The Complete DevSecOps Course with Docker and Kubernetes, Udemy (Stefan Toshkov Zhelyazkov), 2024
Master Apparmor, Clair, Quay, Anchore, Swarm, Portainer, Rancher, KubeBench, Prometheus and more for DevOps security
This course is a complete step-by-step guide to implementing security best practices and tools in your DevOps framework. You will start from the very basics by exploring the DevOps architecture and how it relates to DevSecOps. Then you will learn the two main container management platforms: Docker and Kubernetes. You will master container management, working with Dockerfiles, getting and building your own container images and optimizing them.
In the remaining sections you will master adding an extra security layer to your DevOps tools. First, you will learn how to use the Docker Registry and build a registry of your own. I will show you how to use Docker Content Trust and protect your Docker daemon and host by applying AppArmor and Seccomp security profiles, running Docker Bench for Security and auditing your Docker host. You will also learn how to analyze your Docker images for vulnerabilities and protect them from tampering using Clair, Quay, Anchore and the CVE database. You will explore how to create and manage Docker secrets, networks and port mapping. You will be able to use security monitoring tools such as cAdvisor, Dive and Falco, and administration tools such as Portainer, Rancher and OpenShift.
❗️ Official page
📌 GitHub
#education #SecDevOps
A small collection of AWS Security video tutorials (theory and practice, with demos)
Amazon Web Services, Inc. (AWS) is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered, pay-as-you-go basis.
Theory introduction:
📌 AWS Security Specialty Certification Full Course by Computer Networks Decoded, 2023
📌 AWS Security Specialty Certification by , 2022
📌 Brief AWS Security Services by Great Learning, 2022
📌 AWS Cloud Security Foundations Test with Answers by Anand K, 2023
Practical Tutorials:
📌 AWS Security Videos | Learn with Demo by LearnCloud, 2017/2020
📌 AWS VPC Tutorial Videos by Simplilearn, 2024
📌 AWS Security Tutorial / Security Crash by MLOps School, 2022
#education #SecDevOps
Certified Kubernetes Security Specialist (CKS) Study Guide by Benjamin Muschko, 2025
If you're preparing for the CKS exam📘 or looking to deepen your understanding of Kubernetes security, this book is a must-read. It provides:
In-depth coverage of the CKS curriculum:
📌 Real-world scenarios and use cases to understand attack vectors and mitigation
📌 Hands-on examples for tools like kube-bench, Trivy, Falco, and AppArmor
📌 Guidance on securing the supply chain, hardening the system, and monitoring runtime security
#book #SecDevOps #exam
Attacking CI/CD by Reza (DevSecOps Guides), 2025
In CI/CD (Continuous Integration/Continuous Deployment) environments, several methods and attacks can compromise security. Code Injection involves injecting malicious code into the build pipeline, exploiting vulnerabilities in the build system or dependencies, potentially leading to the execution of unauthorized commands or access to sensitive data. Dependency Attacks target vulnerabilities in third-party libraries or dependencies used in the CI/CD pipeline, exploiting them to introduce malicious code or cause failures. Artifact Tampering manipulates the build artifacts (e.g., binaries, containers) to include malicious payloads or vulnerabilities, which can be deployed to production systems. Pipeline Hijacking involves gaining unauthorized access to the CI/CD environment to alter build configurations, steal secrets, or inject malicious code into the pipeline.
Credential Exposure occurs when sensitive credentials or secrets (e.g., API keys, tokens) are hardcoded or improperly managed, making them accessible to attackers who can use them to gain unauthorized access. Phishing and Social Engineering tactics target developers or CI/CD administrators to trick them into revealing access credentials or executing malicious commands. Denial of Service (DoS) attacks can overwhelm CI/CD systems, disrupting the build and deployment processes. Misconfiguration of CI/CD tools and environments can inadvertently expose systems or data, leading to potential security breaches. Each of these methods requires vigilant security practices, including secure coding, regular dependency audits, and robust access controls, to mitigate risks in CI/CD workflows.
