From 1fc39e80644bc19fd79d6d0649389b3c2927c742 Mon Sep 17 00:00:00 2001 From: StefFashka Date: Wed, 8 Jul 2026 22:07:46 +0800 Subject: [PATCH 1/2] feat(lab10): defectdojo governance report + capstone walkthrough --- .gitignore | 3 ++ submissions/lab10-walkthrough.md | 34 ++++++++++++ submissions/lab10.md | 88 ++++++++++++++++++++++++++++++++ 3 files changed, 125 insertions(+) create mode 100644 submissions/lab10-walkthrough.md create mode 100644 submissions/lab10.md diff --git a/.gitignore b/.gitignore index c6b279fa..7300a2ae 100644 --- a/.gitignore +++ b/.gitignore @@ -20,6 +20,9 @@ labs/lab10/imports/import-*.json labs/lab11/logs/ labs/lab11/reverse-proxy/certs/ labs/lab12/results/ +labs/lab4/* +labs/lab7/ +labs/lab10/work # Standard __pycache__/ diff --git a/submissions/lab10-walkthrough.md b/submissions/lab10-walkthrough.md new file mode 100644 index 00000000..fd013885 --- /dev/null +++ b/submissions/lab10-walkthrough.md @@ -0,0 +1,34 @@ +# 5-Minute DevSecOps Program Walkthrough — Juice Shop + +## (0:00-0:30) Context +I built a DevSecOps program around OWASP Juice Shop as the target application. +The scope covered SBOM generation, SCA, SAST, DAST, IaC scanning, container and Kubernetes scanning, image signing evidence, runtime alert evidence, and DefectDojo governance. + +## (0:30-2:00) Layers +Pre-commit controls covered secret prevention and signed development workflow evidence. +At build time I generated a CycloneDX SBOM with Syft, scanned it with Grype, and compared it against Trivy image output. +For application testing I used Semgrep for SAST and ZAP authenticated scanning for DAST. +For pre-deploy security I scanned Terraform with Checkov and Ansible/Pulumi with KICS, then deployed a digest-pinned Kubernetes manifest with restricted Pod Security Standards, a dedicated service account, read-only root filesystem, dropped capabilities, and NetworkPolicy. +For runtime and policy evidence I retained Falco and Conftest lab artifacts, then used DefectDojo as the program layer for aggregation, deduplication, SLA tracking, and governance metrics. + +## (2:00-3:00) Findings + Closures +We imported 403 raw findings and reduced that to 351 unique findings after deduplication. +The strongest cross-tool duplicate was GHSA-5mrr-rgp6-x4gr in `marsdb` 0.6.11, reported by Grype, Trivy, and the Trivy image scan, then retained as DefectDojo finding 107. +One accepted risk was GHSA-pxg6-pf52-xh8x in `cookie` 0.4.2, accepted only until 2026-10-06 because it is Low severity and belongs in the dependency upgrade batch. + +## (3:00-4:00) Metrics +The program has 350 active open findings: 13 Critical, 121 High, 173 Medium, and 31 Low. +MTTR is not yet measurable because no findings were mitigated in this capstone run; compared to DORA Elite MTTR under 1 hour, this is the clearest process gap. +The median open vulnerability age is 0 days because the DefectDojo import was done in one run, and current SLA compliance is 96.6%. +The backlog trend is rising from baseline 0 to 350 open findings, which is expected for first centralization but must fall next quarter. + +## (4:00-4:30) Next Steps +If I had another quarter, I would mature OWASP SAMM Defect Management from Initial to Defined. +That means owner assignment, ticket creation, weekly SLA review, and a hard target to close or risk-accept every Critical and High finding first. + +## (4:30-5:00) Q&A Anticipation +1. "How would you handle a Log4Shell scenario?" +I would start from the SBOM, search for the affected package and versions, import or update the CVE data in DefectDojo, then prioritize by CVSS, EPSS, exposure, and SLA. The value of the program is that the question becomes "which products have this component and who owns the finding," not "which scanner should I run first." + +2. "Why didn't you use IAST/paid tools?" +I kept the stack open-source and reproducible for the course: Syft, Grype, Trivy, Semgrep, ZAP, Checkov, KICS, Falco, Conftest, and DefectDojo. IAST or paid ASPM tools could improve runtime code-path confidence and workflow automation, but the core governance loop is already visible with the open-source stack. diff --git a/submissions/lab10.md b/submissions/lab10.md new file mode 100644 index 00000000..8a291e26 --- /dev/null +++ b/submissions/lab10.md @@ -0,0 +1,88 @@ +# Lab 10 — Submission + +## Task 1: DefectDojo Setup + Import + +### DefectDojo version +- Version installed: `defectdojo/defectdojo-django:latest`, image ID `34007144bc71`, upstream checkout `3.1.0` (`5ddac02bf4`) + +### Product + Engagement +- Product ID: 1 +- Product name: OWASP Juice Shop +- Engagement ID: 1 +- Engagement status: In Progress + +### Imports completed +| Lab | Scan type | File | Findings imported | +|-----|-----------|------|------------------:| +| 4 | Anchore Grype | grype-from-sbom.json | 109 | +| 4 | Trivy Scan | trivy.json | 114 | +| 5 | Semgrep JSON Report | semgrep.json | 22 | +| 5 | ZAP Scan | auth-report.json | 11 | +| 6 | Checkov Scan | results_json.json | 80 | +| 6 | KICS Scan | kics-ansible/results.json | 10 | +| 6 | KICS Scan | kics-pulumi/results.json | 6 | +| 7 | Trivy Scan (image) | trivy-image.json | 51 | +| 7 | Trivy Operator Scan | trivy-k8s.json | 0 | +| **Total raw imports** | | | 403 | +| **After dedup** | | | 351 unique findings | + +Falco runtime logs were not imported because this DefectDojo instance has no stock parser for the custom `falco.log` format. +ZAP `auth-report.json` was retained as the lab output; DefectDojo imported the equivalent `auth-report.xml` because the stock `ZAP Scan` parser rejected JSON. + +### Dedup example (Lecture 10 slide 11) +Find ONE finding that DefectDojo dedupped across tools (same CVE/issue from ≥2 scanners). Quote: +- CVE/ID: GHSA-5mrr-rgp6-x4gr in `marsdb` 0.6.11 +- Number of source tools: 3 - Anchore Grype, Trivy Scan, Trivy image scan +- DefectDojo's single finding ID: 107 (`170` and `360` are duplicate-linked to `107`) + +## Task 2: Governance Report + +### Executive Summary (3 sentences) +Juice Shop, scanned across 8 imported scan sources, currently has 350 open findings (13 Critical + 121 High). +Mean Time to Remediate (MTTR) on closed-this-period findings is N/A because 0 findings were mitigated in this capstone run. +96.6% of currently open findings are within their configured SLA. + +### Findings by severity (active only) +| Severity | Count | +|----------|------:| +| Critical | 13 | +| High | 121 | +| Medium | 173 | +| Low | 31 | + +### Findings by source tool +| Tool | Active | Mitigated | False Positive | Risk Accepted | +|------|-------:|----------:|---------------:|--------------:| +| Anchore Grype | 108 | 0 | 0 | 1 | +| Trivy Scan | 113 | 0 | 0 | 0 | +| Semgrep JSON Report | 22 | 0 | 0 | 0 | +| Checkov Scan | 80 | 0 | 0 | 0 | +| KICS Scan (Ansible) | 10 | 0 | 0 | 0 | +| KICS Scan (Pulumi) | 6 | 0 | 0 | 0 | +| Trivy Scan (image) | 0 | 0 | 0 | 0 | +| ZAP Scan | 11 | 0 | 0 | 0 | + +### Program metrics +- **MTTD** (Mean Time to Detect): 0 days +- **MTTR** (Mean Time to Remediate): N/A (0 mitigated findings) +- **Vuln-age median** (open findings): 0 days +- **Backlog trend**: +350 findings vs. baseline 0 +- **SLA compliance**: 96.6% + +SLA matrix applied in DefectDojo as `Lab10 SLA Matrix`: Critical 1 day, High 7 days, Medium 30 days, Low 90 days. + +### Risk-accepted items (must have expiry) +| Finding | Severity | Reason | Expiry date | +|---------|----------|--------|-------------| +| GHSA-pxg6-pf52-xh8x in `cookie` 0.4.2 | Low | Low-severity transitive dependency accepted for the capstone period; revisit during dependency upgrade batch. | 2026-10-06 | + +### Next-quarter goal (OWASP SAMM ladder step — Lecture 9 slide 15) +Mature OWASP SAMM Defect Management from Initial to Defined. +The current backlog has 350 active findings and no mitigated findings, so the next quarter should add owner assignment, ticket creation, and weekly SLA review for Critical and High findings. + +## Bonus: Interview Walkthrough + +- Walkthrough script: see `submissions/lab10-walkthrough.md` +- Practiced runtime: 4 minutes:42 seconds +- Two anticipated Q&A questions covered: yes +- Strongest claim in the script (most-quoted-by-interviewer line, in your view): "The program changed the problem from scanner output to governed risk." From 9c2b07882c5dd3b8a979f6217aa9b4063c46d278 Mon Sep 17 00:00:00 2001 From: StefFashka Date: Fri, 10 Jul 2026 01:55:38 +0800 Subject: [PATCH 2/2] feat(lab10): defectdojo governance report + capstone walkthrough --- submissions/lab10-walkthrough.md | 26 +++++++++++++------------- submissions/lab10.md | 2 ++ 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/submissions/lab10-walkthrough.md b/submissions/lab10-walkthrough.md index fd013885..2d3ad989 