Secure Software Delivery with DevSecOps (2 days)

This intermediate-level course provides engineers with a practical, systems-level understanding of secure software delivery in modern environments. Framed around DevSecOps and real-world breach scenarios, the course walks through the entire software lifecycle — from development to production and incident response — highlighting security controls, common attack vectors, and defensive strategies in CI/CD, cloud, and Kubernetes environments. The course also addresses the growing security implications of integrating Generative AI tools into development workflows, covering data privacy risks, IP concerns, and safe practices for using GenAI within secure pipelines.

Prerequisites

Experience in software development using languages such as Java, C, C++, Python, or Fortran
Basic familiarity with CI/CD pipelines
Awareness of cloud or container technologies is beneficial but not required

Modern Breaches and the DevSecOps Mindset

Understanding how modern software supply chain attacks occur
Common post-breach findings in CI/CD and cloud environments
Defence-in-depth and zero trust principles
Mapping the software delivery lifecycle as an attack surface

Secure Coding and OWASP Principles

Introduction to OWASP Top 10 risks and their real-world impact
Language-specific security risks (Java deserialization, C/C++ memory safety, Python dependency risks)
Input validation, authentication, and secure session handling
Managing third-party dependencies and reducing supply chain risk

CI/CD Pipeline Security

Hardening Jenkins and Harness pipelines
Securing build agents and preventing credential leakage
Static analysis (SAST), Software Composition Analysis (SCA), and interpreting SonarQube alerts effectively
Artifact signing, SBOM generation, and trusted builds

GenAI and the Security of the DevOps Pipeline

Risks of using GenAI tools in development and CI/CD contexts
Data privacy and intellectual property concerns with GenAI
Mitigation strategies for GenAI-related risks in software development
Best practices for integrating GenAI tools securely into CI/CD pipelines

Secrets Management and Identity in Hybrid Environments

Principle of least privilege in developer and service accounts
Managing secrets securely in CI/CD and cloud platforms
IAM models in cloud environments
Preventing token abuse and credential sprawl

Cloud and Kubernetes Security Fundamentals

Shared responsibility model in cloud environments
Container image security and vulnerability scanning
Kubernetes RBAC, network policies, and namespace isolation
Securing Kubernetes secrets and configuration
Runtime protection and pod-level security controls

Threat Modelling and Risk-Based Prioritisation

Applying threat modelling techniques (e.g., STRIDE) to real architectures
Identifying trust boundaries and attack paths
Understanding CVSS vs business risk
Prioritising vulnerabilities from SonarQube and scanners effectively

Detection Engineering and SIEM Awareness

What logs matter in applications and CI/CD environments
Recognising indicators of compromise
Integrating application telemetry with SIEM platforms
Designing software for observability and forensic readiness

Vulnerability Testing and Security Assessments

Understanding Static Application Security Testing (SAST) for identifying vulnerabilities in source code without executing the application
Understanding Dynamic Application Security Testing (DAST) for identifying vulnerabilities in running applications through simulated attacks
Understanding Software Composition Analysis (SCA) for analyzing third-party dependencies and identifying known vulnerabilities in libraries
Understanding container scanning for detecting vulnerabilities and security issues in container images
Fuzz testing and memory safety testing for compiled languages
Security architecture reviews and pre-release assessments
Working effectively with penetration testers