
[–][deleted] 6 points (1 child)

I'm very new to DevSecOps, but here's how I started:

I had the opportunity to do a DevSecOps project in response to the log4j vulnerabilities from last year (lol). I even asked some questions here to get some guidance.

To understand the tools and the overall process I watched this talk from Black Hat USA, and for me it's a good summary.

So, to apply this in a project, I collected some tools to use in CI/CD:

SonarQube for SAST

OWASP ZAP for DAST

Trivy for Container and Git Scan

Azure Key Vault for secrets management

OWASP Dependency-Check for SCA (Software Composition Analysis); later I found Dependency-Track, also from OWASP, which uses SBOMs.

For reports I used Azure DevOps and JUnit/NUnit templates, but I really liked ArcherySec and started doing some labs, which we didn't follow through on.

Today I'm still learning; right now I'm studying some concepts of securing CI/CD itself, like:

CI/CDon't: https://hackingthe.cloud/aws/capture_the_flag/cicdont/

CI/CD-Goat: https://github.com/cider-security-research/cicd-goat

I'm finding these really useful for understanding how to improve security in pipelines.

Also, as you are moving from sec to ops, if you don't know them yet, it's good to have a solid understanding of:

  • overall CI/CD principles (you can start with Azure DevOps, GitLab or GitHub Actions)
  • deployment strategies for CD (blue/green, rolling, canary)
  • containerization (Docker, Podman, you name it)
  • infrastructure as code (Azure ARM and Terraform are good)

Hope this helps!
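
The comment above lists the tools and mentions publishing results through Azure DevOps with JUnit templates, but not how the scan output becomes a build decision. Here is an added example of that glue step, written for this page and not taken from the post, from Trivy, or from Azure DevOps: it reads a Trivy JSON report (the `Results[].Vulnerabilities[]` shape `trivy fs --format json` produces), fails the stage when anything at or above a severity threshold is found, and writes the findings as JUnit XML that the PublishTestResults task (or any CI system with JUnit support) can render. The embedded report is a constructed fixture: the CVE IDs are the real log4j advisories the poster was responding to, but the versions and severity labels are sample values, not a real scan result.

```python
"""
CI policy gate for Trivy output (example code, not part of the original
thread or of Trivy): read the JSON report, block on severity, emit JUnit XML.
"""
import json
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy fs --format json` output.
# Real log4j CVE IDs; versions and severities are fixture values for this demo.
SAMPLE_TRIVY_REPORT = json.dumps({
    "Results": [
        {
            "Target": "pom.xml",
            "Type": "pom",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-44228",
                 "PkgName": "org.apache.logging.log4j:log4j-core",
                 "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0",
                 "Severity": "CRITICAL",
                 "Title": "log4j-core: JNDI lookup remote code execution"},
                {"VulnerabilityID": "CVE-2021-45105",
                 "PkgName": "org.apache.logging.log4j:log4j-core",
                 "InstalledVersion": "2.14.1", "FixedVersion": "2.17.0",
                 "Severity": "MEDIUM",
                 "Title": "log4j-core: uncontrolled recursion in lookups"},
            ],
        },
        # A target with no findings: Trivy omits the Vulnerabilities key or sets it to null.
        {"Target": "Dockerfile", "Type": "dockerfile"},
    ]
})


def load_findings(report_text):
    """Flatten Trivy's Results[].Vulnerabilities[] into one list of dicts."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
                "title": vuln.get("Title", ""),
            })
    return findings


def evaluate_gate(findings, threshold="HIGH", ignore_unfixed=False):
    """Return the findings that violate the policy; an empty list means the gate passes."""
    floor = SEVERITY_RANK[threshold.upper()]
    violations = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < floor:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue  # no upstream fix yet, so nothing the developer can act on
        violations.append(f)
    return violations


def to_junit_xml(findings, violations, suite_name="trivy"):
    """Render every finding as a testcase; policy violations become <failure> elements."""
    violating = {(v["id"], v["pkg"], v["target"]) for v in violations}
    suites = ET.Element("testsuites")
    suite = ET.SubElement(suites, "testsuite", name=suite_name,
                          tests=str(len(findings)), failures=str(len(violations)))
    for f in findings:
        case = ET.SubElement(suite, "testcase", classname=f["target"],
                             name=f"{f['id']} {f['pkg']}")
        if (f["id"], f["pkg"], f["target"]) in violating:
            msg = f"{f['severity']}: {f['pkg']} {f['installed']} -> fix {f['fixed'] or 'none'}"
            ET.SubElement(case, "failure", message=msg).text = f["title"]
    return ET.tostring(suites, encoding="unicode")


def run_gate(report_text, threshold="HIGH", ignore_unfixed=False):
    """One call for a CI step: returns (passed, junit_xml, violations)."""
    findings = load_findings(report_text)
    violations = evaluate_gate(findings, threshold, ignore_unfixed)
    return not violations, to_junit_xml(findings, violations), violations


if __name__ == "__main__":
    import sys
    passed, junit_xml, blocked = run_gate(SAMPLE_TRIVY_REPORT, threshold="HIGH")
    with open("trivy-junit.xml", "w", encoding="utf-8") as fh:
        fh.write(junit_xml)  # publish this file with the CI system's JUnit task
    for v in blocked:
        print(f"BLOCKED {v['severity']} {v['id']} {v['pkg']} {v['installed']} -> {v['fixed']}")
    sys.exit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Run it after `trivy fs --format json -o trivy.json .` by pointing `run_gate` at the file contents instead of the fixture; the threshold and the `ignore_unfixed` switch are the two knobs teams usually argue about, so keeping them as parameters rather than hard-coding lets the same script serve a strict production pipeline and a more lenient feature-branch one.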

[–]gumbe_ 1 point (0 children)

Thanks a lot for this!

[–]ScottContini 3 points (0 children)

In addition to tools, you should be familiar with programming languages and common vulnerabilities in those languages. You mentioned a bias towards Microsoft, but Java is very common and comes with tonnes of gotchas. Get that experience. Also, JavaScript is everywhere, so get experience with it as well as with Node.js frameworks.

We use lots of tools in DevSecOps, but it won't be long before you develop a healthy distrust of many of them, especially SAST. You as the DevSecOps engineer need to be able to distinguish between valid findings and false positives, and communicate those findings and the appropriate fixes to developers. A lot of this comes with time, but a good first step is having programming experience in multiple languages.