Skip to content

Latest commit

Β 

History

History
362 lines (272 loc) Β· 18.1 KB

File metadata and controls

362 lines (272 loc) Β· 18.1 KB

πŸ“Œ Lecture 1 β€” DevSecOps Foundations: From "Add Security Later" to "Security Everywhere"


πŸ“ Slide 1 – πŸ’₯ The $1.4 Billion Patch That Wasn't Applied

  • πŸ—“οΈ March 7, 2017 β€” Apache discloses CVE-2017-5638, an RCE in Struts 2. Patch ships the same day. CVSS 10.0
  • πŸ“§ March 9: Equifax's security team emails the patch directive across the company
  • πŸŒ€ The vulnerable web portal isn't on the inventory the directive used. It is missed
  • πŸ—“οΈ March 10: someone is already exploiting it
  • πŸ’Ύ May 13 – July 30: 147 million records exfiltrated β€” names, SSNs, birth dates, license numbers
  • 🚨 July 29: Equifax discovers the breach. CEO and CISO resign within weeks
  • πŸ’° Final cost: ~$1.4 billion in remediation + settlements

πŸ€” Think: The patch existed. The directive went out. The fix was free. What process failure cost a billion dollars? That gap β€” between "we have a security control" and "the control actually catches the bug" β€” is what this course is about.


πŸ“ Slide 2 – 🎯 Learning Outcomes (this lecture)

# πŸŽ“ Outcome
1 βœ… Define DevSecOps and explain how it differs from "DevOps + a security tool"
2 βœ… Place the shift-left philosophy on a real cost-of-defect curve
3 βœ… Recite the OWASP Top 10 (2025) categories and what changed from 2021
4 βœ… Walk through three real breaches (Equifax 2017, Capital One 2019, Log4Shell 2021) and identify which DevSecOps practice each one would have caught
5 βœ… Describe what your DevSecOps pipeline will look like by the end of the course

πŸ“ Slide 3 – πŸ—ΊοΈ Course Map: Where We're Going

graph LR
    L1["πŸ›οΈ L1 Foundations<br/>(this)"] --> L2["🎯 L2 Threat<br/>modeling"]
    L2 --> L3["πŸ” L3 Secure<br/>Git"]
    L3 --> L4["πŸš€ L4 CI/CD<br/>security"]
    L4 --> L5["πŸ§ͺ L5 SAST/<br/>DAST"]
    L5 --> L6["πŸ—οΈ L6 IaC<br/>scanning"]
    L6 --> L7["πŸ“¦ L7 Container<br/>security"]
    L7 --> L8["πŸ” L8 Supply<br/>chain"]
    L8 --> L9["πŸ“Š L9 Runtime +<br/>metrics"]
    L9 --> L10["🎯 L10 Vuln<br/>management"]

    style L1 fill:#FF9800,color:#fff
    style L10 fill:#4CAF50,color:#fff
Loading
  • 🎯 Through-line: every lab targets OWASP Juice Shop β€” the most famously broken web app in the world. By Week 10 you'll have run every defensive practice against the same attack surface
  • πŸͺœ The arc: culture β†’ modeling β†’ write secure code β†’ ship secure code β†’ scan secure code β†’ secure infrastructure β†’ secure containers β†’ secure supply chain β†’ detect at runtime β†’ triage findings

πŸ“ Slide 4 – 🍹 The Project: OWASP Juice Shop

  • πŸ—οΈ Maintained by BjΓΆrn Kimminich since 2014; OWASP Flagship project since 2018
  • πŸ› Ships with >100 challenges representing every OWASP Top 10 category and more
  • 🚒 Docker one-liner: docker run -d -p 3000:3000 bkimminich/juice-shop:v19.0.0
  • 🎯 Why Juice Shop is the canonical learning target:
    • Realistic stack (Node.js, Angular, SQLite, JWT, file uploads)
    • Bugs are intentional but realistic β€” not "use eval(user_input)" toy examples
    • Has a known set of CVEs to find β€” your scanner output can be checked against ground truth
  • πŸ§ͺ Lab 1 deploys it; Labs 4, 5, 7, 8, 10 keep attacking it from different angles

