Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
## Goal
Describe what this PR delivers in one sentence.

## Changes
- Added / updated:
- `submissions/lab1.md`
- `.github/PULL_REQUEST_TEMPLATE.md`
- Other changes:
- ...

## Testing
- Commands run:
- `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v20.0.0`
- `curl http://127.0.0.1:3000`
- Observed output:
- HTTP 200 on `/`
- Juice Shop reachable at `http://127.0.0.1:3000`

## Artifacts & Screenshots
- `submissions/lab1.md`
- Screenshots / links:
- ...
- ...

## Checklist
- [ ] Title is clear (`feat(labN): <topic>` style)
- [ ] No secrets or large temp files are committed
- [ ] Submission file at `submissions/labN.md` exists
1 change: 1 addition & 0 deletions labs/lab4/grype-from-sbom.json

Large diffs are not rendered by default.

Binary file added labs/lab4/grype-from-sbom.txt
Binary file not shown.
25,658 changes: 25,658 additions & 0 deletions labs/lab4/trivy.json

Large diffs are not rendered by default.

Binary file added labs/lab4/trivy.txt
Binary file not shown.
54 changes: 54 additions & 0 deletions submissions/lab10-walkthrough.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
# 5-Minute DevSecOps Program Walkthrough — Juice Shop

## (0:00–0:30) Context

I built a DevSecOps program around **OWASP Juice Shop**, a deliberately vulnerable app we use as a realistic target, the same way a team would treat an internal product.

Across Labs 4–9 we scanned **code, dependencies, containers, IaC, and runtime**: Syft SBOM, then Grype/Trivy SCA, Semgrep SAST, ZAP DAST, Checkov/KICS on Terraform/Ansible/Pulumi, Cosign image signing with a Conftest policy gate, and Falco runtime alerts. Everything rolls up into **DefectDojo** with a **DevSecOps SLA matrix**.

## (0:30–2:00) Layers

Picture the pipeline as layers, left to right, shift-left to runtime:

- **Pre-commit:** Gitleaks blocks secrets before they land; commits are **SSH-signed** so we know who shipped what.
- **Build:** **Syft** builds the SBOM, **Grype** and **Trivy** scan it for known CVEs, **Semgrep** catches unsafe code patterns in the repo.
- **Pre-deploy:** **Checkov** and **KICS** lint our IaC; **Cosign** signs the container image and **Conftest** is the gate: no unsigned or non-compliant image goes out.
- **Runtime:** **Falco** watches the cluster with eBPF rules and fires on suspicious process/network behavior.
- **Program layer:** **DefectDojo** imports all nine scan types, deduplicates overlaps, applies the **DevSecOps SLA** (1 / 7 / 30 / 90 days), and gives us **MTTR, vuln-age, and backlog** numbers leadership can track.

That's the full loop: prevent, detect, gate, observe, govern.

## (2:00–3:00) Findings + Closures

After one clean import we have **401 findings** in DefectDojo; **400 are still active**. We haven't closed anything yet, so **zero Critical findings closed this term**. That's honest for a first baseline run.

Here's one I risk-accepted — **CVE-2026-42766** — expiring **2027-01-04**, why: demo environment for the course capstone only, not production. Documented expiry so it doesn't become silent debt.

For cross-tool signal: the best overlap story in our data is **SCA dedup**. Trivy K8s manifest import added **0 new rows** because Grype and Trivy image had already reported the same CVEs. On the app side, Semgrep and ZAP both flag **client-side XSS-style issues** in Juice Shop; Semgrep sees the unsafe pattern in source, ZAP proves it in the browser. Fix: input validation and output encoding in the affected route.

## (3:00–4:00) Metrics

From DefectDojo engagement **Final Submission Run**:

- **MTTR:** N/A, nothing remediated and closed yet. DORA Elite is **under 1 day**; we're at baseline, not elite, and that's the gap we'd close next quarter.
- **Vuln-age median:** **0 days**, everything was imported this week.
- **SLA compliance:** **100%**, all open items still inside the DevSecOps windows (Critical 1d, High 7d, Medium 30d, Low 90d on Product OWASP Juice Shop).
- **Backlog trend:** **Rising**, we went from 0 to **400 active** findings once the full toolchain lit up. Expected on first comprehensive scan; next step is prioritize High/Critical with available fixes.

Active breakdown: **17 Critical, 165 High, 176 Medium, 29 Low, 13 Info**.

## (4:00–4:30) Next Steps

If I had another quarter, I'd ship **automated DefectDojo import on every release** into one engagement per tag, and burn down **High findings with `fix_available`** from Grype/Trivy first.

That's the next step on the **OWASP SAMM Defect Management** ladder: from *measure everything* to *remediate with SLA discipline*, target **High MTTR under 7 days**.

## (4:30–5:00) Q&A Anticipation

**1. "How would you handle a Log4Shell scenario?"**

I'd start with the **SBOM we already generate with Syft**, query it for `log4j` coordinates and versions across every image and dependency tree. Anything in the affected range gets **blocked in CI** (Grype/Trivy fail the build), then we **rebuild and re-sign** clean images with Cosign, redeploy through the Conftest gate, and **re-import** into DefectDojo to prove the CVE dropped off. Runtime Falco rules catch exploitation attempts while patches roll out. SBOM is the inventory; scanners are the triage; DefectDojo is the audit trail.

