Focus: Understanding the "Sec" in DevSecOps and planning before coding.
- What is DevSecOps? (Shift Left vs. Shield Right)
- The 2026 Landscape: AI-driven attacks vs. AI-driven defense
- Threat Modeling: Using the STRIDE framework
- OWASP Threat Dragon or PyTM
- Perform a threat model for a simple 3-tier web application
Focus: Securing the code and the supply chain (dependencies).
- SAST (Static Application Security Testing): Scanning your own code
- SCA (Software Composition Analysis): Finding vulnerabilities in Open Source libraries
- The "Billion Dollar" Problem: Handling Transitive Dependencies
- Snyk (for SCA) and SonarQube (for SAST)
- Integrate Snyk and SonarQube into a GitHub Action/GitLab pipeline to fail builds on "High" vulnerabilities
Focus: Preventing credential leaks and securing your Terraform/Bicep code.
- Secret Sprawl: Why .env files and hardcoded keys are a disaster
- IaC Scanning: Catching misconfigured S3 buckets or open Security Groups before deployment
- TruffleHog (Secret Scanning)
- Checkov or KICS (IaC Scanning)
- Scan a "leaky" Terraform repo
- Implement HashiCorp Vault for dynamic secret injection
Focus: Securing the ship (Docker) and the harbor (K8s).
- Distroless images and multi-stage builds
- Image Linting: Finding "root" users and insecure instructions
- Kubernetes Admission Controllers and Network Policies
- Trivy (Image Scanning)
- Hadolint (Docker Linting)
- Scan a Docker image for CVEs
- Deploy a "Secure-by-Default" Pod to a K8s cluster
Focus: Testing the running application for real-world exploits.
- DAST (Dynamic Application Security Testing): Attacking the app like a hacker
- OWASP Top 10 (2026 Updates): Injection, Broken Access Control, etc.
- Securing REST & GraphQL APIs
- OWASP ZAP (Automation)
- StackHawk
- Run an automated ZAP baseline scan against a running staging environment
- Generate a PDF report
Focus: Monitoring what happens AFTER deployment and staying compliant.
- Runtime Security: Detecting drift and suspicious behavior (e.g., a shell opening in a container)
- eBPF: The secret sauce of modern cloud-native security
- Compliance (SOC2/GDPR) as an automated check
- Falco (Runtime Detection)
- Prowler (AWS/Azure/GCP Auditing)
- Set up Falco to alert on Slack whenever someone runs apt-get install inside a production container
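A custom Falco rule for the exercise above, added here as an example and not part of the original outline. It assumes production containers carry the label env=production (placeholder; adjust to your labelling scheme) and that Slack delivery is handled by Falco's output pipeline (for example Falcosidekick), which is configured separately and not shown.

```yaml
# Added example (not from the original outline): Falco rule that fires when
# apt-get install is executed inside a container labelled env=production.
# Assumptions: the env=production label exists on your production containers;
# Slack forwarding is configured in Falco's outputs (e.g. via Falcosidekick).
- rule: Package Manager Install in Production Container
  desc: >
    A process named apt-get with an "install" argument was spawned inside a
    container labelled env=production. Images are expected to be immutable, so
    installing packages at runtime is drift and worth an alert.
  condition: >
    evt.type in (execve, execveat) and evt.dir = <
    and container.id != host
    and container.label.env = "production"
    and proc.name = "apt-get"
    and proc.args contains "install"
  output: >
    Package install inside production container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
     container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, drift, package_management]
```

Load the file alongside the default rules (for example with -r on the Falco command line) and trigger it from a test container to confirm the event reaches Slack before relying on it in production.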
Focus: Bringing it all together and the DevSecOps Career Roadmap.
- Secret Scan (Pre-commit)
- SAST/SCA (Build phase)
- IaC Scan (Provision phase)
- DAST (Post-deploy phase)
- AI Fixes: Use AI (like GitHub Copilot or Snyk AI) to auto-remediate a found bug
- Certifications: CASE, CND, DevSecOps Foundation
- Resume Tips and guidance for the future of the role