DevSecOps Roadmap with Resouces

1. Git (Version Control System)

DevSecOps relies on Everything as Code (EaC). Git is the most widely used VCS.

• VIDEO Git & GitHub Crash Course – Traversy Media Watch
• VIDEO Visual Git Tutorial – JavaScript Mastery Watch
• VIDEO Git Tutorial for Beginners – Intellipaat Watch

• BLOG Git Handbook – GitHub Read
• BLOG Git Cheat Sheet – Atlassian Read
• BLOG Learn the Basics of Git in Under 10 Minutes – Gowtham Venkatesan Read
• BLOG Understanding Git: Explain It Like I’m Five – Kevin Cooper Read
• BLOG Git – The Simple Guide – Roger Dudler Read
• BLOG The Git Supremacy – Mayank Arya Read
• BLOG Git in VS Code & Azure DevOps – DEV Community Read
• BLOG Git Branching Strategies Read
• BLOG Rebase vs Merge Explained Read

2. CI/CD (Continuous Integration & Delivery)

CI/CD pipelines are the backbone of modern DevOps and Cloud-Native systems.

• VIDEO GitLab Beginner Tutorial – Raghav Pal Watch
• VIDEO Introduction to Jenkins, CI/CD, and DevOps – Valentin Despa Watch
• VIDEO Best Practices for Securing CI/CD Pipelines – Victoria Almazova Watch
• VIDEO CI/CD Platform in AWS – Mohamed Labouardy Watch
• VIDEO Continuous Delivery from First Principles – Tom Watch
• VIDEO Let's Build a CI/CD Pipeline – Jean De Klerk Watch
• VIDEO Intro to CI/CD with Python – Chris Arceneaux Watch
• VIDEO GitLab CI/CD – Johan Duran Watch
• VIDEO CI/CD Pipeline in Azure – Benjamin Hodge Watch
• VIDEO Continuous Integration with GitLab CI – Pete Johanson Watch
• VIDEO GitLab Workflow – GitLab Watch
• VIDEO From Dev to Prod with GitLab CI – Stephan Hochdorfer Watch
• VIDEO Scaling Continuous Deployment – Tony Savor Watch
• VIDEO Continuous Delivery with Jenkins – Gianluca Arbezzano Watch

• BLOG What is CI/CD — Concepts in CI and CD – Sanjay Nair Read
• BLOG Absolute Beginner’s Guide to CD – Erin Snyder Read
• BLOG Introduction to CI, CD & Deployment – Justin Ellingwood Read
• BLOG Getting Started in CI/CD for Beginners – Samsha Read
• BLOG Beginner’s Cheat Sheet – Katalon Read
• BLOG CI/CD Best Practices – Justin Ellingwood Read
• BLOG CI/CD on Google Cloud – Google Read
• BLOG Modern CI/CD Pipeline – PureStorage Read
• BLOG List of CI Services – Awesome CI Read
• BLOG CI/CD by Docker Read
• BLOG GitLab CI/CD Crash Course – Avicenna Wisesa Read
• BLOG Automate Your Work with GitLab CI/CD – Marcin Nowacki Read
• BLOG Beginner-Friendly GitLab CI/CD – Zuri Hunter Read
• BLOG GitLab CI/CD Examples – GitLab Read
• BLOG CI with GitLab CI on Ubuntu – Justin Ellingwood Read
• BLOG Modern CI/CD for Adobe – Jaemi Bremner Read
• BLOG How We Build Code at Netflix – Netflix Read
• BLOG Beginner’s Guide to Pipelines – Bryant Son Read
• BLOG Rapid Release at Massive Scale – Chuck Rossi Read
• BLOG CI/CD in AWS in 5 Minutes – Allen Helton Read
• BLOG Security Challenges in CI/CD – Meera Rao Read

• HANDS-ON LAB Python CI/CD Workshop – Datapunks Start
• HANDS-ON LAB GitLab Git Workshop – GitLab Start
• HANDS-ON LAB GitLab Training – Netways Start
• HANDS-ON LAB GitLab CI Training – Ondrej Sika Start

3. Artifact Management

Artifact repositories store and control deployable binaries securely.

