- ποΈ March 7, 2017 β Apache discloses CVE-2017-5638, an RCE in Struts 2. Patch ships the same day. CVSS 10.0
- π§ March 9: Equifax's security team emails the patch directive across the company
- π The vulnerable web portal isn't on the inventory the directive used. It is missed
- ποΈ March 10: someone is already exploiting it
- πΎ May 13 β July 30: 147 million records exfiltrated β names, SSNs, birth dates, license numbers
- π¨ July 29: Equifax discovers the breach. CEO and CISO resign within weeks
- π° Final cost: ~$1.4 billion in remediation + settlements
π€ Think: The patch existed. The directive went out. The fix was free. What process failure cost a billion dollars? That gap β between "we have a security control" and "the control actually catches the bug" β is what this course is about.
| # | π Outcome |
|---|---|
| 1 | β Define DevSecOps and explain how it differs from "DevOps + a security tool" |
| 2 | β Place the shift-left philosophy on a real cost-of-defect curve |
| 3 | β Recite the OWASP Top 10 (2025) categories and what changed from 2021 |
| 4 | β Walk through three real breaches (Equifax 2017, Capital One 2019, Log4Shell 2021) and identify which DevSecOps practice each one would have caught |
| 5 | β Describe what your DevSecOps pipeline will look like by the end of the course |
graph LR
L1["ποΈ L1 Foundations<br/>(this)"] --> L2["π― L2 Threat<br/>modeling"]
L2 --> L3["π L3 Secure<br/>Git"]
L3 --> L4["π L4 CI/CD<br/>security"]
L4 --> L5["π§ͺ L5 SAST/<br/>DAST"]
L5 --> L6["ποΈ L6 IaC<br/>scanning"]
L6 --> L7["π¦ L7 Container<br/>security"]
L7 --> L8["π L8 Supply<br/>chain"]
L8 --> L9["π L9 Runtime +<br/>metrics"]
L9 --> L10["π― L10 Vuln<br/>management"]
style L1 fill:#FF9800,color:#fff
style L10 fill:#4CAF50,color:#fff
- π― Through-line: every lab targets OWASP Juice Shop β the most famously broken web app in the world. By Week 10 you'll have run every defensive practice against the same attack surface
- πͺ The arc: culture β modeling β write secure code β ship secure code β scan secure code β secure infrastructure β secure containers β secure supply chain β detect at runtime β triage findings
- ποΈ Maintained by BjΓΆrn Kimminich since 2014; OWASP Flagship project since 2018
- π Ships with >100 challenges representing every OWASP Top 10 category and more
- π’ Docker one-liner:
docker run -d -p 3000:3000 bkimminich/juice-shop:v19.0.0 - π― Why Juice Shop is the canonical learning target:
- Realistic stack (Node.js, Angular, SQLite, JWT, file uploads)
- Bugs are intentional but realistic β not "use eval(user_input)" toy examples
- Has a known set of CVEs to find β your scanner output can be checked against ground truth
- π§ͺ Lab 1 deploys it; Labs 4, 5, 7, 8, 10 keep attacking it from different angles
π¬ "Juice Shop is a deliberately broken application β but unlike most CTF apps, it's broken in exactly the way real applications are broken." β BjΓΆrn Kimminich, OWASP Global AppSec 2022
flowchart LR
Dev["π©βπ» Dev"] -.-> Build["ποΈ Build"]
Ops["π₯οΈ Ops"] -.-> Build
Sec["π‘οΈ Sec"] -.-> Build
Build --> DevSecOps["π DevSecOps<br/>Continuous, automated security<br/>at every stage"]
style DevSecOps fill:#FF9800,color:#fff
- π§βπ« Definition (Gartner, Neil MacDonald, 2012): "DevSecOps is the practice of integrating security controls and processes into the DevOps approach β automated, transparent, and continuous."
