What is the difference between DevOps and DevSecOps?

DevOps focuses on software delivery speed (code → production). DevSecOps adds security deliberately throughout the DevOps lifecycle (shift-left): threat modelling from design, SAST/SCA in pipeline, DAST in staging, runtime security in production, and auditable governance. The goal: speed stays high, security posture isn't sacrificed.

What is NIST SP 800-218 SSDF and why is it relevant for Indonesian corporates?

NIST SP 800-218 Secure Software Development Framework (SSDF) is a secure-development practice framework released by NIST since 2022. Its 4 groups (Prepare the Organization / Protect the Software / Produce Well-Secured Software / Respond to Vulnerabilities) have become a global reference, including US Executive Order 14028 requirements. Indonesian corporates use it because auditors (ISO 27001, SOC 2, OJK) increasingly ask about SSDF compliance as the gold standard for secure SDLC.

What is OWASP DevSecOps Maturity Model (DSOMM) and how to use it?

DSOMM is OWASP's maturity model assessing organization position on 5 dimensions (Build & Deployment, Culture & Org, Implementation, Information Gathering, Test & Verification) with 4 maturity levels. We use it as a common language for starting position, target, and gap-closing roadmap across annual cycles.

What is the SLSA framework and when does targeting level 2/3/4 make sense?

SLSA (Supply-chain Levels for Software Artifacts) is an OpenSSF framework for build pipeline integrity with 4 levels: 1 (build documentation), 2 (versioned source, hosted build, provenance), 3 (hardened build platform, non-falsifiable provenance), 4 (hermetic, two-party review). Most corporates target levels 2-3 in 1-2 years. Level 4 is for high-demand contexts (defense, cryptocurrency, critical infrastructure).

What is SBOM and should it be standard for every release?

SBOM (Software Bill of Materials) is a complete list of components & dependencies in software, with common formats CycloneDX (OWASP) and SPDX (Linux Foundation). During major incidents (Log4Shell, XZ Utils), organizations with SBOM can answer 'which applications are affected?' in hours. Without SBOM, the answer can take days or weeks. For corporates with many applications, standard per-release SBOM is investment that pays off at the first incident.

Are SAST + SCA + DAST enough or do we need more?

The combination of SAST + SCA + DAST + secret scanning + container/IaC scanning covers the majority of vectors in most corporates. Additional layers (IAST/RASP, fuzzing) make sense for high-risk or mature products. What's often missed: secret scanning across full git history (going beyond the latest commits), runtime detection (Falco) for container anomalies, and SBOM actively used during incident response.

How does DevSecOps change the AppSec role?

Without DevSecOps, AppSec acts as a gatekeeper that becomes a bottleneck. With DevSecOps, AppSec shifts to enabler: curating paved-road pipelines, training developer-team champion networks, and running automated policy as code. Result: engineering teams stay fast, AppSec focuses on work that really needs expertise (threat modelling, architecture review).

What are the important lessons from Log4Shell, SolarWinds, XZ incidents?

Log4Shell (CVE-2021-44228, December 2021) — supply-chain vulnerability in a widely-used Java library; SBOM critical for fast response. SolarWinds (2020) — compromise of a trusted vendor's build pipeline; signing & provenance critical. XZ Utils backdoor (CVE-2024-3094, 2024) — long-term social engineering of a maintainer; supply-chain risk is more than technical. The module translates lessons into concrete controls.

What's the ideal program duration and batch size?

A 4–5 day bootcamp for foundations + 2–3 day workshop on one real workflow. For deeper transformation, 2–3 month phased program: bootcamp → pipeline hardening → SBOM + signing → champion network → maturity assessment. Ideal batch size is 10–20 participants so labs remain effective.

How to measure program impact to business / regulator?

We use Kirkpatrick: Level 1 (reaction), Level 2 (knowledge via assessment), Level 3 (behavior — pipelines & policies applied), Level 4 (results — tooling coverage, DSOMM position, critical finding MTTR, SBOM coverage, audit readiness). Phillips ROI Level 5 on finance request with supply-chain incident avoidance and audit cost estimates. Baseline is set during TNA.