**2. "Why didn't you use IAST/paid tools?"**

This course is **open-source end to end**: Semgrep, ZAP, Trivy, Grype, Checkov, Falco, DefectDojo, so any student can reproduce the pipeline locally. IAST and commercial suites add great runtime coverage but need agents, licenses, and ops overhead we don't have in a lab VM. Tradeoff: we get **breadth and repeatability** over **deep interactive tracing**; for production I'd add IAST on the highest-risk services once the baseline gates are stable.
83 changes: 83 additions & 0 deletions submissions/lab10.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
# Lab 10 — Submission

## Task 1: DefectDojo Setup + Import

### DefectDojo version
- Version installed: `defectdojo/defectdojo-django:latest` (v3.1.0)

### Product + Engagement
- Product ID: 1
- Product name: OWASP Juice Shop
- Engagement ID: 4
- Engagement name: Final Submission Run
- Engagement status: In Progress

### Imports completed
| Lab | Scan type | File | Findings imported |
|-----|-----------|------|------------------:|
| 4 | Anchore Grype | grype-from-sbom.json | 104 |
| 4 | Trivy Scan | trivy.json | 112 |
| 5 | Semgrep JSON Report | semgrep.json | 27 |
| 5 | ZAP Scan | auth-report.xml | 12 |
| 6 | Checkov Scan | results_json.json | 80 |
| 6 | KICS Scan | kics-ansible/results.json | 10 |
| 6 | KICS Scan | kics-pulumi/results.json | 6 |
| 7 | Trivy Scan (image) | trivy-image.json | 50 |
| 7 | Trivy Operator Scan | trivy-k8s.json | 0 |
| **Total raw imports** | | | **401** |
| **After dedup** | | | **401** |

### Dedup example (Lecture 10 slide 11)
Trivy Operator Scan (`trivy-k8s.json`) imported **0** new findings into engagement 4 because the same CVEs were already present from Grype/Trivy image imports (`deduplication_on_engagement=true`). Quote:
- CVE/ID: CVE-2026-34181 (and related OpenSSL CVEs already in engagement from Trivy Scan imports)
- Number of source tools: 2 — Trivy Scan (image), Trivy Operator Scan (k8s manifest)
- DefectDojo result: second import added 0 duplicate rows (see `import-results-trivy-k8s.json` → `statistics.after.total.total = 0`)

## Task 2: Governance Report

### Executive Summary (3 sentences)
Juice Shop, scanned across 9 tools in engagement **Final Submission Run** (id 4), currently has 400 active findings (17 Critical + 165 High) after one Low-severity item was risk-accepted.
Mean Time to Remediate (MTTR) on closed-this-period findings is N/A (no findings closed yet). 100% of open findings in this engagement are within their SLA window: the **DevSecOps** SLA profile (Critical 1d / High 7d / Medium 30d / Low 90d) is applied at the **Product** level on OWASP Juice Shop (id 1) and inherited by all engagements under that product.

### Findings by severity (active only, engagement 4)
| Severity | Count |
|----------|------:|
| Critical | 17 |
| High | 165 |
| Medium | 176 |
| Low | 29 |
| Info | 13 |

### Findings by source tool (engagement 4)
| Tool | Active | Mitigated | False Positive | Risk Accepted |
|------|-------:|----------:|---------------:|--------------:|
| Anchore Grype | 104 | 0 | 0 | 0 |
| Trivy Scan | 161 | 0 | 0 | 1 |
| Semgrep JSON Report | 27 | 0 | 0 | 0 |
| ZAP Scan | 12 | 0 | 0 | 0 |
| Checkov Scan | 80 | 0 | 0 | 0 |
| KICS Scan | 16 | 0 | 0 | 0 |
| Trivy Operator Scan | 0 | 0 | 0 | 0 |

### Program metrics
- **MTTD** (Mean Time to Detect): 0 days
- **MTTR** (Mean Time to Remediate): N/A days
- **Vuln-age median** (open findings): 0 days
- **Backlog trend**: +400 active findings vs. baseline 0 (401 total imported, 1 risk-accepted)
- **SLA compliance**: 100%
- **SLA configuration**: DevSecOps (id 3) on Product 1

### Risk-accepted items (must have expiry)
| Finding | Severity | Reason | Expiry date |
|---------|----------|--------|-------------|
| CVE-2026-42766 Libssl3t64 3.5.5-1~deb13u2 (Trivy Scan, engagement 4, status: Inactive, Verified, Risk Accepted) | Low | Demo Juice Shop, accepted for course capstone only | 2027-01-04 |

### Next-quarter goal (OWASP SAMM ladder step — Lecture 9 slide 15)
In the next quarter I will mature the Defect Management SAMM practice. The baseline shows 165 open High findings with no remediation MTTR yet. The concrete goal is to drive High-finding MTTR under 7 days by prioritizing fix-available CVEs from Grype/Trivy imports and wiring DefectDojo imports into a single clean engagement per release.

## Bonus: Interview Walkthrough

- Walkthrough script: see `submissions/lab10-walkthrough.md`
- Practiced runtime: `~4:34`
- Two anticipated Q&A questions covered: `yes`
- Strongest claim in the script (most-quoted-by-interviewer line, in your view): *"Nine scanners, one engagement, one SLA matrix: DefectDojo turns scan noise into a program leaders can measure."*