• CI Debug Enabled;
• Default permissions used on risky events;
• GitHub Action from Unverified Creator used;
• If condition always evaluates to true;
• Injection with Arbitrary External Contributor Input;
• Job uses all secrets;
• Unverified Script Execution;
• Arbitrary Code Execution from Untrusted Code Changes;
• Unpinnable CI component used;
• Pull Request Runs on Self-Hosted GitHub Actions Runner;
• Mitigation Strategies;
• Example GitHub Actions Workflow;
• RCE via Git Clone;
• Resources
See also:
📌 Attacking and Securing CI/CD Pipeline by Hiroki Suezawa, October 20, 2021
#SecDevOps
Attacking Pipeline by Reza (DevSecOps Guides), 2025
DevOps pipelines, which integrate and automate the processes of software development and IT operations, have become critical for rapid and continuous software delivery. However, their extensive automation and integration capabilities make them attractive targets for cyberattacks. One significant threat is the insertion of malicious code through compromised repositories or Continuous Integration/Continuous Deployment (CI/CD) tools. Attackers can exploit vulnerabilities in pipeline tools or use social engineering to gain access, allowing them to insert backdoors or malware into the codebase.
Furthermore, the reliance on third-party tools and libraries within these pipelines can introduce security risks if these dependencies are not adequately vetted or monitored. Once the pipeline is compromised, the malicious code can propagate quickly, leading to widespread and potentially catastrophic impacts on production environments.
Security issues in DevOps pipelines also stem from misconfigurations and insufficient access controls. Often, credentials and sensitive data are inadvertently exposed through improper configuration management or poor secret handling practices, such as hardcoding credentials within scripts. Inadequate segmentation and over-privileged access can also exacerbate the problem, allowing attackers who gain a foothold in one part of the pipeline to move laterally and escalate their privileges. Abuse of the pipeline can result in unauthorized deployment of code, data breaches, and significant disruption to services. To mitigate these risks, organizations need to implement robust security practices, including regular security audits, continuous monitoring, strict access controls, and the use of security tools designed to detect and prevent threats within the DevOps lifecycle.
• DevOps resources compromise;
• Control of common registry;
• Direct PPE (d-PPE);
• Indirect PPE (i-PPE);
• Public PPE;
• Changes in repository;
• Inject in Artifacts;
• User/Services credentials;
• Typosquatting docker registry image;
• Resources.
See also:
📌 Compromising CI/CD Pipelines with Leaked Credentials by Security Zines, 2022
📌 Attacking GitLab CI_CD via Shared Runners by Denis Andzakovic, 2023
📌 Compromising the Code: Inside CI/CD Pipeline Attacks, Urshila Ravindran, 2025
📌 Securing CI/CD Pipelines: Common Misconfigurations and Exploits Paths by Charlie Klein, 2025
#SecDevOps
Embold Static Code Analysis Platform
Embold is a static code analyzer that belongs in any DevSecOps process. It lets you manage and control the quality of software development projects.
Embold is free for open-source projects and is available as an on-premises solution or as SaaS; in the latter case all data is stored securely in the cloud, and the connection between browsers and the tool is encrypted with SSL.
The free plan includes 5 user seats and 5 code scans of up to 50 thousand lines.
❗️ Official page
#AppSec #SecDevOps
Yandex Cloud Security Solution Library, Yandex, 2023
Yandex Cloud Security Solution Library is a set of examples and recommendations collected in public GitHub repositories. They help companies that want to build a secure infrastructure in Yandex Cloud and meet the requirements of various regulators and standards.
The Yandex Cloud team worked through the most common tasks that arise when building security in the cloud, tested them and described the necessary scenarios in detail.
❗️GitHub
#SecDevOps
DevSecOps - Implementing Secure CI/CD Pipelines Video Series by Kunal Pachauri, 2019
This series provides an overview of how DevSecOps emerged and what a CI/CD pipeline looks like from an architectural point of view.