Healthcare & Pharmaceuticals Sector

DevSecOps Foundations for Corporate Engineering Teams for the Healthcare & Pharmaceuticals Sector

Modern hospitals have internal SIMRS developer teams or work with SIMRS vendors, plus BPJS, insurance, and clinical analytics integration. Patient data is specific personal data under UU PDP. Hospital developer teams need DevSecOps discipline that protects patient data from design, with evidence attachable to KARS accreditation for information governance.

format: In-house / online / hybrid
duration: 4–5 intensive days or 2–3 month phased program
participants: 10–20 per cohort
language: Indonesian / English

Healthcare & Pharmaceuticals Sector Focus

Why DevSecOps Foundations for Corporate Engineering Teams is different in Healthcare & Pharmaceuticals

Sector KPIs

Hospital application coverage with SBOM
Nearly all production internal applications
Critical SCA finding to production patch time
Significant improvement after discipline matures
DevSecOps governance evidence for KARS
Complete at accreditation/reaccreditation

Relevant regulations & standards

UU PDP No. 27/2022 — health data = specific personal data
UU No. 17/2023 Health Law
KARS Hospital Accreditation Standards
PMK on SIMRS and electronic medical records
ISO/IEC 27001:2022 + ISO 27799
NIST SP 800-218 SSDF

Target roles in Healthcare & Pharmaceuticals

Head of SIMRS / Hospital IT
Lead Backend SIMRS
Hospital DevOps / SRE
Hospital Security Officer
Vendor & Procurement Manager
Director of Medical Support & IT

Outcomes commonly requested in Healthcare & Pharmaceuticals

Hospital developer teams master DevSecOps protecting patient data
SIMRS applications produce SBOM and signed images
SAST/SCA & secret scan active for internal SIMRS repositories
Secure-development governance evidence for KARS accreditation
Patient data breaches due to application defects decrease

Healthcare & Pharmaceuticals-specific questions

Does the module cover external SIMRS vendor integration?

Yes. The third-party risk module covers vendor security assessment, DPA contracts, vendor SBOM obligations, and admission policy for vendor images entering the hospital cluster.

How does the material protect patient data per UU PDP?

The module covers privacy by design (DPIA, data minimization), access control, encryption, audit log, and incident notification obligations, with case exercises on medical record module development.

Can the training align with KARS?

Yes. Training & pipeline discipline evidence is prepared to attach to KARS information governance standards as hospital readiness evidence.

Quick Answer

DevSecOps Foundations training is an in-house program equipping engineering, AppSec, and operations teams to integrate security into CI/CD — shift-left, SAST/DAST/SCA, SBOM, image signing, supply-chain — guided by NIST SP 800-218 SSDF, OWASP DevSecOps Maturity Model (DSOMM), and SLSA framework so releases stay fast and posture stays preserved.

Free Consultation

Guided by industry-recognized DevSecOps frameworks

The material follows NIST SP 800-218 Secure Software Development Framework (2022), OWASP DevSecOps Maturity Model (DSOMM), SLSA framework levels 1–4, OWASP ASVS 4.0, and ISO/IEC 27001:2022 A.8.25–A.8.28 (secure development) — frameworks referenced by global auditors & regulators.

Log4Shell, SolarWinds, XZ lessons: supply-chain is real

Log4Shell (CVE-2021-44228) in December 2021 hit thousands of organizations because of widespread Java library use. SolarWinds (2020) compromised a trusted vendor's build pipeline. XZ Utils backdoor (CVE-2024-3094) showed long-term social engineering of maintainers. Without SBOM, image signing, and supply-chain discipline, organizations respond to these incidents in weeks instead of hours.

Healthy adoption pattern: paved-road + champion network

Successful DevSecOps adoption across many teams typically rests on a paved-road curated by AppSec/Platform (default SAST/SCA, default image signing) + AppSec champion network in every engineering team. Centralized AppSec shifts from bottleneck reviewer to enabler & escalation.