• VIDEO Introduction to Artifactory on the JFrog Platform – Melissa Watch
• VIDEO How to Integrate Nexus with Jenkins and Upload Artifacts – Madhu Sudhan Reddy Watch
• VIDEO Six Reasons to Use a Repository Manager Now – Tim O’Brien Watch
• VIDEO Sample DevOps Project: Nexus–Artifactory Uploader Jenkins Pipeline – Madhu Sudhan Reddy Watch

• BLOG DevOps Artifacts: Artifactory, Sonatype Nexus, Maven & Apache Archiva – BogoToBogo Read
• BLOG Artifactory Repository Manager – Tutorial – Simon Scholz Read
• BLOG Nexus Repository Manager – Tutorial – Simon Scholz Read
• BLOG DevOps: 8 Reasons for DevOps to Use a Binary Repository Read

4. Infrastructure as Code (IaC)

Infrastructure is treated like software to enable speed and consistency.

• VIDEO Holistic Configuration Management at Facebook – Chunqiang Tang Watch
• VIDEO SaltStack Is More Than Just Configuration Management – Thomas Hatch Watch
• VIDEO DSC in the Configuration Management Tool World – Ben Gelens Watch
• VIDEO Evolution of Configuration Management in a DevOps World – Marisa Sawatphadungkij Watch
• VIDEO Integrating Configuration Management into Your Ecosystem – Sascha Bates Watch
• VIDEO Configuration Management with SaltStack: Zero to Hero – Wesley Whetstone Watch
• VIDEO Cloud-Native Configuration Management 2020 and Beyond – Eric Sorenson Watch
• VIDEO Puppet Automation Journey: Configuration Management & Cloud – Brendan Rosewarne Watch

• BLOG Configuration Management in DevOps – BMC Blog Read
• BLOG Top 10 Configuration Management Tools – UpGuard Read
• BLOG Modern Configuration Management: Configuration as Code – Chef Read
• BLOG Writing Ansible Playbooks – Erika Heidi Read
• BLOG Configuration Management & Continuous Deployment – Anilkumar Patel Read
• BLOG Change & Configuration Management the DevOps Way – Isaac Ndung'u Read
• BLOG Beginner’s Guide to Configuration Management Tools – Ofer Velich Read
• BLOG Automating Configuration Management for DevOps – Capgemini Read
• BLOG Beginner’s Guide to Chef – Linode Read
• BLOG Automation & Configuration Management with Chef – Sudhi Read
• BLOG All About Chef Configuration Tool – Mitesh Soni Read
• BLOG Writing Chef Recipes – Erika Heidi Read
• BLOG Chef vs Puppet – Asaf Yigal Read
• BLOG Chef vs Puppet Detailed Comparison – Spec India Read
• BLOG Configuration Management Approaches: Chef, Ansible & Kubernetes – Kublr Read
• BLOG Writing Puppet Manifests – Erika Heidi Read
• BLOG Puppet Tutorial for Beginners – Guru99 Read
• BLOG Beginner’s Guide to Salt – Linode Read
• BLOG Getting Started with SaltStack – Ben Hosmer Read
• BLOG Using Salt for Basic Configuration Management – Bejoy Abraham Mathews Read
• BLOG SaltStack Concepts & Terminology – Justin Ellingwood Read
• BLOG Configuration Management on Google Cloud – Google Read
• BLOG Holistic Configuration Management at Facebook – Chunqiang Tang et al. Read

• TOOL Ansible – Open-source configuration management, deployment & orchestration tool
• TOOL Chef – Automation platform for defining infrastructure as code
• TOOL Vagrant – Tool for building and managing VM environments
• TOOL Puppet – Enterprise-grade configuration management platform

5. Cloud Service Provider Platform

Modern development needs elastic, on-demand cloud platforms.

• VIDEO Introduction to AWS Security – Bill Reid Watch
• VIDEO AWS Security by Design – Shafreen Sayyed Watch
• VIDEO Advanced Security Best Practices Masterclass – Ian Massingham Watch
• VIDEO Fundamentals of AWS Cloud Security – Becky Weiss Watch
• VIDEO Security Best Practices: Well-Architected Way – Ben Potter Watch
• VIDEO Introduction to AWS Security Hub – Ely Kahn Watch
• VIDEO Cloud Security Architecture Workshop – Dave Shackleford Watch
• VIDEO Implementing DevSecOps in the Cloud – Jimmy Jenis Watch

