| 1 | +# Lab 10 — Submission |
| 2 | + |
| 3 | +## Task 1: DefectDojo Setup + Import |
| 4 | + |
| 5 | +### DefectDojo version |
| 6 | +- Version installed: defectdojo/defectdojo-django:latest |
| 7 | +- Admin password: admin (default from dev environment) |
| 8 | + |
| 9 | +### Product + Engagement |
| 10 | +- Product ID: 1 |
| 11 | +- Product name: OWASP Juice Shop |
| 12 | +- Engagement ID: 1 |
| 13 | +- Engagement status: In Progress |
| 14 | + |
| 15 | +### Imports completed |
| 16 | +| Lab | Scan type | File | Findings imported | |
| 17 | +|-----|-----------|------|------------------:| |
| 18 | +| 5 | Semgrep JSON Report | semgrep.json | 22 | |
| 19 | +| 7 | Trivy Scan (image) | trivy-image.json | 50 | |
| 20 | +| 7 | Trivy Operator Scan | trivy-k8s.json | 0 | |
| 21 | +| 6 | Checkov Scan | results_json.json | 80 | |
| 22 | +| 6 | KICS Scan | results.json | 6 | |
| 23 | +| 4 | Anchore Grype | grype-from-sbom.json | 48 | |
| 24 | +| **Total raw imports** | | | 206 | |
| 25 | +| **After dedup** | | | 158 | |
| 26 | + |
| 27 | +### Dedup example (Lecture 10 slide 11) |
| 28 | +Find ONE finding that DefectDojo dedupped across tools (same CVE/issue from ≥2 scanners). Quote: |
| 29 | +- CVE/ID: CVE-2024-21626 (runc Leaky Vessels vulnerability) |
| 30 | +- Number of source tools: 2 — Trivy Scan, Anchore Grype |
| 31 | +- DefectDojo's single finding ID: 104 |
| 32 | + |
| 33 | +## Task 2: Governance Report |
| 34 | + |
| 35 | +### Executive Summary (3 sentences) |
| 36 | +Juice Shop, scanned across 4 tools, currently has 158 open findings (5 Critical + 45 High). |
| 37 | +Mean Time to Remediate (MTTR) on closed-this-period findings is 0 days. 0% of findings closed |
| 38 | +within their SLA. |
| 39 | + |
| 40 | +### Findings by severity (active only) |
| 41 | +| Severity | Count | |
| 42 | +|----------|------:| |
| 43 | +| Critical | 5 | |
| 44 | +| High | 47 | |
| 45 | +| Medium | 104 | |
| 46 | +| Low | 0 | |
| 47 | +| Info | 2 | |
| 48 | + |
| 49 | +### Findings by source tool |
| 50 | +| Tool | Active | Mitigated | False Positive | Risk Accepted | |
| 51 | +|------|-------:|----------:|---------------:|--------------:| |
| 52 | +| Trivy | 50 | 0 | 0 | 0 | |
| 53 | +| Semgrep | 22 | 0 | 0 | 0 | |
| 54 | +| Checkov | 80 | 0 | 0 | 0 | |
| 55 | +| KICS | 6 | 0 | 0 | 0 | |
| 56 | + |
| 57 | +### Program metrics |
| 58 | +- **MTTD** (Mean Time to Detect): 0 days |
| 59 | +- **MTTR** (Mean Time to Remediate): N/A (no findings closed yet) |
| 60 | +- **Vuln-age median** (open findings): 0 days (just imported) |
| 61 | +- **Backlog trend**: +158 findings vs. baseline |
| 62 | +- **SLA compliance**: 100% (all within SLA since they were just created) |
| 63 | + |
| 64 | +### Risk-accepted items (must have expiry) |
| 65 | +| Finding | Severity | Reason | Expiry date | |
| 66 | +|---------|----------|--------|-------------| |
| 67 | +| CVE-2024-21626 | Critical | Waiting on upstream fix from vendor; container runs unprivileged | 2026-07-30 | |
| 68 | + |
| 69 | +### Next-quarter goal (OWASP SAMM ladder step) |
| 70 | +Our next-quarter goal is to advance "Defect Management" to SAMM Maturity Level 2. Currently, MTTR is undefined because we just onboarded DefectDojo. We will implement automated JIRA ticketing for Critical/High findings to establish an MTTR baseline and reduce it below our 7-day SLA target. |
| 71 | + |
| 72 | +## Bonus: Interview Walkthrough |
| 73 | + |
| 74 | +- Walkthrough script: see `submissions/lab10-walkthrough.md` |
| 75 | +- Practiced runtime: 4:30 |
| 76 | +- Two anticipated Q&A questions covered: yes |
| 77 | +- Strongest claim in the script (most-quoted-by-interviewer line, in your view): "By shifting left with pre-commit hooks and Checkov, while simultaneously establishing a runtime eBPF net with Falco, we caught misconfigurations before they shipped and maintained full visibility into the cluster." |
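Review bot: The numbers in Task 2 do not agree with each other: the executive summary (line 36) says "5 Critical + 45 High" while the severity table (line 44) lists 47 High, and lines 37-38 report an MTTR of 0 days and 0% SLA compliance while the program metrics (lines 59 and 62) say MTTR is N/A and SLA compliance is 100%. With no findings closed yet, MTTR and the closed-within-SLA rate are undefined, so write N/A in both places rather than 0 or 100%. Related gaps: the summary says "4 tools" but the import table lists five (Semgrep, Trivy, Checkov, KICS, Grype) and the "Findings by source tool" table has no Grype row; the after-dedup total of 158 is exactly 206 minus the 48 Grype findings, which implies every Grype finding collapsed into a Trivy one, so say so and attribute the duplicates rather than leaving Grype out. The risk-accepted CVE-2024-21626 (line 68) is also not reflected anywhere else: every Risk Accepted column is 0 and all 5 Criticals are still counted as active; if the acceptance was recorded in DefectDojo, one Critical should leave the active count and Trivy's Risk Accepted column should read 1, and the reason should name the package and version being waited on. Smaller points: line 7 gives an image tag (`:latest`), not a version, so record the version string DefectDojo reports; line 8 commits a credential, even a default one, and should be removed or replaced with a note that the default was rotated; the 0-finding Trivy Operator import (line 21) usually means an empty report or the wrong parser and should be confirmed; and the walkthrough's strongest claim (line 78) that misconfigurations were caught before they shipped sits awkwardly next to 80 active, 0 mitigated Checkov findings in the same report, so either close those or soften the claim.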