DevSecOps

by

828409pwpadmin
DevSecOps Training Materials — Secure In Security
Secure In Security — DevSecOps Training Materials Cybersecurity & Information Security
DevSecOps &
Information Security
Dev  /  Sec  /  Ops
Protecting Confidentiality, Integrity, and Availability
Prepared by: Cybersecurity Practice  |  Classification: UNCLASSIFIED // FOUO  |  May 2026
Executive Summary

Executive Summary

DevSecOps represents a paradigm shift in how organizations design, develop, and deliver software by embedding security practices directly into the DevOps lifecycle. Rather than treating security as a gate at the end of development, DevSecOps integrates security controls, testing, and governance at every stage — from initial planning through production monitoring.

In the context of cybersecurity, this approach is directly aligned with the three foundational principles of the CIA Triad: Confidentiality, Integrity, and Availability. By automating security checks within continuous integration and continuous delivery (CI/CD) pipelines, organizations can detect and remediate vulnerabilities earlier, reduce risk exposure, and maintain compliance without sacrificing delivery velocity.

This document provides a comprehensive examination of DevSecOps principles, methodologies, pipeline architectures, and how each maps to the protection of sensitive information across its lifecycle.

Core Philosophy
DevSecOps makes security a shared responsibility. Security is no longer a phase — it is a continuous practice embedded in every commit, build, test, and deployment across the software development lifecycle.
Introduction to DevSecOps

1. Introduction to DevSecOps

1.1 From DevOps to DevSecOps

DevOps emerged from the need to bridge the longstanding divide between software development teams focused on change and operations teams focused on stability. By introducing automation, shared tooling, and a culture of collaboration, DevOps dramatically accelerated release cycles. However, the rapid pace of delivery created a critical gap: security.

In traditional software development models, security assessments were performed at the end of the Software Development Lifecycle (SDLC). Penetration tests, vulnerability scans, and compliance reviews happened just before release — often resulting in costly rework, delayed timelines, or worse, undetected vulnerabilities reaching production. This model proved increasingly untenable as attack surfaces expanded, threat actors grew more sophisticated, and regulatory requirements intensified.

DevSecOps addresses this gap by making security a shared responsibility across development, security, and operations teams. The philosophy is often summarized as shifting security left — integrating security considerations as early as the planning and design phases, and sustaining them continuously through the pipeline.

Why It Matters
The IBM Systems Sciences Institute found that the cost to fix a security defect found in the design phase can be up to 100× lower than fixing the same defect post-release. Shifting security left is not just best practice — it is an economic imperative.

1.2 Core Principles of DevSecOps

  • Security as CodeSecurity policies, tests, and controls are version-controlled and treated as code artifacts, ensuring consistency and auditability.
  • Automation FirstManual security reviews cannot scale with modern release velocities. Automated scanning, testing, and policy enforcement are essential.
  • Continuous FeedbackSecurity findings are surfaced in real time to developers, enabling rapid remediation within the development context.
  • Shared ResponsibilitySecurity is not the exclusive domain of a security team. Every engineer owns security outcomes for their code.
  • Least PrivilegeAccess rights for users, services, and systems are scoped to the minimum required to perform a function.
  • Immutable InfrastructureSystems are replaced rather than patched in place, reducing configuration drift and unauthorized change.
  • Audit & TraceabilityEvery action within the pipeline — from code commits to deployment approvals — is logged and traceable.

1.3 Why DevSecOps Matters for Cybersecurity

The cybersecurity landscape in 2026 is defined by escalating threats including nation-state actors, ransomware ecosystems, software supply chain attacks, and AI-augmented adversarial techniques. High-profile incidents such as the SolarWinds supply chain compromise and Log4Shell vulnerability underscored the risk of insecure software development practices.

DevSecOps provides a systemic defense by ensuring that every artifact — source code, dependencies, container images, infrastructure templates, and deployment manifests — passes through security validation before reaching production. When implemented correctly, DevSecOps compresses the time between vulnerability discovery and remediation from weeks to hours, dramatically reducing attacker dwell time and exploitability windows.

The CIA Triad & DevSecOps

2. The CIA Triad and DevSecOps

The CIA Triad — Confidentiality, Integrity, and Availability — provides the foundational framework for evaluating and managing information security. DevSecOps must address all three dimensions simultaneously across the software supply chain and production environments.

