Remote Training (Dec 7-8) : DevSecOps Masterclass 2020 Discoverer Edition Register Now

DevSecOps & AppSec

Replicate the success of your application security program, in scale.

Training Objective and Course Overview

Incorporating robust and resilient application security practices within a continuous delivery pipeline can be challenging. This is why scalable application security is an essential requirement for any product, especially within mature software delivery environments utilizing DevOps practices.

What attendees will learn

The DevSecOps Masterclass starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud with detailed perspectives of implementing scalable security for cloud-native deployments. By the end of this 2-day training, attendees will have enough ideas and hands-on experience in-order to successfully kickoff DevSecOps implementations.

The DevSecOps - DAST Automation Edition is a focused training in integrating and automating Dynamic Scanning tools like BurpSuite and OWASP ZAP. You will learn to leverage Test Automation Frameworks to perform fully authenticated and contextually aware scanning of your web applications and web services. In addition, you'll be building custom scripts for OWASP ZAP and BurpSuite to expand your scanning workflows

Training Variants

  • A Quick History of Agile and DevOps
  • The Coming of DevOps
  • The Need for Security in DevOps
  • Security in Continuous Integration
  • Security Integrations for Jenkins and other CI Tools
  • Success Factors for SAST - Tool Focus (FindSecBugs, NodeJSScan, Bandit, Brakeman, MobSF (Mobile SAST)
  • Hands-on Labs - SAST Framework for CI Tools like Jenkins
  • Rolling out custom SAST Workflows – using Abstract Syntax Trees and Regular Expressions
  • Hands-on SAST - Write your own AST checks for SAST
  • Hands-on Labs: Incremental SAST for speed in the SDLC


  • Security Automation Testing using BurpSuite Professional, OWASP ZAP, w3af, Selenium, OpenAPI (Swagger)
  • Security Regression Tests - How to design and write them
  • Hands on Labs - Creating Parameterized Security Automation Testing Scripts for w3af, OWASP ZAP, BurpSuite Pro and Selenium
  • Hands-on Labs: Leveraging Functional Test Automation with multiple frameworks for Security Testing ((Robot Framework,NighwatchJS,Tavern -REST API Testing,Puppeteer/Pyppeteer)
  • Hands on labs - Integrating Custom Security Automation with Jenkins and other CI Tools

  • OWASP ZAP Deep-Dive (Scan Policy / Extensions)
  • Leveraging OWASP ZAP API with Selenium for testing browser-based applications
  • Leveraging OWASP ZAP API and (Tavern/RESTInstance/Chai) to test web services and microservices
  • OWASP ZAP API Testing with OpenAPI Specification
  • Create Active Scan Scripts for Custom Application Vulnerabilities
  • Create Zest Scripts for Authentication
  • BurpSuite 2.0 API Deep-Dive
  • Leveraging Burp 2.x API with Selenium for testing browser-based applications
  • Leveraging Burp 2.x API and (Tavern/RESTInstance/Chai) to test web services and microservices
  • Scan Profiles with Audit and Crawl Profiles
  • BurpSuite Knowledge Definitions
  • Introduction to BurpSuite 2.0 Enterprise
  • Introduction to BDD and ATDD Frameworks
  • Introduction to Robot Framework and its Declarative Syntax
  • Writing Application Security Test Recipes using Robot Framework
  • Hands-on: OWASP ZAP - Robot Framework Integration
  • Creating Parameterized AppSec Automation with Robot Framework, Selenium, OWASP ZAP and BurpSuite Pro
  • Introduction to Source Composition Analysis (SCA)
  • Tools and Approaches to Source Composition Analysis, with Hands-on Labs (IOWASP Dependency Check, NPM Audit, PyUp Safety)
  • Hands-on Labs: Leveraging Robot Framework and Docker to run SCA on Applications in a continuously automated workflow
  • Hands-on Labs: Integrating Source Composition Analysis into the CI Pipeline
  • Software Bill of Materials (SBOM) and Source Composition Analysis
  • Standardizing Software Metadata to identify security issues against Third-Party Libraries
  • Hands-on Labs: Using CycloneDX and OWASP Dependency Track to continuously track and monitor Software components in a CI Pipeline with Jenkins
  • Why IAST? Why RASP? And when to use it
  • A look at the tools for IAST and RASP
  • Hands-on Labs: Deploying HDIV Community (RASP) OR OpenRASP on an Intentionally Vulnerable Java Application
  • Approaches to Application Security Pipelines
  • Ground Truths and Challenges with Security Pipelines
  • Types of Application Security Pipelines
  • Hands-on Labs
  • An Unconventional Approach - Leveraging FaaS and Services to create pipelines
  • Approaches to Application Security Pipelines
  • Ground Truths and Challenges with Security Pipelines
  • Differences between traditional and security pipelines
  • “Breaking the Build” - Myth and Reality
  • False Positive Management
  • Types of Application Security Pipelines
  • Incremental Security Pipeline
  • Approaches to DevSecOps Automation
  • DevOps Pipelines and points of integration
  • Introducing Security in the SDLC
  • Success Factors
  • DAST Automation Options
  • Challenges - DAST Automation
  • Spider - The Dreaded, Inefficient Spider
  • SPAs and Web Services - Automation Challenges
  • OWASP ZAP API Deep-dive
  • BurpSuite API Deep-dive
  • Hands-on Exploration of Burp and ZAP API
  • Introduction to Test Automation - Selenium and E2E Test Automation Frameworks
  • REST API Test Automation Frameworks
  • Parameterized DAST Scanning with Test Automation (OWASP ZAP / BURP)
  • OWASP ZAP Scripting Interface
  • Hands-on OWASP ZAP Scripting
  • Hands-on CI/CD pipelines with DAST and OWASP ZAP
  • Hands-on pipelines with DAST and BurpSuite