DevSecOps Foundations

DevSecOps is the practice of integrating security into the DevOps lifecycle from the earliest phase (shift-left) — covering threat modelling, SAST/DAST/SCA, secret scanning, container & IaC scanning, SBOM, image signing, and runtime security — mapped to NIST SP 800-218 Secure Software Development Framework (SSDF), OWASP DevSecOps Maturity Model (DSOMM), and SLSA framework levels 1–4, so teams release fast without sacrificing an auditable security posture.

1Designed via training needs analysis (TNA): roles (developer, AppSec, DevOps, SRE, security), stack, and DSOMM maturity position

2Mapped explicitly to NIST SP 800-218 SSDF (Prepare/Protect/Produce/Respond) and SLSA framework levels 1–4

3Concrete shift-left approach: threat modelling + SAST + SCA in dev pipeline, DAST in staging, runtime in production

4Software supply chain management: SBOM (CycloneDX / SPDX), image signing (cosign / Sigstore), provenance attestation

5Lessons from major incidents: SolarWinds (2020), Log4Shell (CVE-2021-44228), XZ Utils backdoor (CVE-2024-3094)

6Aligned with audit obligations: ISO/IEC 27001:2022 (A.8.25-A.8.28 secure development), POJK 11/POJK.03/2022 (banks), UU PDP No. 27/2022

Measurable Outcomes

Expected Outcomes

Indicators mapped to Kirkpatrick levels and OWASP DSOMM maturity — qualitative targets, set during TNA against your team baseline.

DevSecOps discipline mastery (Kirkpatrick L2 — Learning): Most participants pass shift-left, basic threat modelling, and SAST/DAST/SCA/SBOM flow assessment
Verified secure pipeline (L3 — Behavior): Team CI/CD integrates SAST + SCA + secret scanning, with break-build policy for high severity
SBOM & supply-chain attestation: Build produces SBOM (CycloneDX/SPDX) stored, images signed via cosign, and provenance attestation available
OWASP DSOMM position: Team maps starting position on DSOMM dimensions (Build & Deployment, Culture & Org, Implementation, Information Gathering, Test & Verification) and builds gap-closing roadmap
NIST SSDF compliance: Team development activities mapped to 4 SSDF groups (Prepare Organization, Protect Software, Produce Well-Secured Software, Respond to Vulnerabilities)
Audit & incident readiness: Security activity evidence documented for ISO 27001 audit, and supply-chain incident response playbook available

Program Format

Program Format Options

Chosen by team's DSOMM maturity position — finalized after TNA.

DevSecOps Foundations Bootcamp (4–5 days)

Intensive bootcamp: shift-left, threat modelling, SAST/DAST/SCA/secret scanning, container & IaC scanning, SBOM, image signing, runtime security. Hands-on in lab pipeline.

Best for: Teams starting DevSecOps seriously (early DSOMM position)

Supply-Chain Security Deep Dive

Deep workshop: SLSA framework levels 1–4, SBOM (CycloneDX/SPDX), in-toto attestation, cosign signing + verification policy, and lessons from SolarWinds/Log4Shell/XZ incidents.

Best for: Teams facing supply-chain demands (regulators, enterprise clients, executive-order equivalents)

Pipeline Hardening & Policy as Code Workshop

Consultative session applying SAST/SCA/DAST in real pipeline + policy as code (Open Policy Agent / Conftest) for break-build and promote control.

Best for: Teams with existing CI/CD but security not yet consistently integrated

Recurring AppSec Champion & Maturity Program

Recurring program: AppSec champion network, tabletop sessions, finding reviews, and DSOMM reassessment for sustained maturity growth.

Best for: Multi-team engineering organizations wanting to sustain momentum

Free Consultation

Discuss your engineering team's DevSecOps plan

Start with a free training needs analysis: we map stack, roles, OWASP DSOMM maturity position, and your audit obligations, then build a proposal and budget based on real needs.

Request Proposal

Curriculum

Curriculum Framework

Designed via ADDIE; final modules curated by stack & maturity position from TNA. Topics below represent full coverage.

Comparison

Choosing the Program Format

Concise decision matrix — final recommendation set after training needs analysis.