CIA PrincipleDefinitionDevSecOps Controls
Confidentiality Ensures information is accessible only to those authorized to have access. Prevents unauthorized disclosure of sensitive data. Secrets management, encryption-at-rest/in-transit, RBAC, SAST/DAST scans, least-privilege IAM policies.
Integrity Safeguards the accuracy and completeness of information and processing methods. Prevents unauthorized modification. Code signing, signed container images, immutable infrastructure, cryptographic hashing, audit logs, branch protection rules.
Availability Ensures authorized users have reliable and timely access to information and resources when needed. Blue/green deployments, auto-scaling, chaos engineering, DDoS mitigation, redundant pipelines, SLA-driven monitoring.

2.1 Confidentiality in DevSecOps

Confidentiality ensures that sensitive information — including source code, credentials, customer data, and intellectual property — is accessible only to authorized individuals and systems. In a DevSecOps context, confidentiality failures are particularly dangerous because the development pipeline itself is a high-value target: it contains secrets, access tokens, and privileged credentials that could be leveraged to compromise production environments.

Key Confidentiality Controls

  • Secrets ManagementTools such as HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault provide dynamic, audited secret injection, eliminating hardcoded credentials in source code or configuration files.
  • Encryption at Rest & in TransitAll sensitive data — including build artifacts, logs, and database backups — must be encrypted using industry-standard algorithms (AES-256, TLS 1.3). CI/CD pipeline communications should enforce mutual TLS (mTLS).
  • Role-Based Access ControlPipeline permissions should be granular, ensuring developers can only access the repositories, environments, and secrets necessary for their role.
  • Secret ScanningTools such as Gitleaks, TruffleHog, and GitHub Advanced Security detect accidentally committed secrets before they are pushed to shared repositories.
  • Data Classification IntegrationPipelines should apply enhanced controls automatically for systems that process sensitive, regulated, or personally identifiable information (PII).
Critical Risk
Hardcoded secrets in source code are one of the most common and impactful security failures in modern software delivery. A single leaked API key or private certificate in a public repository can result in full environment compromise within minutes of exposure.

2.2 Integrity in DevSecOps

Integrity ensures that software artifacts, data, and infrastructure configurations are not modified in an unauthorized or undetected manner. In modern software delivery, integrity threats include malicious code injection, dependency tampering, and unauthorized configuration changes — all of which can introduce backdoors or alter system behavior to serve attacker objectives.

Key Integrity Controls

  • Code SigningEvery commit, artifact, and container image should be cryptographically signed. The Sigstore project and tools like Cosign provide open-source signing infrastructure compatible with modern CI/CD platforms.
  • Software Composition AnalysisTools such as Snyk, OWASP Dependency-Check, and Dependabot identify open-source dependencies with known vulnerabilities or malicious packages, protecting against supply chain attacks.
  • SASTAutomated code analysis tools scan source code for security flaws — including injection vulnerabilities, insecure deserialization, and hard-coded credentials — without executing the application.
  • Branch Protection & Code ReviewRepository policies should require pull request approvals, prevent force pushes to main branches, and enforce signed commits, ensuring all changes undergo peer review before merging.
  • Immutable Artifact RegistriesBuild artifacts stored in registries (container images, binaries, packages) should be immutable post-publication. Any modification should trigger an alert and re-verification.
  • IaC ScanningTools such as Checkov, Terrascan, and tfsec analyze Terraform, CloudFormation, and Kubernetes manifests for misconfigurations that could compromise integrity or expose sensitive resources.

2.3 Availability in DevSecOps

Availability ensures that systems, applications, and data are accessible to authorized users when needed. DevSecOps contributes to availability through resilient deployment practices, automated recovery mechanisms, and proactive threat mitigation — while simultaneously avoiding security measures that themselves introduce availability risks.

