The goal of this program is to provide developers, security professionals, and DevOps engineers with the practical knowledge and skills to successfully integrate security into the Continuous Integration/Continuous Delivery (CI/CD) pipeline:

• DevOps and Cloud Engineers.
• Application Security Specialists and Analysts.
• Software Developers and QA Engineers.
• CISO and Security Directors overseeing development.
• Solution and Enterprise Architects.
• Release and Pipeline Managers.
• Vulnerability Management Specialists.

• Hands-on labs integrating SAST and SCA tools into a mock CI/CD pipeline (e.g., Jenkins/GitLab).
• Group activity performing a rapid threat model for a new microservice.
• Case studies on the cultural and tooling challenges of DevSecOps adoption.
• Technical discussions on the differences between IAST and RASP technologies.
• Individual assignment designing a set of security acceptance criteria for a sprint.

Unit 1: Foundations and Culture of DevSecOps

• Defining DevSecOps and the shared responsibility model for security.
• The cultural shift: from "Security Says No" to "Security Helps."
• Principles of automation, early feedback, and continuous integration.
• Mapping DevSecOps practices to business value and risk reduction.

• Shifting left: embedding security from design and requirements gathering.
• Conducting rapid threat modeling at the feature level.
• Defining and enforcing security requirements in Agile user stories.
• The role of the Security Champion within development teams.

Unit 2: Pipeline Automation and CI/CD Security

• Automating Static Application Security Testing (SAST) in the code repository.
• Integrating Software Composition Analysis (SCA) for third-party library dependencies.
• Configuration security scanning for Infrastructure as Code (IaC) templates.
• Implementing "security gates" to break the build on critical findings.

• Automating Dynamic Application Security Testing (DAST) in the staging environment.
• The role of Interactive Application Security Testing (IAST).
• Managing and securing secrets, credentials, and API keys in the pipeline.
• Secure configuration of the CI/CD platform itself (e.g., Jenkins, GitLab, Azure DevOps).

Unit 3: Container and Cloud-Native Security

• Vulnerability scanning and hardening of container images (Dockerfiles).
• Securing the container registry and image provenance.
• Run-time security controls for containerized applications.
• Best practices for using minimal, secured base images.

• Automating compliance checks using Cloud Security Posture Management (CSPM).
• Security-as-Code principles for securing cloud configurations.
• Implementing Identity and Access Management (IAM) for non-human identities.
• Securing serverless functions and event-driven architectures.

Unit 4: Vulnerability Feedback and Remediation

• Providing timely, contextualized, and actionable security feedback to developers.
• Integrating security findings into existing developer tools (IDE, ticketing systems).
• Managing false positives and tuning automated security tools.
• Establishing SLAs and procedures for vulnerability remediation.

• Centralizing and prioritizing security findings from multiple tools.
• Metrics for measuring DevSecOps success (e.g., vulnerability fix rate, time-to-remediate).
• Continuous monitoring and runtime protection (RASP, WAF) in production.
• Developing and leveraging a security control library.

Unit 5: Advanced Automation and Future Trends

• Using policy-as-code to enforce security and compliance requirements.
• Automating governance checks for data classification and regulatory needs.
• Orchestrating security tools using Security Orchestration, Automation, and Response (SOAR).
• Managing security debt and technical debt in the pipeline.

• The application of AI/ML for automated security testing and threat modeling.
• Continuous Automated Red Teaming (CART) integration.
• Security for low-code/no-code development platforms.
• Building a sustainable, non-punitive culture of continuous learning and improvement.