SlideShare a Scribd company logo

Secure Your Code Implement DevSecOps in Azure

kloia
kloia

The document discusses the integration of DevSecOps practices in Azure, emphasizing the importance of security throughout the development lifecycle. It covers topics such as security automation, vulnerability assessment, and implementing best practices using Azure tools, GitHub, and third-party solutions. Additionally, it provides a step-by-step demo for setting up a secure CI/CD pipeline in Azure DevOps using various integrated services.

Software
1 of 72
Downloaded 31 times
1
2
3
4
5
6
7
8
Most read
9
10
Most read
11
12
13
14
15
16
17
18
19
20
21
22
Most read
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
Secure Your Code : Implement DevSecOps in Azure 21 Feb 2021 @srkbngl
Who am I? Serkan Bingöl Cloud & DevOps Consultant @kloia MCSD / MCT / AAI / AWS Certified Blog : medium.com/@serkanbingoll Tweet : @srkbngl LinkedIn : /in/sbingol GitHub : github.com/serkanbingol
Agenda • What is Dev{Sec}Ops ? • DevSecOps in GitHub & Demos • DevSecOps in Azure • 3rd Party DevSecOps Tools • DEMO : Implement Security in Azure DevOps CI/CD • Q & A
What is Dev{Sec}Ops ? DevOps is the union of people, process, and technology to enable continuous delivery of value to your end users. DevSecOps is a cultural movement that furthers the movements of Agile and DevOps into Security Automation + Security image from https://www.recordedfuture.com/ image from https://stackify.com/devops-engineer-starter-guide/
What is Dev{Sec}Ops ? DEV : OPS :SEC Ratio - 100:10:1 “The ratio of engineers in Development, Operations, and Infosec in a typical technology organization is 100:10:1. When Infosec is that outnumbered, without automation and integrating information security into the daily work of Dev and Ops, Infosec can only do compliance checking, which is the opposite of security engineering—and besides, it also makes everyone hate us.” image from https://twitter.com/joshcorman/status/644153295464960000
What is Dev{Sec}Ops ? Discover vulnerability during the development. * Slide 9 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
What is Dev{Sec}Ops ? More we code , more we need security. Insecure code causes breaches Source: 2019 Data Breach Investigations Report, Verizon 53% of breaches are caused by weaknesses in applications. Report link : https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
What is Dev{Sec}Ops ? Security Patterns : Old Path Vs. New Path • Embrace Secrecy • Just Pass Audit! • Enforce Stability • Build a Wall • Slow Validation • Certainly Testing • Test When DONE ! • Process Driven • Create Feedback Loops • Compliance adds Value • Create Chaos • Zero Trust Networks • Fast and Non-Blocking • Adversity Testing • Shift Left • The Paved Road image from https://wellbeingeconomy.org/
What is Dev{Sec}Ops ? Azure Patterns: Infrastructure Planning ✘Subscription per environment ✘Apply policies to control transparently and proactively ✘ Security Center ON from day 1 ✘Infrastructure as code. Period ✘ Production ONLY for CI/CD pipelines ✘ CI/CD pipeline is a heart of security image from https://bridgecrew.io/blog/infrastructure-as-code-security-101/
What is Dev{Sec}Ops ? Azure Patterns: Watch Every Step • Threat modeling • IDE Security plugins • Pre-commit hooks • Peer review • Static code analysis • Security unit tests • Container Security • Dependency management • IaC • Security scanning • Cloud configuration • Security acceptance tests • Security smoke tests • Security Configuration • Secret Management • Server Hardening • Continuous monitoring • Threat intelligence • Penetration Testing • Blameless postmortems
DevSecOps in GitHub • Browser-based IDEs with built-in security extensions. • Agents that continuously monitor security advisories and replace vulnerable and out-of-date dependencies. • Search capabilities that scan source code for vulnerabilities. • Action-based workflows that automate every step of development, testing, and deployment. • Spaces that provide a way to privately discuss and resolve security threats and then publish the information. * Combined with the monitoring and evaluation power of Azure, these features provide a superb service for building secure cloud solutions. * https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github
DevSecOps in GitHub Foundation of the Enterprise in Cloud : Azure AD • Azure AD auth to GitHub • GitHub auth to Azure portal - SAML SSO - LDAP - RBAC - Required 2FA - GitHub Connect - Audit log
DevSecOps in GitHub Secure your supply chain * Slide 22 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
DevSecOps in GitHub Secure your supply chain: GitHub Dependabot Alerts • Automate dependency updates • Identificate vulnerable dependencies Managing Vulnerabilities in your project Dependencies : https://docs.github.com/en/github/managing-security-vulnerabilities/managing-vulnerabilities-in- your-projects-dependencies
DevSecOps in GitHub Secure your supply chain: GitHub Dependabot Alerts * Slide 30 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
DevSecOps in GitHub Secure your repository: GitHub Secret Scanning • Scan and detect secrets in your repository • Lots of service providers * Secret scanning is available in public repositories, and in private repositories owned by organizations with an Advanced Security license. Configuring secret scanning for your repositories : https://docs.github.com/en/github/administering-a-repository/configuring-secret-scanning-for- your-repositories - Atlassian - Azure - AWS - Alibaba Cloud - Google Cloud - Stripe - ……
DevSecOps in GitHub Analyse your code * Slide 37 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
DevSecOps in GitHub Analyse your code: GitHub Code Scanning • Automate your code review. • CodeQL has leading security teams and individuals. • CodeQL has more CVEs than any other static application security testing vendor team. • GitHub is now a CNA. About code scanning : https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about- code-scanning * CVE : Common Vulnerabilities and Exposures ** CNA : CVE Numbering Authority *** Zero-Day : Software vulnerability that is unknown to, or unaddressed by, those who are interested in mitigating it.
DevSecOps in Azure • Azure AD can be configured as the identity provider for GitHub. • GitHub Enterprise can integrate automatic security and dependency scanning. • Azure Pipelines generates a Docker container image that is stored to Azure Container Registry, which is to be used at release time by Azure Kubernetes Service. • A release on Azure Pipelines integrates the Terraform tool, managing both the cloud infrastructure as code, provisioning resources such as Azure Kubernetes Service, Application Gateway, and Azure Cosmos DB. • Azure Security Center will be able to do active threat monitoring on the Azure Kubernetes Service, on both Node level (VM threats) and internals. * https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-azure
DevSecOps in Azure Infrastructure as Code : Terraform • Deliver Infrastructure as Code Terraform is commercial templating tool that can provision cloud-native applications across all the major cloud players: Azure, Google Cloud Platform, AWS, and AliCloud. Instead of using JSON as the template definition language, it uses the slightly more terse YAML. Infrastructure as code with Microsoft: https://docs.microsoft.com/en-us/dotnet/architecture/cloud-native/infrastructure-as-code - Write : Write infrastructure as code using declarative configuration files. - Plan : Check whether the execution plan for a configuration matches your expectations before provisioning or changing infrastructure. - Apply : Apply changes to hundreds of cloud providers to reach the desired state of the configuration. image from https://adinermie.com/
DevSecOps in Azure Policy-as-code : Azure Policy • Understand evaluation outcomes • Control the response to an evaluation • Remediate non-compliant resources • Single source of truth Azure Policy is a service that offers both built-in and user-defined policies across categories mapping the various Azure services such as Compute, Storage or even AKS. These policies can be defined on the Azure Portal and assigned to one or more subscriptions/resource groups. Azure Policy documentation : https://docs.microsoft.com/en-us/azure/governance/policy/ image from https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-terraform
