DevOps to DevSecOps in 9 Hours | Practical Learning

A comprehensive 9-hour practical course by Abhishek Veeramalla that transforms a DevOps engineer into a DevSecOps practitioner. The video is structured as a 7-day curriculum covering threat modeling, secure pipelines, infrastructure scanning, container hardening, Kubernetes security, and capstone pipeline construction for a three-tier application.

Course Structure

The curriculum follows a progressive “shift left” model, moving security earlier into the software delivery lifecycle:

DayTopicKey Tools & Concepts
Day 1Introduction to DevSecOps & Threat Modeling[[wiki/concepts/Security/Shift-Left-Security
Day 2Securing Git & GitHub WorkflowsBranch protection, secret scanning, pre-commit hooks, PAT hygiene
Day 3Terraform Security & IaC ScanningTerraform manifest hardening, state file encryption, secret management with Vault
Day 4Container Security with Docker[[wiki/concepts/Security/Container-Security
Day 5Kubernetes Security[[wiki/concepts/Kubernetes/Kubernetes-RBAC
Day 6SAST, DAST, and SCA[[wiki/concepts/Security/SAST-DAST-SCA
Day 7Capstone ProjectEnd-to-end DevSecOps pipeline for a three-tier application using GitHub Actions

Core Philosophy: Shift Left

The course anchors on the shift left principle: the earlier a security control is applied, the cheaper it is to fix a vulnerability. Rather than bolting security onto a finished pipeline, DevSecOps embeds it into every stage — from the developer’s IDE through CI/CD to runtime monitoring. This transforms the traditional “dev then ops then sec” waterfall into a continuous feedback loop where security is everyone’s responsibility.

Key Technical Synthesis

Threat Modeling with OWASP Threat Dragon

The Day 1 threat-modeling module is distinctive because it treats security as a design activity rather than an audit activity. Using OWASP Threat Dragon, learners diagram a three-tier application’s data flow, identify trust boundaries, and enumerate threats via the STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). The output is a prioritized risk matrix that drives every subsequent security control choice in the pipeline.

Git & GitHub Security

Day 2 focuses on the software supply chain’s front door. The coverage includes branch protection rules (requiring PR reviews and status checks), secret scanning with GitHub Advanced Security, pre-commit hooks to block credential leaks before they reach remote, and the principle of least privilege for Personal Access Tokens. This section connects directly to GitOps security patterns where the Git repository is the single source of truth and therefore the highest-value attack surface.

Terraform & Infrastructure as Code Security

Day 3 addresses a common blind spot: treating infrastructure code as less sensitive than application code. The course demonstrates scanning Terraform manifests for hardcoded secrets, encrypting state files, and integrating HashiCorp Vault for dynamic secret injection. A critical insight is that IaC drift and misconfiguration are now the leading causes of cloud breaches, making static analysis of .tf files as important as application SAST.

Container Security

Day 4 is a deep dive into Docker hardening: running containers as non-root users, using distroless or Alpine base images to shrink attack surface, and scanning images with Trivy for OS-level and application-level CVEs. The course emphasizes that image scanning is not enough — runtime security (seccomp, AppArmor, capabilities dropping) is required for production workloads.

Kubernetes Security

Day 5 leverages the CKA-level Kubernetes knowledge the channel is known for, but pivots to a security lens. Topics include RBAC least-privilege Role and ClusterRole design, NetworkPolicies for zero-trust east-west segmentation, and Pod Security Standards (restricted, baseline, privileged). The section treats Kubernetes not just as an orchestrator but as a security boundary.

SAST, DAST, and SCA

Day 6 maps the three primary code-analysis disciplines to pipeline stages:

  • SAST (Static Application Security Testing) — analyzes source code without execution; catches injection flaws, insecure dependencies, and secret leakage at build time.
  • DAST (Dynamic Application Security Testing) — attacks the running application; simulates real-world exploit scenarios like SQL injection and XSS.
  • SCA (Software Composition Analysis) — audits open-source dependencies for known CVEs and license compliance. The course uses SonarQube for SAST/SCA and OWASP ZAP for DAST, integrating both into GitHub Actions with quality gates that fail builds on critical findings.

Capstone: Three-Tier DevSecOps Pipeline

Day 7 ties all seven days into a single GitHub Actions pipeline for a frontend-backend-database application. The pipeline includes: threat-model review → secret scanning → SAST → container image build → image scan → IaC scan → DAST on staging → Kubernetes deployment with RBAC + NetworkPolicies. This capstone is the course’s primary differentiator: learners leave with a production-ready secure pipeline template rather than fragmented tool knowledge.

Tools Covered

  • GitHub Actions — CI/CD orchestration
  • Docker — Containerization
  • Kubernetes — Container orchestration and runtime security
  • Terraform — Infrastructure as Code
  • Trivy — Container image and filesystem vulnerability scanner
  • SonarQube — SAST and code quality platform
  • OWASP ZAP — Dynamic application security scanner
  • OWASP Threat Dragon — Threat modeling tool
  • HashiCorp Vault — Secret management and dynamic credentials

Audience & Prerequisites

The course assumes existing DevOps familiarity (Docker, Kubernetes basics, CI/CD concepts) and is targeted at DevOps engineers, cloud engineers, security enthusiasts, and beginners specifically starting with DevSecOps. The practical, terminal-driven demonstrations follow Abhishek’s established teaching style of live coding with working manifests.

Why This Matters

DevSecOps is not a separate role from DevOps — it is the maturation of DevOps. As organizations move from “deploy fast” to “deploy fast and securely,” the ability to build and operate secure pipelines becomes a non-negotiable skill. This course provides a structured, tool-agnostic mental model (shift left, defense in depth, zero trust) paired with concrete implementations that can be adapted to any stack.

See Also

Wiki Concepts

Creator / Entity

  • Abhishek Veeramalla — Primary instructor; DevOps educator focused on Kubernetes, CI/CD, and cloud infrastructure

Tags: devsecops devops cybersecurity kubernetes docker terraform github-actions sast dast cloud-security owasp shift-left container-security threat-modeling