πŸ’¬ "Juice Shop is a deliberately broken application β€” but unlike most CTF apps, it's broken in exactly the way real applications are broken." β€” BjΓΆrn Kimminich, OWASP Global AppSec 2022


πŸ“ Slide 5 – 🧭 What Is DevSecOps?

flowchart LR
    Dev["πŸ‘©β€πŸ’» Dev"] -.-> Build["πŸ—οΈ Build"]
    Ops["πŸ–₯️ Ops"] -.-> Build
    Sec["πŸ›‘οΈ Sec"] -.-> Build
    Build --> DevSecOps["πŸš€ DevSecOps<br/>Continuous, automated security<br/>at every stage"]

    style DevSecOps fill:#FF9800,color:#fff
Loading
  • πŸ§‘β€πŸ« Definition (Gartner, Neil MacDonald, 2012): "DevSecOps is the practice of integrating security controls and processes into the DevOps approach β€” automated, transparent, and continuous."
  • πŸͺœ DevOps + a SAST tool β‰  DevSecOps. The defining shift is cultural: security is everyone's job, executed as code, early and often
  • πŸ—“οΈ The term gained traction at AWS re:Invent 2015 when teams started publishing pipeline blueprints
  • πŸ“š First book-length treatment: "DevOpsSec" by Jim Bird (O'Reilly, 2016)
  • 🚫 What DevSecOps is NOT:
    • Not a tool you buy
    • Not "the security team approves the pipeline"
    • Not a one-time audit before launch

πŸ“ Slide 6 – πŸ•°οΈ A 25-Year Timeline

πŸ—“οΈ Year πŸ“ Milestone
2001 Manifesto for Agile Software Development β€” Snowbird, UT
2009 Patrick Debois coins "DevOps" at the first DevOpsDays (Ghent, BE)
2010 OWASP Top 10 first ranked edition
2012 Gartner report introduces DevSecOps term β€” Neil MacDonald
2014 More Agile Testing (Crispin & Gregory) early uses "DevSecOps" in print
2015 DevSecOps becomes a track at AWS re:Invent + RSA
2016 First book-length treatment β€” DevOpsSec (Jim Bird, O'Reilly)
2017 Equifax breach β€” DevSecOps becomes a boardroom topic
2020 SolarWinds β€” supply-chain security joins the agenda
2021 Log4Shell β€” runtime detection joins the agenda
2024 NIST CSF 2.0 adds the Govern function
2025 OWASP Top 10:2025 published; supply-chain failures get their own category

πŸ“ Slide 7 – πŸ’Έ The Cost-of-Defect Curve

πŸ’¬ "The cost of fixing a defect grows roughly 10x at each stage of the SDLC." β€” Barry Boehm, Software Engineering Economics (Prentice Hall, 1981)

graph LR
    R[πŸ“ Requirements<br/>~$1] --> D[πŸ“ Design<br/>~$10]
    D --> C[πŸ’» Code<br/>~$100]
    C --> T[πŸ§ͺ Testing<br/>~$1000]
    T --> P[🚨 Production<br/>~$10,000+]

    style R fill:#4CAF50,color:#fff
    style P fill:#F44336,color:#fff
Loading
  • πŸ“Š IBM System Sciences (1981) and NIST (2002) studies both confirm the curve. The slope flattens in modern fast-feedback teams, but the order of magnitude holds
  • 🎯 DevSecOps in one diagram: push every security check as far left as it will still produce useful signal

πŸ“ Slide 8 – ⬅️ Shift-Left, Pragmatically

  • πŸͺœ Shift-Left = run security checks earlier in the pipeline, where fixes are cheap
  • ⚠️ But: "shift-left" doesn't mean "only left" β€” runtime threats still need runtime defense (Lecture 9)
  • πŸͺ› In this course: every lab maps to a leftward shift of one specific control:
πŸ› οΈ Control πŸ“ Where it shifts to πŸ§ͺ Lab
Threat modeling Design L2
Secret leak detection Pre-commit L3
SAST PR build L5
SCA / SBOM Build L4
IaC scanning PR build L6
Image scan Image build L7
Signing/verification Deploy gate L8
Runtime detection Cluster L9
  • 🧠 The opposite of shift-left is "shift-right-only" = a SOC reading post-mortems. Both ends are valid; the middle is where DevSecOps adds value

