HemSök efter kurserIntegrated DevSecOps

Integrated DevSecOps


DevSecOps is the integration of security practices and principles into the DevOps process, with the aim of creating a more secure software development lifecycle.

In this 2-day workshop, we will cover tips and tricks on how to increase security of software delivery supply chains and existing infrastructure.


2 dagar

899 €

Course outline: Integrated DevSecOps

Day 1

Introduction to DevSecOps

  • Definition of DevSecOps; the role of security in DevOps
  • Introduction into threat modeling, attack surface, vulnerability and risk management
  • Overview of DevSecOps tools and practices

Software supply chain security

  • Definition and importance of supply chain security
  • Supply chain elements: software packages/updates, CI/CD pipelines, external vendors, SaaS vendors
  • Software vendor management, compliance and regulatory requirements, incident response and recovery
  • Threats and risk management to supply chain security
  • Practical exercise: Conduct a supply chain risk assessment for a sample software product and develop a risk mitigation plan
  • Practical exercise: Develop an incident response plan for a supply chain security incident

Software Bill of Materials (SBOM)

  • Definition and purpose of SBOM in supply chain security
  • Overview of SBOM formats (e.g. SPDX, CycloneDX)
  • SBOM generation tools (e.g. OWASP Dependency-Track)
  • Practical exercise: Generate an SBOM for a sample software product using a SBOM generation tool and analyze it to identify potential security risks.

SIEM and log management

  • Introduction to security information and event management (SIEM)
  • SIEM components and architecture
  • Types of logs and log management
  • Log analysis and correlation
  • Real-time monitoring and alerting
  • Overview of popular SIEM tools (e.g. Splunk, ELK, LogRhythm)
  • Practical exercise: Install and configure a SIEM tool (ELK) and perform log analysis and correlation to identify potential security incidents.

Container and Orchestrator Security

  • Overview of containers and containerization
  • Container security risks
  • Secure container deployment
  • Container orchestration security
  • Popular container security tools (e.g. Aqua, Sysdig, Twistlock)
  • Practical exercise: Build and deploy a containerized application using a secure container platform (e.g. Docker , Kubernetes) and apply container security best practices.

Day 2

Secret Management

  • Definition of secrets and their importance in security
  • Types of secrets (e.g. passwords, API keys, certificates)
  • Best practices for secret management (e.g. encryption, rotation, access control)
  • Secret management tools (e.g. HashiCorp Vault, AWS Secrets Manager)
  • Integration of secret management in CI/CD pipelines
  • Practical exercise: Implement a simple secret management solution using a tool like HashiCorp Vault and integrate it into a CI/CD pipeline.

Secure software development

  • Secure coding practices, secure software development lifecycle (SSDL) and threat modeling
  • Code scanners for security problems, integration of security scanners into CI/CD pipelines
  • Practical exercise: Develop a sample application and apply secure coding practices, perform threat modeling, and integrate security testing in a CI/CD pipeline.


  • Overview of the OWASP Top Ten security threats
  • A1: Injection flaws
  • A2: Broken authentication and session management
  • A3: Cross-site scripting (XSS)
  • A4: Security misconfigurations
  • A5: Insecure direct object references
  • A6: Cross-site request forgery (CSRF)
  • A7: Using components with known vulnerabilities
  • A8: Insufficient logging and monitoring
  • Other security risks
  • Practical exercise: Perform a hands-on assessment of a web application, identify and exploit at least one OWASP Top Ten vulnerability.

Open-Source Security

  • Open-source software security risks
  • Vulnerability management in open-source software
  • Popular open-source security tools (e.g. OWASP Dependency-Check, SonarQube)
  • Practical exercise: Perform a hands-on assessment of an open-source software package using an open-source vulnerability scanner (e.g. OWASP Dependency-Check) and integrate static code analysis using an open-source tool (e.g. SonarQube).

Version Control Security

  • Git commit signing and verification
  • Git permissions models
  • Practical exercise: Configure Git commit signing with GPG and sign and verify Git commits.