Opening Framing: Shift-Left Security
Modern security programs are preventive, not reactive. Instead of finding vulnerabilities late, Secure SDLC practices detect them as code is written and tested. This reduces risk, cost, and incident response time.
This week focuses on integrating security into CI/CD pipelines using SAST, DAST, and SCA, plus DevSecOps practices that make security repeatable and measurable.
Key insight: The safest vulnerabilities are the ones never released.
Building on Prior Knowledge
This capstone week brings together defensive concepts from across CSY203:
- CSY101 Week 13: Threat modeling principles applied to secure design review and architecture patterns
- CSY203 Weeks 03-10: All vulnerability classes (auth, SQLi, XSS, etc.) that SAST/DAST tools detect
- CSY203 Defensive Sections: Secure coding patterns and architecture from previous weeks
- CSY302 Week 09: IaC security and CI/CD pipeline hardening for cloud deployments
1) Secure SDLC Overview
Security belongs in every phase of development:
Secure SDLC stages:
1. Requirements - define security objectives and abuse cases
2. Design - threat modeling and architecture review
3. Build - secure coding standards + peer review
4. Test - SAST/DAST/SCA automation
5. Release - security gates + monitoring
6. Operate - patching and continuous improvementKey insight: Continuous security beats one-time assessments.
2) SAST: Static Application Security Testing
SAST analyzes source code without running it to identify insecure patterns and unsafe APIs.
Common SAST tools:
- Semgrep (language-agnostic rules)
- CodeQL (GitHub Advanced Security)
- SonarQube (quality + security)
- Checkmarx (enterprise)SAST best practices:
- Run on every pull request
- Baseline existing issues
- Fail builds on critical findings
- Track false positives and tune rules3) DAST: Dynamic Application Security Testing
DAST tests a running application like an attacker would, scanning endpoints and analyzing responses.
Common DAST tools:
- OWASP ZAP (baseline and active scan)
- Burp Suite CI integration
- Nuclei (template-based scans)DAST considerations:
- Run against staging environments
- Authenticate scans for deeper coverage
- Use allowlists to prevent unsafe actions
- Record baseline findings per release4) SCA: Software Composition Analysis
SCA identifies vulnerable dependencies, licensing risks, and supply-chain exposure in third-party code.
SCA tools:
- Snyk
- OWASP Dependency-Check
- GitHub Dependabot
- Syft/Grype + SBOMsSCA best practices:
- Generate SBOMs
- Block builds on critical CVEs
- Pin and update dependencies regularly
- Monitor dependency confusion risks5) CI/CD Security Gates
Security gates ensure risky code never ships:
Security gates:
- Secrets scanning (pre-commit + CI)
- SAST/DAST/SCA thresholds
- Approval workflow for high-risk changes
- Audit logs and release provenanceKey insight: Security gates are enforceable policy, not optional guidance.
Real-World Context: SolarWinds 2020
SolarWinds attackers compromised the build pipeline and injected malicious code into signed updates. Lessons learned: secure build systems, enforce least privilege, monitor pipeline integrity, and validate artifact provenance.
Key insight: CI/CD is a high-value target. Protect the pipeline.
Guided Lab: Secure SDLC Integration
Build a secure CI/CD pipeline with automated security checks.
Step 1: Add SAST
# Add Semgrep or CodeQL to CI
# Run on each pull request
# Fail build on critical findingsStep 2: Add DAST
# Run OWASP ZAP baseline scan
# Target staging URL
# Store reports as build artifactsStep 3: Add SCA
# Use Snyk or Dependency-Check
# Generate SBOM
# Block build on critical CVEsStep 4: Enforce Security Gates
# Configure thresholds:
# - Fail on critical vulnerabilities
# - Require approval for high-risk changes
# - Log all security findingsReflection (mandatory)
- Which security check caught the most issues?
- What false positives did you encounter?
- How would you handle vulnerabilities in legacy code?
- Which gate is most important in your pipeline?