πŸ“ Slide 9 – πŸͺœ Three Pillars (Culture, Process, Tools)

πŸ›οΈ Pillar 🎯 What it means πŸ”₯ What goes wrong without it
πŸ‘₯ Culture Shared accountability; "if a dev wrote it, a dev fixes it" Security team becomes the bottleneck; devs throw work over the wall
πŸ› οΈ Process Threat modeling, defined SLAs, post-incident reviews Heroics; same vulns ship every release
πŸ€– Tools Automated SAST/DAST/SCA/IaC/runtime in the pipeline Manual scans = quarterly findings dump nobody reads
  • πŸͺœ The DORA report (2022 onward) consistently finds that DevSecOps maturity correlates more with culture + process than tool spend
  • πŸ§ͺ "Tools are necessary but not sufficient." If we only taught tools this course would be 3 weeks long. It's 10 weeks because process and culture matter more.

πŸ“ Slide 10 – πŸ”’ The CIA Triad β€” and Two Modern Additions

graph TB
    CIA[πŸ” Classical CIA] --> C[πŸ” Confidentiality<br/>only authorized see]
    CIA --> I[βœ… Integrity<br/>only authorized change]
    CIA --> A[🟒 Availability<br/>authorized always reach]
    CIA -.modern.-> AU[πŸͺͺ Authenticity<br/>identity is real]
    CIA -.modern.-> NR[πŸ“œ Non-Repudiation<br/>can't deny the action]

    style C fill:#2196F3,color:#fff
    style I fill:#4CAF50,color:#fff
    style A fill:#FF9800,color:#fff
Loading
  • πŸ›οΈ CIA Triad: classical model, dates to a 1976 US Air Force report (Anderson)
  • πŸͺͺ Authenticity matters now because of phishing + AI-generated content
  • πŸ“œ Non-Repudiation matters now because of regulatory reporting (GDPR, HIPAA)
  • 🧠 Lab 3 (signed commits) is the first non-repudiation control you'll deploy

πŸ“ Slide 11 – πŸ† OWASP and the Top 10:2025

  • 🌐 OWASP = Open Worldwide Application Security Project β€” community-driven non-profit, founded 2001
  • πŸ† The Top 10 is a periodic ranking of the most critical web app risks. Releases: 2003, 2004, 2007, 2010, 2013, 2017, 2021, 2025
  • πŸ†• OWASP Top 10:2025 β€” announced November 2025, final release January 2026 β€” built on 175,000+ CVE records + practitioner surveys
  • πŸ”„ What's new vs 2021:
    • πŸ†• A02: Software Supply Chain Failures (replaced/expanded "Vulnerable and Outdated Components")
    • πŸ†• A10: Mishandling of Exceptional Conditions
    • πŸͺœ SSRF absorbed into Broken Access Control (it was a category of its own in 2021)

πŸ“ Slide 12 – πŸ”₯ OWASP Top 10:2025 β€” The List

# 🏷️ Category 🎯 Plain English
A01 Broken Access Control Users do things they shouldn't be allowed to (now includes SSRF)
A02 Software Supply Chain Failures πŸ†• Compromised libs, broken provenance
A03 Cryptographic Failures Weak/missing encryption, hard-coded secrets
A04 Injection SQL, NoSQL, command, LDAP β€” untrusted input as code
A05 Insecure Design The architecture invites the bug
A06 Security Misconfiguration Defaults, debug pages, open S3 buckets
A07 Identification & Authentication Failures Weak passwords, broken MFA, session fixation
A08 Software & Data Integrity Failures Unsigned updates, unsafe deserialization
A09 Security Logging & Monitoring Failures Can't detect because we can't see
A10 Mishandling of Exceptional Conditions πŸ†• Error paths leak info, fail-open instead of fail-closed
  • 🧠 Every lab in this course defends against at least one A0X category. Worth bookmarking this slide