• BLOG AWS Security Checklist – AWS Read
• BLOG AWS Security Pillar – AWS Read
• BLOG AWS Security Blog – AWS Read
• BLOG AWS Security Primer – Michael Wittig Read
• BLOG Fundamental Security Concepts in AWS (Part 1) – Tom Porter Read
• BLOG AWS Security Fundamentals – AWS Read

• TOOL AWS Security Hub
• TOOL AWS IAM
• TOOL AWS GuardDuty
• TOOL AWS CloudTrail

• HANDS-ON LAB AWS Security Hands-on Labs
• HANDS-ON LAB AWS Well-Architected Security Labs

6. Threat Modeling

Threat modeling helps quantify and reduce security risks.

• BOOK Threat Modeling: Designing for Security – Adam Shostack Read
• BOOK Threat Modeling – Frank Swiderski & Window Snyder Read
• BOOK Risk-Centric Threat Modeling – Tony UcedaVelez & Marco M. Morana Read
• BOOK Threat Modeling – Matthew J. Coles & Izar Tarandach Read

• FREE COURSE Threat Modeling Workshop – Robert Hurlbut Start
• PAID COURSE Certified Threat Modeling Professional (CTMP) – Practical DevSecOps Start
• PAID COURSE DevSecOps Expert – Practical DevSecOps Start
• PAID COURSE Threat Modeling Fundamentals – Pluralsight Start
• PAID COURSE CyberSec First Responder: Threat Detection & Response (CFR210) – Stone River eLearning Start
• PAID COURSE Learning Threat Modeling for Security Professionals – Adam Shostack Start
• PAID COURSE Threat Modeling: Spoofing In Depth – Adam Shostack Start
• PAID COURSE Threat Modeling: Tampering in Depth – Adam Shostack Start

• BLOG What Is Security Threat Modeling? – Lawrence C. Miller & Peter H. Gregory Read
• BLOG Threat Modeling Cheat Sheet – OWASP Read
• BLOG Threat Modeling in the Enterprise (Part 1) – Stiliyana Simeonova Read
• BLOG Threat Modeling for Dummies – Adam Englander Read
• BLOG DevSecOps, Threat Modeling & STRIDE – Bruno Amaro Almeida Read
• BLOG Threat Modeling: Why, How, When & Tools – Debarghya Pandit Read
• BLOG Threat Modeling Datasheet – Synopsys Read
• BLOG Threat Modeling Blog – Security Innovation Read
• BLOG Threat Modeling: 6 Common Mistakes – Jeff Petters Read
• BLOG Threat Modeling for Cloud Infrastructure – Pat Cable Read
• BLOG Why You Should Care About Threat Modeling – Suresh Marisetty Read
• BLOG Threat Modeling Methods Whitepaper – Nataliya Shevchenko et al. Read
• BLOG Threat Modeling Toolkit – ThoughtWorks Read
• BLOG How to Get Started with Threat Modeling – HackerNoon Read
• BLOG Threat Modeling Tutorial – GeeksforGeeks Read
• BLOG Analyzing Application Security with Threat Modeling – Goran Aviani Read
• BLOG Tactical Threat Modeling – SafeCode Read
• BLOG Power of a Tailored Threat Model – Looking Glass Read
• BLOG Where Is My Threat Model? – Abhishek Datta Read

• FREE TOOL OWASP Threat Dragon – Online threat modeling with diagrams & rule engine Use
• FREE TOOL Microsoft Threat Modeling Tool – Design-phase threat discovery tool Use
• FREE TOOL OWASP Threat Dragon (GitLab Fork) – GitLab-integrated threat modeling tool Use
• FREE TOOL Raindance – Attack map modeling for SDLC Use
• FREE TOOL ThreatSpec – Embed threat modeling into development workflows Use
• PAID TOOL IriusRisk – Questionnaire-driven adaptive threat modeling Use
• PAID TOOL SD Elements – Automated threat modeling platform Use

7. Static Application Security Testing (SAST)

SAST analyzes source code to identify security vulnerabilities early in the SDLC.