The best part of the training was being able to see automation implemented in a single pipeline

- Neha Malick, ANZ

I found it really enjoyable because there was a lot of new information that we probably wouldn’t have come across in our organisations. It will be to very useful to see how we can implement all the information Abhay has given us to improve our processes and DevSecOps pipeline. And it was really good to see it done in a light-weight and fast manner to keep up with the demands of the agile development. Abhay was really patient with all our questions. I learnt a lot.

Really worthwhile attending

- Peter van Oosterom, Zimbani Pty Ltd

It was a really good show. Very comprehensive covering everything from automation build pipeline to how to do threat modelling in a different way, which has actually resonated well with a lot of the work I do with dev teams today.

This class really opened my eyes in terms of security automation and testing

- Liou Liu, MLC Life Insurance

This training showed me the different ways in which different elements like threat modelling and automation testing go together. The class opened my eyes in terms of what is coming to security automation in the next 2-3 years. I think application of automation is very important with everything moving so fast. I'm going to learn and implement what I learnt from this class.

Conference Features

Our Application Security and Cloud Security programs is a regular feature at marquee application security conferences across the world.

Frequently Asked Questions

Who is this training for?

This program is focused towards delivering application security at scale to organisations. It is therefore aimed at product teams who wish to automate their application security testing to keep pace with product releases in an agile environment.

Does this training program require prior or current usage of any specific tools or platforms?

No. But the course does introduce concepts of DAST, SAST, SCA and Correlation platforms in conjunction with standard engineering platforms such as Jenkins and JIRA which are easier to digest with prior exposure.

Dates Coming Soon !

(On Sale)

2 Days
(14 Hours)


Dates Coming Soon ! 
Get Notified

DAST Automation Edition

0.5 Days
( 4 Hours)


Dates Coming Soon ! 
Get Notified

Would you rather have a private training conducted for your team? Enter your details here

    By checking this box you agree to receive communication on we45's events, product or solution offerings by email to your contact information.

    You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

    By clicking submit below, you consent to allow we45 to store and process your personal data to provide you the requested information.

    Additional Resources

    How to: Automating Burp With Jenkins

    This blog outlines the steps involved in integrating one of the most prominent DAST tools Burp with Jenkins.

    The Three Pillars Of DevSecOps

    Understand our perspective on what it takes to successfully implement DevSecOps in an organization.

    7 Myths of AppSec Automation

    Here is our compilation of common misconceptions aimed at anyone either currently involved in or in the process of adopting DevSecOps in the near future.