In this lesson, learners will explore the OWASP Top-10 vulnerabilities and how to prevent security incidents through proactive secure coding practices and effective analysis tools. The lesson emphasizes why fixing security flaws late in the process is costly and unsustainable, and how systematic prevention—through secure coding and regular testing—offers a better approach. Real-world security incidents, such as the Fortnite XSS vulnerability, are highlighted to illustrate the practical consequences of common coding mistakes. Learners will be introduced to essential tools including Static Application Security Testing (SAST) and dynamic scanning with OWASP ZAP. Through a blend of videos, readings, discussions, and hands-on labs, learners will gain the skills and confidence to systematically build secure, robust applications—transforming their coding approach from reactive fixes to proactive prevention.

In this lesson, learners examine how embedding security into Continuous Integration and Continuous Deployment (CI/CD) pipelines transforms release processes into continuous guardians of trust rather than mere delivery engines. Through a scenario illustrating a late-night deployment where a known vulnerable library slipped into production, the lesson highlights why automated security checks must be integrated from the very first pipeline stage. Learners will investigate practical tool implementations—such as Snyk for dependency scanning, OWASP Dependency-Check for open-source vulnerability detection, and GitHub Actions workflows for automation—to ensure issues are caught before code reaches production. Case studies of CI/CD misconfigurations, such as the Capital One cloud breach, demonstrate how small oversights in pipeline or infrastructure-as-code settings can lead to major incidents, reinforcing the need for continuous oversight. Hands-on demonstrations guide learners through setting up security gates that fail builds on critical findings, interpreting scan results, and configuring policy-as-code enforcement, all without impeding development velocity. By the end of the lesson, participants will understand both how to configure and integrate these security tools into real pipelines and why treating security as a separate stage is no longer acceptable—security must be continuous, integrated, and owned by every stakeholder in the delivery workflow.