DevSecOps Discipline

Discipline Track | 6 Modules | ~3.5 hours total

Overview

DevSecOps integrates security into the DevOps workflow. Instead of security as a gate at the end, it’s embedded throughout the software development lifecycle.

This track covers the complete DevSecOps journey—from shift-left practices and CI/CD security to supply chain protection and runtime defense—culminating in building a security-first culture.

Prerequisites

Before starting this track:

Security Principles Track — Defense in depth, least privilege
GitOps Track — Modern deployment practices
Basic CI/CD concepts (pipelines, builds, deployments)
Container basics (Docker, registries)

Modules

#	Module	Complexity	Time
4.1	DevSecOps Fundamentals	`[MEDIUM]`	30-35 min
4.2	Shift-Left Security	`[MEDIUM]`	35-40 min
4.3	Security in CI/CD Pipelines	`[COMPLEX]`	40-45 min
4.4	Supply Chain Security	`[COMPLEX]`	40-45 min
—	Supply Chain Defense Guide	Reference	20-25 min
4.5	Runtime Security	`[COMPLEX]`	40-45 min
4.6	Security Culture & Automation	`[MEDIUM]`	30-35 min

Learning Outcomes

After completing this track, you will be able to:

Implement shift-left security — Pre-commit hooks, IDE plugins, secrets detection
Build secure pipelines — SAST, SCA, DAST, container scanning in CI/CD
Protect the supply chain — SBOMs, image signing, SLSA provenance
Defend at runtime — Falco, network policies, Pod Security Standards
Build security culture — Champions programs, metrics, automation

Key Concepts

The Security Pipeline

┌─────────────────────────────────────────────────────────────────┐
│                     DEVSECOPS PIPELINE                          │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  PRE-COMMIT          BUILD              TEST                    │
│  ┌──────────┐       ┌──────────┐       ┌──────────┐            │
│  │ Secrets  │       │  SAST    │       │  DAST    │            │
│  │ scanning │       │ scanning │       │ scanning │            │
│  ├──────────┤       ├──────────┤       ├──────────┤            │
│  │ Linting  │       │   SCA    │       │   API    │            │
│  │          │       │ (deps)   │       │ security │            │
│  └──────────┘       ├──────────┤       └──────────┘            │
│                     │  Image   │                               │
│                     │ scanning │                               │
│                     └──────────┘                               │
│                                                                 │
│  DEPLOY              RUNTIME            CONTINUOUS              │
│  ┌──────────┐       ┌──────────┐       ┌──────────┐            │
│  │ Policy   │       │ Falco    │       │Compliance│            │
│  │ checks   │       │ detection│       │ scanning │            │
│  ├──────────┤       ├──────────┤       ├──────────┤            │
│  │ Image    │       │ Network  │       │ SBOM     │            │
│  │ signing  │       │ policies │       │ tracking │            │
│  └──────────┘       └──────────┘       └──────────┘            │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Core Principles

Shift Left — Find issues early when they’re cheap to fix
Automate Everything — Security checks in CI/CD, not manual gates
Security as Code — Policies, configs, tests are versioned
Shared Responsibility — Everyone owns security
Continuous Compliance — Compliance verified automatically

Tools Covered

Category	Tools
Secrets Detection	detect-secrets, gitleaks, TruffleHog
SAST	Semgrep, CodeQL, Bandit, SonarQube
SCA	Trivy, Snyk, Dependabot, Grype
Container Scanning	Trivy, Grype, Docker Scout
IaC Scanning	Checkov, tfsec, Kubesec (see IaC Security)
Supply Chain	Cosign, Sigstore, Syft
Runtime	Falco, Kyverno, OPA/Gatekeeper

Study Path

Module 4.1: DevSecOps Fundamentals
     │
     ▼
Module 4.2: Shift-Left Security
     │
     ▼
Module 4.3: Security in CI/CD Pipelines
     │
     ▼
Module 4.4: Supply Chain Security
     │
     ▼
Module 4.5: Runtime Security
     │
     ▼
Module 4.6: Security Culture & Automation
     │
     ▼
[Track Complete] → Security Tools Toolkit

Before: Security Principles — Foundational theory
Related: GitOps — Deployment practices that support DevSecOps
Related: IaC Discipline — Infrastructure as Code security and testing
After: Security Tools Toolkit — Hands-on implementations
After: IaC Tools — Terraform, OpenTofu, Pulumi hands-on

“Security is not a feature. It’s a property of the system—and building it in is cheaper than bolting it on.”