❗️See YouTube playlist
#education #SecDevOps
Awesome Cloud Security Labs by iknowjason, 2025
Awesome free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs
❗️GitHub
By category:
📌 AWS;
📌 Azure;
📌 GCP;
📌 Kubernetes;
📌 Container;
📌 Terraform;
📌 Research Labs;
📌 CI/CD.
See also:
➡️Awesome Cloud Security Resources
#SecDevOps
The new AppSec Table Top methodology: how to build secure development processes effectively and painlessly
The AppSec (application security) industry in Russia is in a stage of active development. Even companies with mature secure development processes face a number of unique challenges:
📌 an acute shortage of specialists and expertise;
📌 the absence of a methodology and maturity assessment model close to Russian realities and accounting for regulators' requirements;
📌 the need to explain to R&D teams why secure development must be built into the software development lifecycle.
This complicates the application of international standard AppSec methods and requires adaptation to specific Russian conditions.
To solve the problem, it is necessary to develop local expertise, work out one's own approach to protecting web applications and create open resources. That is why we have formed our own secure development methodology, AppSec Table Top.
❗️ Official page
⛳️ Article on Habr
#SecDevOps
An example of an insecure network policy in the default namespace for pods in an AWS environment (via K8s)
The example shows a basic config with line-by-line comments on some of its security weaknesses. Now, in the comments, propose your own view: which lines to change, and which commands or parameters to add, to make this config as secure as possible!
🔻 See the YAML source file below 🔻
#SecDevOps
This is a sample insecure config implementing the Infrastructure-as-Code (IaC) approach in Terraform syntax for a standard AWS environment
All weaknesses present in the code are marked line by line. Now write in the comments which commands or parameters need to be added or replaced so that this sample becomes as reasonably secure as possible!
🔻 The config file is posted below this post 🔻
⚠️ The answer to the task will be published in a day
#SecDevOps
Practical Cloud Security Handbook: Secure cloud deployments with AWS, Azure, GCP, and IBM Cloud, Shiv Kumar, 2025
This handbook systematically guides you from cloud security fundamentals, including the shared responsibility model, through various cloud-native architectural patterns and top cloud workloads like IAM, VPC, and containerization. You will gain a deep understanding of core security concepts, such as encryption and protocols, and then explore the practical, multi-cloud configurations for securing storage, network services, and identity access management across AWS, Azure, IBM, and GCP. The book progresses to vital operational security aspects like monitoring, encryption application, and robust testing. It further explores modern approaches like security as code, offering best practices for both cloud-native and non-cloud-native implementations, integrates DevSecOps principles, and concludes with crucial compliance and regulatory considerations.
Upon completing this handbook, you will possess a comprehensive, hands-on understanding of cloud security, enabling you to design, implement, and maintain secure cloud environments and confidently address today's complex cybersecurity challenges.
What you will learn:
- Secure workloads across AWS, Azure, GCP, and IBM.
- Implement Zero Trust security architectures.
- Use infrastructure as code for secure deployments.
- Set up DevSecOps pipelines with Jenkins and GitHub.
- Explore IAM, encryption, and network security controls.
- Detect and respond to security breaches effectively.
- Apply DevSecOps, Zero Trust, and compliance best practices.
#book #SecDevOps
Container Attack & Defend, Hadess, 2025
This comprehensive guide will transform you from a container security observer into a battle-tested warrior, equipped with both the attacker's mindset and the defender's arsenal.
We'll explore the dark arts of container exploitation alongside the noble science of container defense, because in cybersecurity, you must think like your enemy to protect what matters most.
❗️Main page
#SecDevOps
Examples of findings/security issues "Overly Permissive RBAC Configurations" and "Missing Network Segmentation Controls" for Kubernetes (default config) according to the OWASP K8S classification
Overly permissive RBAC means roles have more permissions than needed, potentially allowing attackers to escalate privileges.
