DevSecOps University

The comprehensive collection of DevSecOps Learning Resources like Books, Tutorials, Infographics, Tools and much more. Enjoy!

1. Git (Version Control System)

DevSecOps heavily relies on Everything as Code (EaC). A version control system (VCS) becomes the most important tool in our arsenal. Git is the most famous of VCS at the moment.

VIDEO

Git & GitHub Crash Course 2025 by Traversy Media

VIDEO

Git & GitHub Tutorial | Visualized Git Course for Beginner by JavaScript Mastery

VIDEO

Git Tutorial for Beginners by Intellipat

BLOG

Git Handbook by Github

BLOG

Git cheat sheet by Atlassian

BLOG

Git Strategies for DevOps by Ahmad Iqbal Ali

BLOG

Learn the Basics of Git in Under 10 Minutes by Gowtham Venkatesan

BLOG

Understanding Git Explain it Like I’m Five by Kevin Cooper

BLOG

Git – the simple guide by Roger Dudler

BLOG

The Git Supremacy by Mayank Arya

BLOG

Version Controlling with Git in Visual Studio Code and Azure DevOps by Azure

PLAYGROUND

Learn Git Branching

2. CI/CD (Continuous Integration and Delivery)

No matter, you are an Agile shop, DevOps shop or a Cloud-Native shop, continuous integration, continuous delivery and deployment are the cornerstones of modern software development. If you like to attack or defend such a system, you need to understand the basics of it.

VIDEO

GitLab Beginner Tutorial by Raghav Pal

VIDEO

Introduction to Jenkins, CI/CD, and DevOps for Beginners by Valentin Despa

VIDEO

Best practices for securing CI/CD pipeline by Victoria Almazova

VIDEO

CI/CD Platform in AWS with Terraform, Ansible & Docker by Mohamed Labouardy

VIDEO

Continuous delivery from first principles to production by Tom

VIDEO

Let's Build A CI CD Pipeline by Jean De Klerk

VIDEO

Intro to CI/CD with Python by Chris Arceneaux

VIDEO

Gitlab CI/CD by Johan Duran

VIDEO

Building Your First CI/CD Pipeline in Azure by Benjamin Hodge

VIDEO

Continuous Integration with GitLab CI by Pete Johanson

VIDEO

Introduction to GitLab Workflow by Gitlab

VIDEO

From Dev to Prod with GitLab CI by Stephan Hochdorfer

VIDEO

Scaling Continuous Deployment at Facebook and OANDA by Tony Savor

VIDEO

Continuous Delivery with Jenkins in the real World by Gianluca Arbezzano

BLOG

What is CICD — Concepts in Continuous Integration and Deployment by Sanjay Nair

BLOG

An absolute beginners guide to Continuous Delivery by Erin Snyder

BLOG

An Introduction to Continuous Integration, Delivery, and Deployment by Justin Ellingwood

BLOG

Getting Started in CI/CD for Beginners by Samsha

BLOG

What to Consider Before Applying CI/CD | A Beginner's Cheat Sheet by Katalon

BLOG

An Introduction to CI/CD Best Practices by Justin Ellingwood

BLOG

CI/CD on Google Cloud by Google

BLOG

A Modern ci/cd pipeline on pure continuous integration/continuous delivery (ci/cd) on pure storage by PureStorage

BLOG

List of Continuous Integration services by Awesome CI

BLOG

Continuous Integration, Continuous Delivery & Deployment (CI/CD) by Docker

BLOG

Gitlab CI/CD Crash Course by Avicenna Wisesa

BLOG

Automate your work with Gitlab CI/CD tool! by Marcin Nowacki

BLOG

Beginner-Friendly Introduction to GitLab CI/CD by Zuri Hunter

BLOG

GitLab CI/CD Examples by GitLab

BLOG

How To Set Up Continuous Integration Pipelines with GitLab CI on Ubuntu 16.04 by Justin Ellingwood

BLOG

Adopting Modern CI/CD Practices for Adobe Experience Platform Pipeline by Jaemi Bremner

BLOG

How We Build Code at Netflix by Netflix

BLOG

A beginner's guide to building DevOps pipelines with open source tools by Bryant Son

BLOG

Rapid release at massive scale by Chuck Rossi

BLOG

How To Build a CI/CD Pipeline in AWS in 5 Minutes and 58 Seconds by Allen Helton

BLOG

Common security challenges in CI/CD workflow by Meera Rao

HANDS-ON LAB

Python CI/CD Workshop by Datapunks

HANDS-ON LAB

GitLab Git Workshop by Gitlab

HANDS-ON LAB

Gitlab-training by Netways

HANDS-ON LAB

Gitlab-ci-training by Ondrej Sika

3. Artifact management

Organizations deploy software to production but giving access to production deployable artifacts is not a good idea. All deployable software is maintained in a tightly controlled, audible and automatic repo management software also known as artifact management. Think it like a war, jar, zip, tar.gz storage platform.

