- ๐๏ธ November 30, 2013 โ Target's FireEye intrusion detection system fires on POS-malware traffic to Russia
- ๐ Same week: a second alert, same exfiltration pattern, same destination
- ๐ง Both alerts route to a SOC in Bangalore. They flow up to HQ โ and get set aside
- ๐ณ By the time anyone responds: 40 million card numbers + 70 million customer records are gone
- ๐ฐ Final settlement: $18.5M to 47 states. Bryan Krebs breaks the story two weeks later โ Target heard it from a journalist first
- ๐ฅ The defense wasn't broken. The feedback loop was.
๐ค Think: If your scanner finds 200 criticals but nobody reads the report, did you detect anything? A finding without a workflow is noise.
| # | ๐ Outcome |
|---|---|
| 1 | โ Explain why runtime detection complements (does not replace) shift-left checks |
| 2 | โ Write a Falco rule that detects a specific runtime behavior, using eBPF |
| 3 | โ Express deployment-hardening rules as Rego policies executed by Conftest |
| 4 | โ Choose security metrics that drive behavior change (MTTD, MTTR, vuln age) |
| 5 | โ Place a team on the OWASP SAMM maturity ladder and propose one concrete next step |
graph LR
L5["๐งช L5 SAST/DAST<br/>Find pre-prod"] --> L9
L6["๐๏ธ L6 IaC scan<br/>Find at apply"] --> L9
L7["๐ฆ L7 Container scan<br/>Find at build"] --> L9
L8["๐ L8 Supply chain<br/>Trust the artifact"] --> L9
L9["๐ L9 Runtime + Program<br/>Detect, measure, mature"] --> L10["๐ฏ L10 Vuln mgmt<br/>Close the loop"]
style L9 fill:#FF9800,color:#fff
style L10 fill:#4CAF50,color:#fff
- ๐ช Lectures 1โ8 taught you to find issues at increasingly earlier stages
- ๐ Lecture 9 covers what happens once code is running and how the program itself matures
- ๐ Lecture 10 will close the loop: triage every finding from Labs 4โ9 in DefectDojo
๐ฌ "You can shift left as far as you want โ attackers still get to attack the running system." โ Liz Rice, Container Security (O'Reilly, 2020)
| ๐ท๏ธ Stage | ๐ Checks | ๐ ๏ธ Tools (from this course) | โ What it can't catch |
|---|---|---|---|
| ๐ Pre-commit | Secret scan, signed commits | gitleaks, SSH signing (L3) | Anything you don't commit |
| ๐๏ธ Build | SAST, SCA, image scan | Semgrep, Grype, Trivy (L4,5,7) | Vulns in transitive deps loaded at runtime |
| ๐ Deploy | Policy-as-code, supply-chain verify | Conftest (this lecture), Cosign verify (L8) | A compromised registry serving a different image |
| ๐ Runtime | Behavior detection, anomaly | Falco (this lecture) | Drift between IaC source and live cluster |
- ๐ฏ The point: each stage catches a different failure class. Runtime is the last line of defense โ and the only one that sees what an attacker actually does
Static tools answer "could this be exploited?". Runtime tools answer "is this being exploited right now?"
flowchart LR
K[๐ง Kernel syscalls] -->|๐ eBPF probes| F[๐ Falco engine]
F -->|Match rules| A[๐จ Alerts]
A -->|JSON| S[๐ฆ SIEM / file / stdout]
A -->|gRPC| R[๐ค Response automation]
style K fill:#607D8B,color:#fff
style F fill:#FF9800,color:#fff
style A fill:#F44336,color:#fff
- ๐ eBPF = "extended Berkeley Packet Filter" โ sandboxed programs run in the kernel without loading a module
- ๐ฏ Falco taps syscalls (process exec, file open, network connect) and matches them against a rule library
- ๐ Rule language is YAML; conditions are a small expression DSL over syscall fields
๐ง Why eBPF won: the older kernel-module driver required matching the host kernel version. eBPF is portable across recent kernels (5.8+ for the modern driver), runs in user-controlled bytecode, and is verifiable before load.
- ๐ข Created at Sysdig by Loris Degioanni (also co-author of Wireshark) in 2016
- ๐ Donated to the CNCF as a Sandbox project on October 10, 2018
- ๐ Promoted to Incubating on January 8, 2020
- ๐ Graduated to CNCF Graduated on February 29, 2024 โ alongside KEDA, joining only a handful of security-focused CNCF projects
- ๐ข Course pins Falco v0.43.x (January 2026) โ the version your lab uses
- ๐งฑ Three engines historically: legacy kernel module โ eBPF probe โ modern eBPF (default since 0.34). Lab uses modern eBPF.