- πͺ DevOps + a SAST tool β DevSecOps. The defining shift is cultural: security is everyone's job, executed as code, early and often
- ποΈ The term gained traction at AWS re:Invent 2015 when teams started publishing pipeline blueprints
- π First book-length treatment: "DevOpsSec" by Jim Bird (O'Reilly, 2016)
- π« What DevSecOps is NOT:
- Not a tool you buy
- Not "the security team approves the pipeline"
- Not a one-time audit before launch
| ποΈ Year | π Milestone |
|---|---|
| 2001 | Manifesto for Agile Software Development β Snowbird, UT |
| 2009 | Patrick Debois coins "DevOps" at the first DevOpsDays (Ghent, BE) |
| 2010 | OWASP Top 10 first ranked edition |
| 2012 | Gartner report introduces DevSecOps term β Neil MacDonald |
| 2014 | More Agile Testing (Crispin & Gregory) early uses "DevSecOps" in print |
| 2015 | DevSecOps becomes a track at AWS re:Invent + RSA |
| 2016 | First book-length treatment β DevOpsSec (Jim Bird, O'Reilly) |
| 2017 | Equifax breach β DevSecOps becomes a boardroom topic |
| 2020 | SolarWinds β supply-chain security joins the agenda |
| 2021 | Log4Shell β runtime detection joins the agenda |
| 2024 | NIST CSF 2.0 adds the Govern function |
| 2025 | OWASP Top 10:2025 published; supply-chain failures get their own category |
π¬ "The cost of fixing a defect grows roughly 10x at each stage of the SDLC." β Barry Boehm, Software Engineering Economics (Prentice Hall, 1981)
graph LR
R[π Requirements<br/>~$1] --> D[π Design<br/>~$10]
D --> C[π» Code<br/>~$100]
C --> T[π§ͺ Testing<br/>~$1000]
T --> P[π¨ Production<br/>~$10,000+]
style R fill:#4CAF50,color:#fff
style P fill:#F44336,color:#fff
- π IBM System Sciences (1981) and NIST (2002) studies both confirm the curve. The slope flattens in modern fast-feedback teams, but the order of magnitude holds
- π― DevSecOps in one diagram: push every security check as far left as it will still produce useful signal
- πͺ Shift-Left = run security checks earlier in the pipeline, where fixes are cheap
β οΈ But: "shift-left" doesn't mean "only left" β runtime threats still need runtime defense (Lecture 9)- πͺ In this course: every lab maps to a leftward shift of one specific control:
| π οΈ Control | π Where it shifts to | π§ͺ Lab |
|---|---|---|
| Threat modeling | Design | L2 |
| Secret leak detection | Pre-commit | L3 |
| SAST | PR build | L5 |
| SCA / SBOM | Build | L4 |
| IaC scanning | PR build | L6 |
| Image scan | Image build | L7 |
| Signing/verification | Deploy gate | L8 |
| Runtime detection | Cluster | L9 |
- π§ The opposite of shift-left is "shift-right-only" = a SOC reading post-mortems. Both ends are valid; the middle is where DevSecOps adds value
| ποΈ Pillar | π― What it means | π₯ What goes wrong without it |
|---|---|---|
| π₯ Culture | Shared accountability; "if a dev wrote it, a dev fixes it" | Security team becomes the bottleneck; devs throw work over the wall |
| π οΈ Process | Threat modeling, defined SLAs, post-incident reviews | Heroics; same vulns ship every release |
| π€ Tools | Automated SAST/DAST/SCA/IaC/runtime in the pipeline | Manual scans = quarterly findings dump nobody reads |
- πͺ The DORA report (2022 onward) consistently finds that DevSecOps maturity correlates more with culture + process than tool spend
- π§ͺ "Tools are necessary but not sufficient." If we only taught tools this course would be 3 weeks long. It's 10 weeks because process and culture matter more.
