Security & Governance · 90 days · 2-3 hours/day · updated 2026-06-01
DevSecOps 90-Day Learning Path
Master DevSecOps in 90 days: SAST, DAST, SCA, SBOM, SLSA supply-chain controls, and policy-as-code. Build pipelines where security is a first-class citizen, not an afterthought.
What DevSecOps means
DevSecOps integrates security practices directly into DevOps pipelines so that vulnerabilities are caught at the earliest possible stage. It encompasses automated code scanning, dependency auditing, container hardening, and runtime policy enforcement. The goal is a culture where every developer owns security outcomes, not just a dedicated security team.
Who should follow this path
- DevOps engineers who want to own pipeline security
- Application security engineers moving into automation
- Platform engineers building secure golden paths
- SREs responsible for runtime security posture
- Developers working in regulated industries
Prerequisites
- Solid CI/CD pipeline experience (GitHub Actions or Jenkins)
- Comfortable with containers and Kubernetes basics
- Basic Linux and networking knowledge
- Familiarity with Git branching workflows
- Some exposure to OWASP Top 10 concepts
The 90-day plan
Daily study recommendation: 2-3 hours/day, six days a week. Consistency beats intensity — block the time in your calendar like a meeting.
Days 1–15: Foundation
- OWASP Top 10; CWE weakness categories versus CVE vulnerability identifiers, and CVSS severity scoring
- Threat modeling fundamentals (STRIDE)
- Secure SDLC frameworks overview (e.g. NIST SSDF, OWASP SAMM)
- NIST Cybersecurity Framework basics
- DevSecOps maturity models
Outcome: Understand the core security vocabulary and frameworks that underpin DevSecOps practice.
Days 16–30: Core concepts
- SAST with Semgrep and SonarQube
- SCA with OWASP Dependency-Check and Snyk
- Secret scanning with Gitleaks and TruffleHog
- DAST fundamentals with OWASP ZAP
- Integrating scans into GitHub Actions pipelines
Outcome: Run automated code and dependency scans inside a real CI pipeline and triage findings.
Days 31–45: Tools and workflows
- Container image scanning with Trivy and Grype
- Dockerfile hardening and least-privilege base images
- Kubernetes admission controllers (OPA/Gatekeeper)
- Policy-as-code with Kyverno
- Secrets management with HashiCorp Vault
Outcome: Harden container workloads and enforce policy gates at the Kubernetes layer.
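As an added illustration of the admission-controller material above (example configuration written for this page, not taken from the course or from the Gatekeeper project), the pair of manifests below defines a Gatekeeper ConstraintTemplate that rejects any Pod whose container asks for `privileged: true` or does not opt in to `runAsNonRoot`, then binds it with a Constraint. The template and kind names (`k8sblockprivileged`, `K8sBlockPrivileged`) are assumptions; it requires Gatekeeper to already be installed in the cluster.

```yaml
# ConstraintTemplate: the reusable Rego policy plus the CRD it generates.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sblockprivileged          # hypothetical name
spec:
  crd:
    spec:
      names:
        kind: K8sBlockPrivileged     # hypothetical kind, used by the Constraint below
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sblockprivileged

        # Collect every container kind so init and ephemeral containers
        # cannot be used to bypass the check.
        containers[c] {
          c := input.review.object.spec.containers[_]
        }
        containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
        containers[c] {
          c := input.review.object.spec.ephemeralContainers[_]
        }

        # Rule 1: no privileged containers at all.
        violation[{"msg": msg}] {
          c := containers[_]
          c.securityContext.privileged == true
          msg := sprintf("container %q must not run privileged", [c.name])
        }

        # Rule 2: runAsNonRoot must be true, either on the container or
        # inherited from the pod-level securityContext.
        violation[{"msg": msg}] {
          c := containers[_]
          not c.securityContext.runAsNonRoot == true
          not input.review.object.spec.securityContext.runAsNonRoot == true
          msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
        }
---
# Constraint: where and how strictly the template is enforced.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockPrivileged
metadata:
  name: block-privileged-pods       # hypothetical name
spec:
  enforcementAction: deny           # switch to "dryrun" to audit before enforcing
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
```

Matching on Pod rather than Deployment is deliberate: the ReplicaSet controller's Pod creations go through admission too, so workloads of every kind are caught at the point the container actually gets scheduled. Roll it out with `enforcementAction: dryrun` first and read the violations Gatekeeper records in the Constraint's status before flipping to `deny`, otherwise the first thing you block is usually a monitoring agent in a namespace you forgot to exclude.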
Days 46–60: Hands-on projects
- SBOM generation with Syft (CycloneDX and SPDX output formats)
- SLSA framework: implementing Build track levels 1-3
- Sigstore/Cosign image signing
- Software supply chain attack patterns
- Dependency pinning and lock-file strategies
Outcome: Implement supply-chain security controls producing verifiable SBOMs and signed artifacts.
Days 61–75: Advanced practices
- Cloud security posture management (CSPM) with Prowler
- Infrastructure-as-code scanning with Checkov
- Runtime security with Falco
- Zero-trust network policies in Kubernetes
- Compliance-as-code for SOC 2 and PCI DSS controls
Outcome: Extend security controls to cloud infrastructure and runtime environments with continuous compliance checks.
Days 76–90: Portfolio, interview & certification prep
- Building a DevSecOps portfolio project end-to-end
- Preparing for CKS and AWS Security Specialty exams
- Common DevSecOps interview questions and scenarios
- Metrics: MTTD, MTTR, vulnerability SLA tracking
- Contributing to open-source security tooling
Outcome: Complete a portfolio-ready secure pipeline project and be interview-ready for DevSecOps roles.
Phase outcomes at a glance
| Phase | Outcome |
|---|---|
| Days 1–15 | Understand the core security vocabulary and frameworks that underpin DevSecOps practice. |
| Days 16–30 | Run automated code and dependency scans inside a real CI pipeline and triage findings. |
| Days 31–45 | Harden container workloads and enforce policy gates at the Kubernetes layer. |
| Days 46–60 | Implement supply-chain security controls producing verifiable SBOMs and signed artifacts. |
| Days 61–75 | Extend security controls to cloud infrastructure and runtime environments with continuous compliance checks. |
| Days 76–90 | Complete a portfolio-ready secure pipeline project and be interview-ready for DevSecOps roles. |
Tools to learn
- Semgrep
- SonarQube
- Snyk
- Trivy
- Gitleaks
- OWASP ZAP
- HashiCorp Vault
- OPA/Gatekeeper
- Falco
- Syft
- Checkov
- Sigstore/Cosign
Labs to practice
Mini projects
- Build a fully automated secure CI/CD pipeline with SAST, SCA, image scan, and SBOM generation gates
- Implement OPA/Gatekeeper policies to block non-compliant workloads in a Kubernetes cluster
- Create an SLSA Build Level 2 supply chain with signed images and provenance attestations
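To make the first and third mini projects concrete, here is a GitHub Actions workflow, written for this page as an added example (not the course's own material and not copied from any tool's documentation), that runs the gates in the order a practitioner would want them: secrets and SAST on the source, SCA on lock files, then build, image scan, SBOM, and keyless Cosign signing with the SBOM attached as an attestation. The image name `ghcr.io/example-org/app`, the Dockerfile at the repository root, and the pinned action versions are assumptions; the `id-token: write` permission is what lets Cosign obtain an OIDC identity without a long-lived key.

```yaml
name: secure-build

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  packages: write      # push the image to GHCR
  id-token: write      # OIDC token for keyless Cosign signing

env:
  IMAGE: ghcr.io/example-org/app   # hypothetical image name

jobs:
  scan-source:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history so Gitleaks scans every commit, not just HEAD

      - name: Secret scan (Gitleaks)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: SAST (Semgrep)
        run: |
          pip install semgrep
          # --error turns findings into a non-zero exit, which fails the job
          semgrep scan --config auto --error

      - name: SCA (Trivy scan of lock files and manifests)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln
          severity: HIGH,CRITICAL
          ignore-unfixed: true     # suppress findings with no upstream fix yet
          exit-code: "1"

  build-sign:
    needs: scan-source             # nothing is built until the source gates pass
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Everything below refers to the image by digest, never by tag,
      # so a later tag move cannot change what was scanned and signed.
      - name: Image scan gate (Trivy)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"

      - name: Generate SBOM (Syft, CycloneDX JSON)
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          format: cyclonedx-json
          output-file: sbom.cdx.json

      - uses: sigstore/cosign-installer@v3

      - name: Sign image and attach SBOM attestation (keyless)
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          cosign sign --yes "$IMAGE@$DIGEST"
          cosign attest --yes --type cyclonedx --predicate sbom.cdx.json "$IMAGE@$DIGEST"
```

Two caveats worth knowing before you copy this: `gitleaks-action` needs a `GITLEAKS_LICENSE` secret for organization-owned repositories, and `ignore-unfixed` is a triage decision, not a free pass, so record it in your vulnerability SLA policy. On the consuming side, verify the signature with `cosign verify --certificate-identity-regexp 'https://github.com/example-org/' --certificate-oidc-issuer https://token.actions.githubusercontent.com ghcr.io/example-org/app@<digest>`; the identity and issuer flags are what stop an attacker from satisfying the check with their own keyless signature.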
Interview questions to prepare
- What is the difference between SAST, DAST, and IAST, and when would you use each?
- How do you prevent secret leakage in a CI/CD pipeline?
- Explain SLSA levels and what each level guarantees about build provenance.
- How would you implement policy-as-code to enforce security controls in Kubernetes?
- What is an SBOM and why is it important for software supply chain security?
- How does Sigstore/Cosign improve container image trust?
- Describe a shift-left security strategy for a microservices application.
- How do you prioritize and SLA-track vulnerabilities found by automated scanners?
Certification suggestions
- Certified Kubernetes Security Specialist (CKS) — CNCF
- AWS Certified Security Specialty — AWS
- Certified DevSecOps Professional (CDP) — Practical DevSecOps
- CompTIA Security+ — CompTIA
Browse the full certification registry for exam details and official links.
Free resources
- OWASP DevSecOps Guideline
- Semgrep Learn (free interactive lessons)
- Trivy Documentation
- SLSA Framework
- Sigstore Docs
- Falco Documentation
Related tool categories
- DevSecOps Tools
- Security Tools
- Software Supply Chain Security Tools
- Container Security Tools
- Policy as Code Tools
- Secrets Management Tools
Prefer live, guided training with mentors and certification support? DevOpsSchool.com runs paid instructor-led programs that pair well with this free path.