Key Availability Controls

  • Blue/Green & Canary DeploymentsThese deployment strategies allow rapid rollback to known-good versions if a new release introduces a defect or security issue, minimizing downtime.
  • Chaos EngineeringPractices such as Netflix’s Chaos Monkey deliberately introduce failures to validate that systems and pipelines can withstand disruption and self-heal.
  • DDoS MitigationCloud-native and on-premise DDoS protection services should be integrated into deployment architectures, with thresholds and response playbooks defined in code.
  • Auto-Scaling & Load BalancingInfrastructure defined as code should include auto-scaling policies that respond to traffic spikes, preventing resource exhaustion that could be exploited or triggered by attackers.
  • Redundant Pipeline ArchitectureCI/CD pipelines themselves should be designed with redundancy, preventing a single point of failure in the delivery infrastructure from halting deployments during an incident.
  • RTO in TestingDisaster recovery and business continuity tests should be automated and executed regularly as part of the operational DevSecOps practice.
DevSecOps Pipeline Architecture

3. DevSecOps Pipeline Architecture

A DevSecOps pipeline integrates security at every stage of the software delivery process. The following table maps each pipeline stage to its associated security activities, representative tooling, and relative risk posture.

Pipeline StageSecurity ActivityExample ToolsRisk Level
PlanThreat modeling, security requirementsSTRIDE/DREAD, JIRA security ticketsLow
CodePeer review, pre-commit hooks, SCASemgrep, Snyk Open Source, Git hooksLow–Medium
BuildSAST, secret scanning, license checksCheckmarx, Semgrep, Gitleaks, FOSSAMedium
TestDAST, fuzzing, IAST, pen testingOWASP ZAP, Burp Suite, AFL++Medium–High
ReleaseArtifact signing, policy gatesSigstore/Cosign, OPA, ConftestHigh
DeployIaC scanning, container image signingCheckov, Trivy, FalcoHigh
OperateSIEM, CSPM, runtime protectionSplunk, Wiz, Prisma Cloud, FalcoCritical
MonitorThreat intelligence, anomaly detectionDatadog, Elastic SIEM, CrowdStrikeCritical

3.1 Shift-Left Security Practices

The concept of shifting left refers to moving security activities earlier in the SDLC, where they are less expensive to implement and more impactful. Studies by the Systems Sciences Institute at IBM have found that the cost to fix a security defect found in the design phase can be 6 times lower than fixing the same defect found in testing, and up to 100 times lower than fixing it post-release.

Shift-left practices in DevSecOps include threat modeling during the design phase, pre-commit hooks that prevent secrets from entering source control, and developer security training that embeds security literacy directly into engineering culture. Security champions programs — in which trained developers serve as security advocates within their teams — are an effective organizational pattern for scaling shift-left practices.

Pro Tip
Integrate security tooling directly into developer IDEs (e.g., Snyk for VS Code, Semgrep for JetBrains). When developers see vulnerability findings before they commit, remediation is faster, cheaper, and less disruptive than pipeline gate failures.

3.2 Pipeline Security Gates

Security gates are automated checkpoints within the CI/CD pipeline that block progression of an artifact or deployment unless specific security criteria are satisfied. Gates operationalize security policy as code, ensuring consistent enforcement without requiring manual intervention for every build.

Examples of Pipeline Security Gates

  • SAST gate: Build fails if any Critical or High severity vulnerability is detected in first-party code.
  • SCA gate: Build fails if any direct dependency contains a CVSS 9.0+ vulnerability without an approved exception.
  • Secret scanning gate: Build fails if any credential pattern (API key, private key, token) is detected in source or configuration files.
  • Container scanning gate: Deployment is blocked if the container image contains OS-level vulnerabilities above a defined threshold.
  • Policy compliance gate: Infrastructure changes are blocked if IaC templates violate organizational security baseline policies.

3.3 Software Supply Chain Security

The software supply chain encompasses every component, dependency, tool, and service that contributes to a software product — from open-source libraries to build systems, from third-party APIs to cloud provider services. High-profile supply chain attacks, including the SolarWinds SUNBURST attack and the compromise of the codecov bash uploader, have demonstrated that adversaries increasingly target development infrastructure rather than production systems directly.

Supply Chain Risk
The SolarWinds SUNBURST attack compromised over 18,000 organizations by injecting malicious code into the build process of a widely used IT monitoring platform. No organization was breached directly — attackers exploited the software supply chain.

