
DevSecOps Foundations for Corporate Engineering Teams for the Technology & Startups Sector

Fast-growing tech companies often have dozens of engineering teams releasing hundreds of times per week. Centralised AppSec becomes a bottleneck, and without a curated DevSecOps platform and a champion network, security posture is uneven across teams. Shift-left tooling, policy as code, and a champion network together keep releases fast while maintaining a sustainable posture.

Format: In-house / online / hybrid
Duration: 4–5 intensive days or a 2–3 month phased program
Participants: 10–20 per cohort
Language: Indonesian / English
Technology & Startups Sector Focus

Why DevSecOps Foundations for Corporate Engineering Teams is different in Technology & Startups

What makes this sector different is scale: fast-growing technology companies routinely run dozens of engineering teams that release hundreds of times per week. A central AppSec team cannot review every change, so without a curated DevSecOps platform (the paved road) and a trained champion in every team, posture drifts from team to team. Shift-left tooling, policy as code, and a champion network together keep releases fast while the posture stays sustainable.

Sector KPIs
  • Repository coverage with SAST + SCA + secret scanning active: nearly all production repositories
  • Engineering team coverage with an active champion: every team has at least 1 trained champion
  • DSOMM position: at least 1 level up per annual cycle
Relevant regulations & standards
  • ISO/IEC 27001:2022 A.8.25–A.8.28 (secure development controls)
  • SOC 2 Trust Services Criteria (common criteria) for SaaS
  • NIST SP 800-218 SSDF
  • OWASP DSOMM
  • SLSA framework levels 1–4
  • UU PDP No. 27/2022 (platform user data)
Target roles in Technology & Startups
  • CISO / Head of Security
  • VP Engineering / CTO
  • Head of AppSec
  • Head of Platform / SRE
  • Engineering Manager
  • AppSec Champion (per team)
Outcomes commonly requested in Technology & Startups
  • Curated internal DevSecOps platform (paved-road with default SAST/SCA/DAST)
  • Active AppSec champion network in every engineering team
  • Policy as code prevents unsafe configuration at admission
  • Standard SBOM + image signing across all production
  • OWASP DSOMM position raised period-on-period
Technology & Startups-specific questions
How to prevent AppSec from becoming a bottleneck when there are many engineering teams?
The module teaches the AppSec champion pattern: selected developers in every team receive deeper training and become the first point of contact for security questions in that team. Centralised AppSec acts as enabler and escalation point; per-PR review stays distributed.
Does the module cover the SLSA framework for supply-chain integrity?
Yes. The SLSA module walks through the four levels of the SLSA v0.1 scheme (1: build process documented and provenance generated, up to 4: hermetic build with two-party review), with practice applying levels 2–3 on real pipelines (signed provenance attestation from a hosted, hardened build service). Note that SLSA v1.0 reorganised the same controls into a Build track with levels L0–L3 and deferred hermeticity and two-party review to later tracks; the level 1–4 numbering used on this page follows v0.1.
How to measure DevSecOps program effectiveness?
The module teaches reportable KPIs: tooling coverage, time from critical finding to patch, DSOMM position, champion coverage, SBOM coverage, and quality metrics such as the rate at which vulnerabilities escape to production. The baseline is set during the TNA.

Quick Answer

DevSecOps Foundations training is an in-house program that equips engineering, AppSec, and operations teams to integrate security into CI/CD (shift-left, SAST/DAST/SCA, SBOM, image signing, supply-chain controls), guided by NIST SP 800-218 SSDF, the OWASP DevSecOps Maturity Model (DSOMM), and the SLSA framework, so that releases stay fast and posture is preserved.

Guided by industry-recognized DevSecOps frameworks

The material follows NIST SP 800-218 Secure Software Development Framework (2022), OWASP DevSecOps Maturity Model (DSOMM), SLSA framework levels 1–4, OWASP ASVS 4.0, and ISO/IEC 27001:2022 A.8.25–A.8.28 (secure development) — frameworks referenced by global auditors & regulators.

Log4Shell, SolarWinds, XZ lessons: supply-chain is real

Log4Shell (CVE-2021-44228), disclosed in December 2021, affected a very large number of organisations because the vulnerable library was embedded in so much Java software. SolarWinds (2020) showed a trusted vendor's build pipeline being compromised to ship a backdoored update. The XZ Utils backdoor (CVE-2024-3094) showed long-running social engineering of an open-source maintainer. Without SBOMs, image signing, and supply-chain discipline, organisations spend weeks instead of hours just establishing where they are exposed.
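The "hours instead of weeks" difference comes down to one query: which services ship an affected version of a given component. The following is an added example, not code from this page or its vendor, that answers that question from per-build CycloneDX SBOMs. The SBOMs, the service names and the advisory record (placeholder ID EXAMPLE-ADVISORY-0001 with an illustrative affected range) are all constructed for the example. It also flags components that carry no purl, because an SBOM you cannot query is exactly the gap you discover mid-incident.

```python
"""Added example (not from the page or its vendor): triage CycloneDX SBOMs
against an advisory to answer "which services ship a vulnerable version?".
All SBOMs and the advisory below are constructed sample data."""
import json
import re

# Constructed SBOMs in CycloneDX JSON shape, one per service. In a real
# pipeline these come from the artifact store each build publishes to.
SAMPLE_SBOMS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "payments-api", "version": "3.4.1"}},
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
             "version": "2.15.2",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "inventory-svc", "version": "1.9.0"}},
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
            # an internal library emitted without a purl: cannot be matched
            {"type": "library", "name": "internal-metrics", "version": "0.3.0"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "legacy-batch", "version": "0.8"}},
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.0-beta9",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
        ],
    }),
]

# Constructed advisory record; the ID is a placeholder and the range is
# illustrative, not a transcription of any real CVE.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0-beta9",   # first affected version (inclusive)
    "fixed": "2.15.0",           # first fixed version (exclusive)
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-prerelease]' into a sortable tuple. Numeric
    parts are padded to three fields so 2.0 == 2.0.0, and a pre-release
    suffix sorts below the matching release (2.0-beta9 < 2.0.0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))
    suffix = m.group(2).lstrip("-.")
    return (nums, 0 if suffix else 1, suffix)


def split_purl(purl):
    """Return (purl without version/qualifiers/subpath, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sbom_documents, advisory):
    """Return affected (service, component) records plus components that
    carry no purl and therefore could not be matched at all."""
    affected, unidentifiable = [], []
    for doc in sbom_documents:
        sbom = json.loads(doc)
        service = sbom.get("metadata", {}).get("component", {})
        for comp in sbom.get("components", []):
            if not comp.get("purl"):
                unidentifiable.append({"service": service.get("name"),
                                       "component": comp.get("name")})
                continue
            base, version = split_purl(comp["purl"])
            if base == advisory["purl_base"] and is_affected(version, advisory):
                affected.append({"service": service.get("name"),
                                 "service_version": service.get("version"),
                                 "component_version": version,
                                 "fixed_in": advisory["fixed"]})
    return {"affected": affected, "unidentifiable": unidentifiable}


if __name__ == "__main__":
    result = find_affected(SAMPLE_SBOMS, ADVISORY)
    for h in result["affected"]:
        print(f"{h['service']} {h['service_version']}: log4j-core "
              f"{h['component_version']} -> upgrade to {h['fixed_in']}")
    for u in result["unidentifiable"]:
        print(f"{u['service']}: component {u['component']} has no purl, check manually")
```

Two caveats a responder should keep in mind: the version comparison here is a small dotted-numeric parser, adequate for Maven-style versions but not a substitute for each ecosystem's own rules (Debian epochs, PEP 440 and so on), and it inspects direct components only; walking the CycloneDX dependencies graph is needed to attribute a transitive hit to the application that pulled it in.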

Healthy adoption pattern: paved-road + champion network

Successful DevSecOps adoption across many teams typically rests on a paved-road curated by AppSec/Platform (default SAST/SCA, default image signing) + AppSec champion network in every engineering team. Centralized AppSec shifts from bottleneck reviewer to enabler & escalation.

DevSecOps Foundations

DevSecOps is the practice of integrating security into the DevOps lifecycle from the earliest phase (shift-left) — covering threat modelling, SAST/DAST/SCA, secret scanning, container & IaC scanning, SBOM, image signing, and runtime security — mapped to NIST SP 800-218 Secure Software Development Framework (SSDF), OWASP DevSecOps Maturity Model (DSOMM), and SLSA framework levels 1–4, so teams release fast without sacrificing an auditable security posture.

1. Designed via training needs analysis (TNA): roles (developer, AppSec, DevOps, SRE, security), stack, and DSOMM maturity position
2. Mapped explicitly to NIST SP 800-218 SSDF (Prepare/Protect/Produce/Respond) and SLSA framework levels 1–4
3. Concrete shift-left approach: threat modelling + SAST + SCA in the dev pipeline, DAST in staging, runtime security in production
4. Software supply chain management: SBOM (CycloneDX / SPDX), image signing (cosign / Sigstore), provenance attestation
5. Lessons from major incidents: SolarWinds (2020), Log4Shell (CVE-2021-44228), XZ Utils backdoor (CVE-2024-3094)
6. Aligned with audit obligations: ISO/IEC 27001:2022 (A.8.25–A.8.28 secure development), POJK 11/POJK.03/2022 (banks), UU PDP No. 27/2022

Measurable Outcomes

Expected Outcomes

Indicators mapped to Kirkpatrick levels and OWASP DSOMM maturity — qualitative targets, set during TNA against your team baseline.

DevSecOps discipline mastery (Kirkpatrick L2 — Learning)
Most participants pass shift-left, basic threat modelling, and SAST/DAST/SCA/SBOM flow assessment
Verified secure pipeline (L3 — Behavior)
Team CI/CD integrates SAST + SCA + secret scanning, with break-build policy for high severity
SBOM & supply-chain attestation
Build produces SBOM (CycloneDX/SPDX) stored, images signed via cosign, and provenance attestation available
OWASP DSOMM position
Team maps starting position on DSOMM dimensions (Build & Deployment, Culture & Org, Implementation, Information Gathering, Test & Verification) and builds gap-closing roadmap
NIST SSDF compliance
Team development activities mapped to 4 SSDF groups (Prepare Organization, Protect Software, Produce Well-Secured Software, Respond to Vulnerabilities)
Audit & incident readiness
Security activity evidence documented for ISO 27001 audit, and supply-chain incident response playbook available
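To make the "break-build policy for high severity" outcome above concrete, here is an added example, not code from this page or its vendor, of the decision logic such a gate needs: block CRITICAL outright, block HIGH only when a fixed version exists (an unfixed HIGH is reported rather than blocking, so the build is not stuck with nothing to upgrade to), and honour time-boxed waivers that stop working when they expire. The report is a constructed sample in the general shape of Trivy's JSON output, the finding IDs are placeholders rather than real CVEs, and the registry name is hypothetical. The page's own recommended implementation for this is OPA/Conftest; the same rules translate directly to Rego, and a script like this is what you would write the Rego tests against.

```python
"""Added example (not from the page or its vendor): decision logic for a
break-build gate over a vulnerability scan report. The report, finding IDs
and registry name below are constructed placeholders."""
import datetime as dt
import json
import sys

# Constructed report in the general shape of Trivy's JSON output. The
# finding IDs are placeholders, not real CVEs; the registry is hypothetical.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/payments-api:3.4.1",
    "Results": [
        {"Target": "registry.example.com/payments-api:3.4.1 (debian 12.5)",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-CRIT-1", "PkgName": "libexample-ssl",
              "InstalledVersion": "3.0.1", "FixedVersion": "3.0.4", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-HIGH-1", "PkgName": "libexample-xml",
              "InstalledVersion": "2.9.1", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-HIGH-2", "PkgName": "example-curl",
              "InstalledVersion": "7.88.1", "FixedVersion": "7.88.1-2", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-MED-1", "PkgName": "example-tar",
              "InstalledVersion": "1.34", "FixedVersion": "1.35", "Severity": "MEDIUM"},
         ]},
    ],
})

# Policy: which severities fail the build, and which of those only fail when
# the scanner reports a fixed version (an unfixable HIGH is warn-only).
POLICY = {
    "block": {"CRITICAL", "HIGH"},
    "block_only_if_fixable": {"HIGH"},
}

# Time-boxed waivers, each with an owner and reason on record. A waiver past
# its expiry date no longer suppresses the finding.
EXCEPTIONS = [
    {"id": "EXAMPLE-HIGH-2", "expires": "2030-01-01", "owner": "payments-team",
     "reason": "fixed in next base image rebuild"},
    {"id": "EXAMPLE-CRIT-1", "expires": "2020-01-01", "owner": "platform",
     "reason": "old waiver, now expired"},
]


def split_exceptions(exceptions, today_iso):
    """Return (active ids, expired ids) relative to today's date (ISO string)."""
    today = dt.date.fromisoformat(today_iso)
    active = {e["id"] for e in exceptions if dt.date.fromisoformat(e["expires"]) >= today}
    expired = [e["id"] for e in exceptions if e["id"] not in active]
    return active, expired


def evaluate(report_json, policy, exceptions, today_iso):
    """Classify each finding as blocking, waived or warn-only and return a
    verdict dict; 'passed' is False when anything is blocking."""
    report = json.loads(report_json)
    active, expired = split_exceptions(exceptions, today_iso)
    verdict = {"blocking": [], "waived": [], "warn": [],
               "expired_waivers": expired, "passed": True}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            if sev not in policy["block"]:
                continue  # below the gate threshold: leave to the backlog
            fixable = bool(v.get("FixedVersion"))
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "severity": sev, "fixable": fixable}
            if entry["id"] in active:
                verdict["waived"].append(entry)
            elif sev in policy["block_only_if_fixable"] and not fixable:
                verdict["warn"].append(entry)  # nothing to upgrade to yet
            else:
                verdict["blocking"].append(entry)
    verdict["passed"] = not verdict["blocking"]
    return verdict


if __name__ == "__main__":
    v = evaluate(SAMPLE_REPORT, POLICY, EXCEPTIONS, dt.date.today().isoformat())
    for bucket in ("blocking", "waived", "warn"):
        for e in v[bucket]:
            print(f"{bucket:8} {e['severity']:8} {e['id']} in {e['pkg']}")
    for waiver_id in v["expired_waivers"]:
        print(f"expired waiver for {waiver_id}; renew or fix")
    sys.exit(0 if v["passed"] else 1)  # non-zero exit breaks the build
```

The two design points worth copying into whichever policy engine you use are the fixability rule (a gate that blocks on findings nobody can fix trains teams to disable it) and the expiring waiver with a named owner, which is what turns an exception list into audit evidence rather than a permanent bypass.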

Program Format

Program Format Options

Chosen according to the team's DSOMM maturity position; finalised after the TNA.

1. DevSecOps Foundations Bootcamp (4–5 days)

Intensive bootcamp: shift-left, threat modelling, SAST/DAST/SCA/secret scanning, container & IaC scanning, SBOM, image signing, runtime security. Hands-on in lab pipeline.

Best for: Teams starting DevSecOps seriously (early DSOMM position)
2. Supply-Chain Security Deep Dive

Deep workshop: SLSA framework levels 1–4, SBOM (CycloneDX/SPDX), in-toto attestation, cosign signing + verification policy, and lessons from SolarWinds/Log4Shell/XZ incidents.

Best for: Teams facing supply-chain demands (regulators, enterprise clients, executive-order equivalents)
3. Pipeline Hardening & Policy as Code Workshop

Consultative session applying SAST/SCA/DAST in real pipeline + policy as code (Open Policy Agent / Conftest) for break-build and promote control.

Best for: Teams with existing CI/CD but security not yet consistently integrated
4. Recurring AppSec Champion & Maturity Program

Recurring program: AppSec champion network, tabletop sessions, finding reviews, and DSOMM reassessment for sustained maturity growth.

Best for: Multi-team engineering organizations wanting to sustain momentum

Free Consultation

Discuss your engineering team's DevSecOps plan

Start with a free training needs analysis: we map stack, roles, OWASP DSOMM maturity position, and your audit obligations, then build a proposal and budget based on real needs.

Curriculum

Curriculum Framework

Designed via ADDIE; final modules curated by stack & maturity position from TNA. Topics below represent full coverage.

Comparison

Choosing the Program Format

Concise decision matrix — final recommendation set after training needs analysis.

DevSecOps Foundations Bootcamp
  • Primary goal: team shift-left foundation
  • Ideal participants: teams starting DevSecOps
  • Typical duration: 4–5 intensive days
  • Main output: fundamentals mastery + labs
  • Core framework: NIST SSDF + OWASP DSOMM basics

Supply-Chain Security Deep Dive
  • Primary goal: SLSA + SBOM + signing readiness
  • Ideal participants: teams facing supply-chain demands
  • Typical duration: 2–3 day workshop
  • Main output: SBOM + signed image + playbook
  • Core framework: SLSA + SBOM (CycloneDX/SPDX)

Pipeline Hardening & Policy as Code
  • Primary goal: consistent pipeline integration
  • Ideal participants: teams with CI/CD but lacking integration
  • Typical duration: 1–2 weeks of consulting
  • Main output: pipeline + policy as code
  • Core framework: OPA Gatekeeper + ISO 27001 A.8.x

Recurring AppSec Champion & Maturity
  • Primary goal: sustained maturity uplift
  • Ideal participants: multi-team engineering organisations & champions
  • Typical duration: monthly / quarterly
  • Main output: champions + DSOMM up
  • Core framework: DSOMM cycle + Kirkpatrick

For Whom

Who This Program Is For

Designed by role because DevSecOps challenges differ for developer vs AppSec vs operations.

Software Developer / Engineer

Teams writing code, who are best placed to fix vulnerabilities while fixing them is still cheap.

Common challenges

  • SAST/SCA findings pile up; no priority clarity; no shared severity language
  • Secrets accidentally committed; secret scanning only switched on after the incident
  • Threat modelling not yet part of design; vulnerabilities found at audit / pen-test

Application Security (AppSec)

Teams supporting developers to maintain security posture.

Common challenges

  • Hard to scale security reviews to dozens of teams; acts as bottleneck
  • No AppSec champion network in developer teams yet
  • No maturity baseline (DSOMM) reportable to leadership

DevOps / Build Engineer / SRE

Teams designing CI/CD pipelines and running runtime.

Common challenges

  • CI/CD pipeline not yet integrated with SAST/SCA/DAST as standard
  • SBOM not generated; images not signed; no supply-chain attestation
  • Runtime security still reactive; no container anomaly detection

Security Engineer / Security Architect

Teams setting security policy and maintaining organization posture.

Common challenges

  • Security control mapping to frameworks (NIST SSDF, ISO 27001:2022) not yet formal
  • Major incident lessons (Log4Shell, SolarWinds, XZ) not translated to playbooks
  • No policy as code automatically executed in pipeline

CTO / VP Engineering / Head of Eng

Owner of DevSecOps investment decisions and posture accountability.

Common challenges

  • Maturity position unknown; security investment unfocused
  • No security KPIs reportable to board / regulator
  • ISO 27001 / POJK audits raise repeated findings

Industry Context

Industry Applications

One specific use case per industry, naming relevant workflows, regulations, and DevSecOps patterns.

Banking & Financial Services

DevSecOps pipeline for bank digital services (internet banking, mobile, API channels) with integrated SAST/SCA/DAST, SBOM per build, signed images, and security activity evidence usable for OJK examinations (POJK 11/POJK.03/2022, SEOJK 29/SEOJK.03/2022).

Technology & Startups

DevSecOps platform for fast-growing technology companies — so all engineering teams deploy safely without making AppSec a bottleneck, with AppSec champion network and policy as code.

State-Owned Enterprises (BUMN)

Holding-level DevSecOps standard across BUMN subsidiaries with uniform security baseline, standard SBOM, and secure-development evidence usable for SPI/BPK and aligned with AKHLAK 'Amanah & Kompeten'.

Government & Public Sector

Secure development of digital public service applications (SPBE) with SBOM, signing, and pipeline access controls accountable to BSSN, the Inspectorate, and the public, aligned with UU PDP.

Healthcare & Pharmaceuticals

Secure development of hospital applications (SIMRS, BPJS integration module, electronic medical record module) with pipeline controls that protect patient data (UU PDP specific data) and are KARS-ready.

Energy & Resources

DevSecOps for corporate applications & support systems in the energy sector (oil & gas, power) with OT/IT boundary controls — so application changes don't become an entry vector to critical operational systems.


Delivery Method

Delivery

Format adapts to your engineering team distribution; all formats hands-on in lab pipeline.

On-site intensive & workshop

Facilitator comes to your office for a 4–5 day bootcamp; labs in practice repositories + integration to your internal pipeline (NDA applies).

Live online + managed labs

Interactive classes via Zoom/Teams; labs run on GitHub/GitLab sandbox + lab container registry provided by Neksus.

Hybrid

On-site for consultative modules (pipeline hardening, policy as code), online for concept & lab modules — suits multi-location teams.

Scheduling fits team release & on-call calendar
Materials & labs localized to your stack (GitHub Actions / GitLab CI / Jenkins / Azure DevOps)
Lab repositories provided; option to integrate to internal non-production repo available
Participation certificate + position map against OWASP DSOMM
Evaluation report & prioritized recommendations for security / engineering leadership

Engagement Flow

Engagement Path

Follows ADDIE + NIST SSDF Prepare/Protect/Produce/Respond — qualitative durations, scaled to DSOMM position.

1. Training Needs Analysis & DSOMM Position

Mapping stack (GitHub/GitLab/Jenkins/Azure DevOps), roles, OWASP DSOMM position, existing SAST/SCA tooling, measurement baseline, and audit obligations.

Initial stage
2. Program Design by Role (ADDIE)

Drafting measurable learning objectives, role-based syllabi (developer/AppSec/DevOps/security), pipeline lab scenarios, and framework map to NIST SSDF + ISO 27001.

Pre-delivery
3. DevSecOps Foundations Bootcamp

Core 4–5 day session: shift-left, threat modelling, SAST/DAST/SCA/secret scan, container & IaC scanning, SBOM, image signing, runtime security. Hands-on in lab pipeline.

Core week
4. Pipeline Hardening & Policy as Code

Consultative session applying SAST/SCA/DAST in team pipeline + policy as code (OPA/Conftest/Kyverno) for break-build and promote control.

Rolling per team
5. Supply-Chain & SBOM Roll-out

SLSA levels 2-3 workshop + per-build SBOM (CycloneDX/SPDX) + image signing with cosign + admission policy verifying signature.

Rolling per repository
6. Champion, Tabletop & Recurring Evaluation

Active AppSec champion network, supply-chain incident tabletop, DSOMM reassessment, Kirkpatrick L1–L4 evaluation (Phillips L5 on request).

Recurring & continuous

Case Studies

Typical Outcome Patterns

Illustrative patterns based on similar program structures — no named clients or promised numbers. NIST SSDF, OWASP DSOMM, SLSA, and SolarWinds/Log4Shell/XZ incidents are attributed as external sources (NIST, OWASP Foundation, Linux Foundation OpenSSF, MITRE CVE).

Financial institution with many digital channel repositories

Intervention

Bootcamp + pipeline hardening + SBOM + image signing + champion network

Result

Per-release secure-development evidence available; supply-chain traceable during major CVE incidents

Technology company with dozens of engineering teams

Intervention

OWASP DSOMM maturity assessment + paved-road pipeline + champion network

Result

DSOMM position rises consistently, centralized AppSec shifts to enabler role, releases don't slow

Government agency running SPBE

Intervention

Bootcamp + SBOM & secure SDLC workshop + BSSN/SPBE documentation

Result

Secure-development evidence available for SPBE Index; public service applications measurably hardened

Procurement Info

Information for Procurement & Vendor Management

What procurement, finance, legal, and information security teams need.

Legal entity

Indonesian PT under the Selestia ecosystem (Eduprima group); complete NPWP & legal documents; ready for PKS/contracts and vendor onboarding.

Proposal

Structured proposal: measurable learning objectives, role-based syllabus, framework map (NIST SP 800-218 SSDF / OWASP DSOMM / SLSA / ISO 27001:2022 A.8.25-A.8.28 / POJK / UU PDP), facilitator profile, schedule, and TNA-based cost detail.

Pricing model

TNA-based — flat per program, per session, per participant, tiered, or custom. Estimate issued after TNA is agreed.

Payment & tax

Flexible terms (DP + balance / per-batch installments); tax invoice (PPN) and PO documentation supported.

BUMN/government procurement

Familiar with BUMN/government procurement: vendor documentation, e-procurement / SPSE, HPS/offers, and compliance clauses.

Measurement

Kirkpatrick L1–L3 evaluation reports (attendance, knowledge assessment, pipeline behavior) + OWASP DSOMM position map; Phillips ROI L5 on finance/risk request.

Confidentiality & data security

NDA signing, confidentiality of code & pipeline configurations used as case studies, and practices aligned with UU PDP and your internal security policy.

Material ownership

Pipeline references, policy-as-code templates, and documents built for your company are yours; usage rights of training materials are agreed in the contract.

Next Step

Discuss your engineering team's DevSecOps plan

Start with a free training needs analysis: we map stack, roles, OWASP DSOMM maturity position, and your audit obligations, then build a proposal and budget based on real needs.

  • Training needs analysis at no cost — the natural first step
  • Proposal, role-based syllabus, and framework map (NIST SSDF / OWASP DSOMM / SLSA / ISO 27001 / POJK) within a few business days
  • Labs in lab pipeline; option to integrate to internal non-production pipeline
  • Procurement-ready documents (company profile, NPWP, NDA, PPN tax invoice)