๐ฌ "Falco isn't trying to be your IDS. It's trying to be the runtime equivalent of
grepโ fast, predictable, and composable." โ Leonardo Grasso, Falco maintainer
- rule: Write to /etc by container
desc: Container modifying system config under /etc
condition: >
open_write and
container.id != host and
fd.name startswith /etc/
output: >
Config write in container (user=%user.name container=%container.name
file=%fd.name proc=%proc.cmdline)
priority: WARNING
tags: [container, drift, mitre_persistence]| ๐ท๏ธ Field | ๐ฏ Purpose |
|---|---|
rule |
Human-readable name (unique) |
desc |
Why this rule exists |
condition |
Boolean expression on syscall fields |
output |
Alert message template, %field interpolated |
priority |
EMERGENCY..DEBUG โ mostly used for routing |
tags |
Free-form labels; common to map to MITRE ATT&CK techniques |
- ๐งช Macros (
open_write,container_started, ...) ship with the default ruleset โ read/etc/falco/falco_rules.yamlonce - ๐ฏ In the lab you'll add one custom rule; the default ruleset already covers ~200 conditions
- ๐จ Default rules fire on legitimate behavior all the time โ
apt-get updatewrites under/var/lib/dpkg, kubelet writes to/var/lib/kubelet - ๐ค Tuning options, in order of preference:
- Refine the condition โ add an exception clause (
and not proc.name=apt-get) - Use the
exceptions:block (Falco 0.28+) โ structured, easier to audit than longand notchains - Disable the rule โ last resort, document why
- Refine the condition โ add an exception clause (
- ๐ Signal-to-noise is the only metric that matters for a detection program. A rule that fires 200ร/day with 0 incidents will be silenced โ by humans or by mute filters
๐ค Think: Why is "false positive" the wrong word for security detections? (Hint: a noisy true-positive is still useless if no one looks at it.)
Falco catches behavior after it happens. Policy-as-code prevents bad config from ever being applied.
flowchart LR
Y[๐ K8s YAML] --> C[๐ conftest test]
C -->|Rego eval| P[๐ policy/*.rego]
P -->|โ fail| Block[โ CI fails / Admission denies]
P -->|โ
pass| Apply[โ
kubectl apply]
style C fill:#2196F3,color:#fff
style P fill:#9C27B0,color:#fff
style Block fill:#F44336,color:#fff
style Apply fill:#4CAF50,color:#fff
- ๐ง Conftest (CNCF, by Garet Hilliard, 2019) wraps OPA (Open Policy Agent) so you can run Rego policies against any structured file: YAML, JSON, HCL, Dockerfile, INI
- ๐ข Course pins Conftest v0.68.2 (April 2026)
- ๐ Conftest is CLI/CI; the same Rego runs server-side as a Gatekeeper or Kyverno webhook (Kyverno uses its own DSL, but the role is identical)
package main
deny[msg] {
input.kind == "Deployment"
c := input.spec.template.spec.containers[_]
c.securityContext.runAsNonRoot != true
msg := sprintf("container %q must set runAsNonRoot: true", [c.name])
}| ๐งฉ Construct | ๐ฏ Meaning |
|---|---|
package main |
Default package Conftest evaluates |
deny[msg] { ... } |
A rule that, when body is true, adds msg to the deny set |
input |
The parsed YAML/JSON document |
[_] |
"For each element" โ implicit iteration |
sprintf |
Built-in for formatted messages |
- ๐ง Rego is declarative: you write conditions for failure, not procedures
- ๐ OPA documentation has a 30-minute interactive tutorial (
play.openpolicyagent.org) โ worth doing before Lab 9 Task 2
๐ฌ "What gets measured gets managed." โ often attributed to Peter Drucker (no record of him saying it). Either way it's true for security programs.