DevSecOps Supply Chain Security Practices

  • Software Bill of Materials (SBOM)A machine-readable inventory of all components in a software artifact, including open-source dependencies, their versions, and their licenses. SBOMs — standardized in formats such as CycloneDX and SPDX — enable rapid exposure assessment when new vulnerabilities are disclosed. Executive Order 14028 mandated SBOM generation for software sold to the U.S. federal government.
  • Dependency PinningRather than specifying semver ranges that resolve to the latest compatible version at build time, pinning dependencies to specific cryptographic hashes ensures that the exact same code is used in every build, preventing dependency substitution attacks.
  • Private Artifact RegistriesOrganizations should mirror approved open-source packages in private registries, validating their provenance before use and protecting against typosquatting and dependency confusion attacks.
  • Build Provenance (SLSA)Tools aligned with the SLSA (Supply-chain Levels for Software Artifacts) framework generate cryptographically signed build provenance records that attest to what inputs were used and what steps were taken during the build process.
Regulatory Compliance

4. DevSecOps and Regulatory Compliance

Regulatory frameworks increasingly require organizations to demonstrate that security is embedded into their software development practices. DevSecOps provides a structured, auditable approach to satisfying these requirements through automated evidence collection and policy-as-code enforcement.

4.1 Relevant Frameworks and Standards

Framework / StandardScopeRelevant DevSecOps Requirements
NIST SP 800-218 (SSDF) U.S. federal software vendors; broadly adopted Automated testing, vulnerability management, secure build environments, SBOM generation.
NIST SP 800-53 / FedRAMP U.S. federal agencies & cloud service providers SA-11 (Developer Testing), SA-15 (Development Process), CM-14 (Signed Components).
DORA EU financial entities & critical ICT providers ICT risk management, incident response, supply chain oversight, resilience testing.
PCI DSS v4.0 Organizations processing payment card data Req 6.2 (Code Review), Req 6.3 (Automated Scanning), Req 6.4 (Web App Protection).

NIST SP 800-218 (SSDF)

The Secure Software Development Framework (SSDF) published by NIST provides a core set of secure software development practices mapped to four groups: Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities. DevSecOps directly implements many SSDF practices, particularly those relating to automated testing, vulnerability management, and secure build environments.

NIST SP 800-53 / FedRAMP

For U.S. federal agencies and cloud service providers seeking FedRAMP authorization, NIST SP 800-53 controls such as SA-11 (Developer Testing and Evaluation), SA-15 (Development Process, Standards, and Tools), and CM-14 (Signed Components) are directly addressed by DevSecOps pipeline controls including SAST, DAST, and artifact signing.

DORA (Digital Operational Resilience Act)

The European Union’s DORA regulation, applicable to financial entities and their critical ICT third-party providers, requires robust ICT risk management, incident response capabilities, and supply chain oversight — all areas where DevSecOps provides measurable, automatable controls.

PCI DSS v4.0

Payment Card Industry Data Security Standard version 4.0 introduced new requirements for software development security, including requirements for code review (Requirement 6.2), the use of automated technical security scanning (Requirement 6.3), and protection of web-facing applications (Requirement 6.4). A DevSecOps pipeline with SAST, DAST, and SCA tooling directly satisfies these requirements with machine-generated audit evidence.

4.2 Compliance as Code

Compliance as Code is the practice of encoding regulatory and organizational security requirements into machine-executable policies that are enforced automatically within the pipeline and at runtime. Tools such as Open Policy Agent (OPA), AWS Config Rules, and Azure Policy enable organizations to define compliance guardrails that are evaluated continuously rather than periodically.

When a deployment is blocked because a Kubernetes pod security policy violation is detected, or when a cloud resource creation is denied because it would expose a storage bucket publicly, these are examples of Compliance as Code in action. This approach transforms compliance from a periodic audit exercise into a continuous, automated control.

Key Benefit
Compliance as Code produces machine-generated audit evidence at every pipeline run. Auditors receive timestamped, signed records of every scan, gate decision, and policy evaluation — dramatically reducing the manual effort of compliance assessments.
Organizational & Cultural Considerations

5. Organizational and Cultural Considerations

Technology alone is insufficient for DevSecOps success. The cultural and organizational dimensions are equally critical — and often more challenging to transform.

