Learning Track · 15 modules

DevSecOps

Security in the SDLC. SAST/DAST/SCA, IaC, CI/CD hardening, software supply chain.

Why this track

DevSecOps is where security catches code before it becomes a finding. This track teaches the practical SDLC integration — SAST / DAST / SCA tooling, IaC scanning, supply-chain controls, secrets management, CI/CD hardening, and the cultural shift that gets engineering to actually adopt security tooling without resentment. You will leave able to design and operate a security pipeline that finds 80% of issues before code merges.

What you will be able to do
  • Integrate SAST, DAST, SCA, and IaC scanning into CI/CD pipelines that engineers will not bypass
  • Implement supply-chain security with SBOM, SLSA, and signed builds
  • Manage secrets at scale (Vault, AWS Secrets Manager, Sealed Secrets) without secrets-in-code
  • Design a threat model that lives alongside code and refreshes per release
  • Run a vulnerability management programme that prioritises by exploitability + business impact
Prerequisite: Familiarity with Git and at least one CI/CD platform (GitHub Actions, GitLab CI, Jenkins).
  • Modules: 15
  • Total time: 11.5 h
  • Free modules: 15
  • Quiz retries
  • Difficulty mix: Beginner 3 · Intermediate 9 · Advanced 3

Module sequence

M1
Threat Modelling — STRIDE, PASTA, LINDDUN in Practice
Threat modelling methodologies that work — STRIDE, PASTA, attack trees, LINDDUN for privacy. The practical workflow for engineering teams, anti-patterns to avoid, tooling, and DPDP/ISO alignment.
Intermediate 70 min
M1
DevSecOps Fundamentals
Shift-left + extend-right, SDLC security map, where each control lives, metrics that matter, and the 30-day rollout.
Beginner 60 min
M2
SAST, DAST & SCA in CI
What each scanner class detects, tool selection for 2026, CI integration patterns, false-positive tuning, triage workflow.
Intermediate 90 min
M4
CI/CD Pipeline Hardening
Pipeline attack surface: config injection, pwn-requests, unpinned actions, OIDC trust policies, ephemeral runners, signing.
Advanced 120 min
M5
Supply Chain Security (SBOM, SLSA, Signing)
SBOM generation with Syft, SLSA provenance levels, Cosign keyless signing, dependency pinning, and 2026 regulatory crib sheet.
Advanced 120 min
M6
Container & Image Scanning
Why this module. Every container starts from a base image with hundreds of packages, most of which the application doesn’t use, all of which could have CVEs. Scanning is mandatory; scanning well is the differentiator. Where to scan: Build time — fail PRs that introduce new critical CVEs. Trivy / Grype in CI. Registry — […]
Intermediate 25 min
M7
Secret Scanning in Code Repos
Why this module. Engineers commit secrets. AWS keys, API tokens, database passwords end up in Git, often in .env.example files that were supposed to have placeholders. Once committed, secrets stay in Git history forever — and within minutes attackers find them via GitHub search. The tool stack: git-secrets / detect-secrets / Gitleaks / TruffleHog — […]
Beginner 20 min
M8
Pre-Commit Hooks for Security
Why this module. The cheapest security check is the one that runs on the developer’s laptop before code ever reaches CI. Pre-commit hooks catch ~60% of mistakes for ~5% of the operational cost of equivalent CI checks. What runs in pre-commit: Linting + format — Ruff, Black, ESLint, Prettier. Reduces diff noise. Type checking — […]
Beginner 20 min
M9
Dependency Management & Renovate
Why this module. 80% of application code is third-party dependencies. Each is a CVE waiting to happen. Manual updates don’t scale; automated bots are non-negotiable in 2026. The two leading bots: Dependabot (GitHub) — free, easy, default for GitHub repos. Limited customization. Renovate — open source, very flexible, multi-platform (GitHub, GitLab, Bitbucket). Industry favourite for […]
Intermediate 20 min
M10
Threat Modelling for Engineers (STRIDE/LINDDUN)
Why this module. Threat modelling has a reputation as a heavyweight, consultant-driven exercise. It doesn’t have to be. Done right, it’s a 90-minute workshop that produces a list of design-time security improvements worth more than 100 hours of post-deployment patching. STRIDE in 60 seconds: Microsoft’s mnemonic for categories of threats. Spoofing — impersonating someone. Tampering […]
Intermediate 30 min
M11
SLSA Levels & Build Provenance
Why this module. 2020 SolarWinds taught the industry that “we trust our build pipeline” is no longer enough. SLSA (Supply-chain Levels for Software Artifacts) is Google’s framework for hardening builds against supply-chain attacks. By 2026, several Indian regulated entities have begun requiring SLSA L2+ attestations from vendors. The four SLSA levels (table: Level / What’s required / Roughly […])
Advanced 25 min
M12
Security Champions Programme
Why this module. A security team can’t be in every code review, every architecture meeting, every incident discussion. Security Champions are embedded engineers who carry the security mindset into their teams — multiplying the security team’s reach by 10-50x. Who is a Champion: an engineer (not a security professional) who volunteers (or is selected with consent) […]
Intermediate 20 min
M13
Vulnerability Triage at Scale
Why this module. A typical enterprise scan returns 50,000+ CVEs across servers, containers, dependencies. Trying to “fix all critical/high” is mathematically impossible at that scale. Modern triage uses EPSS, KEV, reachability, and asset criticality to focus the 200 fixes that matter. The signals beyond CVSS: CVSS — severity in theory. The original signal; loud and […]
Intermediate 25 min
M14
Shift-Right Security — Runtime Defence
Why this module. “Shift-left” — find security issues earlier — became dogma. But shift-left has limits: bugs ship anyway, dependencies have CVEs you can’t anticipate, attackers find new exploits. Modern teams add “shift-right” — runtime detection and response — without abandoning shift-left. Where shift-left fails: Zero-day exploits — by definition unknowable at build time. Configuration […]
Intermediate 25 min
M15
DevSecOps Metrics & Maturity
Why this module. Engineering teams measure DORA. Security teams measure CVE backlog. DevSecOps requires a unified metric set — measuring how securely software is delivered, not just how secure it is or how fast it ships. This module is the metrics blueprint. DORA — the engineering baseline: Deployment Frequency — how often code reaches production. Lead Time for Changes — […]
Intermediate 20 min

Related tracks

  • Cloud Security Practitioner: AWS → Azure → GCP → Kubernetes. Real hardening, not checklists.
  • Web Application Penetration Testing: From HTTP fundamentals to business-logic exploitation. The complete path.
  • System Security: Hardening systems and operating them defensively. Linux, Windows, logging, containers.

Common questions about this track

How do I get engineers to adopt these tools?

Tooling adoption is a culture problem first, technology second. The track devotes meaningful content to rollout strategy — start with non-blocking pipelines, fix-it-yourself culture, and metrics that prove value, not punish lapses.

Open source or commercial tooling?

Open source baseline (Semgrep, Trivy, Checkov, Falco, Sigstore) is fully covered. Commercial alternatives (Snyk, Wiz, Sysdig) are referenced where they meaningfully change the workflow.

Does this overlap with cloud security?

Significantly. Both tracks reinforce each other; modern cloud security IS DevSecOps for cloud. Take this track if your role title contains "engineer"; take cloud-security if it contains "architect" or "auditor".

Is supply-chain security worth the time?

In 2026, yes — Log4Shell, xz-utils, and the steady cadence of npm typosquats have made SBOM and provenance non-optional for any business that serves enterprise customers.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
