Thinking you know what DevSecOps is a entirely different entity from actually incorporating DevSecOps into a CI/CD pipeline and using it on a daily basis. And then when it comes to figuring out where and how to start building out a CI/CD pipeline can also be daunting. Utilizing an intentionally vulnerable web application like OWASP WebGoat to use as a starting point to automatically scan, find, and resolve vulnerabilities is an excellent way to learn about web application security, AWS and cloud security, open source tools, and DevSecOps. In this talk we plan to define requirements, threat model the architecture, create an AWS account to set up a development environment and utilize different tools, build then test code, automate and monitor the pipeline, and then to continuously improve the pipeline.