Day 3 — DevSecOps and API Security
Day 3 — DevSecOps and API Security
Day 3 focuses on secure delivery — the pipeline, practices, and controls that determine what enters your cloud environment and how it gets there.
Day 3 Start Files
Day 3 labs
Info
We will be using docker in some of the labs, so we will need to install.
The Day 3 storyline
Before code becomes cloud infrastructure, we prove that it is typed, tested, scanned, packaged once, promoted safely, and deployed by an identity with limited permissions.
This gives Day 3 a clean security cycle:
Validate → Scan → Build Once → Promote → Deploy with Least Privilege → Verify Deployed APIYou will build toward that target progressively. First, Lab 3.1 uses Azure DevOps to provision fresh Day 3 infrastructure and deploy a basic app. Then each later lab hardens the same pipeline by adding gates, scans, post-deployment checks, promotion, and rollback.
Every step answers a security question:
| Step | Security Question |
|---|---|
| Validate | Does the code compile? Do tests pass? |
| Scan | Are there known vulnerabilities in code, dependencies, or infrastructure? |
| Build Once | Can we prove this exact artifact was tested and scanned? |
| Promote | Can we deploy the same artifact to multiple environments? |
| Deploy with Least Privilege | Does the service connection have only the permissions it needs? |
| Verify Deployed API | Does the running application expose security issues? |
This fits the "one app evolves over multiple days" course architecture:
- Day 1: Deploy the application (manually, insecurely)
- Day 2: Secure it with identity, encryption, and network controls
- Day 3: Automate secure delivery with gates, scans, and promotion
- Day 4: Monitor, detect threats, and respond
Core principle
A secure delivery pipeline first proves the application is correct enough to ship, then checks whether it is safe enough to promote, then deploys the same verified artifact without rebuilding it for each environment.
What you will learn
After Day 3, you will know how to:
- Run quality gates (type checks, unit tests, integration tests) before building
- Scan code for security issues with Semgrep (SAST)
- Scan dependencies and secrets with Trivy
- Generate an SBOM (Software Bill of Materials) for the application artifact
- Scan infrastructure code with Checkov
- Test deployed APIs with OWASP ZAP (DAST)
- Build an artifact once and promote it through environments
- Use pipeline identities with least privilege
- Handle secrets securely in pipelines (Key Vault integration)
- Triage security findings (true positive, false positive, accepted risk)
- Define pipeline failure policies (which findings block deployment?)
- Implement rollback strategies for failed deployments
Day 3 labs
| Lab | Topic |
|---|---|
| Lab 3.1 | Fresh Day 3 infrastructure, service connection, and basic app deployment |
| Lab 3.2 | Quality gates: TypeScript, unit tests, integration tests |
| Lab 3.3 | Security gates: Semgrep, Trivy, secret scanning and SBOM |
| Lab 3.4 | Infrastructure security: Checkov for Terraform |
| Lab 3.5 | API security: OWASP ZAP |
| Lab 3.6 | Artifact promotion, environment gates and rollback |