βΎοΈ Collection and Roadmap for everyone who wants DevSecOps. Hope your DevOps are more safe π
Last updated Jul 5, 2026
2.1k
Stars
426
Forks
0
Issues
+2
Stars/day
Attention Score
97
Language breakdown
Just 100.0%
βΈ Files
click to expand
README
Roadmap for everyone who wants DevSecOps.
What is DevSecOps and Why is it Important?
DevSecOps is a culture and practice that aims to integrate security into every phase of the software development lifecycle (SDLC). It emphasizes collaboration between Development, Security, and Operations teams. The goal is to build secure software from the ground up, reduce vulnerabilities, and ensure faster, safer deployments. This roadmap provides a curated list of resources and tools to help individuals and organizations implement DevSecOps practices.π Table of Contents
* 0. DevSecOps Overview * 1. Design * 2. Develop * 3. Build * 4. Test * 5. Deploy * 6. Operate and Monitorπ How to Use This Roadmap
This roadmap is designed to be a comprehensive guide for individuals and organizations looking to adopt or improve their DevSecOps practices. Here's how you can make the most of it:- Understand the Basics: If you're new to DevSecOps, start with the "What is DevSecOps and Why is it Important?" section to get a foundational understanding.
- View the Big Picture: The main Roadmap image provides a visual overview of the different stages and areas within DevSecOps. Use this to orient yourself.
- Explore Tools: The Tools section offers a curated list of software and services that can help you implement various DevSecOps capabilities.
- Dive into Resources: The Resources section is categorized by the DevSecOps lifecycle (Design, Develop, Build, Test, Deploy, Operate and Monitor). Each category contains links to articles, guides, and official documentation. You can explore these based on your specific needs or areas of interest.
- Focus on CI/CD Security: If your focus is on securing your pipelines, the Security of CICD section provides targeted resources.
- Contribute: This is a community-driven effort. If you have suggestions, find broken links, or want to add new resources, please see our CONTRIBUTING.md guide.
π Roadmap
π© Tools
This project includes a curated list of tools to help you implement DevSecOps practices. These tools cover various stages of the SDLC, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), secret management, threat modeling, component analysis, and more.β‘οΈ Explore the DevSecOps Tools List
This list is designed to help you quickly find and compare tools, reducing the time spent on searching and decision-making.
π¦ Resources
0. DevSecOps Overview
- Overview 1. DevSecOps in Wikipedia and Grokipedia 2. Zero to DevSecOps (OWASP Meetup) 3. DevSecOps What Why And How (BlackHat USA-19) 4. DevSecOps β Security and Test Automation (Mitre) 5. DevSecOps: Making Security Central To Your DevOps Pipeline 6. Strengthen and Scale security using DevSecOps 7. DSOVS (OWASP DevSecOps Verification Standard) 8. What is DevSecOps? (Github)1. Design
- Development Lifecycle 1. SDL(Secure Development Lifecycle) by Microsoft 2. OWASP's Software Assurance Maturity Model 3. Building Security In Maturity Model (BSIMM) 4. NIST's Secure Software Development Framework 5. DevSecOps basics: 9 tips for shifting left (Gitlab) 6. 6 Ways to bring security to the speed of DevOps (Gitlab) - Threat Model 1. What is Threat Modeling / Wikipedia 2. Threat Modeling by OWASP 3. Application Threat Modeling by OWASP 4. Agile Threat Modeling Toolkit 5. OWASP Threat Dragon2. Develop
- Secure Coding 1. Secure coding guide by Apple 2. Secure Coding Guidelines for Java SE 3. Go-SCP / Go programming language secure coding practices guide 4. Android App security best practices by Google 5. Securing Rails Applications3. Build
- SAST(Static Application Security Testing) 1. Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1 2. Announcing third-party code scanning tools: static analysis & developer security training 3. SAST levels defined by OWASP4. Test
- DAST(Dynamic Application Security Testing) 1. Dynamic Application Security Testing with ZAP and GitHub Actions 2. Dynamic Application Security Testing (DAST) in Gitlab 3. DAST using projectdiscovery Nuclei (github action) 4. ZAPCon 2021-Democratizing ZAP with test automation and domain specific languages 5. DAST levels defined by OWASP - Penetration testing 1. Penetration Testing at DevSecOps Speed5. Deploy
- Security Hardening & Config 1. CIS Benchmarks 2. DevSecOps in Kubernetes - Security Scanning 1. Best practices for scanning images (docker)6. Operate and Monitor
- RASP(Run-time Application Security Protection) 1. Runtime Application Self-Protection by rapid7 2. Jumpstarting your devsecops - Pipeline with IAST and RASP - Security Audit - Security Monitor 1. IAST(Interactive Application Security Testing) - IAST levels defined by OWASP 2. Metrics, Monitoring, Alerting - Security Analysis 1. Attack Surface Analysis Cheat Sheet by OWASPSecurity of CICD
- Github Actions
- Jenkins
Awesome Resources
- https://github.com/TaptuIT/awesome-devsecops
π Other roadmaps
|
|
|
| ------------------------------------------------------------ | ------------------------------------------------------------ |
| U.S. Department of Defense | Larry Maccherone |
|
| ππΌ Wrap Up
If you think the roadmap can be improved, please do open a PR with any updates and submit any issues. Also, I will continue to improve this, so you might want to star this repository to revisit.Idea from: Go Developer Roadmap
Contributors
π More in this category