πŸ“ Slide 13 – πŸ’‰ Why Injection Hasn't Left the Top 10 in 20 Years

# ❌ Vulnerable β€” string concatenation
def get_user(username):
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")
    # Input: bob' OR '1'='1
    # Becomes: SELECT * FROM users WHERE name = 'bob' OR '1'='1'

# βœ… Safe β€” parameterized query
def get_user(username):
    cursor.execute("SELECT * FROM users WHERE name = ?", (username,))
  • 🧠 The fix is trivial when developers know it. The teaching problem is that string concat looks fine until you imagine an attacker
  • πŸͺœ Lab 5 (SAST with Semgrep) will catch this exact pattern automatically β€” your first concrete shift-left win
  • 🎯 OWASP Juice Shop ships 6 SQL injection challenges as of v19; you'll find them with Semgrep before you find them by hand

πŸ“ Slide 14 – πŸ”¬ Case Study: Capital One (2019)

  • πŸ—“οΈ July 19, 2019 β€” Paige Thompson (former AWS employee) exploits a misconfigured WAF at Capital One via SSRF
  • πŸͺœ The WAF's IAM role had wildcard s3:Get* / s3:List* across 700+ buckets
  • πŸ’Ύ Exfiltration: 106 million records, 140,000 SSNs
  • πŸ’° Settlement: $190M
  • 🧠 The lessons in DevSecOps terms:
    • πŸ—οΈ IaC scan (L6) would have flagged the wildcard IAM
    • 🎯 Threat modeling (L2) would have surfaced the metadata service as a trust boundary
    • πŸ“Š Runtime detection (L9) on outbound S3 calls would have caught the exfiltration mid-flight

πŸ“ Slide 15 – πŸ”¬ Case Study: Log4Shell (2021)

  • πŸ—“οΈ November 24, 2021 β€” Alibaba security team discloses CVE-2021-44228 (CVSS 10.0) in Log4j 2
  • 🌍 Log4j is everywhere β€” embedded in millions of Java apps, including Minecraft, iCloud, Steam, Tesla
  • πŸ› The bug: log messages are interpreted as JNDI lookups β†’ arbitrary code execution from a log line
  • 🐍 December 9, 2021: PoC goes public. The internet rewrites Christmas plans
  • 🧠 In DevSecOps terms:
    • πŸ“‹ SBOM (L4) β€” could you instantly say "do my services depend on Log4j 2?" Most companies couldn't on day one
    • πŸ” Supply-chain signing (L8) β€” verifying provenance doesn't fix vuln deps, but it lets you know which exact version you have, fast
    • πŸ“Š Runtime detection (L9) β€” Falco rules for unusual JNDI lookups shipped within 24 hours

πŸ€” Think: Log4Shell was a code-level bug, but every defense that worked was at a higher layer (SBOM, runtime detection). What does that tell you about defense-in-depth?


πŸ“ Slide 16 – 🧩 Secure SDLC: The Five Phases

flowchart LR
    R[πŸ“ Requirements] --> D[πŸ“ Design]
    D --> I[πŸ’» Implement]
    I --> V[πŸ§ͺ Verify]
    V --> O[πŸš€ Operate]
    O -.feedback.-> R

    style R fill:#FF9800,color:#fff
    style D fill:#9C27B0,color:#fff
    style I fill:#2196F3,color:#fff
    style V fill:#4CAF50,color:#fff
    style O fill:#F44336,color:#fff
Loading
πŸͺœ Phase πŸ›‘οΈ DevSecOps practice πŸ§ͺ Lab
Requirements Security stories, abuse cases (Lecture-only)
Design Threat modeling (STRIDE), data classification L2
Implement Signed commits, secret scanning, secure coding L3
Verify SAST, DAST, IaC scan, container scan, SBOM/SCA L4–L8
Operate Runtime detection, vuln management, metrics L9–L10
  • πŸͺœ The whole point of this course is that practice goes in each phase β€” by Week 10 you'll have something running in every one