DevSecOps in Azure Maintain your keys : Azure Key Vault • Centralize application secrets • Securely store secrets and keys • Simplified administration of application secrets • Integrate with other Azure services Azure Key Vault helps solve “Secrets Management” , “Key Management” and “Certificate Management” problems. Azure Key Vault documentation : https://docs.microsoft.com/en-us/azure/key-vault/general/overview image from https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal
DevSecOps in Azure Keep your resources safe: Azure Security Center • Strengthen security posture • Protect against threats • Get secure faster • Prioritize your security work Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. Azure Security Center documentation : https://docs.microsoft.com/en-us/azure/security-center/ image from https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction
3rd Party DevSecOps Tools Check open source components : Whitesource Bolt • WhiteSource Secures & Manages Your Open Source Usage • Get Real-Time Alerts on Security Vulnerabilities • Ensure license compliance • Automated Up-to-Date Inventory Reports WhiteSource Bolt scans all your projects and detects open source components, their license and known vulnerabilities. Not to mention, it also provide fixes. Whitesource Bolt Ver. 1.0 documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt Whitesource Bolt Ver. 2.0 documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2 image from https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2
3rd Party DevSecOps Tools Demonstrate security and penetration testing: WebGoat • Learn the hack - Stop the attack • Test vulnerabilities • Create a de-facto interactive teaching environment WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. WebGoat documentation : https://github.com/WebGoat/WebGoat image from https://www.zupzup.org/websecurity-with-webgoat
3rd Party DevSecOps Tools Create security report : Microsoft Security Code Analysis • Simple configuration and execution • Keep builds clean • Auto-Update • Break the build • Scan Credentials The Microsoft Security Code Analysis extension empowers you to do so, easily integrating the running of static analysis tools in your Azure DevOps pipelines.. Microsoft Security Code Analysis Extension documentation : https://secdevtools.azurewebsites.net/ image from https://techdailychronicle.com/
3rd Party DevSecOps Tools Scan containers for the security and compliance: Anchore The Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. The Anchore Engine is provided as a Docker container image that can be run standalone or within an orchestration platform such as Kubernetes, Docker Swarm, Rancher, Amazon ECS, and other container orchestration platforms. Anchore documentation : https://anchore.com/opensource/ image from https://anchore.com/blog/enhanced-vulnerability-data/ Configure Anchore to authenticate with Azure Container Registry (ACR) and analyze an image.
DEMO: Implement Security in Azure DevOps CI/CD Prerequisites • An Azure subscription • Azure DevOps account • GitHub Account Steps • Create Azure DevOps project and prepare WebGoat source code • Create container registry with ACR and Azure Key Vault • Configure CI/CD pipeline for Webgoat • Check open source components with Whitesource Bolt • Scan containers with Anchore for the security with AKS • Helm CLI • Anchore CLI • Kubectl
DEMO: Implement Security in Azure DevOps CI/CD Install Required CLI’s Azure CLI : https://docs.microsoft.com/en-us/cli/azure/install-azure-cli Helm CLI : https://helm.sh/docs/intro/install/ Kubectl : https://kubernetes.io/docs/tasks/tools/install-kubectl/ Anchore CLI : https://github.com/anchore/anchore-cli Anchore CLI for Mac M1 : https://www.dynamsoft.com/codepool/python-barcode-apple-m1-mac.html
DEMO: Implement Security in Azure DevOps CI/CD Azure DevOps & Azure Subscription Connections Connect your organization to Azure Active Directory : https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to- azure-ad?view=azure-devops
DEMO: Implement Security in Azure DevOps CI/CD Create Azure DevOps Project Create a project in Azure DevOps : https://docs.microsoft.com/en-us/azure/devops/organizations/projects/create-project? view=azure-devops&tabs=preview-page
DEMO: Implement Security in Azure DevOps CI/CD Create a new Git repo in your project Create a new Git repo in your project : https://docs.microsoft.com/en-us/azure/devops/repos/git/create-new-repo?view=azure-devops WebGoat GitHub project : https://github.com/WebGoat/WebGoat
DEMO: Implement Security in Azure DevOps CI/CD Update WebGoat dockerfile version
DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Login & Set Subscription Sign in with Azure CLI : https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli
DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Create Resource Group Create Azure Resource Group : https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli azure-cli command az group create --name webGoatKonfRG --location westeurope
DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Create Azure Container Registry azure-cli command az acr create --resource-group webGoatKonfRG --name webGoatKonfACR --sku Basic --admin-enabled true -- location westeurope Create Azure Container Registry : https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli
DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Azure Key Vault azure-cli command az keyvault create --name "webGoatKonfKV" --resource-group "webGoatKonfRG" --location westeurope Create Azure Key Vault : https://docs.microsoft.com/bs-cyrl-ba/Azure/key-vault/general/quick-create-cli
DEMO: Implement Security in Azure DevOps CI/CD Check Azure Resources - Resource Group , ACR , Key Vault
DEMO: Implement Security in Azure DevOps CI/CD Get Azure CR Credentials Azure Container Registry Documentation : https://docs.microsoft.com/en-us/azure/container-registry/
DEMO: Implement Security in Azure DevOps CI/CD Create secrets Azure Key Vault Use acrUsername and acrPassword names and set ACR credentials as value.
DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Use the classic editor to create a pipeline without YAML. Create your first pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure- devops&tabs=java%2Ctfs-2018-2%2Cbrowser
DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Use Empty job to start. Select ubuntu-18.04 agent for agent job.
DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Add Maven task to then “Advanced” step set MAVEN_OPT to -Xmx3072m .
DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Add Docker task. Select webgoat-server folder dockerfile to build. Add Latest to tags. Create new Container Registry connection with New button. Last step Save & Queue .
DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Build will take approximately 5 mins then check build pipeline finished with successful.
DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Artifact Define your multi-stage continuous deployment (CD) pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/release/define-multistage-release-process?view=azure-devops
DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Define your multi-stage continuous deployment (CD) pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/release/define-multistage-release-process?view=azure-devops
DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Tasks azure-cli command az container create --resource-group $(resourceGroup) --name $(containerGroup) --image $(acrRegistry)/$(imageRepository):$(Build.BuildId) --dns-name-label $ (containerDNS) --ports 8080 --registry-username $(acrUsername) --registry-password $(acrPassword) Add Azure CLI task. Select Azure Subscription created before. Select Inline Script. Add cli command given above to Inline Script area.
DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Variables - Non-sensitive In variables section for non-sensitive variables add resourceGroup , containerGroup , acrRegistry , containerDNS , imageRepository names with values of webGoatKonfRG , webgoatkonfcg , webgoatkonfacr.azurecr.io, webgoatkonfdns , webgoat-8.1 in a row under Pipeline variables area. Get values from webGoatKonfACR named container registry to use in release pipeline variables.
DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Variables - Sensitive For sensitive variables select variable groups under release pipeline variables title and link it with created from Azure Key Vault service. Create Variable Group from Azure Key Vault under library menu from Pipelines section.
DEMO: Implement Security in Azure DevOps CI/CD Create Release You need a manually approve to deploy created artifact by pushing deploy button in Stage 1 Create a new release under release pipeline by clicking Create New Release button.
DEMO: Implement Security in Azure DevOps CI/CD Check Azure Container Instances After create a successful deployment go to Azure Container Instance service to get our container published web link.
DEMO: Implement Security in Azure DevOps CI/CD Browse WebGoat and Learn Security ! WebGoat Container Browse Link : http://ACI_FQDN:8080/WebGoat WebGoat Official Page : https://owasp.org/www-project-webgoat/ *ACI_FQDN is our container instance FQDN
DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components Add Whitesource Bolt extension to build pipeline from Visual Studio Marketplace
DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components WhiteSource Bolt Documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt
DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components After adding Whitesource Bolt extension rebuild pipeline to get reports.
DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: Check Vulnerability Reports After build pipeline Whitesource Bolt extension creates vulnerability reports.
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Create AKS Cluster on WebGout Resource Group Install Anchore server on AKS with Helm : https://anchore.com/blog/azure-anchore-kubernetes-service-cluster-with-helm/ azure-cli command az aks create --resource-group webGoatKonfRG --name anchoreAKSCluster --node-count 3 --enable- addons monitoring --generate-ssh-keys
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Get credentials for AKS cluster and check credentials cli commands Get credentials : az aks get-credentials --resource-group webGoatKonfRG --name anchoreAKSCluster Get nodes : kubectl get nodes Browse aks cluster : az aks browse --resource-group webGoatKonfRG --name anchoreAKSCluster
DEMO: Implement Security in Azure DevOps CI/CD Anchore : HELM Configuration apiVersion: v 1 kind: ServiceAccoun t metadata : name: tille r namespace: kube-syste m -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRol e metadata : name: kube-dashboar d rules : - apiGroups: ["*" ] resources: ["*" ] verbs: ["*" ] -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRoleBindin g metadata : name: tille r roleRef : apiGroup: rbac.authorization.k8s.i o kind: ClusterRol e name: cluster-admi n subjects : - kind: ServiceAccoun t name: tille r namespace: kube-syste m -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRoleBindin g metadata : name: rook-operato r namespace: rook-syste m roleRef : apiGroup: rbac.authorization.k8s.i o kind: ClusterRol e name: kube-dashboar d subjects : - kind: ServiceAccoun t name: kubernetes-dashboar d namespace: kube-system • create a file name helm-rbac.yaml • execute sudo vim helm-rbac.yaml • add configuration same as given code block • execute kubectl apply - f helm-brac.yaml command
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Install Anchore cli commands Add anchore helm repo : helm repo add anchore https://charts.anchore.io Install anchore helm chart : helm install anchore-demo anchore/anchore-engine cli commands Get deployments : kubectl get deployments Expose API port externally : kubectl expose deployment anchore-demo-anchore-engine-api —type=LoadBalancer --name=anchore-engine —port=8228 View service and external IP : kubectl get service anchore-engine
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Check Anchore Status cli commands Check status of Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret -- namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -- decode; echo) system status
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add Registry and Image to Anchore cli commands Add Registry to Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret -- namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -- decode; echo) registry add --registry-type docker_v2 webgoatkonfacr.azurecr.io webGoatKonfACR LHZiFHz/ YeuQL=wQhHgRGva5MDOMCWdE cli commands Add Image to Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret --namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) image add webgoatkonfacr.azurecr.io/webgoat-8.1:Latest
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add credentials to Azure Vault For sensitive variables add anchorPassword , anchorUser , anchorServer , azure key vault wallet to use in vulnerability scan task. Don’t forget to link variable group to pipeline. And also don’t forget to add non-sensitive variables to pipeline variables as imageRepository and acrRegistry. cli command for get anchore-cli password kubectl get secret --namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add new job agent to build pipeline In the Dependencies select agent job, which is responsible for compiling and pushing WebGoat container to ACR. It is important to have that job finished before scans gets triggered as we want to scan the lates image.
DEMO: Implement Security in Azure DevOps CI/CD Anchore : First Task - Install anchore cli First Bash task is reponsible for installing anchore-cli tool on agent.
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Second Task - Vulnerability scanner Second Bash task is reponsible for scan for vulnerabilities in the image. Bash task command anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) image vuln $(acrRegistry)/$ (imageRepository):Latest os > image-vuln.json
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Third Task - Policy scanner Third Bash task is reponsible for scan for policies in the image. Bash task command anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) evaluate check $(acrRegistry)/$ (imageRepository):Latest --detail > image-policy.json
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Generate Anchore Report Both scan will produce json reports and we need to publish them as pipeline artifact, which can be downloaded after. To do this add two tasks: • Copy Files : contents => *.json , Target Folder => $(Build.ArtifactStagingDirectory) • Publish build artifacts : Path to publish => $(Build.ArtifactStagingDirectory) , Artifact name => Anchore-reports
DEMO: Implement Security in Azure DevOps CI/CD Anchore : Generate Anchore Report Both scan will produce json reports and we need to publish them as pipeline artifact, which can be downloaded after. To do this add two tasks: • Copy Files : contents => *.json , Target Folder => $(Build.ArtifactStagingDirectory) • Publish build artifacts : Path to publish => $(Build.ArtifactStagingDirectory) , Artifact name => Anchore-reports
We are a team of experienced and happy high achievers, Knowing that ‘Great vision without great people is irrelevant.’ So: ● Talents determine the positions, we do not miss the best, ● We hire the best and providing them the best, pecuniary and non-pecuniary, ● We set high standards, so you better have those as well, ● Stunning colleagues means a great workplace, and the motive to be online. If you have the Stunning ‘Kloian’ essence or potential by being: ● No Bullshit ● Self-motivated and Reliable ● Optimistic and Focused ● Happy and Fun ● Flexible and Trustworthy ● Willing and Creative ● Open minded and Kind (Majority of above, if not all.) You are more than welcome to apply: career@kloia.com Come Join Us, The Kloians:
Q & A RESOURCES MENTIONED IN THIS SESSION https://github.com/kloia/dotnetkonf21-Azure-DevSecOps Thank you for listening. blog.kloia.com @kloia_com kloia.com