VIDEO

Introduction to Artifactory on the JFrog Platform by Melissa

VIDEO

How to integrate nexus with jenkins and upload artifacts to nexus server step by step by Madhu Sudhan Reddy

VIDEO

Six Reasons to Use a Repository Manager Now by Tim OBrien

VIDEO

Sample Devops project nexus artifactory up-loader pipeline Jenkins pipeline code Real-time by Madhu Sudhan Reddy

BLOG

Devops artifacts – artifactory, sonatype nexus, maven artifact repository, and apache archiva by BogoToBogo

BLOG

Artifactory Repository Manager – Tutorial by Simon Scholz

BLOG

Nexus Repository Manager – Tutorial by Simon Scholz

BLOG

DevOps: 8 Reasons for DevOps to use a Binary Repository Manager by Jfrog

BLOG

Repository Management Tools by MindMajix

TOOL

Apache Archiva – Apache Archiva™ is an extensible repository management software that helps taking care of your own personal or enterprise-wide build artifact repository. It is the perfect companion for build tools such as Maven, Continuum, and ANT.

TOOL

Maven Repositories – A repository in Maven holds build artifacts and dependencies of varying types

TOOL

Cloud Smith – Cloudsmith is the preferred software platform for securely storing and sharing packages and containers.

TOOL

Jfrog – Artifactory is a product by JFrog that serves as a binary repository manager

TOOL

Nexus repository oss – The free artifact repository with universal format support.

4. Infrastructure as Code (Configuration management tools)

Speed is a competitive advantage and to achieve speed, agility, and performance, organizations are creating infrastructure like its software/code instead of bare metal hardware servers.

Recent advances in virtualisation and cloud computing enables us to accomplish Infrastructure as Code.

VIDEO

Holistic configuration management at Facebook by Chunqiang Tang

VIDEO

SaltStack is more than just configuration management by Thomas Hatch

VIDEO

DSC in Configuration Management tool world by Ben Gelens

VIDEO

Evolution of Configuration Management into a DevOps/Agile World by Marisa Sawatphadungkij

VIDEO

Exiting Vacuum: Integrating Configuration Management into your Ecosystem by Sascha Bates

VIDEO

Configuration Management with Salt Stack: Zero to Hero by Wesley Whetstone

VIDEO

Cloud Native Configuration Management 2020 and beyond by Eric Sorenson

VIDEO

Puppet, the Automation Journey: Configuration Management, Automation and the Cloud by Brendan Rosewarne

BLOG

Configuration Management in DevOps by Bmc Blog

BLOG

Top 10 Configuration Management Tools You Need to Know About by UpGuard

BLOG

Modern Configuration Management: Configuration as Code by Chef

BLOG

Configuration Management 101: Writing Ansible Playbooks by Erika Heidi

BLOG

Configuration Management and Continuous Deployment by Anilkumar Patel

BLOG

Change and Configuration Management — The DevOps Way by Isaac Ndung'u

BLOG

A Newbie's Guide to Configuration Management Tools and How to Get Started by Ofer Velich

BLOG

Automating Configuration Management for DevOps Test Environments by Capgemini

BLOG

A Beginner's Guide to Chef by Linode

BLOG

Automation, Provisioning & Configuration Management (CHEF) by Sudhi

BLOG

All About a Configuration Management Tool Called Chef by Mitesh Soni

BLOG

Configuration Management 101: Writing Chef Recipes by Erika Heidi

BLOG

Chef vs. Puppet by Asaf Yigal

BLOG

Chef vs Puppet — A Detailed Comparison Of The Configuration Management Tools by Spec India

BLOG

Approaches to Configuration Management: Chef, Ansible, and Kubernetes by Kublr Team

BLOG

Configuration Management 101: Writing Puppet Manifests by Erika Heidi

BLOG

Puppet Tutorial for Beginners: Resources, Classes, Manifest, Modules by Guru99

BLOG

A Beginner's Guide to Salt by Linode

BLOG

Getting Started with Salt Stack-the Other Configuration Management System Built with Python by Ben Hosmer

