The availability of powerful head-mounted displays (HMDs) has made virtual reality (VR) a mainstream technology and spearheaded the idea of immersive virtual experiences within the Metaverse -- a shared and persistent virtual world. Companies are eagerly investing in various VR products and services, aiming to be early adopters and create new revenue streams by taking advantage of the hype surrounding VR and the Metaverse. However, unique privacy and security issues associated with VR arise from the data collected by both VR applications and peripherals. Given that VR HMDs equipped with intrusive sensors designed to track eye movements, facial expressions, and other biometric data are already available in the market, it is essential to integrate security and privacy into the VR application development lifecycle. This study presents a hypothetical case that revolves around a team of programmers and cybersecurity experts tasked to develop new VR applications for a technology conglomerate that recently shifted its attention towards the Metaverse. Building on development, security, and operations (DevSecOps) practice, the case study tasks participants to consider secure software development, threat modeling, and adoption of security and privacy frameworks in the context of VR application development. This study contributes to IS education by emphasizing potential privacy and security issues associated with this rapidly evolving technology. Additionally, it demonstrates how the implementation of DevSecOps practices can effectively address potential security challenges throughout the software development process.