DevSecOps Boot Camp

Teach your teams how to improve the DevSecOps practice

17 Oct 2022 | Live-Online New York | 3 days | Early bird $2450 +VAT

Course Timings

This training course runs from 09:00 to 17:00 each day.

All times given are in the local timezone for the date of the course.

Course Overview

Led by a senior expert, this boot camp teaches your teams how to improve their DevSecOps practice, from guiding principles to daily technical execution.

This DevSecOps training boot camp is a practical, in-depth course for teams that want to understand, apply and improve their skills in "shifting left" in IT security. It focuses on the principles, processes and technical skills needed to make security and risk profiling a front-end priority, embracing a "quality first" mindset. Teams leave the class understanding that they share responsibility for how applications and IT services perform once they are complete and in production, even if they are primarily involved in designing, developing or testing those applications. For IT teams primarily on the operations end of the spectrum, the class teaches how to shift left and collaborate on the upstream work that ultimately shapes the IT security environment, the organisation's risk management and their own daily jobs.

Course Content

Part 1: DevOps, Security, and DevSecOps: Definitions

1. DevOps

2. Security

3. Risk

4. Culture

5. Agility

6. Testing

7. Continuous Integration

8. Continuous Delivery

Part 2: Where do we start with security?

1. Risk review

2. Policy

3. Roles

4. Compliance, regulatory and GRC

5. The Pipeline Model

6. Exercise A: Value Stream Mapping

Part 3: Security as a DevOps practice

1. Traditional vs. “DevOps” security

2. Tools vs. processes

3. Security, not compliance

4. Prioritizing testing for risk

5. Reducing source code footprint

6. Static analysis for secure code

7. Feature toggles for security

  • Toggle points
  • Toggle router
  • Toggle configuration

8. DevSecOps and technical debt management
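
Item 7 above names the three parts of a feature-toggle design (toggle points, toggle router, toggle configuration). The following is an added example, not course material: it shows those three parts in working Python, with the property a security engineer cares about most, that a security toggle fails closed when its configuration is missing, unparsable or malformed. The toggle names, the JSON layout and the two endpoint functions are assumptions chosen for illustration.

```python
"""Feature toggles for security: toggle points, a toggle router and toggle
configuration. Added example, not course material; toggle names and the JSON
layout are assumptions chosen for illustration."""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Request context the router decides on."""
    user_id: str
    role: str


# Toggle configuration. In a pipeline this is loaded from a versioned file or a
# config service; here it is a constructed sample so the example runs offline.
SAMPLE_CONFIG = json.dumps({
    "toggles": {
        # Kill switch for a legacy endpoint: off for everyone except admins.
        "legacy-export-api": {"default": False, "enabled_for_roles": ["admin"]},
        # Gradual rollout of a stricter Content-Security-Policy to half of users.
        "strict-csp": {"default": False, "percentage": 50},
        # Malformed entry ("default" is a string, not a bool): must fail closed.
        "skip-input-validation": {"default": "yes"},
    }
})


class ToggleRouter:
    """Decides whether a toggle point is active for a given context.

    Security toggles fail closed: an unknown name, unparsable config or a
    malformed spec all evaluate to False, so a broken deploy never switches a
    protection off or a risky feature on by accident.
    """

    def __init__(self, config_json: str):
        try:
            toggles = json.loads(config_json).get("toggles")
        except (ValueError, AttributeError):   # not JSON, or JSON that is not an object
            toggles = None
        self._toggles = toggles if isinstance(toggles, dict) else {}

    def enabled(self, name: str, ctx: Context) -> bool:
        spec = self._toggles.get(name)
        if not isinstance(spec, dict) or not isinstance(spec.get("default"), bool):
            return False                                   # fail closed
        roles = spec.get("enabled_for_roles", [])
        if isinstance(roles, list) and ctx.role in roles:
            return True
        pct = spec.get("percentage")
        if type(pct) is int and 0 <= pct <= 100:          # bool is an int subclass; exclude it
            # Stable per-user bucket: the same user always gets the same answer,
            # which keeps rollouts debuggable and prevents toggle flapping.
            digest = hashlib.sha256(f"{name}:{ctx.user_id}".encode()).digest()
            return int.from_bytes(digest[:4], "big") % 100 < pct
        return spec["default"]


# Toggle points: the only places where application code consults the router.
def response_headers(ctx: Context, router: ToggleRouter) -> dict:
    """Send the strict CSP only where the rollout toggle is on."""
    policy = ("default-src 'self'" if router.enabled("strict-csp", ctx)
              else "default-src 'self' 'unsafe-inline'")
    return {"Content-Security-Policy": policy}


def export_data(ctx: Context, router: ToggleRouter) -> tuple:
    """Endpoint behind a kill switch: behaves as if absent when the toggle is off."""
    if not router.enabled("legacy-export-api", ctx):
        return (404, "")
    return (200, "export-stream")
```

The design choice worth copying is the order of checks in `enabled`: validate the spec first, then explicit role grants, then percentage rollout, and only then the default. Anything that does not parse to a boolean decision is treated as off rather than guessed at.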

Part 4: DevSecOps and “requirements”

1. Designing for security

2. Assessing risk appetite

3. Modeling threats

4. Product architecture

5. Use cases, antipatterns, and abuse cases

6. Dataflows and trust boundaries

7. Exercise B: Threat Modeling

Part 5: Secure development patterns

1. Secure code overview

2. OWASP review

3. Tools for automating OWASP

  • OWASP dependency checkers
  • OWASP ZAP during regular functional tests

4. Developer guidelines & checklists

5. Tools to use

6. Coding Standards (top 5 languages)

7. Common pitfalls

8. Identifying Unsafe Code

Part 6: Security Testing in the Pipeline

1. Testing before commit

2. Scanning for secrets

3. Hook examples

4. Application security testing

  • Static
  • Dynamic

5. Testing dependencies

6. How to treat manual testing

7. Performance Testing

  • Testing for load
  • Testing for stress
  • Soak tests
  • Spike testing

8. Testing in parallel

9. Staging

10. Mutation testing and tools for performing it

11. User role testing
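
Items 1 to 3 of Part 6 (testing before commit, scanning for secrets, hook examples) are the kind of thing best shown in code. The block below is an added example, not course material: a pre-commit hook that scans only the lines a commit adds, using a few fixed patterns plus an entropy check for credential-like assignments, and exits non-zero to abort the commit. The hook path (`.git/hooks/pre-commit`), the rule set and the sample diff are assumptions; the credentials in the sample are AWS's published placeholder values, not real keys.

```python
"""Pre-commit hook that blocks commits whose staged diff adds secrets.
Added example, not course material. Assumed installation: copy to
.git/hooks/pre-commit and make it executable; git then runs it before
every commit and a non-zero exit aborts the commit."""
import math
import re
import subprocess
import sys

# Fixed-format rules. Deliberately small; real hooks carry hundreds of patterns
# and are complemented by a scan of repository history, which a hook cannot do.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# Generic rule: something named like a credential assigned a long literal.
# No leading \b so DB_PASSWORD and AWS_SECRET_ACCESS_KEY still match.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 4.0   # bits per character; readable placeholders score below this


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list:
    """Return the names of the rules that fire on one line of text."""
    hits = [name for name, rx in RULES.items() if rx.search(line)]
    m = ASSIGNMENT.search(line)
    if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
        hits.append("high-entropy-assignment")
    return hits


def scan_diff(diff_text: str) -> list:
    """Scan only the ADDED lines of a unified diff; returns (path, line, rules)."""
    findings, path = [], "?"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif line.startswith("+") and not line.startswith("+++"):
            hits = scan_line(line[1:])
            if hits:
                findings.append((path, line[1:].strip(), hits))
    return findings


# Constructed sample diff. The key pair is AWS's documented placeholder, not a
# real credential; the third line is a readable placeholder that should pass.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme-in-production"
 ALLOWED_HOSTS = ["example.org"]
"""


def main() -> int:
    """Hook entry point: scan the staged diff and fail the commit on any finding."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, text, rules in findings:
        print(f"{path}: {', '.join(rules)}: {text}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Two practical caveats: a hook only protects developers who have installed it, so the same scan should run server-side in CI as well, and a secret that is caught here has already been typed into a file on disk, so treat a hook finding as a prompt to rotate, not just to remove.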

Part 7: Identity and Access Management (IAM)

1. IAM overview

2. Identity profiles

3. Using IAM for automation

4. IAM practices in the cloud

5. IAM as an application building block

6. IAM antipatterns

7. Guided discussion: IAM in a Microservices use case

Part 8: Deployment patterns for security

1. Canary candidates

2. Dark launches

3. Streamlining libraries and dependencies

4. Keeping packages up to date

5. Keeping deploys repeatable and reliable

6. OpenSCAP for scanning baselines before and after deployments

7. Scanning web server configuration

8. Database exploitation through applications

9. Infrastructure scanning

  • OpenVAS
  • Nmap

10. Scanning web applications

  • w3af
  • Wapiti
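
Three items on this outline point at the same pipeline gate: "OWASP dependency checkers" (Part 5), "Testing dependencies" (Part 6) and "Streamlining libraries and dependencies" / "Keeping packages up to date" (Part 8, items 3 and 4). The block below is an added example, not course material, showing the core of such a gate: parse a pinned requirements file, reject anything that is not pinned, and flag versions inside a known-vulnerable range. The advisory feed and the package names are constructed and fictional; a real job would pull OSV, the OWASP Dependency-Check data or a vendor feed instead.

```python
"""Dependency gate for the pipeline: fail on unpinned requirements and on
pinned versions that fall inside a known-vulnerable range.
Added example, not course material. ADVISORIES is a constructed feed for
fictional packages; the version logic handles numeric dotted versions only."""
import re
from typing import Dict, List, Tuple

# Constructed advisory feed: normalized package name -> half-open version
# ranges [introduced, fixed). Fictional packages, no real identifiers.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "acme-json": [("1.0", "1.4.2")],
    "widget-auth": [("0.9", "2.0.1"), ("2.1", "2.1.3")],
}

# Only exact pins are accepted: an open range makes deploys non-repeatable and
# lets a newly published (possibly malicious) release slip in unnoticed.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)$")


def normalize(name: str) -> str:
    """PEP 503 style normalization so Widget_Auth, widget.auth and WIDGET-AUTH match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (enough for this example; no pre-release tags)."""
    return tuple(int(part) for part in version.strip(".").split("."))


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (pins, problems); problems are lines that are not exact pins."""
    pins, problems = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = REQ_LINE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
        else:
            problems.append(f"unpinned or unparsable requirement: {line!r}")
    return pins, problems


def vulnerable_ranges(name: str, version: str) -> List[Tuple[str, str]]:
    """Advisory ranges that contain this version (empty list means clean)."""
    v = parse_version(version)
    return [(lo, hi) for lo, hi in ADVISORIES.get(normalize(name), [])
            if parse_version(lo) <= v < parse_version(hi)]


def check(requirements_text: str) -> List[str]:
    """Return all findings; an empty list means the gate passes."""
    pins, findings = parse_requirements(requirements_text)
    for name, version in pins.items():
        for lo, hi in vulnerable_ranges(name, version):
            findings.append(
                f"{name}=={version} is in vulnerable range [{lo}, {hi}); upgrade to >= {hi}")
    return findings


# Constructed lockfile for the demonstration.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
acme-json==1.3.0
Widget_Auth==2.1.3
requests==2.31.0
flask>=2.0          # not pinned: rejected by the gate
"""
```

Normalizing names before lookup matters more than it looks: advisory feeds, lockfiles and package indexes spell the same package differently, and a check that misses on spelling silently passes a vulnerable version.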

Part 9: DevSecOps and Operations

1. Where does Ops security begin and end?

2. Infrastructure as Secure Code

3. Incident response planning and emergency drills

4. Release Archives

5. OS Protections:

  • Address Space Layout Randomization
  • Non-Executable Stacks
  • W^X
  • Data Execution Prevention
  • SELinux

7. Monitoring, logging and intelligent alerts

  • Splunk mini-tour: A transformative tool for analyzing machine data, operational risk, and application health

8. Log management

9. Penetration Testing

10. Exercise C: Profiling a DevSecOps Hybrid model
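
Item 5 of Part 9 lists OS protections (ASLR, non-executable stacks, W^X, DEP, SELinux). Two of these can be verified from the pipeline rather than taken on trust: whether the host has ASLR turned on, and whether a built binary actually asks for a non-executable stack. The block below is an added example, not course material. It reads the Linux `randomize_va_space` sysctl and parses the `PT_GNU_STACK` program header of an ELF64 file (the same check the `checksec` tools perform). The ELF bytes it builds are constructed minimal headers for the demonstration, not a runnable binary, and only little-endian ELF64 is handled.

```python
"""Verify two OS protections from the artefact side: ASLR on the host and a
non-executable stack in an ELF64 binary (PT_GNU_STACK without PF_X).
Added example, not course material; build_elf() constructs minimal headers
for the demonstration and is not a real binary."""
import struct

PT_GNU_STACK = 0x6474E551      # program header that records the stack permissions
PF_X = 0x1                     # executable flag in p_flags
ELF_MAGIC = b"\x7fELF"
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 header, 64 bytes
PHDR64 = struct.Struct("<IIQQQQQQ")            # ELF64 program header, 56 bytes


def stack_policy(elf: bytes) -> str:
    """'non-executable', 'executable', or 'unspecified' when no PT_GNU_STACK is
    present (which older toolchains and kernels treat as executable)."""
    if len(elf) < EHDR64.size or elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:                  # EI_CLASS == ELFCLASS64, EI_DATA == LSB
        raise ValueError("only little-endian ELF64 is handled in this example")
    fields = EHDR64.unpack_from(elf, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    for i in range(phnum):
        p_type, p_flags, *_ = PHDR64.unpack_from(elf, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    return "unspecified"


def build_elf(gnu_stack_flags=None) -> bytes:
    """Constructed minimal ELF64 image: header plus program headers only."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)          # class64, LSB, version 1
    phdrs = [(1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]      # PT_LOAD r-x placeholder
    if gnu_stack_flags is not None:
        phdrs.append((PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16))
    ehdr = EHDR64.pack(ident, 2, 0x3E, 1, 0x400000, EHDR64.size, 0, 0,
                       EHDR64.size, PHDR64.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(PHDR64.pack(*p) for p in phdrs)


def aslr_setting(sysctl_value: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    return {"0": "disabled",
            "1": "partial (stack, mmap and VDSO randomized; brk is not)",
            "2": "full"}.get(sysctl_value.strip(), "unknown")


def check_host_aslr() -> str:
    """Read the live setting on a Linux host (not used by the offline checks)."""
    with open("/proc/sys/kernel/randomize_va_space") as f:
        return aslr_setting(f.read())
```

A build step that runs `stack_policy` over every produced binary and fails on anything but `non-executable` catches the one link flag (`-z execstack`, or an assembly object without a `.note.GNU-stack` section) that silently re-enables an executable stack for the whole process.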

Part 10: Policy, Governance, and Audit

1. GRC review

2. Coding for compliance

3. DevOps and the “segregation of duties”

4. Tooling example: Chef InSpec

5. Change management and policy

6. Exercise D: Automated vs. Manual, to comply with Audit requirements

Part 11: Change management and DevSecOps

1. Three types of “change”

2. When and why to use CAB boards

3. Peer review vs. change management

4. Automating change management

5. ITIL in 2020

Part 12: Measurement and metrics

1. The core toolkit of metrics

2. The best way to institute alerts

3. Managing alerts

4. Proactive vs. reactive metrics

5. Measurement antipatterns

Part 13: More advice on the cultural factors

1. Security fails and breakdowns

2. Incentive, fear, and reward

3. Getting outside IT

4. How to shift left

5. Building security in

6. Cost and the business case for proactive security

7. Overcoming conventions of the past

8. Bridging silos – why and how

9. Exercise E: Rearranging incentives

Part 14: Putting it all together

1. Class recap and final questions

2. What will you do differently when you return to work?

Learning Objectives

In this class you will learn how to:

  • Assess, specify and automate much of the work associated with application security
  • Bridge the typical functional silos in IT that prevent proactive security practices
  • Translate common risks into technical use cases and software requirements
  • Apply “security first” engineering and testing practices throughout the entire application pipeline
  • Use static analysis, broader unit test coverage, and code quality reviews specifically for security
  • Translate the OWASP risks into practical, actionable software development best practices
  • Deploy for security
  • Tie secure development practices and automated engineering to GRC and audit requirements
  • Try new approaches to change management for increased speed, automation, and security
  • Use DevOps-style metrics to measure and monitor security practices and performance
  • Promote the cultural practices that lead to improved responsibility for security outcomes


This DevSecOps training is for those who have at least an introductory-level understanding of DevOps and Agile topics.

Professionals who may benefit include:

  • Anyone in an IT Leadership role
  • CIOs / CTOs / CSOs
  • Security Administrators
  • Any Security Staff
  • System Administrators
  • IT Operations Staff
  • Release Engineers
  • Configuration Managers
  • Anyone involved with IT infrastructure
  • Developers and Application Team leads
  • ScrumMasters
  • Software Managers and Team Leads
  • IT Project & Program Managers
  • Product Owners and Managers

Course Preparation

This course does not require any pre-course preparation.

Certifying Bodies & Exams

This course does not include a formal certification or exam.

What You Receive

Three days (24 hours) of high-quality instruction from one of our experienced trainers. Also included are:

  • Course Materials

Online Details

We use Zoom video conferencing to host our live online courses in a virtual classroom. We recommend that, before registering, participants run a Zoom test meeting and check the system requirements to make sure they can connect. Participants will also use our digital workspace (Mural) and our Agile Tools Mobile app to collaborate with the class and complete exercises for the duration of the course. The links below test and explain the requirements for each of these tools.

  • Zoom requirements
  • Zoom test meeting
  • Mural requirements (if relevant)
  • Miro requirements (if relevant)
  • Agile Tools Mobile App
On registration, each participant receives joining instructions with full details of how to access the virtual classroom and the additional tools.

Still unsure? Talk to our team of friendly learning advisors, they are here to assist before, during and after your class if you have any questions.

Upcoming dates

All sessions are Live-Online, New York, 3 days, Early bird $2450 +VAT:

  • 22 Aug 2022
  • 21 Sep 2022
  • 17 Oct 2022
  • 16 Nov 2022
  • 07 Dec 2022

Copyright © Radtac 2022     |     All rights reserved     |     Registered in England & Wales No. 03600183