BLOG

Use Salt for Basic Configuration Management by Bejoy Abraham Mathews

BLOG

An Introduction to SaltStack Terminology and Concepts by Justin Ellingwood

BLOG

Configuration management on Gcloud by Google

BLOG

Holistic Configuration Management at Facebook by Chunqiang Tang, Thawan Kooburat, Pradeep Venkatachalam, Akshay Chander, Zhe Wen, Aravind Narayanan, Patrick Dowell, and Robert Karl

TOOL

Ansible – Ansible is an open-source IT Configuration Management, Deployment & Orchestration tool

TOOL

Chef – Chef is an automation tool that provides a way to define infrastructure as code.

TOOL

Vagrant – Vagrant is a tool for building and managing virtual machine environments in a single workflow

TOOL

Puppet – Puppet is a powerful enterprise-grade configuration management tool

HANDS-ON LAB

HPC configuration management using Puppet 5 by cwmoller

HANDS-ON LAB

Ansible From Zero to Best Practices by Will Thames

HANDS-ON LAB

Puppet Learning-VM by Puppet

5. Cloud Service Provider-Platform

Modern software development needs an on-demand, elastic, automated and measurable platform to build software on. Knowing on-prem or a public cloud-based solution is a must these days.

VIDEO

Introduction to AWS Security by Bill Ried

VIDEO

AWS Security by Design by Shafreen Sayyed

VIDEO

Advanced Security Best Practices Masterclass by Ian Massingham

VIDEO

The Fundamentals of AWS Cloud Security by Becky Weiss

VIDEO

Security Best Practices the Well-Architected Way by Ben Potter

VIDEO

Introduction to AWS Security Hub by Ely Kahn

VIDEO

A Cloud Security Architecture Workshop by Dave Shackleford

VIDEO

Successfully Implementing DEV-SEC-OPS in the Cloud by Jimmy Jenis

BLOG

AWS Security Checklist by AWS

BLOG

AWS Security Pillar by AWS

BLOG

AWS Security Blog by AWS

BLOG

AWS Security Primer by Michael Wittig

BLOG

The Fundamental Security Concepts in AWS – Part 1 by Tom Porter

BLOG

AWS Security Fundamentals by AWS

TOOL

Scout Suite – Scout Suite is an open-source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.

TOOL

Cs Suite – Cloud Security Suite – One-stop tool for auditing the security posture of AWS/GCP/Azure infrastructure.

TOOL

AWS-security-benchmark – Open source demos, concept, and guidance related to the AWS CIS Foundation framework.

TOOL

AWS WAF Security Automations – A solution that contains all AWS WAF samples developed so far – waf-reactive-blacklist, waf-bad-bot-blocking, waf-block-bad-behaving, and waf-reputation-lists.

HANDS-ON LAB

flaws by Scott Piper

HANDS-ON LAB

Flaws2 by Scott Piper

HANDS-ON LAB

Cloud Goat by RhinoSecurity

HANDS-ON LAB

Serverless Security Workshop by AWS

HANDS-ON LAB

AWS Security Workshop by Sppum

DevSecOps Resources

Now that basics are taken care of, we can explore the meat of the DevSecOps resources.

Threat modelling and Security Review
Static Analysis (SAST)
Dynamic Analysis (DAST)
Security as Code
Compliance as Code

Feeling overwhelmed? you might want to check out our DevSecOps courses to learn more with easy step by step instructions.

6. Threat Modeling

Threat modeling helps individuals and organisations in quantifying the security efforts.

BOOK

Threat Modeling: Designing for Security by Adam Shostack

BOOK

Threat Modeling by Frank Swiderski, Window Snyder

BOOK

Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis by Tony UcedaVelez, Marco M. Morana

BOOK

Threat Modeling by Matthew J. Coles, Izar Tarandach

FREE COURSE

Threat Modeling Workshop by Robert Hurlbut

PAID COURSE

Certified Threat Modeling Professional (CTMP) by Practical DevSecOps

PAID COURSE

DevSecOps Expert by Practical DevSecOps

PAID COURSE

Threat Modeling Fundamentals by Pluralsight

PAID COURSE

CyberSec First Responder: Threat Detection & Response CFR210 by Stone River eLearning