Aspect	DevSecOps Foundations Bootcamp	Supply-Chain Security Deep Dive	Pipeline Hardening & Policy as Code	Recurring AppSec Champion & Maturity
Primary goal	Team shift-left foundation	SLSA + SBOM + signing readiness	Consistent pipeline integration	Sustained maturity uplift
Ideal participants	Teams starting DevSecOps	Teams facing supply-chain demands	Teams with CI/CD, lacking integration	Multi-team engineering & champions
Typical duration	4–5 intensive days	2–3 day workshop	1–2 week consulting	Monthly / quarterly
Main output	Fundamentals mastery + labs	SBOM + signed image + playbook	Pipeline + policy as code	Champions + DSOMM up
Core framework	NIST SSDF + OWASP DSOMM basics	SLSA + SBOM CycloneDX/SPDX	OPA Gatekeeper + ISO 27001 A.8.x	DSOMM cycle + Kirkpatrick

For Whom

Who This Program Is For

Software Developer / Engineer

Teams writing code, most effective at fixing vulnerabilities when they're still cheap.

Common challenges

SAST/SCA findings pile up; no priority clarity; no shared severity language
Secrets accidentally committed; secret scan only active after the incident
Threat modelling not yet part of design; vulnerabilities found at audit / pen-test

Application Security (AppSec)

Teams supporting developers to maintain security posture.

Common challenges

Hard to scale security reviews to dozens of teams; acts as bottleneck
No AppSec champion network in developer teams yet
No maturity baseline (DSOMM) reportable to leadership

DevOps / Build Engineer / SRE

Teams designing CI/CD pipelines and running runtime.

Common challenges

CI/CD pipeline not yet integrated with SAST/SCA/DAST as standard
SBOM not generated; images not signed; no supply-chain attestation
Runtime security still reactive; no container anomaly detection

Security Engineer / Security Architect

Teams setting security policy and maintaining organization posture.

Common challenges

Security control mapping to frameworks (NIST SSDF, ISO 27001:2022) not yet formal
Major incident lessons (Log4Shell, SolarWinds, XZ) not translated to playbooks
No policy as code automatically executed in pipeline

CTO / VP Engineering / Head of Eng

Owner of DevSecOps investment decisions and posture accountability.

Common challenges

Maturity position unknown; security investment unfocused
No security KPIs reportable to board / regulator
ISO 27001 / POJK audits raise repeated findings

Industry Context

Industry Applications

One specific use case per industry, naming relevant workflows, regulations, and DevSecOps patterns.

Banking & Financial Services

DevSecOps pipeline for bank digital services (internet banking, mobile, API channels) with integrated SAST/SCA/DAST, SBOM per build, signed images, and security activity evidence usable for OJK examinations (POJK 11/POJK.03/2022, SEOJK 29/SEOJK.03/2022).

See in Banking & Financial Services context →

Technology & Startups

DevSecOps platform for fast-growing technology companies — so all engineering teams deploy safely without making AppSec a bottleneck, with AppSec champion network and policy as code.

See in Technology & Startups context →

State-Owned Enterprises (BUMN)

Holding-level DevSecOps standard across BUMN subsidiaries with uniform security baseline, standard SBOM, and secure-development evidence usable for SPI/BPK and aligned with AKHLAK 'Amanah & Kompeten'.

See in State-Owned Enterprises (BUMN) context →

Government & Public Sector

Secure development of digital public service applications (SPBE) with SBOM, signing, and pipeline access controls accountable to BSSN, the Inspectorate, and the public, aligned with UU PDP.

See in Government & Public Sector context →

Healthcare & Pharmaceuticals

Secure development of hospital applications (SIMRS, BPJS integration module, electronic medical record module) with pipeline controls that protect patient data (UU PDP specific data) and are KARS-ready.

Energy & Resources

DevSecOps for corporate applications & support systems in the energy sector (oil & gas, power) with OT/IT boundary controls — so application changes don't become an entry vector to critical operational systems.

See in Energy & Resources context →

Delivery Method

Delivery

Format adapts to your engineering team distribution; all formats hands-on in lab pipeline.

