
Learn the fundamentals of DevSecOps, including roles, security basics, and hands-on demos of SAST, SCA, DAST, container and IaC security, plus job-ready CV tips.
Explain the roles and responsibilities of a DevSecOps engineer, from credential scanning to SAST, SCA, DAST, and shift-left in CI/CD pipelines.
Learn what static application security testing (SAST) is and explore commercial and open-source tools like Checkmarx, Fortify on Demand, SonarQube, and Snyk, including on-prem vs. cloud deployment and CI/CD integrations.
Perform a manual static application security testing (SAST) scan using Fortify on Demand by uploading a zip of the code, reviewing the results, and understanding false positive analysis.
Explain SBOM and SCA, showing how an SBOM lists first and third party components and how SCA identifies vulnerabilities and license issues in those components.
Learn how software composition analysis using Snyk identifies security vulnerabilities in third-party libraries for a Java Maven project, highlighting critical CVSS scores and fix versions.
Master dynamic application security testing (DAST) and its tools, from OWASP ZAP to Burp and WebInspect, and learn how DAST tests web apps and APIs for vulnerabilities.
This hands-on demo shows how to perform a dynamic security test with a hosted OWASP ZAP scan of http://example.com, generating a PDF report with one medium and one low severity issue.
Learn what containers are, the role of a container runtime like Docker Engine, and how to scan for container security vulnerabilities using tools such as Aqua, Prisma Cloud, Snyk, and Trivy.
Install Docker Desktop on Windows, enable Virtual Machine Platform and WSL 2, sign in with Docker Hub, and prepare for hands-on future lectures.
Perform a hands-on container security scan with Snyk, from signing up and installing the Snyk CLI to scanning a Docker image for vulnerabilities and base image upgrade recommendations.
Explore infrastructure as code basics, how IaC automates provisioning across cloud and on-prem environments, and how IaC security scanning with Checkov, Snyk, and CloudSploit identifies misconfigurations.
Learn to perform an IaC security scan with Checkov by setting up Python and Terraform locally, installing Checkov via pip, and scanning a Terraform file for misconfigurations.
Explore infrastructure as code security scanning with Bridgecrew, reviewing Terraform, CloudFormation, and Kubernetes for misconfigurations and vulnerabilities identified in a connected GitHub repo.
Demonstrates infrastructure as code security scanning using Snyk IaC in a SaaS model, showing how to identify security misconfigurations in Terraform and CloudFormation templates.
Explore CWE, CVE, and CVSS to see how standardized weakness enumeration, vulnerability tracking, and risk scoring guide prioritization in DevSecOps, using Log4j examples.
Master false positive analysis to verify security tool findings, distinguish true from false positives, and report only genuine issues to DevSecOps teams, reducing waste and alert fatigue in enterprise environments.
Learn to perform false positive analysis across SAST, SCA, DAST, and IaC scans, identify true positives like a Docker root user and empty passwords, and document remediation in Jira.
Create a Jira account and report security vulnerabilities to the development team. Document security issues in Jira as bugs, note severity, include file paths and references, and track through sprints.
Integrate SonarCloud with Jira to auto-create tickets with a click. Configure the connector, generate a security token, and map bugs, code smells, and hotspots to Jira issues.
Understand the DevSecOps maturity model, from ad hoc to optimizing, with security integrated into the secure SDLC and OWASP levels 1–4.
Explore the basics of Docker, containers, images, and the Docker Engine, including Docker Hub and Dockerfile, to deploy secure, lightweight applications across environments.
Learn how to run a SAST scan with a dockerized SonarQube instance. The hands-on demo covers installing Docker, launching SonarQube, and scanning local code for bugs and security vulnerabilities.
Learn the basics of Git and GitHub, including repositories, commits, branches, merges, and pull requests, and how these tools enable version control and collaboration on shared code.
Install Git Bash on your local system to clone repos, commit changes, and push to GitHub, with guided setup across Windows, Linux, and Mac and Vim as the default editor.
Learn to connect Git Bash with GitHub using either a personal access token or username and token, push local changes to a remote repo, and manage Windows credentials.
Discover how integrated development environment plugins enable static code analysis and code review to identify security issues and improve code quality, with examples like SonarLint, Fortify, and Snyk.
Demonstrate installing and using SonarLint and Snyk IDE plugins in IntelliJ to identify code quality issues and security vulnerabilities early, embracing a shift-left DevSecOps approach.
Explore on-premise and cloud CI/CD tools, including Jenkins, GitLab, Azure DevOps, AWS, GCP, and CircleCI, learning how automated builds, tests, deployments, and rollbacks improve reliability.
