilities after software has been released is expensive: compared with fixing the same vulnerability during development, the cost is generally many times higher. Early detection of vulnerabilities, ideally while the code is being written, is therefore one of the most important goals of secure and still cost-efficient software development ("shift left"). By integrating automated security testing tools into the CI/CD pipeline, a large class of security problems can be detected and fixed very early in the development cycle, before they reach a release.

In our hands-on DevSecOps seminar, the trainer provides the domain knowledge needed for a Secure Software Development Life Cycle (SSDLC). Building on this, and drawing on our years of practical experience, participants learn to integrate a range of security testing tools into the CI/CD pipeline. Recommended tools from the following categories are presented in practical hands-on exercises and showcases, together with best practices for their use:

  • Software Composition Analysis (SCA)
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Interactive Application Security Testing (IAST)
  • Compliance as Code (CaC)
  • Infrastructure as Code (IaC)
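Whatever tools from these categories are chosen, the pipeline needs a step that turns their findings into a pass/fail decision. The following gate script is an added example written for this page; it is not course material and not the output format of any particular scanner. It assumes a minimal JSON report shape (`results` with `ruleId`, `severity`, `location`), a severity threshold, and a reviewed allowlist of accepted risks with expiry dates; the report contents are constructed. The design point it shows is that the gate fails closed: an unreadable report, an unknown severity, or an expired exception all block the build instead of being silently ignored.

```python
"""Fail-closed security gate for a CI/CD job (added example, not course code).

Reads the findings a scanner step (SCA, SAST, DAST, IaC) wrote to a JSON
file and decides whether the pipeline may continue.  The report layout,
the severity policy and the allowlist below are assumptions made for
this example; adapt them to the scanner you actually run.
"""
import json
import sys
from datetime import date

# Severity ranking used by the policy.  Anything not listed here is
# treated as unknown and blocks the build (fail closed).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Accepted risks: (rule id, location) -> date until which the exception holds.
# Constructed for this example; in practice this file lives in the repository
# next to the pipeline definition and is reviewed like code.
ALLOWLIST = {
    ("sast-0042", "app/db.py:88"): date(2030, 1, 1),     # still valid
    ("sast-0042", "app/legacy.py:5"): date(2020, 1, 1),  # expired
}

# Fixed "today" so the verdict on the sample report is reproducible.
SAMPLE_TODAY = date(2025, 1, 1)

# Constructed sample report in a minimal, scanner-neutral shape.
SAMPLE_REPORT = json.dumps({"results": [
    {"ruleId": "sca-0001", "severity": "critical", "location": "requirements.txt",
     "message": "known vulnerable transitive dependency"},
    {"ruleId": "sast-0042", "severity": "high", "location": "app/db.py:88",
     "message": "SQL statement built by string formatting"},
    {"ruleId": "sast-0042", "severity": "high", "location": "app/legacy.py:5",
     "message": "SQL statement built by string formatting"},
    {"ruleId": "sast-0007", "severity": "medium", "location": "app/views.py:12",
     "message": "debug flag enabled in configuration"},
    {"ruleId": "iac-0003", "severity": "unrated", "location": "deploy/main.tf",
     "message": "storage bucket without encryption setting"},
]})


def evaluate(report_json, threshold="high", allowlist=None, today=None):
    """Return a verdict dict: passed, blocking, accepted, warnings, error."""
    allowlist = ALLOWLIST if allowlist is None else allowlist
    today = date.today() if today is None else today
    verdict = {"passed": False, "blocking": [], "accepted": [],
               "warnings": [], "error": None}

    try:
        results = json.loads(report_json)["results"]
    except (ValueError, KeyError, TypeError) as exc:
        # Unreadable report: never let the build through on a parser error.
        verdict["error"] = "unreadable report: %s" % exc
        return verdict

    limit = SEVERITY_RANK[threshold]
    for finding in results:
        key = (finding.get("ruleId"), finding.get("location"))
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None:
            # Unknown severity blocks rather than being ignored.
            verdict["blocking"].append(key)
            continue
        if rank < limit:
            if rank >= SEVERITY_RANK["medium"]:
                verdict["warnings"].append(key)
            continue
        expires = allowlist.get(key)
        if expires is not None and expires >= today:
            verdict["accepted"].append(key)
        else:
            verdict["blocking"].append(key)

    verdict["passed"] = not verdict["blocking"]
    return verdict


def main(argv):
    # Pipeline usage:  python gate.py scanner-report.json
    # A non-zero exit status fails the job, which CI systems report as a failed stage.
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    verdict = evaluate(report)
    for key in verdict["blocking"]:
        print("BLOCK   %s at %s" % key)
    for key in verdict["accepted"]:
        print("ACCEPT  %s at %s (allowlisted, not expired)" % key)
    for key in verdict["warnings"]:
        print("WARN    %s at %s" % key)
    if verdict["error"]:
        print("ERROR   " + verdict["error"])
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the constructed report and exits 1, because the critical SCA finding, the expired SAST exception and the finding with an unrated severity all block; the still-valid exception is reported as accepted and the medium finding only as a warning. Raising the threshold to `critical` demotes the high findings to warnings without touching the fail-closed handling of unknown severities.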

Content

  • Basics
    • The need for DevSecOps
    • What is Web Application Security
    • Basic Terms of IT-Security
  • Secure Coding / SSDLC
    • Security by Design
    • Finding the right protection level
    • DevSecOps – Tools and Phases
    • Sourcecode Analysis
    • Hands-On Training: SAST/DAST
  • Build and Deployment
    • Supply Chain Attacks
    • Dependency Confusion
    • Handling of 3rd Party Libraries
    • Docker (Attack vectors, Image Security, Container Security)
    • Hands-On Training: SCA
    • Showcase: IaC
    • Showcase: CaC
  • Operations
    • Known Vulnerabilities
    • Information Disclosure
    • Countermeasures on Infrastructure Level

Target audience

  • Software developer
  • DevOps engineer
  • Architect

Duration

2 days or individually tailored

Prerequisites

none

Trainer

Robin Herrmann
Security consultant in many software projects

Our training courses are aimed at companies and organisations. A course becomes economical from about three participants upwards. Training takes place at your premises or is organised by us at a venue of your choice.


Your Contact:

Dr.-Ing. Benjamin Kellermann

Contact us by email, by phone, or via our contact form.