
DevSecOps

Learn DevSecOps the way the DoD and NIST define it — unifying development, security, and operations across the whole software lifecycle. From the shift-left culture and software factories to CI/CD, containers, service mesh, container-level zero trust, and continuous authority to operate (cATO) — and remember it with spaced repetition.

Practice cards: 161
Per day: ~10 min
Level: Intermediate → Advanced
Modules: 10
About this topic

What is DevSecOps?

DevSecOps is an organizational culture and engineering practice that unifies development, security, and operations — automating, monitoring, and applying security at every phase of the software lifecycle instead of bolting it on at the end. This track follows the authoritative source material: the DoD Enterprise DevSecOps Reference Design and NIST SP 800-204C.

It builds from the ground up. The culture and lifecycle — shift-left, the nine-phase closed loop, the four pillars and five guiding principles; the software factory and its CI/CD pipelines, GitOps, and everything as code; the runtime platform — containers and Kubernetes, service mesh and sidecars, and zero trust down to the container level; and hardening and testing with SAST, DAST, IAST, and SCA.

It keeps the DoD framing intact — cATO (continuous authority to operate), Iron Bank hardened containers, Platform One, DCAR, and the RMF — so it doubles as preparation for anyone working in a government or compliance-driven DevSecOps environment. Spaced repetition turns a stack of reference PDFs into recall you can actually use.

What you'll learn

10 modules, seed to bloom

Each module is a set of practice cards — 161 in total. Answer, review, and watch your knowledge grow from seed to full bloom.

Fundamentals & Definitions

What DevSecOps is — its definition, shift-left culture, CI/CD primitives, and core goals

14 cards

The Shift, Lifecycle & Benefits

DevOps vs DevSecOps, the nine-phase lifecycle, and the benefits and delivery metrics

18 cards

Principles, Pillars & Culture

The four pillars, five guiding principles, Agile values, and the cultural biases to overcome

15 cards

Software Factory & GitOps

Software factories, the software supply chain, and push vs pull GitOps pipeline security

17 cards

CI/CD Pipeline & Continuous Delivery

The CI/CD pipeline and orchestrator, and the continuous build/integration/delivery/deployment stages

17 cards

Everything as Code

Infrastructure, security, policy, and observability as code — declarative code and its role

12 cards

Containers, Kubernetes & Immutable Infrastructure

Containers vs VMs, immutable infrastructure, and Kubernetes pods, nodes, scaling, and limits

15 cards

Service Mesh, Sidecar & Zero-Trust Runtime

Service mesh data and control planes, sidecar proxies, Istio, and container-level zero trust

18 cards

Container Hardening & Security Testing

SAST, DAST, IAST and SCA testing, plus DoD container hardening, DCAR, and Iron Bank

20 cards

Governance, Authorization & cATO

Next-generation governance, the RMF and ATO, and continuous authority to operate (cATO)

15 cards
Try before you plant

Sample questions

A taste of the real cards. Pick an answer, then reveal the explanation.

Sample · DevSecOps

What is DevSecOps?

  A. An organizational culture and practice that unifies software development, security, and operations
  B. A security scanning tool that checks application code for vulnerabilities before each release
  C. A dedicated security team that reviews the software after the operations team has deployed it
  D. A compliance framework that certifies software as secure once its development is fully complete

Sample · DevSecOps

What is a CI/CD pipeline?

  A. The tools and workflows that achieve continuous integration and delivery, run by an orchestrator
  B. A single script that a developer runs by hand to compile and then upload one application
  C. A ticketing board that simply tracks which features are ready to be released next time
  D. A shared network drive where finished build artifacts are stored for later download

Sample · DevSecOps

What is a service mesh?

  A. A dedicated application-services infrastructure providing secure communication, authN, and authZ
  B. A single load balancer that just distributes the incoming requests across the backend servers
  C. A message queue that buffers the events passed between two decoupled microservices
  D. A monitoring dashboard that charts the request latency across the whole of the cluster

Sample · DevSecOps

What is Continuous Authorization to Operate (cATO)?

  A. A rigorous, evolving ATO based on supply-chain cyber survivability, driven by real-time metrics
  B. A one-time authorization that is granted at launch and then never revisited afterward
  C. A waiver that simply exempts a system from any authorization requirements at all
  D. An informal sign-off that is given verbally by the development team's own lead engineer

How Gnoseed works

Learn it once, keep it for good

1. Answer a question

Each card is one practical concept with multiple options. Pick what you think is right.

2. Get the full answer

See the correct option plus a clear explanation, and a link to deeper docs when one is available.

3. Review at the right time

A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.

Why learn this

Why DevSecOps is worth your time

Security across the lifecycle

Learn to build, test, and monitor security at every phase — not as a final gate, but baked into the pipeline from the start.

Grounded in the source docs

Every card traces back to the DoD Reference Design or NIST SP 800-204C, with links to the official material.

From culture to runtime

Covers the whole picture: culture and governance, the software factory, containers and service mesh, and continuous ATO.

Compliance-environment ready

cATO, RMF, Iron Bank and the DoD ecosystem make it directly useful for government and regulated DevSecOps work.

FAQ

Common questions

Who is this track for?

DevOps and platform engineers, security engineers, and compliance teams moving to a DevSecOps model — especially in DoD, government, or other regulated environments. It assumes general CI/CD and container familiarity but builds each topic from fundamentals.

Which sources is it based on?

The DoD Enterprise DevSecOps Reference Design and Strategy Guide, plus NIST SP 800-204C (and SP 800-207 for zero trust). Cards link to the official DoD and NIST material.

Is it DoD-specific?

The core practices — shift-left, CI/CD, containers, service mesh, zero trust, and testing — are general DevSecOps. It also keeps DoD-specific concepts (cATO, Iron Bank, DCAR, RMF) intact, so it suits both general learners and those in government or compliance settings.

Is it free?

Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.

Ready to master DevSecOps?

Plant your first seed today. Ten minutes a day builds DevSecOps knowledge that sticks — from culture all the way to cATO.
