About The Training
Goa 2025 | Trainings
- AI Security: Terminating The Terminator
- Advanced Infrastructure Security Assessment
- Attack and Defend Software Supply Chains
- Azure Cloud Attacks for Red and Blue Teams
- Blocking the Storm: A Hands-On Guide to Hardening and Securing Kubernetes Clusters
- DevSecOps - A Hands-on Experience
- Efficient Malware Analysis: Comprehensive Approach
- HackTheWeb: Pentesting Beyond Basics
- Hacking Android Applications
- IoT Security Bootcamp GOA Edition
- Rapid Threat Model Prototyping (RTMP) - Agile Threat Modeling Mastery including Cloud and AI
- Slaying the RE Dragon: Mastering Reverse Engineering
- The Application Security Tool Stack - How to Discover Vulnerabilities in Software
DevSecOps - A Hands-on Experience
Start Date: Feb 26, 2025
End Date: Feb 28, 2025
Venue: TBA
Keep up with DevOps modernization and widen your career prospects. This practical 3-day course will help you build your own DevSecOps pipeline so you can make products secure by design. Get your hands dirty with our popular virtual labs and learn from experienced, practicing penetration testers with a legacy of training at Black Hat. Learn how to use and automate the most popular and effective security tools and practices, overcome common DevSecOps challenges, instill security culture within your team, and more...
Intermediate - Advanced
What’s in the syllabus: Note: our syllabuses are subject to change based on new vulnerabilities found and exploits released.
LAB SETUP
- Online lab setup
- Offline lab instructions
INTRODUCTION TO DEVOPS
- What is DevOps?
- Lab: Creating a DevOps pipeline
INTRODUCTION TO DEVSECOPS
- Security challenges in DevOps
- Threat modeling for DevOps
- DevSecOps – why you need it, how you use it, and what it is
- Vulnerability management
CONTINUOUS INTEGRATION
- Pre-commit hooks
- Introduction to Talisman
- Lab: Running Talisman
- Lab: Create your own regexes for Talisman
- Secrets management
- Introduction to HashiCorp Vault
- Demo: Vault commands
CONTINUOUS DELIVERY
- Software Composition Analysis (SCA)
- Introduction to OWASP Dependency- Check
- Lab: Run OWASP Dependency- Check pipeline
- Lab: Fix issues reported by Dependency- Check
- Static Analysis Security Testing (SAST)
- Introduction to Semgrep
- Lab: Run Semgrep pipeline
- Lab: Create your own Semgrep rules
- Lab: Fix issues reported by Semgrep
- Dynamic Analysis Security Testing (DAST)
- Introduction to OWASP ZAP
- Demo: Creating OWASP ZAP Context File
- Lab: Run OWASP ZAP in the pipeline
INFRASTRUCTURE AS CODE
- Vulnerability Assessment (VA)
- Introduction to OpenVAS
- Lab: Run OpenVAS pipeline
- Container Security (CS)
- Introduction to Trivy
- Lab: Run Trivy in Pipeline
- Lab: Improvise Docker base image
- Compliance as Code (CaC)
- Introduction to Chef Inspec
- Lab: Run Chef Inspec in the pipeline
- Lab: Improvise with Docker compliance controls
CONTINUOUS MONITORING
- Logging – why to do it, how, and what logs to collect.
- Introduction to the ELK Stack
- Lab: View Logs in Kibana
- Alerting – how to create alerts that help you prioritize
- Introduction to ElastAlert and ModSecurity
- Lab: View alerts in Kibana
- Monitoring – how to track and learn from malicious activity
- Lab: Create Attack Dashboards in Kibana
DEVSECOPS IN AWS
- What does DevOps on Cloud Native AWS look like?
- AWS threat landscape
- Shifting to DevSecOps in Cloud Native AWS
DEVSECOPS CHALLENGES AND ENABLERS
- Challenges with DevSecOps
- How to build a DevSecOps culture
- Security champions – how to create DevSecOps advocates across your team
- Case study: how organizations use automation to implement development security best practice
- Where to begin
- DevSecOps maturity model
The attendees will need a laptop with admin privileges and unfiltered access to the internet.
- The course is browser based and hence having a chrome/firefox browser will be needed in the laptops.
- Additionally the attendees need their own GitHub account
- Developers
- DevOps/DevSecOps engineers
- Application security engineers
- Ops teams
- CISOs
This course is suitable for organizations and teams with a DevOps pipeline already in place, as well as those planning to implement one. The syllabus has been designed to help different key stakeholders improve their skills and knowledge across different security practices and embed “security by design” as the way of working. Putting these learnings to use will lead to improvements in the overall security posture of your applications over time.
This course uses a Defense by Offence methodology based on real world offensive research (not theory). That means everything we teach has been tried and tested, either on a live environment or in our labs, and can be applied (by you) once the course is over. By the end of the course, you’ll know:
- How cyber criminals and penetration testers exploit insecure DevOps practices
- Exactly where to start when shifting from DevOps to DevSecOps
- How to use Talisman to create pre-commit hooks to lower the chance of credentials and other secrets being exposed during development
- How to automate security into a fast-paced DevOps environment using various open-source tools and scripts that don’t slow down delivery
- How to secure your methodology for managing and delivering Infrastructure as Code (IaC)
- How to use the Elastic (ELK) Stack to monitor your applications’ behaviors with logs and alerts
- How to achieve DevSecOps in cloud native AWS
- What challenges to expect when moving to a DevSecOps model and how to overcome them
- How to mature your DevSecOps approach over time
- Certificate of completion.
- Your own offline lab setup to use after the course.
- 8 Continuing Professional Education (CPE) credits awarded per day of training fulfilled.
- Learning pack: question & answer sheets, setup documents, and command cheat sheet.
The course is focused on DevSecOps using open-source tools. We will not be covering comparisons of paid tools or endorsing commercial tools.
YASH Roongta
After gaining a Bachelor’s degree in Commerce, Yash passed a post-grad diploma in Cybersecurity in 2016 and joined HappiestMinds as a Security Analyst. Over the next few years, he completed a number of certifications including OSCP and OSWP and acquired experience in numerous business sectors, including banking, finance, telecoms, and ecommerce. He also gained team leading experience managing the Cybersecurity team of one of India’s leading telecoms companies, which involved developing attack scenarios and defence capabilities to detect and counter them. In his spare time, he leads the Mumbai chapter of OWASP, which aims to spread awareness around Cybersecurity issues and hosts information security sessions in the Mumbai region. In 2024, Yash completed his Master in Cyber Security. Yash delivers multiple training courses for NotSoSecure both for private clients and at conferences.
Karan joined NotSoSecure in 2019 and works with clients operating across a broad range of business sectors, including banking, e-commerce, and software development. Working as part of a small team of Security Consultants on- and off-site, he carries out various types of Penetration Testing on web applications, mobile applications, and networks. This part of his work also involves providing practical, actionable reports and being responsible for ensuring that clients’ secured environments meet required standards. He also delivers NotSoSecure training, such as the Application Security for Developers course, and undertakes various types of research for the company.
Key Skills
Web applications Penetration Testing
Mobile application Penetration Testing
Network Penetration Testing
Source Code Review
API Testing
Thick Client
HTML & Javascript