• VIDEO Static Analysis Security Testing for Dummies… and You – Kevin Fealey Watch
• VIDEO Application Security Testing – Semi Yulianto Watch
• VIDEO Static Analysis for Dynamic Assessments – Greg Patton Watch
• VIDEO Static Code Analysis: Scan All Your Code for Bugs – Jared DeMott Watch
• VIDEO Bug Hunting with Static Code Analysis – Nick Jones Watch
• VIDEO SAST with CI/CD Pipelines Using WhiteSource – Mohamad Radwan Watch
• VIDEO GitLab APEX SAST Walkthrough for Salesforce – Lucas C Watch
• VIDEO AST in CI/CD: How to Make It Work – Ofer Maor Watch

• BLOG How to Integrate SAST into the DevSecOps Pipeline in 5 Steps – Meera Rao Read
• BLOG SAST vs DAST – Why SAST? – Sharon Solomon Read

• TOOL SAST Tools – OWASP Explore
• TOOL GitLab SAST
• TOOL SonarQube
• TOOL Semgrep

8. Dynamic Application Security Testing (DAST)

DAST tests running applications to identify security vulnerabilities from the outside.

• VIDEO Dynamic Security Testing with OWASP ZAP – Omer Levi Hevroni Watch
• VIDEO Practical Dynamic Application Security Testing in the Enterprise – Nicholas Kenney Watch
• VIDEO Baby Steps to Security Testing – Christina Thalayasingam Watch
• VIDEO Automated Static & Dynamic Security Analysis of Mobile Apps – Raveendar & Rajesh Watch

• BLOG Dynamic Application Security Testing (DAST) – PortSwigger Read
• BLOG Integrating Web Vulnerability Scanners in CI/CD – Davor Petreski Read
• BLOG Dynamic Application Security Testing (DAST) – GitLab Read
• BLOG DAST Scan Automation in CI/CD Pipeline – Satish Govindappa Read
• BLOG Veracode Dynamic Analysis + Jenkins – Marina Kvitnitsky Read
• BLOG Integrating OWASP ZAP in DevSecOps Pipeline – BreachLock Read
• BLOG DAST vs SAST – Case for Dynamic Testing – Ian Muscat Read
• BLOG Automating DAST Scans with Jenkins, Arachni & ThreadFix – Matthias Rohr Read

• FREE TOOL W3af – Web Application Attack & Audit Framework Use
• FREE TOOL Wapiti – Web application vulnerability scanner Use
• FREE TOOL Vega – Open-source web security scanner Use
• FREE TOOL Nikto – Open-source web server vulnerability scanner Use
• PAID TOOL Burp Suite – Integrated web application security testing platform Use
• PAID TOOL Detectify – Automated security & asset monitoring Use
• PAID TOOL Netsparker – Enterprise-grade web application security scanner Use

9. Security as Code

Security as Code embeds security controls, policies, and checks directly into code and pipelines.

• VIDEO Git & GitHub Crash Course – Traversy Media Watch
• VIDEO Visual Git Tutorial – JavaScript Mastery Watch
• VIDEO Git Tutorial for Beginners – Intellipaat Watch

• BLOG What Is Security as Code (SaC)? – Ziad Ghalleb Read

10. Compliance as Code

If hardening can be done using Infrastructure as Code tools, why can’t compliance be automated as code?

• VIDEOCompliance as Code: Automate Compliance Using Open Source Technology – RedHat
• VIDEOContinuous Assurance and Continuous Compliance via Data, Graph, Query and Code – Erkang Zheng
• VIDEOManaging Compliance as Code: Using Chef InSpec for All Its Possibilities – Chef
• VIDEOCompliance as Code – Lessons Learned From Regulated Organizations – Sergiu Bodiu
• VIDEOCompliance As Code – Webinar – Anitian
• VIDEOException Handling: Compliance as Code – Chef
• VIDEOInfrastructure and Compliance as Code for Universities – Blake Dworaczyk, Adam Mikeal, Nick Rycar
• VIDEODevSecOps Delight with Compliance as Code – Anthony Rees
• VIDEOInSpec Compliance as Code – Kent Picat Gruber

• BLOG What’s the Fuss with “Compliance as Code”? – Mario Platt Read
• BLOG Why Building Compliance into Your Code Benefits the Entire Company – Vanessa Wegner Read
• BLOG Compliance as Code with InSpec – Michael Ducy Read
• BLOG 6 Benefits of Compliance as Code for the Enterprise – Cliff Almond Read
• BLOG Codifying Your Configuration Standards – Phil Dorczuk Read