πŸ“ Slide 17 – πŸͺœ Maturity Models β€” Where You'll End Up

  • πŸ›οΈ OWASP SAMM β€” Software Assurance Maturity Model β€” 4 levels Γ— 15 practices. We'll do a proper walkthrough in Lecture 9
  • πŸ“Š BSIMM β€” Building Security In Maturity Model β€” descriptive, annual report (BSIMM 16 in January 2026, based on 111 orgs)
  • πŸͺœ A typical org distribution (2026 BSIMM data):
    • Level 0: <10% (no formal program)
    • Level 1: ~40% (ad-hoc, person-dependent)
    • Level 2: ~40% (documented, repeatable)
    • Level 3: ~10% (measured, continuously improved)
  • 🎯 End-of-course goal: every student should be able to describe a Level 2 program and identify one concrete gap to push their team toward Level 3 β€” this is exam-territory material

πŸ“ Slide 18 – 🏒 Roles in a DevSecOps Team

πŸ§‘β€πŸ’Ό Role 🎯 Responsibility πŸ‘€ Where you meet them in the course
πŸ‘©β€πŸ’» Developer Writes code, runs SAST locally, fixes findings Every lab
πŸš€ DevOps/SRE Maintains the pipeline; deploys hardening L4, L7
πŸ›‘οΈ Security Engineer Writes detection rules, custom policies L6, L9
🦸 Security Champion Developer trained in security; embeds in dev teams Lecture-only
🎯 Security Architect Designs trust boundaries, signs off threat models L2
πŸ“Š Security Manager Owns metrics, SLAs, exec reporting L10
  • πŸͺœ "Security Champion" is the role that scales DevSecOps in real orgs β€” one developer per team trained to push back on PRs that ship vulnerable code. Read the OWASP Security Champions Playbook (v2.0, 2024) when you have a quiet hour

πŸ“ Slide 19 – 🚫 The Five Myths You'll Hear at Your First Job

😱 Myth 🧠 Reality
"Security slows us down" DORA 2024: high-performing security teams ship more often than low-performing ones
"We'll do security after MVP" The MVP becomes legacy; security tech debt compounds at 1.7x/year
"We have a firewall" Modern apps speak HTTPS through firewalls; perimeter security is a 1990s mental model
"Our scanner shows 0 critical, so we're secure" Scanners find known bugs. Your unknowns are your unknowns. (Threat modeling, L2)
"That's the security team's problem" The security team can't be in every PR. Distributed ownership is the only model that scales
  • 🧠 You'll hear at least three of these in the first month of any real DevSecOps job. The point of this course is to give you the data + stories to push back without sounding theoretical

πŸ“ Slide 20 – πŸ“š Resources & What's Next

Books to keep on your desk:

πŸ“– Book ✍️ Why
DevOpsSec β€” Jim Bird (O'Reilly, 2016, free PDF) Still the most accessible DevSecOps overview; 80 pages
Securing DevOps β€” Julien Vehent (Manning, 2018) Real Mozilla pipeline walkthrough; ch. 2 maps tools to phases
The DevOps Handbook β€” Kim, Humble, Debois, Willis (2nd ed., 2021) The DevOps cultural foundation that DevSecOps extends
Web Application Security β€” Andrew Hoffman (O'Reilly, 2020) Companion to Juice Shop attacks; ch. 4 maps to A03/A07

Talks (1–2 hours, worth your time):

  • πŸŽ₯ "Continuous Delivery + DevSecOps: The Marriage" β€” Jez Humble, GOTO 2019
  • πŸŽ₯ "How Mozilla Does DevSecOps" β€” Julien Vehent, AppSec EU 2018
  • πŸŽ₯ "OWASP Top 10:2025 β€” What Changed and Why" β€” Andrew van der Stock (OWASP), Global AppSec 2025

Standards & specs (bookmark them):

Next week: Lecture 2 β€” Threat Modeling with STRIDE and Threagile. Bring a system diagram of any app you've worked on; we'll model it.

πŸ’¬ "Security is not a product, but a process." β€” Bruce Schneier, Secrets and Lies (Wiley, 2000) β€” and still true 26 years later.