DevSecOps Study Plan
This page is updated based on jassics/security-study-plan/devsecops-study-plan
This study plan is based on milestones. Check how much you can cover within the timeline - the more topics you cover, the better a candidate you are for roles requiring solid DevSecOps knowledge. Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.
DevSecOps is not just "adding security tools to CI/CD." It's about building security into how software is planned, built, tested, delivered, and operated - with as much automation and feedback as possible.
It leans more toward:
- Working closely with developers, SRE/DevOps, and AppSec
- Integrating security checks into pipelines and platforms
- Defining secure defaults and guardrails
- Enabling teams to ship fast and safely
It usually takes 6-12 months to be job-ready at the entry level, or to move laterally from AppSec/DevOps into a DevSecOps role.
In Short
- DevSecOps is not a separate silo - it's how development, security, and operations work together.
- Think "developer + DevOps/SRE + security engineer" combined.
- You should be comfortable with CI/CD systems, containers, and basic cloud concepts.
- You should know enough Application Security to choose and tune the right checks.
- Automation, feedback loops, and culture change matter as much as tools.
ToC
- DevSecOps Fundamentals - 3-4 weeks
- CI/CD and Automation Basics - 3-4 weeks
- Security Testing in the Pipeline - 4-6 weeks
- Cloud, Containers and IaC Security - 4-6 weeks
- Platform Guardrails and Governance - 3-4 weeks
- Metrics, Feedback and Culture - 2-3 weeks
- Resources
- Interview Questions
DevSecOps Fundamentals
Duration: 3-4 weeks
Understand what DevSecOps is and what problems it tries to solve.
Week 1-2: Evolution & Goals
- Understand the evolution: Dev → DevOps → DevSecOps, and why traditional "security at the end" doesn't work.
- Read or refresh related plans:
  - Application Security Study Plan
  - Secure SDLC Study Plan
  - The relevant cloud security study plan(s) - AWS, Azure, GCP
Week 3-4: Responsibilities & Shift Left
- Understand the main DevSecOps goals:
  - Shift security left (earlier in the SDLC) and right (monitoring in production)
  - Make security part of the delivery pipeline, not a blocking afterthought
  - Provide self-service security capabilities for product teams
- Know typical DevSecOps responsibilities:
  - Designing and maintaining security checks in CI/CD
  - Working with platform/DevOps teams to define secure defaults
  - Helping AppSec/Product Security scale via automation
CI/CD and Automation Basics
Duration: 3-4 weeks
You cannot do DevSecOps effectively without a solid grasp of CI/CD.
Week 5-6: Platforms & Stages
- Learn one or two CI/CD platforms in depth (GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI - depending on your environment)
- Understand common pipeline stages: build, unit/integration tests, security tests, packaging/artifacts, deployment
Week 7-8: Infrastructure & Practice
- Learn the infrastructure around pipelines: repositories/branching strategies, environments (dev/test/stage/prod), secrets management for pipelines
- Practice: build a simple app with a basic CI pipeline (build + tests), then plan where security checks will plug in (SAST, SCA, etc.)
Security Testing in the Pipeline
Duration: 4-6 weeks
Focus on what security checks you can automate, and where.
Week 9-11: SAST, SCA & Secrets
- SAST - see this site's SAST guide and SDL in CI/CD; understand its strengths/limitations, where to run it (typically PR/merge), and how to configure gates
- SCA / dependency scanning - see SCA and SCA in CI/CD; vulnerable dependencies, license risk, SBOM basics
- Secrets detection - preventing API keys/passwords from being committed, pre-commit hooks vs pipeline checks
Week 12-14: DAST & Container Scanning
- DAST/API testing - see DAST in CI/CD; black-box testing against running apps/APIs, and where to run it (e.g. pre-prod)
- Container/image scanning - base image vulnerabilities, app packages inside containers, integrating scanning into image builds - see Docker Security Study Plan
You don't need to be an expert in every tool, but you should understand which type of test fits which risk, and where in the pipeline it belongs.
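An added example (not part of the study plan) of the "which check fits which risk, and where" decision as pipeline gate logic: secrets findings always block, new high/critical SAST/SCA findings block a pull request, and nightly runs fail on any open critical issue even if it was already triaged. Tool names, rule ids, severities and the baseline are constructed sample data.

```python
"""Pipeline security gate: decide whether a stage fails given scanner findings.
Added illustration only; findings, rule ids and policy thresholds are constructed."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    tool: str        # "sast", "sca" or "secrets"
    rule: str        # scanner rule id (constructed sample values below)
    severity: str
    location: str    # file path or package name

@dataclass
class GateResult:
    blocked: bool
    reasons: list = field(default_factory=list)

def evaluate_gate(findings, stage, baseline=frozenset()):
    """stage: 'pr' (fast feedback, blocks only on NEW serious issues) or
    'nightly' (slower, fails on any critical issue, baseline or not).
    baseline: set of (tool, rule, location) keys already triaged."""
    result = GateResult(blocked=False)
    for f in findings:
        key = (f.tool, f.rule, f.location)
        rank = SEVERITY_RANK.get(f.severity.lower(), 0)
        is_new = key not in baseline
        if f.tool == "secrets":
            # A committed credential is a live risk, so it blocks at every stage.
            result.reasons.append(f"secret detected at {f.location} ({f.rule})")
        elif stage == "pr" and is_new and rank >= SEVERITY_RANK["high"]:
            result.reasons.append(f"new {f.severity} {f.tool} finding: {f.rule} at {f.location}")
        elif stage == "nightly" and rank >= SEVERITY_RANK["critical"]:
            result.reasons.append(f"{f.severity} {f.tool} finding still open: {f.rule} at {f.location}")
    result.blocked = bool(result.reasons)
    return result

# Constructed sample findings; "CVE-PLACEHOLDER-1" is a placeholder, not a real CVE id.
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "high", "app/db.py"),
    Finding("sca", "CVE-PLACEHOLDER-1", "critical", "requests"),
    Finding("sast", "weak-hash", "medium", "app/auth.py"),
    Finding("secrets", "aws-access-key", "high", "config/settings.py"),
]
KNOWN = frozenset({("sca", "CVE-PLACEHOLDER-1", "requests")})  # triaged, fix in progress

if __name__ == "__main__":
    for stage in ("pr", "nightly"):
        r = evaluate_gate(SAMPLE_FINDINGS, stage, KNOWN)
        print(stage, "BLOCKED" if r.blocked else "PASS", r.reasons)
```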
Cloud, Containers and IaC Security
Duration: 4-6 weeks
Most DevSecOps work today happens around cloud-native stacks.
Week 15-17: Containers & Orchestration
- Docker basics (images, containers, Dockerfile) - see Docker Security Study Plan
- Kubernetes/orchestration basics (pods, services, deployments, namespaces) - see Kubernetes Security Study Plan
- Common container security risks: running as root, capabilities, image provenance
Week 18-20: IaC & Baselines
- Infrastructure as Code: Terraform, CloudFormation, ARM/Bicep, Pulumi, Ansible; typical misconfigurations (open security groups, public buckets, missing encryption)
- Cloud security baselines: align with your cloud study plan(s), understand provider-native services (Security Center, Config, GuardDuty)
- DevSecOps role: integrate image and IaC scanning into pipelines; enforce baseline policies via policy-as-code (OPA/Conftest, admission controllers) - see Compliance as Code
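An added example (not the study plan's own code) of the policy-as-code idea applied to the three IaC misconfigurations listed above. It is written in Python rather than OPA/Rego so it runs stand-alone; it walks the `planned_values` tree of a `terraform show -json` plan and denies world-open security group ingress, public S3 bucket ACLs and unencrypted EBS volumes. The plan document is constructed sample data.

```python
"""Policy-as-code check over a Terraform plan JSON (terraform show -json output).
Added illustration of the checks an OPA/Conftest policy would express; the plan
below is constructed sample data, not from any real environment."""
import json

def iter_resources(plan):
    """Yield every planned resource, recursing into child modules."""
    def walk(module):
        for res in module.get("resources", []):
            yield res
        for child in module.get("child_modules", []):
            yield from walk(child)
    yield from walk(plan.get("planned_values", {}).get("root_module", {}))

def check_plan(plan):
    """Return (resource address, violation) tuples for the three misconfigurations."""
    violations = []
    for res in iter_resources(plan):
        t, addr, v = res["type"], res["address"], res.get("values", {})
        if t == "aws_security_group":
            for rule in v.get("ingress", []):
                if ("0.0.0.0/0" in rule.get("cidr_blocks", [])
                        or "::/0" in rule.get("ipv6_cidr_blocks", [])):
                    ports = f"{rule.get('from_port')}-{rule.get('to_port')}"
                    violations.append((addr, f"ingress open to the world on ports {ports}"))
        elif t == "aws_s3_bucket":
            if v.get("acl") in ("public-read", "public-read-write"):
                violations.append((addr, "public bucket ACL"))
        elif t == "aws_ebs_volume":
            if not v.get("encrypted", False):
                violations.append((addr, "EBS volume not encrypted"))
    return violations

SAMPLE_PLAN = json.loads("""{
 "planned_values": {"root_module": {"resources": [
  {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
   "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                           "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
   "values": {"acl": "public-read"}},
  {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume", "name": "data",
   "values": {"size": 100, "encrypted": false}},
  {"address": "aws_ebs_volume.ok", "type": "aws_ebs_volume", "name": "ok",
   "values": {"size": 20, "encrypted": true}}
 ]}}}""")

if __name__ == "__main__":
    for addr, why in check_plan(SAMPLE_PLAN):
        print(f"DENY {addr}: {why}")
```

In a pipeline the same check runs against the plan artifact before `terraform apply`, and a non-empty result fails the stage.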
Platform Guardrails and Governance
Duration: 3-4 weeks
DevSecOps is also about secure platforms, not only individual pipelines.
Week 21-24: Guardrails & Governance
- Internal developer platforms, golden paths, and templates
- Typical security guardrails: standardized service templates with logging/monitoring/security defaults, centralized identity/access patterns, network policies and ingress/egress controls
- Governance and approvals - when they are necessary, and how to automate them so humans only handle exceptions
- Work with Product Security/AppSec/Cloud Security to define minimal required controls and an exception/risk-acceptance process
Metrics, Feedback and Culture
Duration: 2-3 weeks
DevSecOps is as much about people and feedback as it is about tools.
Week 25-27: Metrics & Culture
- Metrics: findings per pipeline/service (and trend), MTTR for security issues, adoption of security checks
- Feedback loops: making scanner results visible/understandable to developers, fast PR feedback, security office hours
- Culture and enablement: security champions, training developers on interpreting/fixing findings, keeping friction low - see Vulnerability Management and DevSecOps Maturity Model
Resources
Certifications: cloud security certs for your primary provider (AWS/Azure/GCP), DevOps/cloud-native certs covering CI/CD and containers, Application Security/Secure SDLC certs if you want to emphasize the security side.
Interview Questions
You can reuse many questions from Application Security interview questions, and from cloud/security interviews generally - but focus on how you would automate and integrate security into pipelines and platforms.
Additional DevSecOps-focused questions to prepare for:
- How would you add security checks into an existing CI/CD pipeline without slowing teams down too much?
- How do you decide which security tools to run on pull requests vs in nightly builds?
- How would you integrate container and IaC scanning into the delivery process?
- How would you measure the success of a DevSecOps initiative over 6-12 months?
Practice next: jassics/security-study-plan for the latest updates to this plan, and DevSecOps interview questions for DevSecOps-specific questions.