| ๐ Metric | ๐งฎ Formula | ๐ฏ What it answers |
|---|---|---|
| โฑ๏ธ MTTD (Mean Time To Detect) | avg(detect_time โ introduction_time) | How fast does our pipeline find issues? |
| ๐ฉน MTTR (Mean Time To Remediate) | avg(close_time โ detect_time) | How fast do we fix? |
| โ Vuln Age | now โ first_seen, per finding | What's our debt distribution? |
| ๐ Backlog Trend | open_findings(t) โ open_findings(tโฮ) | Are we keeping up with new findings? |
| ๐ฏ SLA Compliance | % findings closed within severity-based SLA | Are we triaging by risk? |
- ๐ซ Anti-metrics (look impressive, change nothing): number of scans run, total alerts generated, lines of policy. They reward activity, not outcomes
- โ The lab and Lecture 10 will compute MTTR + vuln-age from real DefectDojo data
| ๐จ Severity | ๐ฉน Fix SLA | ๐ Owner | ๐ฃ Escalation |
|---|---|---|---|
| ๐ด Critical (CVSS 9โ10) | 24h | On-call + Security Lead | Page on creation |
| ๐ High (7โ8.9) | 7 days | Service team | Slack channel + ticket |
| ๐ก Medium (4โ6.9) | 30 days | Service team | Backlog grooming |
| ๐ต Low (0.1โ3.9) | 90 days / accept | Tech lead | Quarterly review |
- ๐งญ Without an SLA matrix, every finding becomes "P3 โ someday"
- ๐ฏ The matrix is also your defense for risk acceptance โ if you choose not to fix a Medium, you've explicitly accepted a 30-day exposure that the matrix says is acceptable
The 2018 Accelerate book (Forsgren, Humble, Kim) defined four DORA metrics for engineering performance:
| ๐ท๏ธ DORA metric | ๐ Engineering meaning | ๐ DevSecOps adaptation |
|---|---|---|
| ๐ข Deployment Frequency | How often you ship | How often you ship a security fix |
| โฑ๏ธ Lead Time for Changes | Commit โ prod | Vuln discovery โ patch in prod |
| โ Change Failure Rate | % deploys causing prod incidents | % security-fix deploys causing rollback |
| ๐ฉน MTTR (service) | Time to restore service | Time to remediate a vuln |
- ๐ The annual DORA report (Google Cloud since 2014) is the most cited engineering-performance research; the 2024 report added security practices as a top performance predictor
- ๐งช Elite performers deploy >1ร/day, have lead time <1 hour, change failure rate <15%, MTTR <1 hour โ security teams that match these numbers tend to ship patches in hours, not weeks
You won't implement a framework in this course. You should be able to recognize what each one cares about so you can talk to a compliance officer without freezing.
| ๐ Framework | ๐ฏ Scope | ๐ What it cares about | ๐ Key date |
|---|---|---|---|
| ๐ช๐บ GDPR | Personal data of EU residents | Lawful basis, breach notification (72h), data subject rights | Enforced 25 May 2018 |
| ๐บ๐ธ NIST CSF 2.0 | US critical infra (voluntary, widely adopted) | Govern, Identify, Protect, Detect, Respond, Recover | Released February 2024 (added "Govern") |
| ๐ ISO/IEC 27001:2022 | Information Security Management System | Risk-based ISMS + Annex A controls | Latest revision October 2022 |
| ๐ณ PCI DSS 4.0 | Card payment data | Network seg, encryption, log retention | Mandatory from March 2025 |
- ๐งญ Pattern: they all want the same things โ risk register, controls mapped to risks, logged evidence, periodic review. The vocabulary differs
- ๐ช GDPR's 72-hour breach notification is the single rule most likely to bite an engineering team unaware
The Software Assurance Maturity Model (OWASP project, originally by Pravir Chandra 2009; SAMM 2.0 released 2019) gives a 4-level maturity ladder across 5 business functions ร 15 security practices.
graph LR
L0["0๏ธโฃ No practice"] --> L1["1๏ธโฃ Initial<br/>Ad-hoc, person-dependent"]
L1 --> L2["2๏ธโฃ Defined<br/>Documented, repeatable"]
L2 --> L3["3๏ธโฃ Optimized<br/>Measured, continuously improved"]
style L0 fill:#9E9E9E,color:#fff
style L1 fill:#FF5722,color:#fff
style L2 fill:#FFC107,color:#fff
style L3 fill:#4CAF50,color:#fff
| ๐๏ธ Business function | ๐งฉ Practices (3 each) |
|---|---|
| Governance | Strategy & Metrics ยท Policy & Compliance ยท Education & Guidance |
| Design | Threat Assessment ยท Security Requirements ยท Security Architecture |
| Implementation | Secure Build ยท Secure Deployment ยท Defect Management |
| Verification | Architecture Assessment ยท Requirements-Driven Testing ยท Security Testing |
| Operations | Incident Management ยท Environment Management ยท Operational Management |
- ๐ BSIMM (Building Security In Maturity Model, Synopsys/Black Duck) does the same thing descriptively โ annual report on what real orgs do. Latest is BSIMM16 (January 2026, 111 orgs)
- ๐งญ Use SAMM to set goals; read BSIMM to see what your industry peers actually do
- ๐๏ธ March 7, 2017 โ Apache Struts CVE-2017-5638 published (CVSS 10.0). Patch available same day
- ๐ก๏ธ Equifax's security team emails the patch directive across the org on March 9
- ๐ The vulnerable web portal was not on the inventory the directive used. It is missed
- ๐ก Scans run two weeks later โ but the SSL certificate on the IDS was expired for 10 months. Encrypted attack traffic flows past the inspector unread
- ๐ธ Attackers exfiltrate 147 million records between May and July; CEO and CISO resign; total cost > $1.4B
- ๐ง What failed: inventory (Identify), patch process (Protect), monitoring (Detect), comms (Respond). NIST CSF functions in a row
๐ค Think: Which OWASP SAMM practice would have caught this earliest โ Defect Management, Environment Management, or Incident Management? (Trick: all three; one would have been enough.)