Missing network segmentation controls mean workloads can freely communicate, increasing the risk of lateral movement in case of a breach.
See also:
📌 Kubernetes Hardening Best Practices You Can’t Ignore
📌 Kontra OWASP Top 10 for Kubernetes
#SecDevOps
DevSecOps Assessment Framework (DAF) by Jet, 2025
There are many useful frameworks for assessing secure development processes, for example SAMM, BSIMM, DSOMM and MSDL. There are also best practices, benchmarks and recommended approaches to protecting containers and container orchestration environments, such as the NSA Kubernetes Hardening Guide or, for example, CIS for Kubernetes. In addition, there are many tools that raise the level of protection when establishing and improving DevSecOps processes (SAST, DAST, SCA, container security, secret management and others), each with its own recommendations on configuration and use. But there is no single resource describing exactly what to do, and in what order, to build a secure development process, as well as to objectively assess the current maturity level of secure development and understand where to go next.
The DevSecOps Assessment Framework (DAF) is intended to solve this problem. It includes not just a set of recommendations and best approaches from different areas of DevSecOps, but also the extensive expert experience of our community, structured and adapted to modern realities. Some practices from well-known frameworks are not included in DAF, while new and more detailed ones have been formed. All models, domains, subdomains and practices are described in plain language to avoid ambiguity and differing interpretations.
❗️GitHub
#SecDevOps
Kubernetes Goat is an interactive Kubernetes security learning playground. It has intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.
🔻 Main page
✏️ MITRE ATT&CK
🏆 Scenarios
See also:
Attacking Kubernetes by Reza, 2025
Red Team Tactics, Techniques, and Procedures for Kubernetes by sneakerhax, 2025
List of all Attack Techniques by Stratus Red Team, 2025
Attacking Kubernetes by HackTricks Cloud
Kubernetes Threat Matrix (interactive!)
#SecDevOps #pentest
Deep-Dive Drop: Dev(sec)Ops Process for Dummies 🐜⚙️
Most teams ship code to production in minutes… and trust a few YAML lines not to burn the house down
In this guide, I break down how one missing security gate in a CI/CD pipeline led to a 47-minute attack and $4M+ in damage—and how to redesign your processes so it never happens again.
🔍 The 3:47 AM Incident
• Step-by-step timeline from alert → triage → forensics → root cause
• How a “hotfix” branch, skipped scans, and an expired token led to full domain compromise
🏗 Secure vs Insecure DevOps Patterns
• Manual approval gates, shared service accounts, static tokens, no baselines
• Secure alternatives: immutable workflows, environment-specific gates, anomaly detection, auto-rollback, ephemeral creds
🧩 8 Core Processes Across the SDLC
• Vulnerability scanning (SAST/SCA/DAST/Cloud/IaC)
• CI/CD pipeline security and workflow hardening
• Infrastructure change management (Terraform / K8s / cloud)
• Container security & image signing
• Dynamic secret rotation and short-lived credentials
• Incident response flow, KPIs, and RACI for each process
📊 Real KPIs, Not Theory
• MTTR for critical vulns, deployment & rollback SLAs
• Secret age, rotation success rate, baseline vs anomaly metrics
• Velocity-first vs security-first cost curves over time
#SecDevOps
FREE DEVSECOPS COURSES AND TRAINING
Top free DevSecOps courses for 2026 include comprehensive, hands-on training, 7-day zero-to-hero challenges via YouTube, and specialized, self-paced learning paths from Google Skills, Cybrary, and Coursera focusing on cloud security, Docker, and CI/CD pipelines.
Fundamentals only, beginner entry:
✅ DevSecOps by Google Skills
✅ Free DevSecOps Course: 2026
✅ DevSecOps in cloud CI/CD (RUS)
✅ Free Cloud DevSecOps course (RUS)
#education #SecDevOps