5.1 Breaking Down Silos

Historically, development, security, and operations teams operated with separate objectives, tooling, and incentive structures. Developers were measured by feature velocity; security teams by risk reduction; operations teams by uptime. These misaligned incentives created adversarial relationships where security was perceived as a blocker to delivery.

DevSecOps requires organizational structures and leadership alignment that enable collaboration. This may involve embedding security engineers within development teams, establishing shared metrics such as Mean Time to Remediate (MTTR) for vulnerabilities, and ensuring that security findings are surfaced in developer-native tools such as IDEs and version control platforms rather than separate security portals that developers rarely access.

5.2 Developer Security Education

Security awareness training for developers must go beyond annual compliance requirements. Effective DevSecOps programs provide developers with hands-on, contextual security education through platforms such as OWASP WebGoat, HackTheBox, or vendor-specific secure coding courses. Security champions programs empower interested developers to deepen their security knowledge and serve as first-line security resources for their teams.

5.3 Metrics and Continuous Improvement

A DevSecOps program that cannot be measured cannot be improved. Key performance indicators for DevSecOps maturity include:

KPIDescriptionTarget Direction
Vulnerability Detection RatePercentage of known vulnerabilities detected by pipeline controls versus discovered in production.Maximize ↑
Mean Time to Remediate (MTTR)Average time from vulnerability discovery to confirmed remediation.Minimize ↓
Security Debt RatioVolume of open security findings relative to total code complexity.Minimize ↓
False Positive RatePercentage of scanner findings that do not represent actual vulnerabilities.Minimize ↓
Deployment FrequencyMeasure of pipeline health; DevSecOps should not reduce deployment frequency from pre-adoption baselines.Maintain / Increase ↑
Gate Pass Rate (First Attempt)Percentage of builds that pass all security gates on first attempt, indicating shift-left effectiveness.Maximize ↑
Emerging Trends in DevSecOps

6. Emerging Trends in DevSecOps

6.1 AI-Augmented Security Testing

Artificial intelligence and machine learning are being integrated into DevSecOps tooling to improve vulnerability detection accuracy, reduce false positives, and prioritize remediation. AI-assisted SAST tools can understand code context more deeply than pattern-matching approaches, identifying complex multi-step vulnerabilities that traditional scanners miss. Large Language Models (LLMs) are increasingly used to explain vulnerabilities in developer-friendly language and suggest specific remediation code, reducing the cognitive burden on developers.

6.2 Platform Engineering and Internal Developer Platforms

Platform engineering teams are building Internal Developer Platforms (IDPs) that abstract the complexity of DevSecOps tooling behind self-service interfaces. Developers request pre-configured, security-hardened application templates, pipeline blueprints, and infrastructure modules through a platform portal. Security controls are embedded in the platform by default — developers benefit from them without needing to configure them individually.

Key Concept
Paved roads, not guardrails. The most effective DevSecOps programs make the secure path the path of least resistance. Internal Developer Platforms embed security so deeply into the developer workflow that doing the right thing requires no additional effort.

6.3 Zero Trust Architecture Integration

Zero Trust Architecture (ZTA) principles — never trust, always verify — are being applied not just to network access but to the DevSecOps pipeline itself. Pipeline components authenticate to each other using workload identity rather than long-lived credentials. Access to production environments is granted just-in-time through PAM (Privileged Access Management) systems. Every pipeline action is logged, and anomalous behavior triggers automated investigation workflows.

6.4 AI-Generated Code and Security Implications

The widespread adoption of AI coding assistants such as GitHub Copilot, Amazon CodeWhisperer, and similar tools introduces new security considerations. Research has demonstrated that AI-generated code can contain security vulnerabilities, including injection flaws, insecure cryptographic implementations, and hard-coded credentials. DevSecOps pipelines must be calibrated to treat AI-generated code with the same rigor as human-written code, and organizations should establish policies governing the use of AI coding tools and the review requirements for AI-generated contributions.

Emerging Risk
AI coding assistants trained on public repositories may reproduce insecure patterns from low-quality training data. Every line of AI-generated code must pass the same SAST, SCA, and code review controls applied to human-authored code — no exceptions.
Conclusion

7. Conclusion

DevSecOps represents a mature, systematic approach to embedding cybersecurity into the fabric of software delivery. By integrating security controls at every stage of the pipeline — from design through production monitoring — organizations can protect information confidentiality, integrity, and availability without sacrificing the speed and agility that modern business demands.