- ๐๏ธ March 2020 โ attackers (later attributed to APT29 / Cozy Bear) inject SUNBURST into the SolarWinds Orion build pipeline
- ๐ฆ Backdoored update ships to ~18,000 customers including DoD, Treasury, FireEye
- ๐๏ธ FireEye discovers it December 8, 2020 โ after the malware tries to enroll a second auth device for an employee. The MFA workflow alerts. That alert was read
- ๐ฏ The supply chain check missed, but runtime + IAM monitoring caught it โ about 9 months in, but caught
- ๐ช This is why this course teaches you both L8 (signing/verification) and L9 (runtime detection) โ neither is sufficient alone
flowchart TB
subgraph "Shift-Left (Pre-Prod)"
SAST[๐งช SAST L5]
SCA[๐ SCA L4]
IaC[๐๏ธ IaC scan L6]
Img[๐ฆ Image scan L7]
Sign[๐ Sign L8]
end
subgraph "Shift-Right (Runtime)"
Falco[๐ฆ
Falco runtime L9]
PaC[๐ Conftest admission L9]
end
subgraph "Program Layer"
DD[๐ DefectDojo L10]
Met[๐ MTTD/MTTR/age]
SLA[๐ฆ SLA matrix]
SAMM[๐ช SAMM review]
end
SAST --> DD
SCA --> DD
IaC --> DD
Img --> DD
Sign -.verify.-> Falco
PaC --> Falco
Falco --> DD
DD --> Met
Met --> SLA
SLA --> SAMM
SAMM -.feeds back.-> SAST
style DD fill:#FF9800,color:#fff
style SAMM fill:#4CAF50,color:#fff
- ๐ฏ Each box was a lab. Lecture 10 wires the program layer together
- ๐ช The feedback arrow is the whole point โ a security program that doesn't re-prioritize its scanning based on what it found is just a budget line
Lecture 10 takes everything in the program layer above and walks the vulnerability management lifecycle:
- ๐ Discovery โ ingest from all the tools you've configured (Labs 4โ9)
- ๐ท๏ธ Triage โ dedup, assign severity, push to SLA queue
- ๐ฉน Remediation โ fix, suppress with reason, or accept with expiry
- ๐ Reporting โ close the loop to the program metrics on the previous slide
- ๐ช Improvement โ feed findings into next-cycle SAMM goals
- ๐งช Lab 10 brings up DefectDojo v2.58.x locally and imports every report you've generated in Labs 4โ9
- ๐ By the end of Lab 10 you'll have a single dashboard showing every CVE the course exposed you to โ and an MTTR distribution to argue about
Books (pick one to read this term):
| ๐ Book | โ๏ธ Why |
|---|---|
| Securing DevOps โ Julien Vehent (Manning, 2018) | Runs through real Mozilla pipelines; ch. 5โ7 on monitoring are the closest match to this lecture |
| Container Security โ Liz Rice (O'Reilly, 2020) | Best single chapter (ch. 11) on runtime security; explains why eBPF won |
| Accelerate โ Forsgren, Humble, Kim (IT Revolution, 2018) | The DORA metrics, with the research methodology behind them |
| Building Secure & Reliable Systems โ Google (O'Reilly, 2020, free PDF) | Chapter on detection + response from people running it at planetary scale |
Talks:
- ๐ฅ "What Happens When Falco Detects?" โ KubeCon EU 2024, Loris Degioanni
- ๐ฅ "OPA: The Universal Policy Engine" โ Tim Hinrichs, Styra (2021)
- ๐ฅ "The DevOps Handbook in 2024" โ Gene Kim, DevOps Enterprise Summit
Standards & specs:
- ๐ OWASP SAMM v2.0 โ full assessment toolkit, free
- ๐ NIST CSF 2.0 โ released Feb 2024, includes the new Govern function
- ๐ Falco Rules Reference โ every default rule, with examples
- ๐ Rego Playground โ interactive tutorial, 30 minutes
Takeaways:
| # | ๐ง Insight |
|---|---|
| 1 | Shift-left finds; shift-right catches what shift-left missed. You need both. |
| 2 | A finding without an owner and an SLA is noise. The matrix is the program. |
| 3 | MTTD/MTTR/vuln-age beat scan counts. Reward outcomes, not activity. |
| 4 | SAMM tells you where to go; BSIMM tells you where your peers actually are. |
| 5 | Compliance is downstream of risk management, not the other way around. |
๐ฌ "The goal of detection is response. The goal of response is learning. The goal of learning is preventing the next one." โ adapted from Richard Bejtlich, The Practice of Network Security Monitoring (No Starch, 2013)