Week 13 Outcome Check
By the end of this week, you should be able to:
- Integrate SAST, DAST, and SCA into CI/CD pipelines
- Define security gates and release criteria
- Generate and interpret security scan results
- Implement DevSecOps workflows
- Prioritize remediation using CVSS
- Communicate security findings to engineering teams
Final step: update the course index and curriculum documentation.
🎯 Hands-On Labs (Free & Essential)
Integrate security tools into your pipeline and prove they work end-to-end.
🧪 Lab: SAST with Semgrep or CodeQL
What you'll do: Add a SAST workflow to CI, scan every pull request, and fix the
top five findings.
Why it matters: SAST catches vulnerabilities before runtime and prevents
unsafe code from landing.
Time estimate: 2-3 hours
🧪 Lab: DAST with OWASP ZAP
What you'll do: Run an automated ZAP baseline scan in CI and publish the report
as a build artifact.
Why it matters: DAST validates real application behavior and catches
runtime issues.
Time estimate: 2-3 hours
🧪 Lab: SCA with Snyk or Dependency-Check
What you'll do: Scan dependencies, generate an SBOM, and remediate critical
CVEs.
Why it matters: Third-party code is the #1 source of known vulnerabilities.
Time estimate: 2-3 hours
🧪 Lab: Security Gates and Secrets Scanning
What you'll do: Add secret scanning and enforce build failures on high-severity
findings.
Why it matters: Secrets in repos and unblocked vulnerabilities create
immediate risk.
Time estimate: 2-3 hours
💡 Lab Strategy: Start with SAST, then add DAST and SCA, and finish with security gates. This progression builds a complete DevSecOps pipeline: 1,000 total XP, 8-12 hours.
Reading Resources (Free + Authoritative)
Complete the required resources to build your foundation.
- OWASP DevSecOps Guideline · 60-90 min · 50 XP · Resource ID: csy203_w13_r1 (Required)
- OWASP SAMM v2 · 45-60 min · 50 XP · Resource ID: csy203_w13_r2 (Required)
- OWASP Top 10 CI/CD Security Risks · Reference · 25 XP · Resource ID: csy203_w13_r3 (Optional)
Lab: Secure SDLC Integration Project
Goal: Build an end-to-end DevSecOps pipeline with automated security testing and release gates.
Part 1: SAST Integration
- Add SAST tool to CI
- Baseline existing findings
- Fail builds on new critical findings
Part 2: DAST Integration
- Run DAST against staging
- Publish HTML reports
- Automate scheduled scans
Part 3: SCA Integration
- Generate SBOM
- Block critical CVEs
- Automate dependency updates
Part 4: Security Gates
- Define thresholds for release
- Implement approval workflow
- Log findings and actions
Deliverable (submit):
- CI/CD pipeline configuration files
- SAST/DAST/SCA reports
- Security gate policy
- Remediation summary
Week 13 Quiz
Test your understanding of Secure SDLC, SAST, DAST, and DevSecOps.
Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.
Take QuizCheckpoint Questions
- What is the difference between SAST and DAST?
- Why are SBOMs important for security?
- What is a security gate in CI/CD?
- How do you handle false positives from security scans?
- What risks are unique to CI/CD pipelines?
- Why should security testing run on every pull request?
Weekly Reflection
Reflection Prompt (200-300 words):
This week you integrated security into the SDLC. You deployed SAST, DAST, and SCA tools and defined security gates that prevent vulnerable code from reaching production.
Reflect on these questions:
- Which SDLC stage offered the biggest security gains?
- How do you balance security gates with developer velocity?
- What challenges did you face integrating automated tools?
- How would you scale this approach across multiple teams?
A strong reflection will connect tooling decisions to measurable security outcomes and team workflows.
Verified Resources & Videos
- Semgrep CI: Semgrep CI Guide
- OWASP ZAP: ZAP Baseline Scan
- Dependency Management: GitHub Dependabot
Secure SDLC integration is how security scales. Automated testing, security gates, and continuous monitoring turn security from a bottleneck into a predictable engineering practice. This concludes CSY203—next, update the course index and curriculum documentation.