graph TB
CIA[π Classical CIA] --> C[π Confidentiality<br/>only authorized see]
CIA --> I[β
Integrity<br/>only authorized change]
CIA --> A[π’ Availability<br/>authorized always reach]
CIA -.modern.-> AU[πͺͺ Authenticity<br/>identity is real]
CIA -.modern.-> NR[π Non-Repudiation<br/>can't deny the action]
style C fill:#2196F3,color:#fff
style I fill:#4CAF50,color:#fff
style A fill:#FF9800,color:#fff
- ποΈ CIA Triad: classical model, dates to a 1976 US Air Force report (Anderson)
- πͺͺ Authenticity matters now because of phishing + AI-generated content
- π Non-Repudiation matters now because of regulatory reporting (GDPR, HIPAA)
- π§ Lab 3 (signed commits) is the first non-repudiation control you'll deploy
- π OWASP = Open Worldwide Application Security Project β community-driven non-profit, founded 2001
- π The Top 10 is a periodic ranking of the most critical web app risks. Releases: 2003, 2004, 2007, 2010, 2013, 2017, 2021, 2025
- π OWASP Top 10:2025 β announced November 2025, final release January 2026 β built on 175,000+ CVE records + practitioner surveys
- π What's new vs 2021:
- π A02: Software Supply Chain Failures (replaced/expanded "Vulnerable and Outdated Components")
- π A10: Mishandling of Exceptional Conditions
- πͺ SSRF absorbed into Broken Access Control (it was a category of its own in 2021)
| # | π·οΈ Category | π― Plain English |
|---|---|---|
| A01 | Broken Access Control | Users do things they shouldn't be allowed to (now includes SSRF) |
| A02 | Software Supply Chain Failures π | Compromised libs, broken provenance |
| A03 | Cryptographic Failures | Weak/missing encryption, hard-coded secrets |
| A04 | Injection | SQL, NoSQL, command, LDAP β untrusted input as code |
| A05 | Insecure Design | The architecture invites the bug |
| A06 | Security Misconfiguration | Defaults, debug pages, open S3 buckets |
| A07 | Identification & Authentication Failures | Weak passwords, broken MFA, session fixation |
| A08 | Software & Data Integrity Failures | Unsigned updates, unsafe deserialization |
| A09 | Security Logging & Monitoring Failures | Can't detect because we can't see |
| A10 | Mishandling of Exceptional Conditions π | Error paths leak info, fail-open instead of fail-closed |
- π§ Every lab in this course defends against at least one A0X category. Worth bookmarking this slide
# β Vulnerable β string concatenation
def get_user(username):
cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")
# Input: bob' OR '1'='1
# Becomes: SELECT * FROM users WHERE name = 'bob' OR '1'='1'
# β
Safe β parameterized query
def get_user(username):
cursor.execute("SELECT * FROM users WHERE name = ?", (username,))- π§ The fix is trivial when developers know it. The teaching problem is that string concat looks fine until you imagine an attacker
- πͺ Lab 5 (SAST with Semgrep) will catch this exact pattern automatically β your first concrete shift-left win
- π― OWASP Juice Shop ships 6 SQL injection challenges as of v19; you'll find them with Semgrep before you find them by hand
- ποΈ July 19, 2019 β Paige Thompson (former AWS employee) exploits a misconfigured WAF at Capital One via SSRF
- πͺ The WAF's IAM role had wildcard
s3:Get*/s3:List*across 700+ buckets - πΎ Exfiltration: 106 million records, 140,000 SSNs
- π° Settlement: $190M
- π§ The lessons in DevSecOps terms:
- ποΈ IaC scan (L6) would have flagged the wildcard IAM
- π― Threat modeling (L2) would have surfaced the metadata service as a trust boundary
- π Runtime detection (L9) on outbound S3 calls would have caught the exfiltration mid-flight
- ποΈ November 24, 2021 β Alibaba security team discloses CVE-2021-44228 (CVSS 10.0) in Log4j 2
- π Log4j is everywhere β embedded in millions of Java apps, including Minecraft, iCloud, Steam, Tesla
- π The bug: log messages are interpreted as JNDI lookups β arbitrary code execution from a log line
- π December 9, 2021: PoC goes public. The internet rewrites Christmas plans
- π§ In DevSecOps terms:
- π SBOM (L4) β could you instantly say "do my services depend on Log4j 2?" Most companies couldn't on day one
- π Supply-chain signing (L8) β verifying provenance doesn't fix vuln deps, but it lets you know which exact version you have, fast
- π Runtime detection (L9) β Falco rules for unusual JNDI lookups shipped within 24 hours
π€ Think: Log4Shell was a code-level bug, but every defense that worked was at a higher layer (SBOM, runtime detection). What does that tell you about defense-in-depth?
