This curriculum spans the technical and operational practices of a mature DevSecOps program, comparable to multi-quarter internal capability builds that integrate security testing across CI/CD, infrastructure, and application layers in large engineering organisations.
Module 1: Integrating Security Testing into CI/CD Pipelines
- Selecting appropriate SAST tools that support incremental analysis to minimize false positives in pull request validation.
- Configuring pipeline stages to fail builds based on severity thresholds while allowing risk-based waivers for legitimate exceptions.
- Managing tool execution timing by scheduling full scans during off-peak hours and lightweight scans during active development.
- Integrating security gate results into merge request interfaces to ensure developers address findings before code integration.
- Handling credential management for security tools within pipeline runners using short-lived tokens and vault integration.
- Ensuring pipeline logs do not expose sensitive vulnerability details to unauthorized team members through log sanitization.
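Worked example for the severity-threshold gate with risk-based waivers described above. This is added illustration code, not part of the curriculum or any tool it names; the finding shape, the waiver register and the sample results are constructed, and the fingerprint scheme (rule id, path and line) is one simple choice among several.

```python
"""Severity-threshold gate with risk-based waivers (constructed example).

Findings use a simplified, SARIF-like shape; waivers are keyed by a stable
fingerprint and carry an approver and an expiry date so that an exception
cannot silently live forever.
"""
from dataclasses import dataclass
from datetime import date
import hashlib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
TODAY = date(2024, 6, 1)  # fixed "current date" so the example is deterministic


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    severity: str

    def fingerprint(self) -> str:
        # Deterministic id used to match a waiver to exactly one finding location.
        raw = f"{self.rule_id}|{self.path}|{self.line}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


@dataclass(frozen=True)
class Waiver:
    fingerprint: str
    expires: date
    approver: str
    reason: str


def evaluate_gate(findings, waivers, threshold, today):
    """Return (passed, blocking, waived, expired_waivers).

    A finding blocks the build when its severity is at or above `threshold`
    and no unexpired waiver covers its fingerprint. Expired waivers are
    returned too, so the owning team sees that an exception has lapsed.
    """
    min_rank = SEVERITY_RANK[threshold]
    active = {w.fingerprint: w for w in waivers if w.expires >= today}
    expired = [w for w in waivers if w.expires < today]
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < min_rank:
            continue  # below the gate threshold: reported elsewhere, never blocking
        (waived if f.fingerprint() in active else blocking).append(f)
    return (not blocking, blocking, waived, expired)


def gate_exit_code(findings, waivers, threshold, today):
    """Map the gate decision to a CI exit status (0 = merge allowed)."""
    passed, blocking, waived, expired = evaluate_gate(findings, waivers, threshold, today)
    for f in blocking:
        print(f"BLOCK  {f.severity:8} {f.rule_id} {f.path}:{f.line} [{f.fingerprint()}]")
    for f in waived:
        print(f"WAIVED {f.severity:8} {f.rule_id} {f.path}:{f.line}")
    for w in expired:
        print(f"EXPIRED waiver {w.fingerprint} (approved by {w.approver}): {w.reason}")
    return 0 if passed else 1


# Constructed sample scan output and waiver register.
FINDINGS = [
    Finding("py/sql-injection", "app/db.py", 42, "critical"),
    Finding("py/weak-hash", "app/legacy.py", 10, "high"),
    Finding("py/debug-enabled", "app/settings.py", 3, "low"),
]
WAIVERS = [
    Waiver(FINDINGS[1].fingerprint(), date(2024, 12, 31), "appsec-lead",
           "MD5 used for a non-security checksum; tracked in the legacy-removal epic"),
    Waiver(Finding("py/xxe", "app/xml.py", 7, "high").fingerprint(), date(2024, 1, 31),
           "appsec-lead", "temporary exception while the XML parser was replaced"),
]

if __name__ == "__main__":
    raise SystemExit(gate_exit_code(FINDINGS, WAIVERS, "high", TODAY))
```

Keying the waiver on a fingerprint rather than a rule id keeps the exception narrow: a second occurrence of the same rule in another file is still blocked, and the expiry forces the exception to be re-approved rather than forgotten.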
Module 2: Static Application Security Testing (SAST) at Scale
- Defining custom rulesets to reduce noise from framework-generated or third-party library code.
- Implementing context-aware analysis to distinguish between exploitable and non-exploitable code paths.
- Establishing ownership workflows for triaging and assigning SAST findings to development teams based on code ownership.
- Managing performance impact by analyzing only changed files in large monorepos with distributed scanning.
- Integrating SAST results into developer IDEs with real-time feedback without disrupting coding flow.
- Archiving and versioning SAST baselines to track remediation progress across releases.
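Worked example for the incremental (changed-files-only) scoping and the baseline versioning described in this module. It is added illustration code, not taken from the curriculum or any SAST product; the finding records, the baseline and the changed-file list are constructed, and the snippet-based fingerprint is an assumption chosen so that a finding that merely moves within a file is not reported as new.

```python
"""SAST baseline diffing and changed-file scoping (constructed example).

Fingerprints hash the rule id, path and the whitespace-normalized code snippet
rather than the line number, so a finding that moves down the file is still
'persisting' and the release-over-release diff shows only real changes.
"""
import hashlib


def fingerprint(finding):
    snippet = " ".join(finding["snippet"].split())  # ignore re-indentation and spacing
    raw = f"{finding['rule_id']}|{finding['path']}|{snippet}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def scope_to_changed_files(findings, changed_files):
    """Keep only findings in files touched by the change under review."""
    changed = set(changed_files)
    return [f for f in findings if f["path"] in changed]


def diff_against_baseline(baseline, current):
    """Classify findings as new, fixed (baseline only) or persisting (in both)."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    order = lambda f: (f["path"], f["rule_id"])
    return {
        "new": sorted((cur[k] for k in cur.keys() - base.keys()), key=order),
        "fixed": sorted((base[k] for k in base.keys() - cur.keys()), key=order),
        "persisting": sorted((cur[k] for k in cur.keys() & base.keys()), key=order),
    }


def remediation_rate(baseline, current):
    """Share of baseline findings no longer present: the release-level KPI."""
    if not baseline:
        return 1.0
    return len(diff_against_baseline(baseline, current)["fixed"]) / len(baseline)


# Constructed archived baseline (release v1) and a fresh scan (release v2).
BASELINE_V1 = [
    {"rule_id": "py/sql-injection", "path": "app/db.py", "line": 40,
     "snippet": 'cursor.execute("SELECT * FROM users WHERE id = " + uid)'},
    {"rule_id": "py/weak-hash", "path": "app/legacy.py", "line": 10,
     "snippet": "digest = hashlib.md5(data).hexdigest()"},
]
SCAN_V2 = [
    # Same SQL finding, shifted three lines and re-indented: must not count as new.
    {"rule_id": "py/sql-injection", "path": "app/db.py", "line": 43,
     "snippet": '    cursor.execute("SELECT * FROM users WHERE id = "  +  uid)'},
    {"rule_id": "py/hardcoded-secret", "path": "app/auth.py", "line": 5,
     "snippet": 'SIGNING_KEY = "placeholder"'},
]
CHANGED_IN_PR = ["app/auth.py", "README.md"]

if __name__ == "__main__":
    d = diff_against_baseline(BASELINE_V1, SCAN_V2)
    for label in ("new", "fixed", "persisting"):
        print(f"{label}: {[f['rule_id'] for f in d[label]]}")
    print("PR-scoped:", [f["rule_id"] for f in scope_to_changed_files(SCAN_V2, CHANGED_IN_PR)])
    print("remediation rate:", remediation_rate(BASELINE_V1, SCAN_V2))
```

In a pull-request stage the scoped list is what developers see; the full diff against the archived baseline is what a release report tracks.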
Module 3: Dynamic Application Security Testing (DAST) in Pre-Production
- Configuring DAST tools to authenticate into test environments using service accounts without hardcoding credentials.
- Scheduling DAST scans after deployment to staging environments to ensure accurate coverage of running services.
- Limiting scan aggressiveness to avoid disrupting shared test environments or triggering rate-limiting controls.
- Mapping DAST findings to specific API endpoints and versioned deployments for accurate tracking.
- Validating scan coverage by comparing discovered endpoints against documented API specifications.
- Coordinating DAST execution with penetration testing teams to avoid duplicate efforts and conflicting scan activity.
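Worked example for validating DAST coverage against a documented API specification (the comparison described above). It is added illustration code, not from the curriculum or any scanner; the specification is a constructed OpenAPI-style path-to-methods mapping, the discovered endpoints are constructed crawl output, and the hostname is a placeholder.

```python
"""DAST coverage check against an OpenAPI-style path list (constructed example).

Path templates such as /users/{id} are compiled to regexes so that crawled,
parameterised URLs map back to the documented operation they exercised.
"""
import re
from urllib.parse import urlsplit


def template_to_regex(template):
    # Split on {param} placeholders; escape literal segments, match a param as one path segment.
    parts = re.split(r"(\{[^/}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def normalize_path(url_or_path):
    # Drop scheme/host/query and trailing slash so variants of one URL compare equal.
    path = urlsplit(url_or_path).path or "/"
    return path if path == "/" else path.rstrip("/")


def coverage_report(spec, discovered):
    """spec: {template: [methods]}; discovered: iterable of (method, url).

    Returns documented operations that were covered or not, plus discovered
    (method, path) pairs the specification does not describe at all.
    """
    compiled = {t: template_to_regex(t) for t in spec}
    ops = {(m.upper(), t) for t, methods in spec.items() for m in methods}
    seen = {(m.upper(), normalize_path(u)) for m, u in discovered}
    covered, undocumented = set(), []
    for method, path in sorted(seen):
        hits = [t for t, rx in compiled.items() if rx.match(path) and (method, t) in ops]
        if hits:
            covered.update((method, t) for t in hits)
        else:
            undocumented.append((method, path))  # path or method absent from the spec
    return {"covered": sorted(covered), "uncovered": sorted(ops - covered),
            "undocumented": undocumented}


def coverage_ratio(report):
    total = len(report["covered"]) + len(report["uncovered"])
    return len(report["covered"]) / total if total else 0.0


# Constructed specification and constructed scanner output.
SPEC = {"/users": ["get", "post"], "/users/{id}": ["get", "delete"], "/health": ["get"]}
DISCOVERED = [
    ("GET", "https://staging.example.test/users"),
    ("GET", "/users/42?expand=1"),
    ("get", "/health/"),
    ("GET", "/admin/debug"),   # reachable but not in the spec
    ("PUT", "/users/42"),      # documented path, undocumented method
]

if __name__ == "__main__":
    report = coverage_report(SPEC, DISCOVERED)
    for k, v in report.items():
        print(f"{k}: {v}")
    print(f"coverage: {coverage_ratio(report):.0%}")
```

Both gaps matter: uncovered operations mean the scan never exercised documented functionality, while undocumented endpoints point at code the specification (and therefore the threat model) does not know about.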
Module 4: Software Composition Analysis (SCA) and Third-Party Risk
- Enforcing SCA policy checks during dependency upgrades to block known vulnerable versions in pull requests.
- Mapping open-source components to business-critical applications for risk prioritization during incident response.
- Handling license compliance risks by integrating legal review workflows for high-risk licenses.
- Automating patch feasibility checks by correlating vulnerability severity with available fixes or workarounds.
- Managing transitive dependencies by generating dependency trees and identifying indirect exposure paths.
- Integrating SCA findings into asset inventory systems to maintain an accurate software bill of materials (SBOM).
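Worked example for the transitive-dependency analysis in this module: generating the exposure paths from an application to a vulnerable package and identifying the direct dependencies through which it is pulled in. This is added illustration code, not from the curriculum or any SCA tool; the dependency graph and package names are constructed.

```python
"""Transitive-dependency exposure paths (constructed example).

Given a resolved dependency graph, list every path from the application root
to a vulnerable package and identify which direct dependencies pull it in:
those are the upgrade or pin points an SCA policy can act on in a pull request.
"""


def exposure_paths(graph, root, target):
    """All simple paths root -> ... -> target in DFS order (cycles are skipped)."""
    paths = []

    def walk(node, path, seen):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, ()):
            if dep not in seen:
                walk(dep, path + [dep], seen | {dep})

    walk(root, [root], {root})
    return paths


def upgrade_points(graph, root, target):
    """Direct dependencies of root through which the vulnerable package is reachable."""
    return sorted({p[1] for p in exposure_paths(graph, root, target) if len(p) > 1})


def is_direct(graph, root, target):
    return target in graph.get(root, ())


def summarize(graph, root, target):
    paths = exposure_paths(graph, root, target)
    return {
        "reachable": bool(paths),
        "direct": is_direct(graph, root, target),
        "shortest_depth": min((len(p) - 1 for p in paths), default=None),
        "upgrade_points": upgrade_points(graph, root, target),
        "paths": [" -> ".join(p) for p in paths],
    }


# Constructed lock-file style graph: package -> resolved dependencies.
GRAPH = {
    "app": ["web-framework", "http-client", "yaml-lib"],
    "web-framework": ["http-client", "template-engine"],
    "http-client": ["url-parser"],
    "template-engine": ["url-parser"],
    "url-parser": [],
    "yaml-lib": [],
}

if __name__ == "__main__":
    for key, value in summarize(GRAPH, "app", "url-parser").items():
        print(f"{key}: {value}")
```

The upgrade points are the actionable output: bumping or pinning `url-parser` at the root fixes nothing if `web-framework` still resolves its own copy, so each direct dependency on a path needs a fixed release or an explicit override.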
Module 5: Secrets Detection and Configuration Hardening
- Deploying pre-commit hooks to detect hardcoded secrets in source code before it is pushed to remote repositories.
- Configuring secrets scanning to support custom regex patterns for organization-specific credential formats.
- Integrating with cloud provider APIs to automatically revoke exposed API keys detected in public repositories.
- Differentiating between test, development, and production secrets to avoid false positives in non-sensitive contexts.
- Establishing response playbooks for incidents involving leaked credentials, including rotation timelines and impact assessment.
- Scanning container images and infrastructure-as-code templates for embedded secrets prior to deployment.
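Worked example covering three items of this module: custom regex patterns for an organization-specific credential format, an entropy check that keeps placeholders out of the results, and the distinction between test and production secrets. It is added illustration code, not from the curriculum or any secrets scanner; the `acme_live_`/`acme_test_` key format, the sample files and the credential values in them are all constructed.

```python
"""Secrets detection with organization-specific patterns and context triage
(constructed example; 'acme_live_' / 'acme_test_' is a made-up key format).

Format-based rules are authoritative. The generic assignment rule is backed by
a Shannon-entropy check so placeholder values do not become findings. Test
credentials and test directories are downgraded rather than dropped, so they
still appear in reports without blocking a commit.
"""
import math
import re

PATTERNS = {
    # Constructed org-specific key format: environment prefix + 24 alphanumerics.
    "acme-api-key": re.compile(r"\b(?P<value>acme_(?P<env>live|test)_[A-Za-z0-9]{24})\b"),
    # Generic: an identifier containing secret/password/token assigned a quoted literal.
    "generic-credential": re.compile(
        r"(?i)(?:secret|password|token)\s*[:=]\s*['\"](?P<value>[^'\"]{12,})['\"]"),
}
ENTROPY_FLOOR = 3.5  # bits per character; placeholders such as REPLACE_ME sit well below


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def classify(path, match):
    """Severity: 'low' for test-context secrets, 'high' otherwise."""
    if match.groupdict().get("env") == "test" or path.startswith("tests/"):
        return "low"
    return "high"


def scan_lines(path, lines):
    findings = []
    for lineno, line in enumerate(lines, 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group("value")
                if rule == "generic-credential" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue  # low-entropy literal: a placeholder, not a credential
                findings.append({
                    "path": path, "line": lineno, "rule": rule,
                    "severity": classify(path, m),
                    "entropy": round(shannon_entropy(value), 2),
                    # Never echo the full value into hook output or CI logs.
                    "redacted": value[:4] + "..." + value[-2:],
                })
    return findings


def scan_files(files):
    """files: {path: [lines]}, the staged content a pre-commit hook would read."""
    out = []
    for path, lines in files.items():
        out.extend(scan_lines(path, lines))
    return out


# Constructed staged files; every value below is made up.
SAMPLE_FILES = {
    "app/config.py": [
        'API_KEY = "acme_live_Ab3dEf6hIj9kLm2nOp5qRs8t"',
        'DB_PASSWORD = "REPLACE_ME_REPLACE_ME"',
        'token = "7Qx9vLm2pZr4Ks8Tn3Wb6Yd1"',
    ],
    "tests/fixtures.py": ['API_KEY = "acme_test_Zz1yXx2wVv3uTt4sRr5qPp6o"'],
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['severity']:5} {f['path']}:{f['line']} {f['rule']} "
              f"(entropy {f['entropy']}) {f['redacted']}")
```

A hook built on this would block on any `high` finding and merely report `low` ones; the redacted form is what should reach logs and tickets, so that the detection itself does not become a second leak.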
Module 6: Infrastructure as Code (IaC) Security
- Applying policy-as-code frameworks to validate IaC templates against security baselines during merge requests.
- Mapping IaC misconfigurations to cloud compliance standards such as CIS or PCI DSS for audit reporting.
- Handling environment-specific exceptions by defining policy exemptions with expiration and approval requirements.
- Integrating IaC scanning into Terraform Cloud or AWS CloudFormation workflows to enforce pre-deployment checks.
- Correlating IaC findings with runtime configuration drift using cloud security posture management tools.
- Managing false positives in IaC rules by refining policies based on cloud provider service updates and deprecations.
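Worked example for the policy-as-code validation and compliance mapping in this module, evaluated over the JSON form of a Terraform plan. This is added illustration code, not from the curriculum or any policy engine; the plan is constructed in the shape of `terraform show -json` output, and the control identifiers attached to the rules are placeholders, not actual CIS benchmark numbers.

```python
"""Policy-as-code checks over a Terraform plan (constructed example).

Input follows the shape of `terraform show -json` output
(planned_values.root_module.resources). Each rule returns violation messages
for one resource and carries a control id for audit reporting; the control ids
below are placeholders, not real benchmark references.
"""
ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_sg_no_open_admin_ports(res):
    if res["type"] != "aws_security_group":
        return []
    out = []
    for rule in res["values"].get("ingress", []):
        cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if cidrs & ANYWHERE and exposed:
            out.append(f"ingress {lo}-{hi} from {sorted(cidrs & ANYWHERE)} covers admin port(s) {exposed}")
    return out


def rule_s3_public_access_block_complete(res):
    if res["type"] != "aws_s3_bucket_public_access_block":
        return []
    wanted = ("block_public_acls", "block_public_policy",
              "ignore_public_acls", "restrict_public_buckets")
    missing = [k for k in wanted if not res["values"].get(k)]
    return [f"public access block leaves {missing} disabled"] if missing else []


RULES = [
    {"id": "SG-ADMIN-INGRESS", "control": "CIS-AWS-PLACEHOLDER-A", "severity": "high",
     "check": rule_sg_no_open_admin_ports},
    {"id": "S3-PAB-COMPLETE", "control": "CIS-AWS-PLACEHOLDER-B", "severity": "medium",
     "check": rule_s3_public_access_block_complete},
]


def evaluate_plan(plan, rules=RULES):
    violations = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        for rule in rules:
            for msg in rule["check"](res):
                violations.append({"rule": rule["id"], "control": rule["control"],
                                   "severity": rule["severity"],
                                   "address": res["address"], "message": msg})
    return violations


def audit_summary(violations):
    """Group offending resource addresses by mapped control for the compliance report."""
    by_control = {}
    for v in violations:
        by_control.setdefault(v["control"], []).append(v["address"])
    return by_control


# Constructed plan: one bastion security group and one bucket public-access block.
PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group", "name": "bastion",
     "values": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 3389, "to_port": 3389, "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"address": "aws_s3_bucket_public_access_block.logs",
     "type": "aws_s3_bucket_public_access_block", "name": "logs",
     "values": {"block_public_acls": True, "block_public_policy": True,
                "ignore_public_acls": False, "restrict_public_buckets": True}},
]}}}

if __name__ == "__main__":
    found = evaluate_plan(PLAN)
    for v in found:
        print(f"{v['severity']:6} {v['rule']} {v['address']}: {v['message']}")
    print(audit_summary(found))
```

Running this against the plan artifact in a merge request gives a deterministic verdict before anything is applied, and the control grouping is the piece an auditor wants rather than the raw tool output.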
Module 7: Security Testing Orchestration and Metrics
- Aggregating results from multiple security tools into a centralized dashboard with consistent severity scoring.
- Defining KPIs such as mean time to detect, fix, and verify vulnerabilities across teams and applications.
- Implementing feedback loops to measure tool efficacy by tracking false positive rates and remediation completion.
- Orchestrating scan sequences to avoid tool contention and optimize resource utilization in shared environments.
- Generating compliance evidence packages by exporting scan results with timestamps and execution contexts.
- Integrating security metrics into sprint retrospectives to drive accountability and improvement in development practices.
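Worked example for aggregating results from several tools under one severity scale and deriving the KPIs named in this module (mean time to remediate and false-positive rate). This is added illustration code, not from the curriculum or any dashboard product; the two tool formats (`sast-alpha` reporting a CVSS-style score, `dast-beta` reporting vendor labels) and the finding records are constructed.

```python
"""Cross-tool severity normalization and remediation KPIs (constructed example).

Two made-up tool formats are mapped onto one severity scale; then mean time to
remediate (MTTR) and false-positive rate are computed per tool and per team.
"""
from datetime import datetime
from statistics import mean


def severity_from_cvss(score):
    # CVSS v3.x qualitative rating bands.
    if score == 0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


LABEL_MAP = {"info": "low", "warning": "medium", "error": "high", "blocker": "critical"}  # constructed vendor labels


def normalize(raw):
    """Map a raw record from either tool format onto the common schema."""
    if raw["tool"] == "sast-alpha":      # reports a numeric CVSS-style score
        sev = severity_from_cvss(raw["score"])
    elif raw["tool"] == "dast-beta":     # reports vendor labels
        sev = LABEL_MAP[raw["level"]]
    else:
        raise ValueError(f"unknown tool format: {raw['tool']}")
    return {"id": raw["id"], "tool": raw["tool"], "team": raw["team"], "severity": sev,
            "opened": datetime.fromisoformat(raw["opened"]),
            "closed": datetime.fromisoformat(raw["closed"]) if raw.get("closed") else None,
            "disposition": raw.get("disposition", "open")}


def mttr_days(findings, key):
    """Mean open-to-closed time in days for fixed findings, grouped by `key` ('team' or 'tool')."""
    groups = {}
    for f in findings:
        if f["disposition"] == "fixed" and f["closed"]:
            days = (f["closed"] - f["opened"]).total_seconds() / 86400
            groups.setdefault(f[key], []).append(days)
    return {k: round(mean(v), 2) for k, v in groups.items()}


def false_positive_rate(findings):
    """Share of each tool's findings that triage marked as false positives."""
    rates = {}
    for tool in sorted({f["tool"] for f in findings}):
        of_tool = [f for f in findings if f["tool"] == tool]
        fp = sum(1 for f in of_tool if f["disposition"] == "false_positive")
        rates[tool] = round(fp / len(of_tool), 2)
    return rates


# Constructed exports from two tools, already enriched with triage dispositions.
RAW = [
    {"id": "A-1", "tool": "sast-alpha", "team": "payments", "score": 9.8,
     "opened": "2024-03-01T09:00:00", "closed": "2024-03-03T09:00:00", "disposition": "fixed"},
    {"id": "A-2", "tool": "sast-alpha", "team": "payments", "score": 5.3,
     "opened": "2024-03-01T09:00:00", "closed": "2024-03-02T09:00:00", "disposition": "false_positive"},
    {"id": "B-1", "tool": "dast-beta", "team": "payments", "level": "error",
     "opened": "2024-03-02T00:00:00", "closed": "2024-03-08T00:00:00", "disposition": "fixed"},
    {"id": "B-2", "tool": "dast-beta", "team": "identity", "level": "blocker",
     "opened": "2024-03-05T00:00:00", "closed": "2024-03-06T12:00:00", "disposition": "fixed"},
    {"id": "B-3", "tool": "dast-beta", "team": "identity", "level": "info",
     "opened": "2024-03-05T00:00:00"},
]
FINDINGS = [normalize(r) for r in RAW]

if __name__ == "__main__":
    print("severities:", {f["id"]: f["severity"] for f in FINDINGS})
    print("MTTR by team:", mttr_days(FINDINGS, "team"))
    print("MTTR by tool:", mttr_days(FINDINGS, "tool"))
    print("false-positive rate:", false_positive_rate(FINDINGS))
```

Normalizing before computing KPIs is the point: an MTTR that mixes one tool's "blocker" with another's CVSS 9.8 is only meaningful once both land on the same scale, and the false-positive rate per tool is the number that justifies tuning or replacing a scanner.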
Module 8: Threat Modeling and Test Case Prioritization
- Conducting architecture-level threat modeling during design sprints to identify high-risk components for targeted testing.
- Mapping STRIDE threats to specific security testing activities such as DAST, SAST, or manual review.
- Prioritizing test coverage based on data sensitivity, exposure surface, and business impact of affected systems.
- Updating threat models following major architectural changes or incident post-mortems.
- Integrating threat model outputs into CI/CD pipelines to trigger additional security checks for high-risk changes.
- Documenting threat modeling sessions with actionable findings and assigning ownership for mitigation tracking.
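Worked example for three items of this module: mapping STRIDE threats to testing activities, prioritizing by data sensitivity, exposure and business impact, and using threat-model output to trigger extra pipeline checks for high-risk changes. It is added illustration code, not from the curriculum; the component list, the three-point rating scale, the path-to-component mapping and the high-risk cutoff are all constructed assumptions.

```python
"""Threat-model-driven pipeline triggers (constructed example).

Components from a threat model carry STRIDE threats and three 1-3 risk ratings.
A changeset is mapped to components by path prefix, each touched component is
scored, and the extra checks for high-risk components come from the
STRIDE-to-test mapping.
"""
STRIDE_TESTS = {
    "spoofing": {"sast", "manual-review"},
    "tampering": {"sast", "dast"},
    "repudiation": {"manual-review"},
    "information_disclosure": {"dast", "secrets-scan"},
    "denial_of_service": {"dast"},
    "elevation_of_privilege": {"sast", "dast", "manual-review"},
}
BASELINE_CHECKS = {"sast"}  # always runs, regardless of risk
HIGH_RISK = 12              # product of three 1-3 ratings; constructed cutoff

# Constructed threat-model output: one record per architecture component.
THREAT_MODEL = [
    {"component": "auth-service", "paths": ["services/auth/"],
     "sensitivity": 3, "exposure": 3, "impact": 3,
     "threats": ["spoofing", "elevation_of_privilege"]},
    {"component": "report-worker", "paths": ["services/reports/"],
     "sensitivity": 2, "exposure": 1, "impact": 2,
     "threats": ["information_disclosure"]},
    {"component": "docs-site", "paths": ["docs/"],
     "sensitivity": 1, "exposure": 3, "impact": 1,
     "threats": ["tampering"]},
]


def risk_score(component):
    return component["sensitivity"] * component["exposure"] * component["impact"]


def prioritized(model):
    """Components ordered for test coverage, highest risk first."""
    return [c["component"] for c in sorted(model, key=risk_score, reverse=True)]


def components_for_change(model, changed_files):
    return [c for c in model
            if any(f.startswith(p) for f in changed_files for p in c["paths"])]


def plan_checks(model, changed_files):
    """Decide which pipeline checks a change must run, given the threat model."""
    touched = components_for_change(model, changed_files)
    checks = set(BASELINE_CHECKS)
    high_risk = []
    for c in touched:
        if risk_score(c) >= HIGH_RISK:
            high_risk.append(c["component"])
            for threat in c["threats"]:
                checks |= STRIDE_TESTS[threat]
    return {"touched": [c["component"] for c in touched],
            "high_risk": high_risk, "checks": sorted(checks)}


if __name__ == "__main__":
    print("priority order:", prioritized(THREAT_MODEL))
    print(plan_checks(THREAT_MODEL, ["services/auth/token.py", "docs/index.md"]))
    print(plan_checks(THREAT_MODEL, ["docs/index.md"]))
```

The decision is data-driven from the threat model rather than from a static pipeline definition, so updating the model after an architectural change or a post-mortem changes what the pipeline demands without editing the pipeline itself.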