More Related Content

What's hot (20)

PDF
DevSecOps | DevOps Sec
Rubal Jain
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
PPTX
Introduction to DevSecOps
abhimanyubhogwan
 
PDF
Infrastructure as Code
Albert Suwandhi
 
PPTX
Azure DevOps
Felipe Artur Feltes
 
PPTX
DevSecOps
Joel Divekar
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
DevSecOps
Cheah Eng Soon
 
PDF
Introduction to DevSecOps
Setu Parimi
 
PDF
DevSecOps and the CI/CD Pipeline
James Wickett
 
PPTX
Jenkins CI presentation
Jonathan Holloway
 
PDF
DevOps Best Practices
Giragadurai Vallirajan
 
PPTX
Azure devops
Mohit Chhabra
 
PPTX
Azure DevOps
Juan Fabian
 
PPTX
DEVSECOPS.pptx
MohammadSaif904342
 
PPTX
DevSecOps reference architectures 2018
Sonatype
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
PDF
Slide DevSecOps Microservices
Hendri Karisma
 
PPTX
CI/CD on AWS
Bhargav Amin
 
PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
DevSecOps | DevOps Sec
Rubal Jain
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Introduction to DevSecOps
abhimanyubhogwan
 
Infrastructure as Code
Albert Suwandhi
 
Azure DevOps
Felipe Artur Feltes
 
DevSecOps
Joel Divekar
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps
Cheah Eng Soon
 
Introduction to DevSecOps
Setu Parimi
 
DevSecOps and the CI/CD Pipeline
James Wickett
 
Jenkins CI presentation
Jonathan Holloway
 
DevOps Best Practices
Giragadurai Vallirajan
 
Azure devops
Mohit Chhabra
 
Azure DevOps
Juan Fabian
 
DEVSECOPS.pptx
MohammadSaif904342
 
DevSecOps reference architectures 2018
Sonatype
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Slide DevSecOps Microservices
Hendri Karisma
 
CI/CD on AWS
Bhargav Amin
 
DevSecOps Implementation Journey
DevOps Indonesia
 

Similar to Secure Your Code Implement DevSecOps in Azure (20)

PPTX
Azure DevSecOps Training | Azure DevOps Certification Course.pptx
TalluriRenuka
 
PDF
Azure Security Check List - Final.pdf
Okan YILDIZ
 
PPTX
DevSecOps - automating security
John Staveley
 
PDF
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
Duran Hsieh
 
PDF
.NET Online TechTalk “Azure Cloud for DEV”
GlobalLogic Ukraine
 
PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
PPTX
Azure Security Compass v1.1 - Presentation.pptx
ZaheerEbrahim5
 
PPTX
DevSecOps OWASP
Priyanka Raghavan
 
PPTX
Securing Applications
Mark Harrison
 
PPTX
Power of the cloud - Introduction to azure security
Bruno Capuano
 
PDF
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
Karl Ots
 
PPTX
How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?
Lorenzo Barbieri
 
PPTX
Control Freak: Risk and Control in Azure DevOps
AgileThought
 
PDF
Security Scanning Solutions_ Protecting Applications in the DevOps Era.pdf
Devseccops.ai
 
PDF
Azure governance v4.0
Marcos Oikawa
 
PPTX
Deploying Azure DevOps using Terraform
Adin Ermie
 
PDF
Azure DevOps & GitHub... Better Together!
Lorenzo Barbieri
 
PDF
GitHub for partners
Lorenzo Barbieri
 
PPTX
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
PPTX
Tour of Azure DevOps
Callon Campbell
 
Azure DevSecOps Training | Azure DevOps Certification Course.pptx
TalluriRenuka
 
Azure Security Check List - Final.pdf
Okan YILDIZ
 
DevSecOps - automating security
John Staveley
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
Duran Hsieh
 
.NET Online TechTalk “Azure Cloud for DEV”
GlobalLogic Ukraine
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
stevecooper930744
 
Azure Security Compass v1.1 - Presentation.pptx
ZaheerEbrahim5
 
DevSecOps OWASP
Priyanka Raghavan
 
Securing Applications
Mark Harrison
 
Power of the cloud - Introduction to azure security
Bruno Capuano
 
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
Karl Ots
 
How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?
Lorenzo Barbieri
 
Control Freak: Risk and Control in Azure DevOps
AgileThought
 
Security Scanning Solutions_ Protecting Applications in the DevOps Era.pdf
Devseccops.ai
 
Azure governance v4.0
Marcos Oikawa
 
Deploying Azure DevOps using Terraform
Adin Ermie
 
Azure DevOps & GitHub... Better Together!
Lorenzo Barbieri
 
GitHub for partners
Lorenzo Barbieri
 
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
Tour of Azure DevOps
Callon Campbell
 
Ad

More from kloia (20)