The alignment of DevSecOps practices with the CIA Triad is not incidental; it is architectural. Confidentiality is protected through secrets management, encryption, and access control embedded in the pipeline. Integrity is maintained through code signing, supply chain verification, and immutable artifact management. Availability is assured through resilient deployment patterns, automated recovery, and proactive threat mitigation.

Organizations that successfully implement DevSecOps shift from a reactive security posture — responding to breaches after the fact — to a proactive one in which security defects are prevented, detected, and remediated systematically before they can be exploited. In an era of sophisticated and persistent adversaries, this transformation is not optional. It is a foundational requirement for responsible software delivery and the protection of information in an interconnected world.

Bottom Line
DevSecOps does not slow delivery — it accelerates it safely. Organizations that embed security into every pipeline stage find fewer defects in production, respond faster to incidents, and demonstrate continuous compliance to regulators and customers alike.
Glossary of Terms

Glossary

TermDefinition
CSPMCloud Security Posture Management — continuous monitoring of cloud infrastructure for misconfigurations and compliance violations.
DASTDynamic Application Security Testing — security testing performed against a running application to discover runtime vulnerabilities.
DevSecOpsDevelopment, Security, and Operations — a practice that integrates security controls throughout the CI/CD pipeline and SDLC.
IaCInfrastructure as Code — managing and provisioning infrastructure through machine-readable definition files rather than manual processes.
IASTInteractive Application Security Testing — combines elements of SAST and DAST, analyzing application behavior during testing.
IAMIdentity and Access Management — framework of policies and technologies to ensure the right users access the right resources.
mTLSMutual TLS — a form of TLS authentication where both client and server authenticate each other’s certificates.
OPAOpen Policy Agent — a general-purpose policy engine used to enforce compliance and security policies as code.
RBACRole-Based Access Control — restricting system access to authorized users based on their assigned roles.
SASTStatic Application Security Testing — analysis of source code for security vulnerabilities without executing the program.
SBOMSoftware Bill of Materials — a machine-readable inventory of all components, dependencies, and licenses in a software artifact.
SCASoftware Composition Analysis — automated identification of open-source components and their known vulnerabilities.
SDLCSoftware Development Lifecycle — the process of planning, creating, testing, and deploying software.
SIEMSecurity Information and Event Management — platform that aggregates and correlates security events for detection and response.
SLSASupply-chain Levels for Software Artifacts — a framework for assessing and improving the integrity of the software supply chain.
SOARSecurity Orchestration, Automation and Response — platform that automates incident response workflows.
Zero TrustSecurity model that requires continuous verification of every user, device, and connection with no implicit trust.
ZTAZero Trust Architecture — the implementation of Zero Trust principles across network, application, and identity layers.
References & Further Reading

References & Further Reading

Official Standards & Frameworks

  • NIST SP 800-218 (SSDF): Secure Software Development Framework — National Institute of Standards and Technology (2022).
  • NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations — U.S. Department of Commerce (2020).
  • Executive Order 14028: Improving the Nation’s Cybersecurity — The White House (2021).
  • PCI DSS v4.0 Requirements 6.2–6.4: Software Development Security — PCI Security Standards Council (2022).
  • SLSA Framework: Supply-chain Levels for Software Artifacts — Open Source Security Foundation (OpenSSF), Linux Foundation (2023).
  • OWASP DevSecOps Guideline: Integrating Security in DevOps Pipelines — Open Web Application Security Project (2023).

Open-Source Tools Referenced

Recommended Reading

  • Kim, G., Humble, J., Debois, P., & Willis, J. (2016). The DevOps Handbook. IT Revolution Press.
  • Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems (3rd ed.). Wiley.
  • European Banking Authority. (2022). Guidelines on ICT and Security Risk Management (EBA/GL/2019/04). European Union.
  • SANS Reading Room: DevSecOps Technical Papershttps://www.sans.org/reading-room
Document Information
This training material is reviewed annually and updated to reflect current threat landscapes, regulatory changes, and technology advancements. Classification: UNCLASSIFIED // FOR OFFICIAL USE ONLY. Questions or suggested updates should be directed to the Information Security team.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *