DevSecOps Bootcamp

Contact us for course information at info@velocityknowledge.com

Duration: 5 days instructor-led

Course Description

This 5-day instructor-led DevSecOps Bootcamp is designed for development, security, and operations professionals who want to build, integrate, and scale security into modern DevOps workflows. The course covers the practical implementation of DevSecOps principles using real-world tools and practices. Participants will learn how to automate security across the CI/CD pipeline, conduct code and dependency scanning, apply runtime protections, and respond to incidents. The course combines lectures with hands-on labs using GitHub Actions, Docker, Kubernetes, SAST, DAST, and infrastructure-as-code security tools.

Target Audience

  • DevOps engineers
  • Security engineers and analysts
  • Cloud engineers
  • Site Reliability Engineers (SREs)
  • Software developers with CI/CD responsibilities

Prerequisites

  • Familiarity with Git and CI/CD concepts
  • Basic knowledge of Docker and containerization
  • Understanding of core security concepts (encryption, IAM, vulnerabilities)
  • Recommended: exposure to cloud platforms (AWS, Azure, or GCP)

Key Objectives

By the end of the course, participants will be able to:

  • Understand DevSecOps fundamentals and tooling strategies
  • Secure code from commit to production in automated pipelines
  • Perform static and dynamic code analysis
  • Scan dependencies, containers, and infrastructure-as-code
  • Integrate security testing into CI/CD workflows
  • Respond to security events with alerts and automation

Course Takeaways

  • Hands-on experience implementing DevSecOps in real environments
  • Prebuilt templates for security integration into CI/CD
  • Lab-ready GitHub repositories and automation scripts
  • Actionable security checklists for DevSecOps teams

Module 1: DevSecOps Foundations and Secure SDLC

Section 1.1: Introduction to DevSecOps

  • What is DevSecOps
  • Shifting security left
  • DevSecOps vs traditional AppSec
  • Security as code and policy as code

Section 1.2: Secure SDLC and Threat Modeling

  • Secure design patterns and architecture
  • Common threats in modern delivery pipelines
  • STRIDE threat modeling in DevOps workflows

Hands-On Labs

  • Lab 1: Build a threat model using OWASP Threat Dragon
  • Lab 2: Review a sample app architecture and identify DevSecOps entry points
  • Lab 3: Create a simple CI/CD workflow in GitHub Actions for a sample app

Module 2: Code and Dependency Scanning

Section 2.1: Static Application Security Testing (SAST)

  • Secure coding best practices
  • SAST tool overview (Semgrep, SonarQube, CodeQL)
  • Integrating SAST into pipelines

Section 2.2: Software Composition Analysis (SCA)

  • Managing open-source risk
  • Detecting vulnerable libraries and licenses
  • Tools overview: Snyk, OWASP Dependency-Check, Trivy

Hands-On Labs

  • Lab 4: Run Semgrep on a Python or Node.js project and fix findings
  • Lab 5: Integrate Snyk into GitHub Actions for automatic dependency scanning
  • Lab 6: Configure SonarQube for secure code quality gates

Module 3: Container and Infrastructure Security

Section 3.1: Docker Security Fundamentals

  • Writing secure Dockerfiles
  • Image scanning and validation
  • Secrets management in containers

Section 3.2: Infrastructure as Code (IaC) Security

  • Securing Terraform, CloudFormation, and Kubernetes YAML
  • Detecting misconfigurations and policy violations
  • Tools: Checkov, TFLint, kube-bench, OPA Gatekeeper

Hands-On Labs

  • Lab 7: Scan Docker images with Trivy and implement hardening changes
  • Lab 8: Use Checkov to analyze a Terraform file and enforce policies
  • Lab 9: Apply OPA Gatekeeper policies in a Kubernetes cluster

Module 4: Dynamic and Runtime Security

Section 4.1: Dynamic Application Security Testing (DAST)

  • Differences between DAST and SAST
  • OWASP ZAP and Burp Suite basics
  • Integrating DAST into staging and production pipelines

Section 4.2: Runtime Security and Observability

  • Monitoring containers and services
  • Runtime threat detection with Falco
  • Logging and alerting best practices

Hands-On Labs

  • Lab 10: Run OWASP ZAP against a staging environment and generate a report
  • Lab 11: Use Falco to detect abnormal container behavior
  • Lab 12: Configure log-based alerting for suspicious events in CI/CD

Module 5: DevSecOps in CI/CD and Incident Response Automation

Section 5.1: Security Automation in CI/CD Pipelines

  • GitHub Actions, GitLab CI, and Azure DevOps integration
  • Implementing security gates and approvals
  • Secrets scanning with Gitleaks and automation triggers

Section 5.2: Responding to Security Events

  • Building event-driven workflows
  • Automated patching and rollback
  • Integrating Slack, Jira, or email alerts into pipelines

Final Capstone Lab

  • Lab 13: Build a complete CI/CD pipeline that:
    • Runs SAST, SCA, DAST, and IaC scans
    • Fails builds on high-risk findings
    • Sends alerts to a Slack channel and creates a ticket
    • Applies runtime detection on deployed containers

Contact us to customize this course for your team or organization.