# DevSecOps

Integrate security practices into every stage of the software development lifecycle.

## Learning Path
| Topic | Description |
|---|---|
| Fundamentals | Shift-left, SAST/DAST/SCA, container security, secrets management, compliance-as-code |
| Cheatsheet | Quick reference for security tools: Trivy, Snyk, Semgrep, GitLeaks, and more |
| Interview Questions | 30+ interview questions with answers for DevSecOps roles |
## Key Concepts
- Shift-Left Security — Move security checks earlier in the development process
- SAST — Static Application Security Testing (analyze source code)
- DAST — Dynamic Application Security Testing (test running application)
- SCA — Software Composition Analysis (check dependencies for vulnerabilities)
- Container Scanning — Find vulnerabilities in Docker images before deployment
- Secrets Management — Never store credentials in code
- Supply Chain Security — Secure the entire software development process
- Compliance-as-Code — Enforce security and compliance automatically
## Popular Tools
- Scanning: Trivy, Semgrep, Snyk, SonarQube, GitLeaks
- Container Security: Docker Scout, Aqua, Harbor, Clair
- Infrastructure: Checkov, Terraform Validate, tflint
- DAST: OWASP ZAP, Burp Suite, Nuclei
- Cloud: Prowler (AWS), ScoutSuite, CloudMapper
## Getting Started
- Start with Fundamentals to understand core concepts
- Reference the Cheatsheet for tool commands
- Prepare for interviews with Interview Questions
## OWASP Top 10
The 10 most critical web application security risks:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Known Vulnerable Components
- Insufficient Logging & Monitoring
## Contributing
Know great DevSecOps resources? Submit a PR to help the community learn!