On-site intensive & workshop

Facilitator comes to your office for a 4–5 day bootcamp; labs in practice repositories + integration to your internal pipeline (NDA applies).

Live online + managed labs

Interactive classes via Zoom/Teams; labs run on GitHub/GitLab sandbox + lab container registry provided by Neksus.

Hybrid

On-site for consultative modules (pipeline hardening, policy as code), online for concept & lab modules — suits multi-location teams.

Scheduling fits team release & on-call calendar

Materials & labs localized to your stack (GitHub Actions / GitLab CI / Jenkins / Azure DevOps)

Lab repositories provided; option to integrate to internal non-production repo available

Participation certificate + position map against OWASP DSOMM

Evaluation report & prioritized recommendations for security / engineering leadership

Engagement Flow

Engagement Path

Follows ADDIE + NIST SSDF Prepare/Protect/Produce/Respond — qualitative durations, scaled to DSOMM position.

Training Needs Analysis & DSOMM Position

Mapping stack (GitHub/GitLab/Jenkins/Azure DevOps), roles, OWASP DSOMM position, existing SAST/SCA tooling, measurement baseline, and audit obligations.

Initial stage

Program Design by Role (ADDIE)

Drafting measurable learning objectives, role-based syllabi (developer/AppSec/DevOps/security), pipeline lab scenarios, and framework map to NIST SSDF + ISO 27001.

Pre-delivery

DevSecOps Foundations Bootcamp

Core 4–5 day session: shift-left, threat modelling, SAST/DAST/SCA/secret scan, container & IaC scanning, SBOM, image signing, runtime security. Hands-on in lab pipeline.

Core week

Pipeline Hardening & Policy as Code

Consultative session applying SAST/SCA/DAST in team pipeline + policy as code (OPA/Conftest/Kyverno) for break-build and promote control.

Rolling per team

Supply-Chain & SBOM Roll-out

SLSA levels 2-3 workshop + per-build SBOM (CycloneDX/SPDX) + image signing with cosign + admission policy verifying signature.

Rolling per repository

Champion, Tabletop & Recurring Evaluation

Active AppSec champion network, supply-chain incident tabletop, DSOMM reassessment, Kirkpatrick L1–L4 evaluation (Phillips L5 on request).

Recurring & continuous

Case Studies

Typical Outcome Patterns

Illustrative patterns based on similar program structures — no named clients or promised numbers. NIST SSDF, OWASP DSOMM, SLSA, and SolarWinds/Log4Shell/XZ incidents are attributed as external sources (NIST, OWASP Foundation, Linux Foundation OpenSSF, MITRE CVE).

Financial institution with many digital channel repositories

Intervention

Bootcamp + pipeline hardening + SBOM + image signing + champion network

Result

Per-release secure-development evidence available; supply-chain traceable during major CVE incidents

Technology company with dozens of engineering teams

Intervention

OWASP DSOMM maturity assessment + paved-road pipeline + champion network

Result

DSOMM position rises consistently, centralized AppSec shifts to enabler role, releases don't slow

Government agency running SPBE

Intervention

Bootcamp + SBOM & secure SDLC workshop + BSSN/SPBE documentation

Result

Secure-development evidence available for SPBE Index; public service applications measurably hardened

Procurement Info

Information for Procurement & Vendor Management

What procurement, finance, legal, and information security teams need.

Legal entity

Indonesian PT under the Selestia ecosystem (Eduprima group); complete NPWP & legal documents; ready for PKS/contracts and vendor onboarding.

Proposal

Structured proposal: measurable learning objectives, role-based syllabus, framework map (NIST SP 800-218 SSDF / OWASP DSOMM / SLSA / ISO 27001:2022 A.8.25-A.8.28 / POJK / UU PDP), facilitator profile, schedule, and TNA-based cost detail.

Pricing model

TNA-based — flat per program, per session, per participant, tiered, or custom. Estimate issued after TNA is agreed.

Payment & tax

Flexible terms (DP + balance / per-batch installments); tax invoice (PPN) and PO documentation supported.

BUMN/government procurement

Familiar with BUMN/government procurement: vendor documentation, e-procurement / SPSE, HPS/offers, and compliance clauses.

