DevSecOps Fundamentals

What this cybersecurity course is

DevSecOps Fundamentals is a 6-module cybersecurity course for software engineers, platform engineers, and security practitioners moving into the seam between development and security. Every module is grounded in primary-source frameworks: NIST SP 800-218 (Secure Software Development Framework), the OWASP Top 10 (2021) and OWASP Application Security Verification Standard v4, the Supply chain Levels for Software Artifacts (SLSA) framework, the Accelerate research program (Forsgren, Humble, Kim 2018) on continuous-delivery performance, and the CIS Controls v8. The course covers the full DevSecOps stack: how to shift security left into design and CI, what static and dynamic application-security testing tools actually catch and miss, how to harden a CI/CD pipeline against attacker tampering, and how to ship a software bill of materials (SBOM) that survives a supply-chain audit. Designed by Julian Calvo, Ed.D. in Applied Learning Sciences (University of Miami, 2026).

The course sequences six modules around the secure-software lifecycle: design, code, build, test, release, and operate. Each module pairs a primary-source standard with a hands-on artifact: read the standard, apply it to a real CI pipeline, document the security review the way a platform-engineering team would expect to see it. The pedagogical pattern follows Kolb's experiential learning cycle (1984) and the Dreyfus skill acquisition model (1980): concrete pipeline configurations, structured reflection against the standard, abstract conceptualization through the controls catalog, then active experimentation in a free-tier sandbox. Every claim is cited to NIST, OWASP, SLSA, the Accelerate research program, BLS, ISC2, or peer-reviewed research. No vendor application-security-platform marketing.

Six modules

1. Module 01 · 130 min

   Shift-Left and the Secure Software Development Framework

   What 'shift-left' actually means as an operational practice, why NIST SP 800-218 codifies it as the SSDF, and how to read the framework as a working tool for a platform-engineering team rather than a marketing slogan.

   Learning objectives

   • Cite the four practice groups of NIST SP 800-218 (Prepare the Organization, Protect the Software, Produce Well-Secured Software, Respond to Vulnerabilities) and identify a concrete platform-team activity for each
   • Explain why the Accelerate research (Forsgren, Humble, Kim 2018) found that high-performing engineering organizations have lower change-failure rates than low-performing ones, even though they ship more frequently
   • Distinguish 'shift-left security' as a slogan from shift-left as a measurable practice (where security review moves earlier in the lifecycle and produces evidence of effort)

2. Module 02 · 140 min

   OWASP Top 10 and ASVS

   What the OWASP Top 10 (2021) actually covers, why ASVS is the working catalog DevSecOps engineers should care about more than the Top 10, and how to read each as a hands-on engineer.

   Learning objectives

   • Cite the ten categories of OWASP Top 10 (2021) and identify the methodology behind their selection
   • Read an ASVS v4 requirement (any L1, L2, or L3 control) and translate it into a concrete pipeline check
   • Distinguish SAST, DAST, IAST, and SCA tools by what each catches and misses

3. Module 03 · 140 min

   Software Supply Chain Integrity and SLSA

   Why supply-chain attacks are the fastest-growing breach pattern, what the SLSA framework defines as integrity levels, and how to ship a software bill of materials (SBOM) that survives an audit.

   Learning objectives

   • Cite the four SLSA build levels (Build L1 through Build L3 plus the Source track) and identify the practices each level requires
   • Distinguish SBOM formats (CycloneDX, SPDX) and explain why SBOMs alone do not stop supply-chain attacks
   • Read CISA's Secure Software Self-Attestation Common Form and identify what a software vendor must attest to

4. Module 04 · 120 min

   CI/CD Pipeline Hardening and Secret Management

   What controls protect a CI/CD pipeline from tampering, why long-lived API tokens are the most common compromise vector, and how to design a workload-identity model that retires them.

   Learning objectives

   • Identify the four most common CI/CD compromise patterns (write-access escalation, dependency confusion, malicious test, secret exfiltration) and the controls that mitigate each
   • Distinguish OIDC-based workload identity (GitHub OIDC + AWS IAM Roles, Azure Federated Credentials, Workload Identity Federation in Google Cloud) from long-lived API tokens
   • Apply CIS Controls v8 to a CI/CD pipeline and identify which controls have direct pipeline applicability

5. Module 05 · 110 min

   Runtime Security and Detection for DevSecOps

   How runtime security extends the DevSecOps program past deployment, what eBPF-based observability tools (Falco, Tetragon) actually capture, and how the platform team partners with the SOC.

   Learning objectives

   • Distinguish runtime application self-protection (RASP), runtime container security (Falco / Tetragon), and traditional EDR by what each instruments and what each detects
   • Read a Falco rule and explain how it would catch a container escape attempt
   • Define the platform-team / SOC interface (who owns what alerts, who responds first, how the runbook escalates)

6. Module 06 · 100 min

   The DevSecOps Career Trajectory

   What the application security engineer, DevSecOps engineer, platform security engineer, and security architect ladder looks like, the credentials hiring managers price into the offer, and the BLS, ISC2, and DORA data behind compensation.

   Learning objectives

   • Distinguish AppSec engineer, DevSecOps engineer, platform security engineer, and security architect roles by daily decisions and credentials
   • Cite BLS OES 2024 and ISC2 2024 data on DevSecOps and platform security compensation
   • Build a 12-month plan from current state to a target DevSecOps role with credentialed milestones (Security+, OSCP if pentest-adjacent, GCSA / GSSA for SANS-track, plus engineering portfolio artifacts)

Target audience

• Software engineers stepping sideways into security-focused or platform-engineering roles
• DevOps engineers taking on the security portion of a platform-team charter
• Application security engineers who want to ground their work in primary-source frameworks instead of tool-vendor marketing
• Security engineers from on-prem or SOC backgrounds entering modern CI/CD environments
• Engineering managers building or scaling a DevSecOps program

Prerequisites

• Working comfort with Git, a CI system (GitHub Actions, GitLab CI, CircleCI, Jenkins), and at least one programming language
• Basic understanding of TLS, OAuth, and at-rest encryption
• Familiarity with at least one container runtime (Docker, containerd) and one orchestrator (Kubernetes, ECS, Cloud Run)
• Willingness to commit 8 to 10 weeks of 4 to 6 hours per week study

Related cybersecurity content

• DevSecOps Engineer cybersecurity career guide
• Application Security Engineer career guide
• Cloud Security Fundamentals (the cybersecurity cloud-platform companion)

Disclaimer

This course is for educational purposes only. It does not guarantee employment, certification pass rates, or shipped-product security outcomes. Software security is contextual; recommendations in this course must be adapted to the specific stack, threat model, and risk tolerance of the consuming organization. NIST and US Government materials cited here are public works. OWASP materials are licensed under Creative Commons Attribution-ShareAlike. SLSA is a Linux Foundation project. DecipherU is not affiliated with any standards body or platform vendor.