PPTX
Converged Infrastructures on Kubernetes with Kubevirt
kloia
 
PPTX
Kloia AWS IBM Hashicorp Day Presentation
kloia
 
PPTX
AWS reInvent recap 2024 - Dorian/Derya SEZEN
kloia
 
PPTX
re:Invent recap - Application Modernization
kloia
 
PDF
Isovalent-kloia Cilium Workshop
kloia
 
PPTX
Kloia - Why Microsoft Modernisation Matters
kloia
 
PDF
DotNetKonf23 - NET Modernization Problems & Solutions.pdf
kloia
 
PPTX
AWS User Group Meetup Feb2023.pptx
kloia
 
PDF
re:Invent Recap
kloia
 
PPTX
The New era in QA: k6
kloia
 
PPTX
Etkili Blog Yazım Teknikleri - Tuğba Sertkaya
kloia
 
PPTX
AWS re:Invent 2021 Recap by APN Ambassador
kloia
 
PPTX
Camunda BPM - Said Mengi
kloia
 
PPTX
AlOps - Yetişkan Eliaçık
kloia
 
PPTX
Zaman Yönetimi - Aras Bilgen
kloia
 
PDF
Gravitee API Management - Ahmet AYDIN
kloia
 
PPTX
React Bootcamp Day 2 - Yunus Demirpolat
kloia
 
PPTX
React Bootcamp Day 1 - Yunus Demirpolat
kloia
 
PDF
Contract testing - Baran Gayretli
kloia
 
PDF
Contract Testing
kloia
 
Converged Infrastructures on Kubernetes with Kubevirt
kloia
 
Kloia AWS IBM Hashicorp Day Presentation
kloia
 
AWS reInvent recap 2024 - Dorian/Derya SEZEN
kloia
 
re:Invent recap - Application Modernization
kloia
 
Isovalent-kloia Cilium Workshop
kloia
 
Kloia - Why Microsoft Modernisation Matters
kloia
 
DotNetKonf23 - NET Modernization Problems & Solutions.pdf
kloia
 
AWS User Group Meetup Feb2023.pptx
kloia
 
re:Invent Recap
kloia
 
The New era in QA: k6
kloia
 
Etkili Blog Yazım Teknikleri - Tuğba Sertkaya
kloia
 
AWS re:Invent 2021 Recap by APN Ambassador
kloia
 
Camunda BPM - Said Mengi
kloia
 
AlOps - Yetişkan Eliaçık
kloia
 
Zaman Yönetimi - Aras Bilgen
kloia
 
Gravitee API Management - Ahmet AYDIN
kloia
 
React Bootcamp Day 2 - Yunus Demirpolat
kloia
 
React Bootcamp Day 1 - Yunus Demirpolat
kloia
 
Contract testing - Baran Gayretli
kloia
 
Contract Testing
kloia
 
Ad

Recently uploaded (20)

PDF
Cloud computing Lec 02 - virtualization.pdf
asokawennawatte
 
PPTX
Iobit Driver Booster Pro 12 Crack Free Download
chaudhryakashoo065
 
PPTX
NeuroStrata: Harnessing Neuro-Symbolic Paradigms for Improved Testability and...
Ivan Ruchkin
 
PPTX
declaration of Variables and constants.pptx
meemee7378
 
PPTX
IDM Crack with Internet Download Manager 6.42 [Latest 2025]
HyperPc soft
 
PPTX
Android Notifications-A Guide to User-Facing Alerts in Android .pptx
Nabin Dhakal
 
PDF
capitulando la keynote de GrafanaCON 2025 - Madrid
Imma Valls Bernaus
 
PPTX
IObit Uninstaller Pro 14.3.1.8 Crack Free Download 2025
sdfger qwerty
 
PPTX
ERP - FICO Presentation BY BSL BOKARO STEEL LIMITED.pptx
ravisranjan
 
PDF
IObit Uninstaller Pro 14.3.1.8 Crack for Windows Latest
utfefguu
 
PPTX
computer forensics encase emager app exp6 1.pptx
ssuser343e92
 
PDF
How DeepSeek Beats ChatGPT: Cost Comparison and Key Differences
sumitpurohit810
 
PDF
IDM Crack with Internet Download Manager 6.42 Build 41
utfefguu
 
PDF
Laboratory Workflows Digitalized and live in 90 days with Scifeon´s SAPPA P...
info969686
 
PPTX
EO4EU Ocean Monitoring: Maritime Weather Routing Optimsation Use Case
EO4EU
 
PPTX
Wondershare Filmora Crack 14.5.18 + Key Full Download [Latest 2025]
HyperPc soft
 
PPTX
Seamless-Image-Conversion-From-Raster-to-wrt-rtx-rtx.pptx
Quick Conversion Services
 
PDF
AWS Consulting Services: Empowering Digital Transformation with Nlineaxis
Nlineaxis IT Solutions Pvt Ltd
 
PDF
Automated Test Case Repair Using Language Models
Lionel Briand
 
PPTX
B2C EXTRANET | EXTRANET WEBSITE | EXTRANET INTEGRATION
philipnathen82
 
Cloud computing Lec 02 - virtualization.pdf
asokawennawatte
 
Iobit Driver Booster Pro 12 Crack Free Download
chaudhryakashoo065
 
NeuroStrata: Harnessing Neuro-Symbolic Paradigms for Improved Testability and...
Ivan Ruchkin
 
declaration of Variables and constants.pptx
meemee7378
 
IDM Crack with Internet Download Manager 6.42 [Latest 2025]
HyperPc soft
 
Android Notifications-A Guide to User-Facing Alerts in Android .pptx
Nabin Dhakal
 
capitulando la keynote de GrafanaCON 2025 - Madrid
Imma Valls Bernaus
 
IObit Uninstaller Pro 14.3.1.8 Crack Free Download 2025
sdfger qwerty
 
ERP - FICO Presentation BY BSL BOKARO STEEL LIMITED.pptx
ravisranjan
 
IObit Uninstaller Pro 14.3.1.8 Crack for Windows Latest
utfefguu
 
computer forensics encase emager app exp6 1.pptx
ssuser343e92
 
How DeepSeek Beats ChatGPT: Cost Comparison and Key Differences
sumitpurohit810
 
IDM Crack with Internet Download Manager 6.42 Build 41
utfefguu
 
Laboratory Workflows Digitalized and live in 90 days with Scifeon´s SAPPA P...
info969686
 
EO4EU Ocean Monitoring: Maritime Weather Routing Optimsation Use Case
EO4EU
 
Wondershare Filmora Crack 14.5.18 + Key Full Download [Latest 2025]
HyperPc soft
 
Seamless-Image-Conversion-From-Raster-to-wrt-rtx-rtx.pptx
Quick Conversion Services
 
AWS Consulting Services: Empowering Digital Transformation with Nlineaxis
Nlineaxis IT Solutions Pvt Ltd
 
