Talk to an Instructor:
Jonas Felix
Discover in this two-day workshop how to successfully integrate security into your DevOps processes. From the fundamentals of the shift-left approach to advanced container security techniques – learn hands-on how to build secure CI/CD pipelines and implement automated security testing.
We are happy to conduct tailored courses for your team - on-site, remotely or in our course rooms.
In this workshop, you will learn how to seamlessly integrate security into your DevOps processes and establish a comprehensive DevSecOps culture in your team. You will discover practical techniques for automating security testing, container scanning, and vulnerability management.
Thanks to hands-on exercises and real-world scenarios, you will develop the ability to implement secure CI/CD pipelines and identify security risks early.
We start with DevSecOps fundamentals and then delve into advanced topics such as container security, policy management, and automated compliance checks.
Day 1:
– Welcome, Setup & Lab Environment
– DevSecOps Principles:
  - Why does security matter?
  - From DevOps to DevSecOps
  - Shift-Left Approach
  - Automation Principles
  - Security as Code
  - Vulnerability Databases and Identifiers
– Securing Software Development:
  - Code Analysis and Scanning
    - Introduction to Static Code Analysis (SCA)
    - Implementing and Automating Scanning with SonarQube
    - Static Application Security Testing (SAST) with GitLab
  - Software Bill of Materials (SBOMs)
    - Why are Visibility and Traceability important?
    - Creating SBOMs with Syft
    - Tracking SBOMs with Dependency-Track
    - Automating SBOM Generation and Tracking with GitLab
  - Environment-specific Scanners
    - Programming language-specific environments (Go vuln scan, npm audit, pip-audit)
– Securing Containerized Pipelines:
  - Building Secure Containers
    - Concepts and Best Practices
    - Scanning Containers with Trivy
    - Automating Container Scanning and Tracking with GitLab

Day 2:
– Securing Containerized Pipelines (continued):
  - Container Signing with Sigstore/Cosign
  - Automatic Container Signing with GitLab
  - Container Artifact Storage
    - Artifact Scanning
    - Retrieval Policies
– Securing Deployed Orchestration:
  - Deployment Configuration Scanning with Trivy
  - Implementing Pod Security Standards
  - Kubernetes Policy Management with OPA (Open Policy Agent)
– Security Issue Tracking:
  - Creating automated tickets for security findings within GitLab
  - Exclusions and Exceptions
– Outlook:
  - Next Steps: Automated Remediation and Beyond
Disclaimer: The actual course content may vary from the above, depending on the trainer, implementation, duration and constellation of participants.
Whether we call it training, course, workshop or seminar, we want to meet participants where they are and equip them with the practical knowledge they need to apply the technology directly after the training and deepen it independently.
After this course, you will be able to successfully integrate security into your DevOps processes and establish a comprehensive DevSecOps culture. You will acquire practical skills in implementing automated security testing, container scanning, and vulnerability management. From static code analysis to SBOM generation to Kubernetes policy management - you'll learn to implement security as an integral part of your CI/CD pipelines.
Through hands-on exercises and realistic scenarios, you'll develop the competence to create secure container images, scan deployment configurations, and implement automated security issue tracking. You'll master the shift-left approach and be able to effectively use both traditional and modern security tools.
The course is well structured and consists of theoretical explanations and practical exercises. You will be accompanied by an experienced trainer who can answer questions.
This course is designed for DevOps engineers, software developers, system administrators, and security engineers who want to successfully integrate security into their CI/CD pipelines.
Basic knowledge of DevOps practices and CI/CD pipelines.
Experience with Git, Docker, and basic Linux knowledge.
Laptop with local installation rights recommended.
Every participant will receive a questionnaire and a preparation checklist after registration. We provide a comprehensive laboratory environment for each participant, so that all participants can directly implement their own experiments and even complex scenarios.
Sign up for the waiting list for more public course dates. Once we have enough people on the waiting list, we will determine a date that suits everyone as much as possible and schedule a new session. If you want to participate directly with two colleagues, we can even plan a public course specifically for you.
DevSecOps is the evolution of DevOps that integrates security as a fundamental component throughout the entire software development lifecycle. Instead of treating security as an afterthought, it is embedded from the beginning into development and deployment pipelines.
The shift-left approach is central to this: security testing and controls are implemented as early as possible in the development process to identify and fix vulnerabilities during the development phase, rather than discovering them in production.
DevSecOps emerged as a natural evolution of the DevOps movement when organizations realized that security could no longer be a separate, downstream process. Increasing digitalization and the frequency of cyber attacks made it necessary to integrate security into development processes from the beginning.
Modern tools such as container scanners, SAST/DAST tools, and policy-as-code solutions now enable seamless integration of security into CI/CD pipelines. The Cloud Native Computing Foundation (CNCF) and other organizations are driving the development of open-source security tools specifically designed for cloud-native environments.
The term "Security as Code" describes the approach of defining and managing security policies and controls as code, enabling automation, versioning, and reusability.
Training-Centers:
Basel:
- Aeschenplatz 6, 4052 Basel
Zurich:
- HWZ, Lagerstrasse 5, 8004 Zürich
Company address:
felixideas GmbH
Baslerstrasse 5a
4102 Binningen