DevOps to DevSecOps in 9 Hours | Practical Learning
A comprehensive 9-hour practical course by Abhishek Veeramalla that transforms a DevOps engineer into a DevSecOps practitioner. The video is structured as a 7-day curriculum covering threat modeling, secure pipelines, infrastructure scanning, container hardening, Kubernetes security, and capstone pipeline construction for a three-tier application.
Course Structure
The curriculum follows a progressive “shift left” model, moving security earlier into the software delivery lifecycle:
| Day | Topic | Key Tools & Concepts |
|---|---|---|
| Day 1 | Introduction to DevSecOps & Threat Modeling | [[wiki/concepts/Security/Shift-Left-Security |
| Day 2 | Securing Git & GitHub Workflows | Branch protection, secret scanning, pre-commit hooks, PAT hygiene |
| Day 3 | Terraform Security & IaC Scanning | Terraform manifest hardening, state file encryption, secret management with Vault |
| Day 4 | Container Security with Docker | [[wiki/concepts/Security/Container-Security |
| Day 5 | Kubernetes Security | [[wiki/concepts/Kubernetes/Kubernetes-RBAC |
| Day 6 | SAST, DAST, and SCA | [[wiki/concepts/Security/SAST-DAST-SCA |
| Day 7 | Capstone Project | End-to-end DevSecOps pipeline for a three-tier application using GitHub Actions |
Core Philosophy: Shift Left
The course anchors on the shift left principle: the earlier a security control is applied, the cheaper it is to fix a vulnerability. Rather than bolting security onto a finished pipeline, DevSecOps embeds it into every stage — from the developer’s IDE through CI/CD to runtime monitoring. This transforms the traditional “dev then ops then sec” waterfall into a continuous feedback loop where security is everyone’s responsibility.
Key Technical Synthesis
Threat Modeling with OWASP Threat Dragon
The Day 1 threat-modeling module is distinctive because it treats security as a design activity rather than an audit activity. Using OWASP Threat Dragon, learners diagram a three-tier application’s data flow, identify trust boundaries, and enumerate threats via the STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). The output is a prioritized risk matrix that drives every subsequent security control choice in the pipeline.
Git & GitHub Security
Day 2 focuses on the software supply chain’s front door. The coverage includes branch protection rules (requiring PR reviews and status checks), secret scanning with GitHub Advanced Security, pre-commit hooks to block credential leaks before they reach remote, and the principle of least privilege for Personal Access Tokens. This section connects directly to GitOps security patterns where the Git repository is the single source of truth and therefore the highest-value attack surface.
Terraform & Infrastructure as Code Security
Day 3 addresses a common blind spot: treating infrastructure code as less sensitive than application code. The course demonstrates scanning Terraform manifests for hardcoded secrets, encrypting state files, and integrating HashiCorp Vault for dynamic secret injection. A critical insight is that IaC drift and misconfiguration are now the leading causes of cloud breaches, making static analysis of .tf files as important as application SAST.
Container Security
Day 4 is a deep dive into Docker hardening: running containers as non-root users, using distroless or Alpine base images to shrink attack surface, and scanning images with Trivy for OS-level and application-level CVEs. The course emphasizes that image scanning is not enough — runtime security (seccomp, AppArmor, capabilities dropping) is required for production workloads.
Kubernetes Security
Day 5 leverages the CKA-level Kubernetes knowledge the channel is known for, but pivots to a security lens. Topics include RBAC least-privilege Role and ClusterRole design, NetworkPolicies for zero-trust east-west segmentation, and Pod Security Standards (restricted, baseline, privileged). The section treats Kubernetes not just as an orchestrator but as a security boundary.
SAST, DAST, and SCA
Day 6 maps the three primary code-analysis disciplines to pipeline stages:
- SAST (Static Application Security Testing) — analyzes source code without execution; catches injection flaws, insecure dependencies, and secret leakage at build time.
- DAST (Dynamic Application Security Testing) — attacks the running application; simulates real-world exploit scenarios like SQL injection and XSS.
- SCA (Software Composition Analysis) — audits open-source dependencies for known CVEs and license compliance. The course uses SonarQube for SAST/SCA and OWASP ZAP for DAST, integrating both into GitHub Actions with quality gates that fail builds on critical findings.
Capstone: Three-Tier DevSecOps Pipeline
Day 7 ties all seven days into a single GitHub Actions pipeline for a frontend-backend-database application. The pipeline includes: threat-model review → secret scanning → SAST → container image build → image scan → IaC scan → DAST on staging → Kubernetes deployment with RBAC + NetworkPolicies. This capstone is the course’s primary differentiator: learners leave with a production-ready secure pipeline template rather than fragmented tool knowledge.
Tools Covered
- GitHub Actions — CI/CD orchestration
- Docker — Containerization
- Kubernetes — Container orchestration and runtime security
- Terraform — Infrastructure as Code
- Trivy — Container image and filesystem vulnerability scanner
- SonarQube — SAST and code quality platform
- OWASP ZAP — Dynamic application security scanner
- OWASP Threat Dragon — Threat modeling tool
- HashiCorp Vault — Secret management and dynamic credentials
Audience & Prerequisites
The course assumes existing DevOps familiarity (Docker, Kubernetes basics, CI/CD concepts) and is targeted at DevOps engineers, cloud engineers, security enthusiasts, and beginners specifically starting with DevSecOps. The practical, terminal-driven demonstrations follow Abhishek’s established teaching style of live coding with working manifests.
Why This Matters
DevSecOps is not a separate role from DevOps — it is the maturation of DevOps. As organizations move from “deploy fast” to “deploy fast and securely,” the ability to build and operate secure pipelines becomes a non-negotiable skill. This course provides a structured, tool-agnostic mental model (shift left, defense in depth, zero trust) paired with concrete implementations that can be adapted to any stack.
See Also
Wiki Concepts
- DevSecOps Fundamentals — Core principles and the security-as-code mindset
- Shift Left Security — The economic and operational rationale for early security controls
- Threat Modeling — STRIDE methodology and OWASP Threat Dragon in practice
- Container Security — Docker hardening, image scanning, and runtime protection
- SAST, DAST, and SCA — Security testing taxonomy and pipeline integration
- GitOps Security — Securing repositories, workflows, and the supply chain
- Kubernetes RBAC — Role-based access control for cluster and namespace hardening
- Kubernetes Network Policies — Zero-trust east-west traffic segmentation
- Kubernetes Authentication & Authorization — API server security pipeline
- Kubernetes ConfigMaps and Secrets — Secret lifecycle and injection patterns
- Docker Fundamentals — Container primitives prerequisite for security hardening
- Dockerize a Project — Dockerfile best practices including non-root and multi-stage builds
- AI Security — Securing agentic workflows and AI-generated code pipelines
- CKA Certification — Kubernetes foundation that DevSecOps builds upon
- CKA Study Roadmap — 40-day learning plan leading into DevSecOps specialization
Related Sources
- CKA Day 33 — Kubernetes Ingress Tutorial | Ingress Explained — Guest session by Abhishek Veeramalla on the Tech Tutorials with Piyush CKA series
- CKA Day 26 — Kubernetes Network Policies Explained — Deep-dive into zero-trust networking that Day 5 of this course extends
- CKA Day 23 — Kubernetes RBAC Explained — RBAC fundamentals that underpin the Day 5 Kubernetes security module
Creator / Entity
- Abhishek Veeramalla — Primary instructor; DevOps educator focused on Kubernetes, CI/CD, and cloud infrastructure
Tags: devsecops devops cybersecurity kubernetes docker terraform github-actions sast dast cloud-security owasp shift-left container-security threat-modeling