100644 --- a/submissions/lab10-walkthrough.md +++ b/submissions/lab10-walkthrough.md @@ -2,25 +2,25 @@ ## (0:00-0:30) Context I built a DevSecOps program around OWASP Juice Shop as the target application. -The scope covered SBOM generation, SCA, SAST, DAST, IaC scanning, container and Kubernetes scanning, image signing evidence, runtime alert evidence, and DefectDojo governance. +The scope covered Syft, Grype, Trivy, Semgrep, ZAP, Checkov, KICS, Cosign, Falco, Conftest, and DefectDojo for signed, scanned, verified, deployed, and governed evidence. ## (0:30-2:00) Layers -Pre-commit controls covered secret prevention and signed development workflow evidence. -At build time I generated a CycloneDX SBOM with Syft, scanned it with Grype, and compared it against Trivy image output. -For application testing I used Semgrep for SAST and ZAP authenticated scanning for DAST. -For pre-deploy security I scanned Terraform with Checkov and Ansible/Pulumi with KICS, then deployed a digest-pinned Kubernetes manifest with restricted Pod Security Standards, a dedicated service account, read-only root filesystem, dropped capabilities, and NetworkPolicy. -For runtime and policy evidence I retained Falco and Conftest lab artifacts, then used DefectDojo as the program layer for aggregation, deduplication, SLA tracking, and governance metrics. +- Pre-commit: gitleaks for secret prevention and SSH-signed commits for workflow integrity. +- Build: SBOM with Syft, SCA with Grype, Trivy image comparison, and SAST with Semgrep. +- Pre-deploy: Checkov on Terraform IaC, KICS on Ansible/Pulumi, Cosign signing evidence, and Conftest policy gate evidence. +- Runtime: Falco eBPF detection evidence from runtime alerts. +- Program: DefectDojo aggregation, deduplication, SLA matrix, MTTR, vulnerability age, backlog, and SLA compliance metrics. ## (2:00-3:00) Findings + Closures -We imported 403 raw findings and reduced that to 351 unique findings after deduplication. -The strongest cross-tool duplicate was GHSA-5mrr-rgp6-x4gr in `marsdb` 0.6.11, reported by Grype, Trivy, and the Trivy image scan, then retained as DefectDojo finding 107. -One accepted risk was GHSA-pxg6-pf52-xh8x in `cookie` 0.4.2, accepted only until 2026-10-06 because it is Low severity and belongs in the dependency upgrade batch. +- We imported 403 raw findings and reduced that to 351 unique findings after deduplication. +- The strongest cross-tool duplicate was GHSA-5mrr-rgp6-x4gr in `marsdb` 0.6.11, reported by Grype, Trivy, and the Trivy image scan, then retained as DefectDojo finding 107. +- One accepted risk was GHSA-pxg6-pf52-xh8x in `cookie` 0.4.2, accepted only until 2026-10-06 because it is Low severity and belongs in the dependency upgrade batch. ## (3:00-4:00) Metrics -The program has 350 active open findings: 13 Critical, 121 High, 173 Medium, and 31 Low. -MTTR is not yet measurable because no findings were mitigated in this capstone run; compared to DORA Elite MTTR under 1 hour, this is the clearest process gap. -The median open vulnerability age is 0 days because the DefectDojo import was done in one run, and current SLA compliance is 96.6%. -The backlog trend is rising from baseline 0 to 350 open findings, which is expected for first centralization but must fall next quarter. +- The program has 350 active open findings: 13 Critical, 121 High, 173 Medium, 31 Low, and 12 Info. +- MTTR is not yet measurable because no findings were mitigated during this capstone. Establishing a measurable remediation process is the primary improvement area. +- The median open vulnerability age is 0 days because the DefectDojo import was done in one run, and current SLA compliance is 96.6%. +- The backlog trend is rising from baseline 0 to 350 open findings, which is expected for first centralization but must fall next quarter. ## (4:00-4:30) Next Steps If I had another quarter, I would mature OWASP SAMM Defect Management from Initial to Defined. diff --git a/submissions/lab10.md b/submissions/lab10.md index 8a291e26..91ad9a31 100644 --- a/submissions/lab10.md +++ b/submissions/lab10.md @@ -49,6 +49,8 @@ Mean Time to Remediate (MTTR) on closed-this-period findings is N/A because 0 fi | High | 121 | | Medium | 173 | | Low | 31 | +| Info | 12 | +| **Total** | 350 | ### Findings by source tool | Tool | Active | Mitigated | False Positive | Risk Accepted |