PAID COURSE

Learning Threat Modeling for Security Professionals by Adam Shostack

PAID COURSE

Threat Modeling: Spoofing In Depth by Adam Shostack

PAID COURSE

Threat Modeling: Tampering in Depth by Adam Shostack

BLOG

What Is Security Threat Modeling? by Lawrence C. Miller, Peter H. Gregory

BLOG

Threat-modeling CheatSheet By Owasp by OWASP

BLOG

Threat Modeling in the Enterprise, Part 1: Understanding the Basics by Stiliyana Simeonova

BLOG

Threat Modeling for Dummies by Adam Englander

BLOG

DevSecOps, Threat Modeling and You: Get started using the STRIDE method by Bruno Amaro Almeida

BLOG

Threat Modeling: The Why, How, When and Which Tools by Debarghya Pandit

BLOG

Threat-modeling datasheet by Synopsys

BLOG

Threat Modeling blog by Security Innovation

BLOG

Threat Modeling: 6 Mistakes You're Probably Making by Jeff Petters

BLOG

How to Create a Threat Model for Cloud Infrastructure Security by Pat Cable

BLOG

Why You Should Care About Threat Modelling by Suresh Marisetty

BLOG

Threat Modeling: a Summary of Available Methods Whitepaper by Nataliya Shevchenko, Timothy A. Chick, Paige O'Riordan, Thomas Patrick Scanlon, PhD, & Carol Woody, PhD

BLOG

Threat Modelling Toolkit by ThoughtWorks

BLOG

How to get started with Threat Modeling, before you get hacked by Hackernoon

BLOG

Thread Modeling tutorial by Geeks For Geeks

BLOG

How to analyze the security of your application with threat modeling by Goran Aviani

BLOG

Tactical Threat Modeling by SafeCode

BLOG

The Power of a Tailored Threat Model Whitepaper by Looking Glass

BLOG

Where is my Threat Model? by Abhishek Datta

FREE TOOL

OWASP Threat Dragon – An online threat modeling web application including system diagramming and a rule engine to auto-generate threats/mitigations.

FREE TOOL

Microsoft Threat Modeling Tool – Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.

FREE TOOL

Owasp-threat-dragon-gitlab – This project is a fork of the original OWASP Threat Dragon web application by Mike Goodwin with Gitlab integration instead of Github.

FREE TOOL

raindance – Project intended to make Attack Maps part of software development by reducing the time it takes to complete them

FREE TOOL

threatspec – Threatspec is an open-source project that aims to close the gap between development and security by bringing the threat modeling process further into the development process.

PAID TOOL

Irius risk – Iriusrisk is a threat modeling tool with an adaptive questionnaire driven by an expert system that guides the user through straight forward questions about the technical architecture, the planned features and the security context of the application.

PAID TOOL

SD elements – Automate Threat Modeling with SD Elements

7. Static Analysis Security Testing (SAST)

Static Security Analysis Testing, is a technique to analyse source code, binary and byte code for security vulnerabilities without running the code/binary/byte code.

Since the code is not run but statically examined, its called static analysis. SAST tools are great at finding vulnerabilities which are common to a language, well known security issues and grep’able patterns.

VIDEO

Static Analysis Security Testing for Dummies… and You by Kevin Fealey

VIDEO

Application Security Testing by Semi Yulianto

VIDEO

Static Analysis for Dynamic Assessments by Greg Patton

VIDEO

Static Code Analysis: Scan All Your Code For Bugs by Dr. Jared DeMott

VIDEO

Bug Hunting with Static Code Analysis by Nick Jones

VIDEO

Static Application Security Testing With CICD Pipelines Using Whitesource by Mohamad Radwan

VIDEO

Walk through of GitLab's APEX Static Application Security Testing (SAST) for Salesforce Development by Lucas C

VIDEO

*AST In CI/CD – how to make it WORK by Ofer Maor

BLOG

How to integrate SAST into the DevSecOps pipeline in 5 simple steps by Meera Rao

BLOG

SAST vs DAST – Why SAST? by Sharon Solomon

TOOL

SAST tools by OWASP

8. Dynamic Analysis Security Testing (DAST)

Dynamic Analysis Security Testing is a technique to analyze the running application for security vulnerabilities. Since an application is running and examined dynamically its called dynamic analysis.

The dynamic analysis doesn’t need someone to have lots of knowledge in intricacies of a programming language.