Automated Test Case Repair Using Language Models
Lionel Briand
 
B2C EXTRANET | EXTRANET WEBSITE | EXTRANET INTEGRATION
philipnathen82
 

Secure Your Code Implement DevSecOps in Azure

  • 1. Secure Your Code : Implement DevSecOps in Azure 21 Feb 2021 @srkbngl
  • 2. Who am I? Serkan Bingöl Cloud & DevOps Consultant @kloia MCSD / MCT / AAI / AWS Certified Blog : medium.com/@serkanbingoll Tweet : @srkbngl LinkedIn : /in/sbingol GitHub : github.com/serkanbingol
  • 3. Agenda • What is Dev{Sec}Ops ? • DevSecOps in GitHub & Demos • DevSecOps in Azure • 3rd Party DevSecOps Tools • DEMO : Implement Security in Azure DevOps CI/CD • Q & A
  • 4. What is Dev{Sec}Ops ? DevOps is the union of people, process, and technology to enable continuous delivery of value to your end users. DevSecOps is a cultural movement that furthers the movements of Agile and DevOps into Security Automation + Security image from https://www.recordedfuture.com/ image from https://stackify.com/devops-engineer-starter-guide/
  • 5. What is Dev{Sec}Ops ? DEV : OPS :SEC Ratio - 100:10:1 “The ratio of engineers in Development, Operations, and Infosec in a typical technology organization is 100:10:1. When Infosec is that outnumbered, without automation and integrating information security into the daily work of Dev and Ops, Infosec can only do compliance checking, which is the opposite of security engineering—and besides, it also makes everyone hate us.” image from https://twitter.com/joshcorman/status/644153295464960000
  • 6. What is Dev{Sec}Ops ? Discover vulnerability during the development. * Slide 9 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
  • 7. What is Dev{Sec}Ops ? More we code , more we need security. Insecure code causes breaches Source: 2019 Data Breach Investigations Report, Verizon 53% of breaches are caused by weaknesses in applications. Report link : https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
  • 8. What is Dev{Sec}Ops ? Security Patterns : Old Path Vs. New Path • Embrace Secrecy • Just Pass Audit! • Enforce Stability • Build a Wall • Slow Validation • Certainly Testing • Test When DONE ! • Process Driven • Create Feedback Loops • Compliance adds Value • Create Chaos • Zero Trust Networks • Fast and Non-Blocking • Adversity Testing • Shift Left • The Paved Road image from https://wellbeingeconomy.org/
  • 9. What is Dev{Sec}Ops ? Azure Patterns: Infrastructure Planning ✘Subscription per environment ✘Apply policies to control transparently and proactively ✘ Security Center ON from day 1 ✘Infrastructure as code. Period ✘ Production ONLY for CI/CD pipelines ✘ CI/CD pipeline is a heart of security image from https://bridgecrew.io/blog/infrastructure-as-code-security-101/
  • 10. What is Dev{Sec}Ops ? Azure Patterns: Watch Every Step • Threat modeling • IDE Security plugins • Pre-commit hooks • Peer review • Static code analysis • Security unit tests • Container Security • Dependency management • IaC • Security scanning • Cloud configuration • Security acceptance tests • Security smoke tests • Security Configuration • Secret Management • Server Hardening • Continuous monitoring • Threat intelligence • Penetration Testing • Blameless postmortems
  • 11. DevSecOps in GitHub • Browser-based IDEs with built-in security extensions. • Agents that continuously monitor security advisories and replace vulnerable and out-of-date dependencies. • Search capabilities that scan source code for vulnerabilities. • Action-based workflows that automate every step of development, testing, and deployment. • Spaces that provide a way to privately discuss and resolve security threats and then publish the information. * Combined with the monitoring and evaluation power of Azure, these features provide a superb service for building secure cloud solutions. * https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github
  • 12. DevSecOps in GitHub Foundation of the Enterprise in Cloud : Azure AD • Azure AD auth to GitHub • GitHub auth to Azure portal - SAML SSO - LDAP - RBAC - Required 2FA - GitHub Connect - Audit log
  • 13. DevSecOps in GitHub Secure your supply chain * Slide 22 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
  • 14. DevSecOps in GitHub Secure your supply chain: GitHub Dependabot Alerts • Automate dependency updates • Identificate vulnerable dependencies Managing Vulnerabilities in your project Dependencies : https://docs.github.com/en/github/managing-security-vulnerabilities/managing-vulnerabilities-in- your-projects-dependencies
  • 15. DevSecOps in GitHub Secure your supply chain: GitHub Dependabot Alerts * Slide 30 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
  • 16. DevSecOps in GitHub Secure your repository: GitHub Secret Scanning • Scan and detect secrets in your repository • Lots of service providers * Secret scanning is available in public repositories, and in private repositories owned by organizations with an Advanced Security license. Configuring secret scanning for your repositories : https://docs.github.com/en/github/administering-a-repository/configuring-secret-scanning-for- your-repositories - Atlassian - Azure - AWS - Alibaba Cloud - Google Cloud - Stripe - ……
  • 17. DevSecOps in GitHub Analyse your code * Slide 37 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
  • 18. DevSecOps in GitHub Analyse your code: GitHub Code Scanning • Automate your code review. • CodeQL has leading security teams and individuals. • CodeQL has more CVEs than any other static application security testing vendor team. • GitHub is now a CNA. About code scanning : https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about- code-scanning * CVE : Common Vulnerabilities and Exposures ** CNA : CVE Numbering Authority *** Zero-Day : Software vulnerability that is unknown to, or unaddressed by, those who are interested in mitigating it.
  • 19. DevSecOps in Azure • Azure AD can be configured as the identity provider for GitHub. • GitHub Enterprise can integrate automatic security and dependency scanning. • Azure Pipelines generates a Docker container image that is stored to Azure Container Registry, which is to be used at release time by Azure Kubernetes Service. • A release on Azure Pipelines integrates the Terraform tool, managing both the cloud infrastructure as code, provisioning resources such as Azure Kubernetes Service, Application Gateway, and Azure Cosmos DB. • Azure Security Center will be able to do active threat monitoring on the Azure Kubernetes Service, on both Node level (VM threats) and internals. * https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-azure
  • 20. DevSecOps in Azure Infrastructure as Code : Terraform • Deliver Infrastructure as Code Terraform is commercial templating tool that can provision cloud-native applications across all the major cloud players: Azure, Google Cloud Platform, AWS, and AliCloud. Instead of using JSON as the template definition language, it uses the slightly more terse YAML. Infrastructure as code with Microsoft: https://docs.microsoft.com/en-us/dotnet/architecture/cloud-native/infrastructure-as-code - Write : Write infrastructure as code using declarative configuration files. - Plan : Check whether the execution plan for a configuration matches your expectations before provisioning or changing infrastructure. - Apply : Apply changes to hundreds of cloud providers to reach the desired state of the configuration. image from https://adinermie.com/
  • 21. DevSecOps in Azure Policy-as-code : Azure Policy • Understand evaluation outcomes • Control the response to an evaluation • Remediate non-compliant resources • Single source of truth Azure Policy is a service that offers both built-in and user-defined policies across categories mapping the various Azure services such as Compute, Storage or even AKS. These policies can be defined on the Azure Portal and assigned to one or more subscriptions/resource groups. Azure Policy documentation : https://docs.microsoft.com/en-us/azure/governance/policy/ image from https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-terraform