Measurement

Kirkpatrick L1–L3 evaluation reports (attendance, knowledge assessment, pipeline behavior) + OWASP DSOMM position map; Phillips ROI L5 on finance/risk request.

Confidentiality & data security

NDA signing, confidentiality of code & pipeline configurations used as case studies, and practices aligned with UU PDP and your internal security policy.

Material ownership

Pipeline references, policy-as-code templates, and documents built for your company are yours; usage rights of training materials are agreed in the contract.

FAQ

Frequently Asked Questions

Next Step

Discuss your engineering team's DevSecOps plan

Start with a free training needs analysis: we map stack, roles, OWASP DSOMM maturity position, and your audit obligations, then build a proposal and budget based on real needs.

Training needs analysis at no cost — the natural first step
Proposal, role-based syllabus, and framework map (NIST SSDF / OWASP DSOMM / SLSA / ISO 27001 / POJK) within a few business days
Labs in lab pipeline; option to integrate to internal non-production pipeline
Procurement-ready documents (company profile, NPWP, NDA, PPN tax invoice)

Request Proposal & Free TNA Free Consultation

Explore More

DevSecOps Foundations for Corporate Engineering Teams training for your Healthcare & Pharmaceuticals team

Start with a free training needs analysis: we map stack, roles, OWASP DSOMM maturity position, and your audit obligations, then build a proposal and budget based on real needs.

Training needs analysis at no cost — the natural first step
Proposal, role-based syllabus, and framework map (NIST SSDF / OWASP DSOMM / SLSA / ISO 27001 / POJK) within a few business days
Labs in lab pipeline; option to integrate to internal non-production pipeline
Procurement-ready documents (company profile, NPWP, NDA, PPN tax invoice)

DevSecOps Foundations for Corporate Engineering Teams for the Healthcare & Pharmaceuticals Sector

Why DevSecOps Foundations for Corporate Engineering Teams is different in Healthcare & Pharmaceuticals

DevSecOps Foundations

Expected Outcomes

Program Format Options

DevSecOps Foundations Bootcamp (4–5 days)

Supply-Chain Security Deep Dive

Pipeline Hardening & Policy as Code Workshop

Recurring AppSec Champion & Maturity Program

Discuss your engineering team's DevSecOps plan

Curriculum Framework

1DevSecOps Foundations & Shift-Left

2Threat Modelling & Secure Design

3Static & Dynamic Analysis (SAST / DAST / IAST)

4Software Composition Analysis & Supply-Chain

5Container, IaC & Cloud Security in Pipeline

6Runtime Security, Logging & Incident Response

7Governance, Compliance & Maturity Roadmap

Choosing the Program Format

Who This Program Is For

Software Developer / Engineer

Application Security (AppSec)

DevOps / Build Engineer / SRE

Security Engineer / Security Architect

CTO / VP Engineering / Head of Eng

Industry Applications

Delivery

On-site intensive & workshop

Live online + managed labs

Hybrid

Engagement Path

Training Needs Analysis & DSOMM Position

Program Design by Role (ADDIE)

DevSecOps Foundations Bootcamp

Pipeline Hardening & Policy as Code

Supply-Chain & SBOM Roll-out

Champion, Tabletop & Recurring Evaluation

Typical Outcome Patterns

Information for Procurement & Vendor Management

Frequently Asked Questions

What is the difference between DevOps and DevSecOps?

What is NIST SP 800-218 SSDF and why is it relevant for Indonesian corporates?

What is OWASP DevSecOps Maturity Model (DSOMM) and how to use it?

What is the SLSA framework and when does targeting level 2/3/4 make sense?

What is SBOM and should it be standard for every release?

Are SAST + SCA + DAST enough or do we need more?

How does DevSecOps change the AppSec role?

What are the important lessons from Log4Shell, SolarWinds, XZ incidents?

What's the ideal program duration and batch size?

How to measure program impact to business / regulator?

Discuss your engineering team's DevSecOps plan

Related Topics

DevSecOps Foundations for Corporate Engineering Teams training for your Healthcare & Pharmaceuticals team