Secure SDLC: DevSecOps, OWASP, SBOM, SAST, and BOLA
Author: SecGuy
Uploaded: 2026-02-16
Views: 36
Description:
In a cloud-native world, your code is your infrastructure. If the code is hollow, the fortress falls. In this video, Sec Guy breaks down the Secure SDLC, explains how to use STRIDE for Threat Modeling, and details the difference between SAST (Whitebox) and DAST (Blackbox) testing. We also tackle the #1 API threat: BOLA (Broken Object Level Authorization).
[Exam Ready Route - FREE]
Pass your certification for $0.
✅ Training Videos & Practice Tests
✅ Sec Guy Mobile Lab (On-the-go training powered by AI voice)
✅ Discord Access (Study sessions & Industry networking)
👉 Start Here: https://secguy.org
[Job Ready Route - MEMBERSHIP]
Stop studying and start working. Get the hands-on experience hiring managers are asking for.
🔥 Hands-On Labs: Python, Encryption, Hashing, AI, & CTFs
🔥 Salary Negotiator Workshop
🔥 Experience Builder: Real-world projects to fill your resume
👉 Get Hired: https://secguy.org
[Exam Domain Checklist]
This video covers critical objectives for the following exams:
Security+
[ ] Domain 3.2: Application Security (OWASP Top 10, Injection, BOLA)
[ ] Domain 4.2: Security Operations (Vulnerability Scanning: SAST, DAST)
[ ] Domain 5.1: Risk Management (Supply Chain Risk, SBOM)
CISSP
[ ] Domain 8: Software Development Security (SDLC, STRIDE, Fuzzing)
[ ] Domain 3: Security Architecture (High Cohesion, Low Coupling, Encapsulation)
CISM
[ ] Domain 3: Information Security Program (Secure Development Practices)
CRISC
[ ] Domain 2: IT Risk Assessment (Application Vulnerabilities)
CCSP
[ ] Domain 4: Cloud Application Security (SAST/DAST in CI/CD, API Security)
SecurityX (CompTIA)
[ ] Domain 2.0: Security Architecture (Secure Coding Practices & Input Validation)
GIAC GSEC (SANS)
[ ] Application Security: OWASP, Fuzzing, & Defense in Depth
AWS CSS (Certified Security – Specialty)
[ ] Domain 5: Data Protection (Encryption at Rest/Transit in Apps)
Pentest+ (CompTIA)
[ ] Domain 3: Attacks and Exploits (SQL Injection, XSS, IDOR/BOLA)
CEH (Certified Ethical Hacker)
[ ] Domain 10: Web Server & Application Hacking (OWASP Top 10)
SecAI+
[ ] AI Security: AI-Generated Code Vulnerabilities & Supply Chain Attacks
[Timestamps]
0:00 - Intro: Code is Infrastructure
0:25 - Environment Isolation: Dev, Test, Staging, Prod (Data Masking)
0:48 - Threat Modeling: The STRIDE Framework (Spoofing, Tampering, etc.)
1:06 - Secure Design Patterns: Encapsulation & Polymorphism
1:24 - CISSP Concepts: High Cohesion vs. Low Coupling
1:40 - Testing: Fuzzing (Mutation vs. Generational)
2:06 - Defending Against Injection: Input Validation vs. Parameterization
2:31 - API Security: BOLA (Broken Object Level Authorization) & IDOR
3:00 - Supply Chain Security: SCA & SBOM (Software Bill of Materials)
3:13 - The Toolchain: SAST (Whitebox) vs. DAST (Blackbox)
3:26 - Runtime Defense: IAST & RASP (The Bodyguard)
3:44 - Summary: Security is an Architectural Requirement
3:52 - Outro: Stay Safe, Stay Secure.