  • 22. DevSecOps in Azure Maintain your keys : Azure Key Vault • Centralize application secrets • Securely store secrets and keys • Simplified administration of application secrets • Integrate with other Azure services Azure Key Vault helps solve “Secrets Management” , “Key Management” and “Certificate Management” problems. Azure Key Vault documentation : https://docs.microsoft.com/en-us/azure/key-vault/general/overview image from https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal
  • 23. DevSecOps in Azure Keep your resources safe: Azure Security Center • Strengthen security posture • Protect against threats • Get secure faster • Prioritize your security work Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. Azure Security Center documentation : https://docs.microsoft.com/en-us/azure/security-center/ image from https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction
  • 24. 3rd Party DevSecOps Tools Check open source components : Whitesource Bolt • WhiteSource Secures & Manages Your Open Source Usage • Get Real-Time Alerts on Security Vulnerabilities • Ensure license compliance • Automated Up-to-Date Inventory Reports WhiteSource Bolt scans all your projects and detects open source components, their license and known vulnerabilities. Not to mention, it also provide fixes. Whitesource Bolt Ver. 1.0 documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt Whitesource Bolt Ver. 2.0 documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2 image from https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2
  • 25. 3rd Party DevSecOps Tools Demonstrate security and penetration testing: WebGoat • Learn the hack - Stop the attack • Test vulnerabilities • Create a de-facto interactive teaching environment WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. WebGoat documentation : https://github.com/WebGoat/WebGoat image from https://www.zupzup.org/websecurity-with-webgoat
  • 26. 3rd Party DevSecOps Tools Create security report : Microsoft Security Code Analysis • Simple configuration and execution • Keep builds clean • Auto-Update • Break the build • Scan Credentials The Microsoft Security Code Analysis extension empowers you to do so, easily integrating the running of static analysis tools in your Azure DevOps pipelines.. Microsoft Security Code Analysis Extension documentation : https://secdevtools.azurewebsites.net/ image from https://techdailychronicle.com/
  • 27. 3rd Party DevSecOps Tools Scan containers for the security and compliance: Anchore The Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. The Anchore Engine is provided as a Docker container image that can be run standalone or within an orchestration platform such as Kubernetes, Docker Swarm, Rancher, Amazon ECS, and other container orchestration platforms. Anchore documentation : https://anchore.com/opensource/ image from https://anchore.com/blog/enhanced-vulnerability-data/ Configure Anchore to authenticate with Azure Container Registry (ACR) and analyze an image.
  • 28. DEMO: Implement Security in Azure DevOps CI/CD Prerequisites • An Azure subscription • Azure DevOps account • GitHub Account Steps • Create Azure DevOps project and prepare WebGoat source code • Create container registry with ACR and Azure Key Vault • Configure CI/CD pipeline for Webgoat • Check open source components with Whitesource Bolt • Scan containers with Anchore for the security with AKS • Helm CLI • Anchore CLI • Kubectl
  • 29. DEMO: Implement Security in Azure DevOps CI/CD Install Required CLI’s Azure CLI : https://docs.microsoft.com/en-us/cli/azure/install-azure-cli Helm CLI : https://helm.sh/docs/intro/install/ Kubectl : https://kubernetes.io/docs/tasks/tools/install-kubectl/ Anchore CLI : https://github.com/anchore/anchore-cli Anchore CLI for Mac M1 : https://www.dynamsoft.com/codepool/python-barcode-apple-m1-mac.html
  • 30. DEMO: Implement Security in Azure DevOps CI/CD Azure DevOps & Azure Subscription Connections Connect your organization to Azure Active Directory : https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to- azure-ad?view=azure-devops
  • 31. DEMO: Implement Security in Azure DevOps CI/CD Create Azure DevOps Project Create a project in Azure DevOps : https://docs.microsoft.com/en-us/azure/devops/organizations/projects/create-project? view=azure-devops&tabs=preview-page
  • 32. DEMO: Implement Security in Azure DevOps CI/CD Create a new Git repo in your project Create a new Git repo in your project : https://docs.microsoft.com/en-us/azure/devops/repos/git/create-new-repo?view=azure-devops WebGoat GitHub project : https://github.com/WebGoat/WebGoat
  • 33. DEMO: Implement Security in Azure DevOps CI/CD Update WebGoat dockerfile version
  • 34. DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Login & Set Subscription Sign in with Azure CLI : https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli
  • 35. DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Create Resource Group Create Azure Resource Group : https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli azure-cli command az group create --name webGoatKonfRG --location westeurope
  • 36. DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Create Azure Container Registry azure-cli command az acr create --resource-group webGoatKonfRG --name webGoatKonfACR --sku Basic --admin-enabled true -- location westeurope Create Azure Container Registry : https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli
  • 37. DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Azure Key Vault azure-cli command az keyvault create --name "webGoatKonfKV" --resource-group "webGoatKonfRG" --location westeurope Create Azure Key Vault : https://docs.microsoft.com/bs-cyrl-ba/Azure/key-vault/general/quick-create-cli
  • 38. DEMO: Implement Security in Azure DevOps CI/CD Check Azure Resources - Resource Group , ACR , Key Vault
  • 39. DEMO: Implement Security in Azure DevOps CI/CD Get Azure CR Credentials Azure Container Registry Documentation : https://docs.microsoft.com/en-us/azure/container-registry/
  • 40. DEMO: Implement Security in Azure DevOps CI/CD Create secrets Azure Key Vault Use acrUsername and acrPassword names and set ACR credentials as value.
  • 41. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Use the classic editor to create a pipeline without YAML. Create your first pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure- devops&tabs=java%2Ctfs-2018-2%2Cbrowser
  • 42. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Use Empty job to start. Select ubuntu-18.04 agent for agent job.
  • 43. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Add Maven task to then “Advanced” step set MAVEN_OPT to -Xmx3072m .
  • 44. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Add Docker task. Select webgoat-server folder dockerfile to build. Add Latest to tags. Create new Container Registry connection with New button. Last step Save & Queue .
  • 45. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Build will take approximately 5 mins then check build pipeline finished with successful.
  • 46. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Artifact Define your multi-stage continuous deployment (CD) pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/release/define-multistage-release-process?view=azure-devops
  • 47. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Define your multi-stage continuous deployment (CD) pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/release/define-multistage-release-process?view=azure-devops
  • 48. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Tasks azure-cli command az container create --resource-group $(resourceGroup) --name $(containerGroup) --image $(acrRegistry)/$(imageRepository):$(Build.BuildId) --dns-name-label $ (containerDNS) --ports 8080 --registry-username $(acrUsername) --registry-password $(acrPassword) Add Azure CLI task. Select Azure Subscription created before. Select Inline Script. Add cli command given above to Inline Script area.
  • 49. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Variables - Non-sensitive In variables section for non-sensitive variables add resourceGroup , containerGroup , acrRegistry , containerDNS , imageRepository names with values of webGoatKonfRG , webgoatkonfcg , webgoatkonfacr.azurecr.io, webgoatkonfdns , webgoat-8.1 in a row under Pipeline variables area. Get values from webGoatKonfACR named container registry to use in release pipeline variables.
