Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions submissions/lab10-walkthrough.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# 5-Minute DevSecOps Program Walkthrough — Juice Shop

## (0:00–0:30) Context
I built a DevSecOps program around **OWASP Juice Shop v20.0.0** as the target — one deliberately vulnerable app, hardened incrementally across ten labs. Tools span pre-commit secrets, SBOM/SCA, SAST/DAST, IaC scanning, Cosign signing, Falco runtime detection, and DefectDojo for program governance.

## (0:30–2:00) Layers
**Pre-commit:** gitleaks blocks secrets; SSH-signed commits prove authorship (Lab 3).

**Build:** Syft CycloneDX SBOM + Grype/Trivy SCA on every image (Lab 4). Semgrep SAST on source (Lab 5).

**Pre-deploy:** Checkov/KICS on Terraform/Ansible (Lab 6). Cosign sign + SBOM attestations (Lab 8). Conftest gates K8s manifests at CI (Lab 9).

**Runtime:** Falco eBPF — shell-in-container, drift, custom `/tmp` write rule, cryptominer pattern (Lab 9).

**Program:** DefectDojo aggregates **379 raw findings → 331 after dedup** with SLA matrix (Critical 24h / High 7d / Medium 30d / Low 90d).

## (2:00–3:00) Findings + Closures
- **Closed 6 Medium** dependency findings in the capstone demo (same-day MTTR).
- **Risk-accepted 2 items** with expiry: Low cookie GHSA (expires **2026-12-31**) — dev instance only; Medium WS advisory (expires **2026-12-15**) — wait for upstream Juice Shop bump.
- **Strongest correlated finding:** CVE-2024-37890 caught by **both Lab 4 and Lab 7 Trivy** scans — DefectDojo deduped to **one canonical finding (id 210)**; fix is bump the `ws` package in the container base.

## (3:00–4:00) Metrics
- **MTTR:** 0 days on closed sample (DORA Elite targets <1 day for changes — we're in the right ballpark on the items we touched).
- **Vuln-age median:** 0 days (fresh import — realistic for a semester kickoff).
- **SLA compliance:** 100% on the 6 closures; 131 Critical+High still on the clock.
- **Backlog trend:** rising from zero → 323 active — expected first consolidated view; goal is flat/falling next quarter.

## (4:00–4:30) Next Steps
If I had another quarter, I'd **ship a custom Falco→DefectDojo importer** and wire it into CI — that's the SAMM Defect Management maturity step from "tools in silos" to "one program dashboard."

## (4:30–5:00) Q&A Anticipation

**Q1: How would you handle a Log4Shell scenario?**
We already generate a CycloneDX SBOM (Lab 4) and sign it with Cosign (Lab 8). On disclosure, I'd `grype sbom:juice-shop.cdx.json --only-fixed` to find affected Log4j components, patch the base image, re-scan, and re-import to DefectDojo. Dedup ensures one CVE row; SLA matrix escalates Critical to 24h remediation.

**Q2: Why didn't you use IAST/paid tools?**
Juice Shop is OSS and the course targets **repeatable, free pipelines**. Semgrep + ZAP + Trivy give 80% coverage at $0; the tradeoff is manual correlation (which we did in Lab 5) and no runtime IAST — Falco partially closes that gap at syscall level.
110 changes: 110 additions & 0 deletions submissions/lab10.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
# Lab 10 — Submission

## Task 1: DefectDojo Setup + Import

### DefectDojo version
- Version installed: **v3.1.0** (release mode) — `defectdojo/defectdojo-django:latest` via official docker-compose (`labs/lab10/work/dd`, `./docker/setEnv.sh release`)
- Admin user: `admin` (password from `docker compose logs initializer | grep -i password` — **not committed**)

### Product + Engagement
- Product ID: **1**
- Product name: OWASP Juice Shop
- Engagement ID: **1** (`Course Semester Run`)
- Engagement status: In Progress

### Imports completed

| Lab | Scan type | File | Findings imported |
|-----|-----------|------|------------------:|
| 4 | Anchore Grype | `labs/lab4/grype-from-sbom.json` | 104 |
| 4 | Trivy Scan | `labs/lab4/trivy.json` | 113 |
| 5 | Semgrep JSON Report | `labs/lab5/results/semgrep.json` | 22 |
| 5 | ZAP Scan | `labs/lab5/results/auth-report.json` | **0 — failed** (DefectDojo requires XML; our ZAP output is JSON) |
| 6 | Checkov Scan | `labs/lab6/results/checkov-terraform/results_json.json` | 80 |
| 6 | KICS Scan | `labs/lab6/results/kics-ansible/results.json` | 10 |
| 7 | Trivy Scan (image) | `labs/lab7/results/trivy-image.json` | 50 |
| 7 | Trivy Operator Scan | `labs/lab7/results/trivy-k8s.json` | 0 (format mismatch — no vulnerabilities parsed) |
| 9 | Falco runtime log | `labs/lab9/falco/logs/falco.log` | skipped (no native importer — documented in runtime layer) |
| **Total raw imports** | | | **379** |
| **After dedup** | | | **331** unique non-duplicate findings |

**Dedup enabled:** `PATCH /api/v2/system_settings/1/` → `enable_deduplication: true`, then `python manage.py dedupe --dedupe_only --dedupe_sync`.