Download and install Jenkins on Windows, configure port 9292, ensure Java 11 or 17 is present, set up the admin user and plugins, and preview a DevSecOps pipeline with SAST, SCA, and DAST.
Implement an end-to-end DevSecOps pipeline in Jenkins on Windows by integrating SAST, SCA, container security, DAST, and IaC security tools in a hands-on demo.
Terraform uses configuration files in the HashiCorp Configuration Language to blueprint and manage cloud infrastructure, with plan, apply, and destroy steps across AWS, Azure, Oracle Cloud, and Google Cloud.
Explore broken access control within the OWASP top ten through a hands-on demonstration using the OWASP Juice Shop web app, identifying vulnerabilities and applying remediation steps.
Learn how cryptographic failures from the OWASP top ten risk data in transit and at rest, and apply defenses like TLS with forward secrecy and HSTS.
Learn how injection attacks like SQL injection and cross-site scripting occur when user input isn’t sanitized or parameterized. See practical remediations using prepared statements and input validation.
Learn about insecure design, an OWASP top vulnerability, and its risk of sensitive data exposure. Apply secure software development life cycle practices, threat modeling, and tests.
Discover how security misconfiguration, the fifth OWASP top ten vulnerability, enables unauthorized access through misconfigured cloud policies and missing security headers, with remedies like server hardening, patch management, and containerization.
Explore the vulnerable and outdated components vulnerability in the OWASP top ten and how vulnerable libraries in Node.js apps risk data and servers.
Learn how identification and authentication failures expose applications to data loss and account compromise, including brute force attacks, weak passwords, session IDs, and the importance of multi-factor authentication.
Learn how software and data integrity failures arise from untrusted libraries and insecure CI/CD pipelines, and how to mitigate them with Maven/npm repositories, code reviews, and digital signatures.
Explore the ninth OWASP top ten vulnerability: security logging and monitoring failures, and learn how proper logging, continuous monitoring, and alerting protect logs, audit trails, and incident response.
Explore server-side request forgery (SSRF) and how it lets attackers make apps access internal resources. Learn practical controls, including input validation, allow lists, and disabling redirects, plus internal authentication and firewalls.
Learn to identify DevSecOps jobs on platforms like LinkedIn, using security keywords and OWASP top ten to tailor your search and CV.
Course Updates:
v7.0 - April 2026
Added Labs for In-course practice for lectures
v6.0 - May 2025
Added in Section 7: role-play interview with a hiring manager for the position of Security Engineer
v5.0 - July 2024
Added DevSecOps notes for the entire course as a downloadable PDF in Lecture 1
v4.0 - May 2024
Added DevSecOps Handbook document in Section 5
Updated course with Terraform Basics and OWASP Top 10 Web 2024 hands-on lectures
v3.0 - March 2024
Updated course with video lectures on IaC scan with Snyk IaC
v2.0 - Jan 2024
Updated course with lectures on the Java 17 download link
Updated course with lectures noting that the Bridgecrew free trial is no longer available; use Snyk as an alternative for practice
v1.0 - Feb 2023
Updated course with lectures and notes on IaC security scan using Bridgecrew
Who should take this course?
This DevSecOps course is designed for Security Engineers, DevOps Engineers, SREs, QA professionals, and freshers looking to find a job in the field of security. It is a focused DevSecOps course covering the basic to advanced DevSecOps knowledge needed to find a job in the security domain and work in an organization. This course also teaches you to implement an end-to-end DevSecOps pipeline for a Java project.
Learn and implement security in the DevOps pipeline, and get hands-on experience using security tools and technologies.
This course is for:
Developers
DevOps
Security Engineers
Aspiring professionals in the security domain
Quality Assurance Engineers
InfoSec/AppSec professionals
DevSecOps, being a hot skill, will help you secure a high-salaried job and stay informed on the latest market trends.
Why purchase this course?
This is the only practical, hands-on course available on the internet so far.
DevSecOps enables rapid application development with agility, at the same time it secures your application with automated security checks integrated within the pipeline. It helps to increase productivity and security by integrating security stages in the pipeline.
Also, we have included practical examples to implement security in the DevOps pipeline through various tools.
By the end of the course, you will be able to implement a DevOps or DevSecOps pipeline and lead initiatives to create, build, and maintain security pipelines in your project.
No action is required before taking this course. For any questions or concerns, please post your comments in the discussions tab.
Disclaimer: English subtitles are auto-generated, so please ignore any grammar mistakes.