flowchart LR
R[π Requirements] --> D[π Design]
D --> I[π» Implement]
I --> V[π§ͺ Verify]
V --> O[π Operate]
O -.feedback.-> R
style R fill:#FF9800,color:#fff
style D fill:#9C27B0,color:#fff
style I fill:#2196F3,color:#fff
style V fill:#4CAF50,color:#fff
style O fill:#F44336,color:#fff
| πͺ Phase | π‘οΈ DevSecOps practice | π§ͺ Lab |
|---|---|---|
| Requirements | Security stories, abuse cases | (Lecture-only) |
| Design | Threat modeling (STRIDE), data classification | L2 |
| Implement | Signed commits, secret scanning, secure coding | L3 |
| Verify | SAST, DAST, IaC scan, container scan, SBOM/SCA | L4βL8 |
| Operate | Runtime detection, vuln management, metrics | L9βL10 |
- πͺ The whole point of this course is that practice goes in each phase β by Week 10 you'll have something running in every one
- ποΈ OWASP SAMM β Software Assurance Maturity Model β 4 levels Γ 15 practices. We'll do a proper walkthrough in Lecture 9
- π BSIMM β Building Security In Maturity Model β descriptive, annual report (BSIMM 16 in January 2026, based on 111 orgs)
- πͺ A typical org distribution (2026 BSIMM data):
- Level 0: <10% (no formal program)
- Level 1: ~40% (ad-hoc, person-dependent)
- Level 2: ~40% (documented, repeatable)
- Level 3: ~10% (measured, continuously improved)
- π― End-of-course goal: every student should be able to describe a Level 2 program and identify one concrete gap to push their team toward Level 3 β this is exam-territory material
| π§βπΌ Role | π― Responsibility | π Where you meet them in the course |
|---|---|---|
| π©βπ» Developer | Writes code, runs SAST locally, fixes findings | Every lab |
| π DevOps/SRE | Maintains the pipeline; deploys hardening | L4, L7 |
| π‘οΈ Security Engineer | Writes detection rules, custom policies | L6, L9 |
| π¦Έ Security Champion | Developer trained in security; embeds in dev teams | Lecture-only |
| π― Security Architect | Designs trust boundaries, signs off threat models | L2 |
| π Security Manager | Owns metrics, SLAs, exec reporting | L10 |
- πͺ "Security Champion" is the role that scales DevSecOps in real orgs β one developer per team trained to push back on PRs that ship vulnerable code. Read the OWASP Security Champions Playbook (v2.0, 2024) when you have a quiet hour
| π± Myth | π§ Reality |
|---|---|
| "Security slows us down" | DORA 2024: high-performing security teams ship more often than low-performing ones |
| "We'll do security after MVP" | The MVP becomes legacy; security tech debt compounds at 1.7x/year |
| "We have a firewall" | Modern apps speak HTTPS through firewalls; perimeter security is a 1990s mental model |
| "Our scanner shows 0 critical, so we're secure" | Scanners find known bugs. Your unknowns are your unknowns. (Threat modeling, L2) |
| "That's the security team's problem" | The security team can't be in every PR. Distributed ownership is the only model that scales |
- π§ You'll hear at least three of these in the first month of any real DevSecOps job. The point of this course is to give you the data + stories to push back without sounding theoretical
Books to keep on your desk:
| π Book | βοΈ Why |
|---|---|
| DevOpsSec β Jim Bird (O'Reilly, 2016, free PDF) | Still the most accessible DevSecOps overview; 80 pages |
| Securing DevOps β Julien Vehent (Manning, 2018) | Real Mozilla pipeline walkthrough; ch. 2 maps tools to phases |
| The DevOps Handbook β Kim, Humble, Debois, Willis (2nd ed., 2021) | The DevOps cultural foundation that DevSecOps extends |
| Web Application Security β Andrew Hoffman (O'Reilly, 2020) | Companion to Juice Shop attacks; ch. 4 maps to A03/A07 |
Talks (1β2 hours, worth your time):
- π₯ "Continuous Delivery + DevSecOps: The Marriage" β Jez Humble, GOTO 2019
- π₯ "How Mozilla Does DevSecOps" β Julien Vehent, AppSec EU 2018
- π₯ "OWASP Top 10:2025 β What Changed and Why" β Andrew van der Stock (OWASP), Global AppSec 2025
Standards & specs (bookmark them):
- π OWASP Top 10:2025
- π OWASP Juice Shop
- π NIST SSDF (SP 800-218) β the canonical secure-SDLC standard
Next week: Lecture 2 β Threat Modeling with STRIDE and Threagile. Bring a system diagram of any app you've worked on; we'll model it.
π¬ "Security is not a product, but a process." β Bruce Schneier, Secrets and Lies (Wiley, 2000) β and still true 26 years later.