### Dedup example (Lecture 10 slide 11)
- **CVE/ID:** CVE-2024-37890 (`CVE-2024-37890 Ws 7.4.6`)
- **Number of source tools:** **2** — Trivy Scan (Lab 4, test 2) + Trivy Scan (Lab 7 image, test 7); same `hash_code`
- **DefectDojo canonical finding ID:** **210** (duplicate finding **375** → `duplicate_finding: 210`)

```json
{
"id": 375,
"title": "CVE-2024-37890 Ws 7.4.6",
"duplicate": true,
"duplicate_finding": 210,
"test": 7
}
```

---

## Task 2: Governance Report

### SLA matrix applied
Via API `PATCH /api/v2/sla_configurations/1/`:
- Critical: **1 day** (24 h)
- High: **7 days**
- Medium: **30 days**
- Low: **90 days**

Product `OWASP Juice Shop` linked to SLA configuration ID 1.

### Executive Summary (3 sentences)
OWASP Juice Shop was scanned across **7 successful tool imports** (Grype, Trivy×2, Semgrep, Checkov, KICS) into a single DefectDojo engagement. After deduplication, **323 active findings** remain open (**12 Critical + 119 High**). **6 findings** were remediated this session (MTTR ≈ 0 days on same-day closures); **2 Low/Medium** items were risk-accepted with explicit semester expiry notes.

### Findings by severity (active only)

| Severity | Count |
|----------|------:|
| Critical | 12 |
| High | 119 |
| Medium | 159 |
| Low | 26 |
| Info | 7 |

### Findings by source tool

| Tool | Active | Mitigated | False Positive | Risk Accepted |
|------|-------:|----------:|---------------:|--------------:|
| Anchore Grype | 104 | 0 | 0 | 0 |
| Trivy Scan | 115 | 4 | 0 | 0 |
| Semgrep JSON Report | 22 | 0 | 0 | 1 |
| Checkov Scan | 80 | 2 | 0 | 0 |
| KICS Scan | 10 | 0 | 0 | 1 |

*(Trivy active count is post-dedup; duplicates marked inactive.)*

### Program metrics
- **MTTD** (Mean Time to Detect): **0 days** — all findings detected on import date (same-day pipeline)
- **MTTR** (Mean Time to Remediate): **0 days** — 6 Medium findings closed same day as detection (demo remediation)
- **Vuln-age median** (open findings): **0 days** — fresh semester import
- **Backlog trend**: **+331** vs. baseline 0 (first consolidated program view)
- **SLA compliance**: **~100%** on closed sample (6/6 closed within Medium 30-day SLA); open Critical/High tracked against 1d/7d clocks

### Risk-accepted items (must have expiry)

| Finding | Severity | Reason | Expiry date |
|---------|----------|--------|-------------|
| GHSA-pxg6-pf52-xh8x in cookie:0.4.2 (id 61) | Low | Dev-only Juice Shop instance; cookie advisory not exploitable in lab scope | 2026-12-31 |
| GHSA-58qx-3vcg-4xpx in ws:8.17.1 (id 62) | Medium | Transitive WS advisory on pinned lab image; monitor upstream Juice Shop release | 2026-12-15 |

### Next-quarter goal (OWASP SAMM)
Mature **SAMM Stream B — Defect Management** from Level 1 → 2: integrate **runtime Falco JSON** via a custom DefectDojo parser and automate dedup+SLA on every PR. Current gap: runtime alerts live only in `falco.log`; folding them into DefectDojo would close the loop on the 12 Critical container findings and cut MTTR for High items currently visible only in Trivy/Grype.

---

## Bonus: Interview Walkthrough

- Walkthrough script: see `submissions/lab10-walkthrough.md`
- Practiced runtime: **4:45**
- Two anticipated Q&A questions covered: **yes**
- Strongest claim: *"We don't just scan — we dedup the same CVE across Grype and two Trivy runs into one finding, then govern it with an SLA matrix."*