
DevSecOps Study Plan

Milestone-based roadmap to learn how development, security, and operations work together through automation and fast feedback.

DevSecOps is not only adding security tools to CI/CD. It is embedding security into planning, building, testing, delivery, and operations so teams can ship fast and safely.

Expected pace

6-12 months

Entry-level to lateral transition.

What this focuses on

Work closely with developers, SRE/DevOps, and AppSec.
Integrate security checks into pipelines and platforms.
Define secure defaults and guardrails.
Enable teams to move fast with lower risk.

In short

DevSecOps is collaboration, not a separate silo.
Think like a developer, DevOps/SRE engineer, and security engineer.
Be comfortable with CI/CD, containers, and cloud basics.
Know enough AppSec to tune checks and reduce noise.
Automation and feedback loops matter as much as tools.

Section 1

DevSecOps Fundamentals

3-4 weeks

Understand what DevSecOps is and the delivery problems it solves.

Week 1-2: Evolution and Goals

Dev -> DevOps -> DevSecOps evolution.
Why a single security review at the end of delivery fails when teams ship daily.
Review the Application Security study plan.
Review the Secure SDLC study plan.
Review the cloud security study plan for your platform focus (AWS, Azure, or GCP).

Week 3-4: Responsibilities and Shift Left

Shift security left into design, code review, and pipelines, and right into production monitoring and response.
Treat security as part of the delivery flow, not a post-release blocker.
Build self-service security capabilities for product teams.
Design and maintain security checks in CI/CD.
Define secure defaults with platform/DevOps teams.
Scale AppSec and product security through automation.

Section 2

CI/CD and Automation Basics

3-4 weeks

You cannot do DevSecOps effectively without practical CI/CD understanding.

Week 5-6: Platforms and Stages

Learn one or two CI/CD platforms deeply.
Options: GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI.
Pipeline stage: build.
Pipeline stage: unit and integration tests.
Pipeline stage: security tests.
Pipeline stage: packaging and artifact management.
Pipeline stage: deployment.

Week 7-8: Infrastructure and Practice

Repository and branching strategies.
Environment model: dev, test, stage, and prod.
Pipeline secrets management.
Practice: create simple app with build+test CI pipeline.
Plan where SAST/SCA and other checks should be inserted.

Section 3

Security Testing in the Pipeline

4-6 weeks

Learn what checks can be automated and where each check best fits.

Week 9-11: SAST, SCA and Secrets

SAST strengths and limits: false positives and language coverage.
Run SAST on pull request or merge flows.
Configure baseline rules and quality gates.
SCA for vulnerable dependencies and supply chain risk.
License risk awareness and SBOM basics.
Automate dependency checks and upgrade workflows.
Secrets detection for keys and passwords.
Pre-commit hooks versus pipeline-level secret checks: hooks stop a secret before it enters history, pipeline checks catch what hooks missed or were never installed for.
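As an added example (not code from the page or from any named scanner), the script below shows the two placements described above with one detector: the same scan runs over staged blobs as a pre-commit hook or over the whole checkout as a pipeline job, and a baseline of accepted fingerprints keeps old, triaged findings from failing every run. The signature patterns, the entropy threshold, the allowlist comment marker, and the sample configuration text are all constructed for the example.

```python
import hashlib
import math
import pathlib
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed signature set for the example; a real deployment would use the
# pattern library of a maintained secrets scanner.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword = "value": only interesting when the value looks random, so it is
    # paired with the entropy check below to avoid flagging placeholders
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value
ALLOWLIST_MARKER = "# allowlist-secret"  # explicit, code-reviewed suppression

# Constructed sample input, not a real configuration file.
SAMPLE_CONFIG = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "xxxxxxxxxxxxxxxx"
api_key = "q7Rz9kL2mX4vB8nP1wT6yH3s"
token = "q7Rz9kL2mX4vB8nP1wT6yH3s"  # allowlist-secret
-----BEGIN RSA PRIVATE KEY-----
"""


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    fingerprint: str  # derived from rule+value, so moving a file does not make it "new"


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, placeholders low."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if rule == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            fingerprint = hashlib.sha256(f"{rule}:{value}".encode()).hexdigest()[:16]
            findings.append(Finding(path, lineno, rule, fingerprint))
    return findings


def gate(findings: list, baseline: set) -> list:
    """Keep only findings whose fingerprint is not in the accepted baseline."""
    return [f for f in findings if f.fingerprint not in baseline]


def staged_files() -> dict:
    """Pre-commit mode: read the staged blobs, not the working tree."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    return {
        name: subprocess.run(["git", "show", f":{name}"], capture_output=True, text=True, check=True).stdout
        for name in names
    }


def checkout_files(root: str = ".") -> dict:
    """Pipeline mode: scan the whole checkout, catching what hooks missed."""
    files = {}
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            files[str(p)] = p.read_text(errors="ignore")
    return files


def run(mode: str, baseline: set) -> int:
    files = staged_files() if mode == "pre-commit" else checkout_files()
    new = [f for path, text in files.items() for f in gate(scan_text(path, text), baseline)]
    for f in new:
        print(f"{f.path}:{f.line}: {f.rule} (fingerprint {f.fingerprint})")
    return 1 if new else 0  # non-zero exit blocks the commit or fails the job


if __name__ == "__main__":
    sys.exit(run(sys.argv[1] if len(sys.argv) > 1 else "pipeline", baseline=set()))
```

Run it as `python scan_secrets.py pre-commit` from a hook and as `python scan_secrets.py pipeline` from CI. The fingerprint deliberately ignores path and line number, so a refactor that moves a file does not reopen an accepted finding, while rotating the value does. Note that the pipeline mode will flag the sample constant inside this very script when it scans a checkout containing it, which is exactly the case a baseline or an allowlist marker is for.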

Week 12-14: DAST and Container Scanning

DAST and API black-box testing on running services.
Run DAST in pre-production environments.
Container scanning for base image vulnerabilities.
Scan application packages inside container images.
Integrate image scanning into image build workflows.
Match each test type to the risk it covers and to the pipeline stage where its runtime and noise are acceptable: fast, low-noise checks on pull requests, slow black-box and image scans nightly against pre-production.
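Added example, not code from the page: a stage-aware quality gate that ties the "baseline rules and quality gates" item in week 9-11 to the stage-matching point above. It merges per-tool results, drops findings already in an accepted baseline, applies a severity threshold that differs per stage, and fails closed when a tool required at that stage produced no report. The stage policy, the finding records, and the fingerprints are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed stage policy for the example: which tools must have run at each stage
# and the lowest severity that fails the stage. Fast, low-noise checks gate pull
# requests; slower black-box and image scans run nightly against pre-production.
STAGE_POLICY = {
    "pull_request": {"tools": ("sast", "sca", "secrets"), "block_at": "high"},
    "nightly": {"tools": ("sast", "sca", "secrets", "dast", "container"), "block_at": "medium"},
}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    location: str
    severity: str
    fingerprint: str  # stable id from the tool, used to match the baseline


def evaluate(stage: str, results: Dict[str, Optional[List[Finding]]], baseline: Set[str]) -> dict:
    """Decide pass/fail for one pipeline stage from per-tool results.

    results maps tool name -> list of findings, or None when the tool did not
    produce a report. A missing report for a required tool fails the stage
    (fail closed) rather than silently passing with no evidence.
    """
    policy = STAGE_POLICY[stage]
    threshold = SEVERITY_RANK[policy["block_at"]]
    missing = [t for t in policy["tools"] if results.get(t) is None]
    considered = [f for t in policy["tools"] for f in (results.get(t) or [])]
    new = [f for f in considered if f.fingerprint not in baseline]
    blocking = [f for f in new if SEVERITY_RANK[f.severity] >= threshold]
    return {
        "stage": stage,
        "missing_tools": missing,
        "new_findings": len(new),
        "blocking": blocking,
        "passed": not blocking and not missing,
    }


def sample_results(container_ran: bool) -> Dict[str, Optional[List[Finding]]]:
    """Constructed scanner output for the example; not real tool results."""
    return {
        "sast": [
            Finding("sast", "sql-injection", "app/db.py:42", "high", "sast-0001"),
            Finding("sast", "weak-hash", "app/auth.py:10", "medium", "sast-0002"),
        ],
        "sca": [Finding("sca", "vulnerable-dependency", "requirements.txt:examplelib==1.0.0", "critical", "sca-0001")],
        "secrets": [],
        "dast": [Finding("dast", "missing-csp-header", "/login", "medium", "dast-0001")],
        "container": [] if container_ran else None,
    }


def report(result: dict) -> str:
    """Developer-facing summary: what blocked, where, and which tool said so."""
    status = "PASS" if result["passed"] else "FAIL"
    lines = [f"[{result['stage']}] {status}: {result['new_findings']} new finding(s)"]
    for t in result["missing_tools"]:
        lines.append(f"  required tool produced no report: {t}")
    for f in result["blocking"]:
        lines.append(f"  {f.severity.upper():8} {f.tool}/{f.rule} at {f.location}")
    return "\n".join(lines)


if __name__ == "__main__":
    accepted = {"sast-0002"}  # the weak-hash finding was triaged and accepted earlier
    print(report(evaluate("pull_request", sample_results(container_ran=False), accepted)))
    print(report(evaluate("nightly", sample_results(container_ran=True), accepted)))
```

The pull request stage ignores the DAST and container results entirely, so a nightly-only finding never blocks a developer's merge, while the nightly stage fails if the container scan produced no report at all. Storing baseline fingerprints in the repository, with the accepting reviewer in the commit, turns "exception handling" into an auditable change rather than a scanner flag nobody can find later.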

Section 4

Cloud, Containers and IaC Security

4-6 weeks

Most DevSecOps work happens in cloud-native environments.

Week 15-17: Containers and Orchestration

Docker basics: images, containers, and Dockerfiles.
Kubernetes basics: pods, services, deployments, namespaces.
Container risks: running as root, privileged mode, excess Linux capabilities, and unverified image provenance (mutable tags instead of digests).
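Added example (not from the page or any Kubernetes project code): a check over a Pod manifest for the container risks listed above, written the way an admission policy would evaluate it. The one subtlety worth learning here is that a container-level securityContext overrides the pod-level one field by field, so a pod that sets runAsNonRoot for all containers can still have a sidecar that sets runAsUser: 0. The manifest, the registry name, and the shortlist of dangerous capabilities are constructed for the example.

```python
import json

# Capabilities that give near-host control; constructed shortlist for the example.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_OVERRIDE"}

# Constructed Pod manifest (JSON form of the YAML a team would apply).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {
                "name": "web",
                "image": "registry.example.com/web@sha256:" + "0" * 64,
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                },
            },
            {
                "name": "sidecar",
                "image": "registry.example.com/agent:latest",
                "securityContext": {
                    "runAsUser": 0,  # overrides the pod-level non-root setting
                    "privileged": True,
                    "capabilities": {"add": ["SYS_ADMIN"]},
                },
            },
        ],
    },
}


def effective(container_ctx: dict, pod_ctx: dict, key: str, default=None):
    """Container-level securityContext overrides the pod-level one per field."""
    if key in container_ctx:
        return container_ctx[key]
    return pod_ctx.get(key, default)


def check_pod(pod: dict) -> list:
    """Return human-readable violations, one per container and rule."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext") or {}
    issues = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        ctx = c.get("securityContext") or {}
        if ctx.get("privileged"):
            issues.append(f"{name}: privileged container (host-equivalent access)")
        run_as_user = effective(ctx, pod_ctx, "runAsUser")
        run_as_non_root = effective(ctx, pod_ctx, "runAsNonRoot", False)
        if run_as_user == 0 or (run_as_user is None and not run_as_non_root):
            issues.append(f"{name}: may run as root; set runAsNonRoot: true or a non-zero runAsUser")
        if ctx.get("allowPrivilegeEscalation", True):
            issues.append(f"{name}: allowPrivilegeEscalation not set to false")
        caps = ctx.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            issues.append(f"{name}: capabilities not dropped; use drop: [ALL] and re-add only what is needed")
        for cap in caps.get("add") or []:
            if cap in DANGEROUS_CAPS:
                issues.append(f"{name}: adds dangerous capability {cap}")
        image = c["image"]
        if "@sha256:" not in image:
            last = image.split("/")[-1]
            tag = last.split(":", 1)[1] if ":" in last else "latest"
            issues.append(f"{name}: image {image} not pinned by digest (tag {tag!r} resolves at pull time)")
    return issues


if __name__ == "__main__":
    for issue in check_pod(SAMPLE_POD):
        print(issue)
    print(json.dumps({"violations": len(check_pod(SAMPLE_POD))}))
```

The web container passes on every rule because it inherits the pod-level non-root identity and pins its image by digest; the sidecar fails six times. Running this logic in CI against rendered manifests gives the same answer the cluster's admission controller would, but before the deploy step, which is where the feedback is cheapest.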

Week 18-20: IaC and Baselines

IaC tools: Terraform, CloudFormation, ARM/Bicep.
IaC value: repeatable and auditable infrastructure.
Typical misconfigurations: security groups open to 0.0.0.0/0, public storage buckets, and missing encryption at rest.
Learn provider-native cloud security baseline services.
Integrate image and IaC scanning into CI/CD.
Enforce baseline policies via policy-as-code.
Examples: OPA (Rego policies), Conftest for evaluating plans and manifests in CI, and Kubernetes admission controllers at deploy time.
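Added example, not code from the page or from OPA or Conftest: the same kind of rules a Conftest policy would express, written in Python over the JSON that `terraform show -json` produces for a plan, covering the three misconfigurations named above. Rules are registered per resource type, only created or updated resources are evaluated (a delete introduces no new exposure), and the job fails when any rule fires. The plan document is constructed for the example and contains only the attributes the rules read.

```python
import json
import sys

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
RULES = {}  # resource type -> list of rule functions


def rule(resource_type):
    """Register a generator function that yields violation messages for one resource."""
    def register(fn):
        RULES.setdefault(resource_type, []).append(fn)
        return fn
    return register


@rule("aws_security_group")
def open_ingress(after):
    for ing in after.get("ingress") or []:
        cidrs = set(ing.get("cidr_blocks") or []) | set(ing.get("ipv6_cidr_blocks") or [])
        if cidrs & PUBLIC_CIDRS:
            yield f"ingress {ing.get('protocol')} {ing.get('from_port')}-{ing.get('to_port')} open to the internet"


@rule("aws_s3_bucket_acl")
def public_acl(after):
    if after.get("acl") in {"public-read", "public-read-write"}:
        yield f"bucket ACL {after['acl']} makes objects world-readable"


@rule("aws_s3_bucket_public_access_block")
def public_access_block(after):
    for key in ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets"):
        if not after.get(key):
            yield f"{key} is not enabled"


@rule("aws_ebs_volume")
def ebs_encrypted(after):
    if not after.get("encrypted"):
        yield "volume is not encrypted at rest"


@rule("aws_db_instance")
def rds_encrypted(after):
    if not after.get("storage_encrypted"):
        yield "database storage is not encrypted at rest"


def evaluate_plan(plan: dict) -> list:
    """Return (resource address, message) pairs for every rule that fires."""
    violations = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc["change"]["actions"])
        after = rc["change"].get("after")
        # Deletes and no-ops are skipped: the gate judges what this change introduces.
        if not actions & {"create", "update"} or after is None:
            continue
        for fn in RULES.get(rc["type"], []):
            violations.extend((rc["address"], msg) for msg in fn(after))
    return violations


# Constructed excerpt of a plan JSON document; real plans carry many more fields.
SAMPLE_PLAN = """
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_security_group.ssh", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"name": "ssh",
       "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22,
                    "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
    {"address": "aws_security_group.internal", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"name": "internal",
       "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443,
                    "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}}},
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["update"], "after": {"bucket": "example-logs", "acl": "public-read"}}},
    {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"], "after": {"block_public_acls": true, "block_public_policy": true,
       "ignore_public_acls": true, "restrict_public_buckets": true}}},
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
     "change": {"actions": ["create"], "after": {"size": 100, "encrypted": false}}},
    {"address": "aws_ebs_volume.old", "type": "aws_ebs_volume",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
"""


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    found = evaluate_plan(json.loads(source))
    for address, message in found:
        print(f"{address}: {message}")
    sys.exit(1 if found else 0)
```

In a pipeline the job would run `terraform plan -out=tfplan && terraform show -json tfplan | python check_plan.py` and fail on a non-zero exit. Evaluating the plan rather than the source files means the rules see final values after variables and modules are resolved, which is where a "public" flag hidden behind a default usually surfaces.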

Section 5

Platform Guardrails and Governance

3-4 weeks

DevSecOps includes secure platforms, not only isolated pipelines.

Week 21-24: Guardrails and Governance

Platform engineering fundamentals and internal developer platforms.
Golden paths and service templates.
Secure defaults: logging, monitoring, and baseline controls.
Centralized identity and access patterns.
Network policy and ingress/egress control patterns.
Use approval workflows only where truly needed.
Automate controls so humans handle exceptions.
Define minimum controls with AppSec, product security, and cloud security.
Define risk acceptance and exception handling paths.

Section 6

Metrics, Feedback and Culture

2-3 weeks

People and feedback loops are core DevSecOps outcomes.

Week 25-27: Metrics and Culture

Track findings per pipeline/service and trend direction.
Track MTTR for security issues.
Track adoption of security checks across services.
Make scanner output visible and understandable to developers.
Provide fast feedback on pull requests.
Run security office hours and support channels.
Build security champions in engineering teams.
Train teams to interpret and fix findings.
Reduce friction; reserve hard blockers for high-confidence, high-severity findings rather than blocking on every scanner result.
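Added example, not code from the page: the three metrics named at the top of this section computed from a findings store, plus an SLA-aging view of open findings. MTTR is computed only over closed findings, since including open ones either hides or distorts it; the trend compares findings opened in the last window with the window before it; adoption counts services running every required check, not just any check. The finding records, the service list, the required checks, the reference date, and the SLA targets are all constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

TODAY = date(2024, 6, 30)  # fixed reference date so the example is reproducible

# Constructed finding records (what a results store would hold), not real data.
FINDINGS = [
    {"service": "payments", "severity": "high", "opened": "2024-05-02", "closed": "2024-05-05"},
    {"service": "payments", "severity": "high", "opened": "2024-06-10", "closed": "2024-06-12"},
    {"service": "payments", "severity": "medium", "opened": "2024-06-20", "closed": None},
    {"service": "catalog", "severity": "critical", "opened": "2024-04-15", "closed": "2024-05-20"},
    {"service": "catalog", "severity": "high", "opened": "2024-06-25", "closed": None},
    {"service": "search", "severity": "low", "opened": "2024-06-05", "closed": "2024-06-06"},
]
# Which checks each service's pipeline actually runs (constructed).
SERVICE_CHECKS = {
    "payments": {"sast", "sca", "secrets"},
    "catalog": {"sca"},
    "search": set(),
    "billing": {"sast", "sca"},
}
REQUIRED_CHECKS = {"sast", "sca", "secrets"}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed remediation targets


def _d(s: str) -> date:
    return date.fromisoformat(s)


def mttr_days(findings, severity=None) -> dict:
    """Mean days from opened to closed, per service, over closed findings only.
    Open findings are excluded here and surfaced by sla_breaches() instead."""
    durations = defaultdict(list)
    for f in findings:
        if f["closed"] is None or (severity and f["severity"] != severity):
            continue
        durations[f["service"]].append((_d(f["closed"]) - _d(f["opened"])).days)
    return {svc: mean(days) for svc, days in durations.items()}


def trend(findings, today=TODAY, window_days=30) -> dict:
    """Findings opened in the last window versus the window before it."""
    cur_start = today - timedelta(days=window_days)
    prev_start = today - timedelta(days=2 * window_days)
    current = sum(1 for f in findings if cur_start < _d(f["opened"]) <= today)
    previous = sum(1 for f in findings if prev_start < _d(f["opened"]) <= cur_start)
    direction = "up" if current > previous else "down" if current < previous else "flat"
    return {"current": current, "previous": previous, "direction": direction}


def sla_breaches(findings, today=TODAY) -> list:
    """Open findings older than the remediation target for their severity."""
    return [
        (f["service"], f["severity"], (today - _d(f["opened"])).days)
        for f in findings
        if f["closed"] is None and (today - _d(f["opened"])).days > SLA_DAYS[f["severity"]]
    ]


def adoption(service_checks, required) -> dict:
    """Share of services running every required check, plus per-check coverage."""
    total = len(service_checks)
    full = sum(1 for checks in service_checks.values() if required <= checks)
    per_check = {
        c: sum(1 for checks in service_checks.values() if c in checks) / total for c in sorted(required)
    }
    return {"fully_adopted": full / total, "per_check": per_check}


if __name__ == "__main__":
    print("MTTR (days) per service:", mttr_days(FINDINGS))
    print("MTTR (days) for high severity:", mttr_days(FINDINGS, severity="high"))
    print("Findings opened, trend:", trend(FINDINGS))
    print("SLA breaches today:", sla_breaches(FINDINGS))
    print("Check adoption:", adoption(SERVICE_CHECKS, REQUIRED_CHECKS))
```

A rising "opened" count right after a new check is enabled is usually adoption working, not the codebase getting worse, which is why the trend is reported next to adoption rather than on its own. Per-service MTTR split by severity is the number to show a team; the org-wide average hides the one service whose critical findings sit for weeks.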

Section 7

Books

Use foundational DevOps, AppSec, and cloud-native security books.

Read a solid DevOps or Continuous Delivery book for core culture and practices.
Read AppSec program books to understand what should be automated.
Read cloud-native and container security books with CI/CD viewpoints.

Section 8

Videos

Use conference and implementation talks for practical architecture patterns.

DevSecOps conference talks from OWASP, DevOpsDays, and KubeCon.
Real-world CI/CD security implementation walkthroughs.
Security automation, policy-as-code, and platform engineering talks.

Section 9

Courses

Pick courses that blend CI/CD, cloud-native, containers, and security automation.

DevSecOps-focused courses covering CI/CD, automation, and security tooling.
Cloud-native security courses with pipeline and platform topics.
Container and Kubernetes security courses integrating checks into pipelines.

Section 10

Certifications

Match certifications to your cloud, DevOps, and security emphasis.

Cloud security certifications for AWS, Azure, or GCP.
DevOps or cloud-native certifications covering CI/CD and containers.
Application security or secure SDLC certifications for stronger security depth.

Section 11

Interview Questions

Be ready to explain automation choices, tradeoffs, and success metrics.

How would you add security checks to an existing CI/CD pipeline without slowing teams too much?
How do you decide what runs on pull requests versus nightly builds?
How would you integrate container and IaC scanning into delivery?
How would you measure DevSecOps success over 6-12 months?