Secure your Azure and DevOps in a smart way
2 likes1,207 views
The document outlines the integration of security within DevOps through a framework known as DevSecOps, emphasizing the importance of securing the software development lifecycle from code commit to production. It details various security practices at different stages, including pre-commit, commit, acceptance, and production, along with continuous monitoring and threat intelligence. Additionally, it provides resources and tools to enhance security across Azure and DevOps environments.
Secure your Azure and DevOps in a smart way
- 1. Secure your Azure and DevOps in a smart way
- 2. Mitä kuuluu? I am Victoria Security girl at MS Find me at @texnokot or [email protected]
- 3. 100:10:1
- 4. DevOps is the union of people, process, and technology to enable continuous delivery of value to your end users DevOps Monitor & learn Develop & TestPlan & Track Build & Release Continuous delivery
- 5. automation Why not to automate security then?
- 6. delivering the product Pre-commit Commit (CI) Acceptance (CD) Production Operations
- 7. Pre-commit stage ✘ Threat modeling ✘ IDE Security plugins ✘ Pre-commit hooks ✘ Secure coding standards ✘ Peer review Goal: fix security from the first line of a code
- 8. Commit stage ✘ Static code analysis ✘ Security unit tests ✘ Dependency management Goal: provide fast feedback to developers
- 9. Acceptance stage ✘ Infrastructure as Code ✘ Security scanning ✘ Cloud configuration ✘ Security acceptance testing Goal: comprehensive check of the application and infrastructure
- 10. Production stage ✘ Security smoke tests ✘ Configuration checks ✘ Penetration testing Goal: ensure that setup follows security traditions
- 11. Operations ✘ Continuous monitoring ✘ Threat intelligence ✘ Vulnerability assessment ✘ Blameless postmortems Goal: continuous security and lessons learned
- 12. We get DevSecOps Pre-commit ✘ Threat modeling ✘ IDE Security plugins ✘ Pre-commit hooks ✘ Secure coding standards ✘ Peer review Commit (CI) ✘ Static code analysis ✘ Security unit tests ✘ Dependency management Acceptance (CD) ✘ IaC ✘ Security scanning ✘ Cloud configuration ✘ Security acceptance testing Production ✘ Security smoke tests ✘ Configuration checks ✘ Penetration testing Operations ✘ Continuous monitoring ✘ Threat intelligence ✘ Penetration testing ✘ Blameless postmortems
- 13. Azure prod subsc Azure DevOps repository Azure DevOps pipelines Azure DevOps release VS Studio/Code Azure QA subsc Azure dev subsc develop master CI build CI build DevSkim, Puma scan, Coverity, Fortify Pre-commit hooks AzSK Secure DevOps Kit (AzSK), MS Azure Policy, Snyk, WhiteSource Bolt, Coverity, Fortify MS Azure Policy, Azure Management, Azure Monitor, Microsoft Azure Security Center
- 14. 14
- 15. Resources ✘ SANS poster: https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat- checklist/60/download ✘ Azure security best practices: https://docs.microsoft.com/en-us/azure/security/security-best-practices-and- patterns ✘ Secure DevOps Kit for Azure: https://github.com/azsk/DevOpsKit-docs ✘ Azure DevOps Services: https://azure.microsoft.com/en-us/services/devops/ ✘ Azure applications design principles: https://docs.microsoft.com/en-us/azure/architecture/guide/design- principles/ ✘ WhiteSource Bolt extension for Azure DevOps Services: https://marketplace.visualstudio.com/items? itemName=whitesource.ws-bolt ✘ The OWASP Foundation: https://www.owasp.org/index.php/Main_Page ✘ And me ☺ at github: https://github.com/texnokot/ ✘ And of course twitter: https://twitter.com/texnokot
- 16. “
- 17. thanks! Any questions? You can find me at @texnokot [email protected]