DevSecOps Roadmap

  • Roadmap: https://roadmap.sh/devsecops

1. Introduction

  • 1.1 What is DevSecOps
  • 1.2 DevSecOps vs DevOps
  • 1.3 Shift-Left Security Mindset
  • 1.4 Role and Responsibilities

2. Learn a Programming Language

  • 2.1 Python
  • 2.2 Go
  • 2.3 Ruby
  • 2.4 Rust
  • 2.5 JavaScript / Node.js
  • 2.6 Bash
  • 2.7 PowerShell
  • 2.8 Scripting Knowledge (general)
  • 2.9 Editors: Vim / Nano / Emacs

3. Networking Basics

  • 3.1 Networking Fundamentals
  • 3.2 HTTP / HTTPS
  • 3.3 DNS
  • 3.4 TLS
  • 3.5 VLANs
  • 3.6 Network Segmentation

4. Core Security Concepts

  • 4.1 CIA Triad
  • 4.2 Defense in Depth
  • 4.3 Least Privilege
  • 4.4 Zero Trust Concepts
  • 4.5 Attack Surface Mapping

5. Identity, Authentication and Authorization

  • 5.1 Identity Basics
  • 5.2 Authentication
  • 5.3 Authorization
  • 5.4 Role Based Access (RBAC)
  • 5.5 IAM (Identity and Access Management)
  • 5.6 Large-Scale Identity Strategy

6. Cryptography

  • 6.1 Cryptographic Hashing
  • 6.2 Symmetric Encryption
  • 6.3 Asymmetric Encryption
  • 6.4 bcrypt
  • 6.5 SHA-256
  • 6.6 Encryption at Rest / in Transit
  • 6.7 Key Management Service (KMS)
  • 6.8 PKI Design and Failover
  • 6.9 Certificate Lifecycle

7. Secure Coding

  • 7.1 Secure Coding Principles
  • 7.2 Input Validation Patterns
  • 7.3 SQL Injection Prevention
  • 7.4 XSS Prevention
  • 7.5 Secure API Design

8. Threat Modeling

  • 8.1 Threat Modeling Concepts
  • 8.2 STRIDE
  • 8.3 PASTA
  • 8.4 Threat Modeling Workflows
  • 8.5 OWASP Top 10

9. Network Security

  • 9.1 Firewalls
  • 9.2 IDS / IPS
  • 9.3 Secure Network Zoning
  • 9.4 ACLs
  • 9.5 DDoS Mitigation Strategy

10. Endpoint Security

  • 10.1 Endpoint Detection
  • 10.2 EDR Strategy
  • 10.3 Automated Patching

11. Container and Cloud Security

  • 11.1 Docker
  • 11.2 Kubernetes
  • 11.3 Container Security
  • 11.4 Image Scanning
  • 11.5 Cloud Security
  • 11.6 CSPM (Cloud Security Posture Management)

12. CI/CD and Supply Chain Security

  • 12.1 Build Pipeline Hardening
  • 12.2 Supply Chain Security
  • 12.3 SBOMs (Software Bill of Materials)
  • 12.4 Dependency Risk Management
  • 12.5 Secure SDLC

13. Security Tools

  • 13.1 Nmap / Nmap Basics
  • 13.2 Nessus
  • 13.3 Qualys
  • 13.4 OpenVAS
  • 13.5 Burp Suite
  • 13.6 Wireshark Basics

14. Monitoring, Logging and Detection

  • 14.1 Monitoring
  • 14.2 Log Analysis
  • 14.3 SIEM
  • 14.4 Alert Types
  • 14.5 SOAR Concepts
  • 14.6 SOAR Automation

15. Incident Response

  • 15.1 Incident Response Lifecycle
  • 15.2 Containment
  • 15.3 Response Strategy
  • 15.4 Forensics
  • 15.5 Root Cause Analysis

16. Governance, Risk and Compliance

  • 16.1 Audit and Compliance Mapping
  • 16.2 ISO 27001
  • 16.3 NIST
  • 16.4 SOC 2
  • 16.5 Risk Quantification

17. Enterprise and Scale

  • 17.1 Enterprise Operations
  • 17.2 Multi-Region Security Planning