VIDEO

Dynamic Security Testing with OWASP Zap by Omer Levi Hevroni

VIDEO

Practical Dynamic Application Security Testing within an Enterprise by Nicholas Kenney

VIDEO

Let's take baby steps to security testing by Christina Thalayasingam

VIDEO

Automated Static And Dynamic Security Analysis of Mobile Apps by Raveendar & Rajesh

BLOG

Dynamic application security testing (DAST) by Port Swigger

BLOG

Integrating Web Vulnerability Scanners in Continuous Integration: DAST for CI/CD by Davor Petreski

BLOG

Dynamic Application Security Testing (DAST) by GitLab

BLOG

DAST Scan Automation in CICD Pipeline by Satish Govindappa

BLOG

Veracode Dynamic Analysis + Jenkins: Integrate DAST Into Your CI/CD Pipeline By Marina Kvitnitsky

BLOG

Integrating OWASP ZAP in DevSecOps Pipeline by BreachLock

BLOG

DAST vs SAST: A Case for Dynamic Application Security Testing by Ian Muscat

BLOG

Automating DAST Scans with Jenkins, Arachni & ThreadFix by Matthias Rohr

FREE TOOL

W3af – w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

FREE TOOL

Wapti – Wapiti allows you to audit the security of your websites or web applications.

FREE TOOL

Vega – Vega is a free and open-source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information and other vulnerabilities. It is written in Java, GUI based and runs on Linux, OS X, and Windows.

FREE TOOL

Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

PAID TOOL

Burp Suite – Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

PAID TOOL

Detectify – Automated security and asset monitoring for all teams.Scan your web apps for 1500+ vulnerabilities

PAID TOOL

NetSparker – Netsparker is a scalable, multi-user web application security solution with built-in workflow and reporting tools ideal for security teams. It's available as a hosted and self-hosted solution and can be fully integrated into any development or testing environment.

9. Security as Code

Speed is a competitive advantage and to achieve speed, agility, and performance, organizations are creating infrastructure like its software/code instead of bare metal hardware servers.

Recent advances in virtualisation and cloud computing enables us to accomplish Infrastructure as Code.

VIDEO

Security as Code Webinar by Ellie Mae's

VIDEO

Implementing Security as Code by Julio Faerman

VIDEO

Security as Code A SecDevOps Use Case by Ed Bellis

BLOG

What is Security as Code (SaC)? by Ziad Ghalleb

TOOL

Gauntlt – Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.

TOOL

Checkov – Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and detects security and compliance misconfigurations.

TOOL

Terrascan – A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.

TOOL

tfsec – tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support.

TOOL

CFripper – Library designed to be used as part of a Lambda function to "rip apart" a CloudFormation template and check it for security compliance.

TOOL

Cfn nag – The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure.

TOOL

terraform-aws-secure-baseline – A terraform module to set up your AWS account with the reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.2.0.

10. Compliance as Code

If hardening can be done using Infrastructure as Code tools, why can’t compliance be automated as code?

VIDEO

Compliance as Code: Automate Compliance Using Open Source Technology by RedHat

VIDEO

Continuous Assurance and Continuous Compliance via Data, Graph, Query and Code by Erkang Zheng

VIDEO

Managing Compliance as Code: Using Chef InSpec for All Its Possibilities by Chef

VIDEO

Compliance as Code – Lessons Learned From Regulated Organizations by Sergiu Bodiu

VIDEO

Compliance As Code – Webinar by Anitian

VIDEO

Exception Handling: Compliance as Code by Chef

VIDEO

Infrastructure and Compliance as Code for Universities by Blake Dworaczyk, Adam Mikeal, Nick Rycar

VIDEO

DevSecOps Delight with Compliance as Code by Anthony Rees

VIDEO

InSpec Compliance as Code by Kent Picat Gruber

BLOG

What's the fuss with 'Compliance as Code' ? by Mario Platt

BLOG

Why building compliance into your code will benefit your entire company by Vanessa Wegner

BLOG

Compliance as Code with InSpec By Michael Ducy

BLOG

6 Benefits of Compliance as Code for the Enterprise by Cliff Almond

BLOG

Codifying Your Configuration Standards by Phil Dorczuk

TOOL

Inspec – Chef InSpec is a free and open-source framework for testing and auditing your applications and infrastructure.

TOOL

Compliance Masonry – Compliance Masonry is a command-line interface (CLI) that allows users to construct certification documentation using the OpenControl Schema.

Contributors

This project wouldn’t be possible without sponsorship from Practical DevSecOps and efforts from Atul Singh and Joshua Jebaraj

Start your journey today and upgrade your security career

Gain advanced security skills through our certification courses. Upskill today and get certified to become the top 1% cybersecurity engineers in the industry.