  • 50. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Variables - Sensitive For sensitive variables select variable groups under release pipeline variables title and link it with created from Azure Key Vault service. Create Variable Group from Azure Key Vault under library menu from Pipelines section.
  • 51. DEMO: Implement Security in Azure DevOps CI/CD Create Release You need a manually approve to deploy created artifact by pushing deploy button in Stage 1 Create a new release under release pipeline by clicking Create New Release button.
  • 52. DEMO: Implement Security in Azure DevOps CI/CD Check Azure Container Instances After create a successful deployment go to Azure Container Instance service to get our container published web link.
  • 53. DEMO: Implement Security in Azure DevOps CI/CD Browse WebGoat and Learn Security ! WebGoat Container Browse Link : http://ACI_FQDN:8080/WebGoat WebGoat Official Page : https://owasp.org/www-project-webgoat/ *ACI_FQDN is our container instance FQDN
  • 54. DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components Add Whitesource Bolt extension to build pipeline from Visual Studio Marketplace
  • 55. DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components WhiteSource Bolt Documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt
  • 56. DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components After adding Whitesource Bolt extension rebuild pipeline to get reports.
  • 57. DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: Check Vulnerability Reports After build pipeline Whitesource Bolt extension creates vulnerability reports.
  • 58. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Create AKS Cluster on WebGout Resource Group Install Anchore server on AKS with Helm : https://anchore.com/blog/azure-anchore-kubernetes-service-cluster-with-helm/ azure-cli command az aks create --resource-group webGoatKonfRG --name anchoreAKSCluster --node-count 3 --enable- addons monitoring --generate-ssh-keys
  • 59. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Get credentials for AKS cluster and check credentials cli commands Get credentials : az aks get-credentials --resource-group webGoatKonfRG --name anchoreAKSCluster Get nodes : kubectl get nodes Browse aks cluster : az aks browse --resource-group webGoatKonfRG --name anchoreAKSCluster
  • 60. DEMO: Implement Security in Azure DevOps CI/CD Anchore : HELM Configuration apiVersion: v 1 kind: ServiceAccoun t metadata : name: tille r namespace: kube-syste m -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRol e metadata : name: kube-dashboar d rules : - apiGroups: ["*" ] resources: ["*" ] verbs: ["*" ] -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRoleBindin g metadata : name: tille r roleRef : apiGroup: rbac.authorization.k8s.i o kind: ClusterRol e name: cluster-admi n subjects : - kind: ServiceAccoun t name: tille r namespace: kube-syste m -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRoleBindin g metadata : name: rook-operato r namespace: rook-syste m roleRef : apiGroup: rbac.authorization.k8s.i o kind: ClusterRol e name: kube-dashboar d subjects : - kind: ServiceAccoun t name: kubernetes-dashboar d namespace: kube-system • create a file name helm-rbac.yaml • execute sudo vim helm-rbac.yaml • add configuration same as given code block • execute kubectl apply - f helm-brac.yaml command
  • 61. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Install Anchore cli commands Add anchore helm repo : helm repo add anchore https://charts.anchore.io Install anchore helm chart : helm install anchore-demo anchore/anchore-engine cli commands Get deployments : kubectl get deployments Expose API port externally : kubectl expose deployment anchore-demo-anchore-engine-api —type=LoadBalancer --name=anchore-engine —port=8228 View service and external IP : kubectl get service anchore-engine
  • 62. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Check Anchore Status cli commands Check status of Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret -- namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -- decode; echo) system status
  • 63. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add Registry and Image to Anchore cli commands Add Registry to Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret -- namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -- decode; echo) registry add --registry-type docker_v2 webgoatkonfacr.azurecr.io webGoatKonfACR LHZiFHz/ YeuQL=wQhHgRGva5MDOMCWdE cli commands Add Image to Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret --namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) image add webgoatkonfacr.azurecr.io/webgoat-8.1:Latest
  • 64. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add credentials to Azure Vault For sensitive variables add anchorPassword , anchorUser , anchorServer , azure key vault wallet to use in vulnerability scan task. Don’t forget to link variable group to pipeline. And also don’t forget to add non-sensitive variables to pipeline variables as imageRepository and acrRegistry. cli command for get anchore-cli password kubectl get secret --namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo
  • 65. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add new job agent to build pipeline In the Dependencies select agent job, which is responsible for compiling and pushing WebGoat container to ACR. It is important to have that job finished before scans gets triggered as we want to scan the lates image.
  • 66. DEMO: Implement Security in Azure DevOps CI/CD Anchore : First Task - Install anchore cli First Bash task is reponsible for installing anchore-cli tool on agent.
  • 67. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Second Task - Vulnerability scanner Second Bash task is reponsible for scan for vulnerabilities in the image. Bash task command anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) image vuln $(acrRegistry)/$ (imageRepository):Latest os > image-vuln.json
  • 68. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Third Task - Policy scanner Third Bash task is reponsible for scan for policies in the image. Bash task command anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) evaluate check $(acrRegistry)/$ (imageRepository):Latest --detail > image-policy.json
  • 69. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Generate Anchore Report Both scan will produce json reports and we need to publish them as pipeline artifact, which can be downloaded after. To do this add two tasks: • Copy Files : contents => *.json , Target Folder => $(Build.ArtifactStagingDirectory) • Publish build artifacts : Path to publish => $(Build.ArtifactStagingDirectory) , Artifact name => Anchore-reports
  • 70. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Generate Anchore Report Both scan will produce json reports and we need to publish them as pipeline artifact, which can be downloaded after. To do this add two tasks: • Copy Files : contents => *.json , Target Folder => $(Build.ArtifactStagingDirectory) • Publish build artifacts : Path to publish => $(Build.ArtifactStagingDirectory) , Artifact name => Anchore-reports
  • 71. We are a team of experienced and happy high achievers, Knowing that ‘Great vision without great people is irrelevant.’ So: ● Talents determine the positions, we do not miss the best, ● We hire the best and providing them the best, pecuniary and non-pecuniary, ● We set high standards, so you better have those as well, ● Stunning colleagues means a great workplace, and the motive to be online. If you have the Stunning ‘Kloian’ essence or potential by being: ● No Bullshit ● Self-motivated and Reliable ● Optimistic and Focused ● Happy and Fun ● Flexible and Trustworthy ● Willing and Creative ● Open minded and Kind (Majority of above, if not all.) You are more than welcome to apply: [email protected] Come Join Us, The Kloians:
  • 72. Q & A RESOURCES MENTIONED IN THIS SESSION https://github.com/kloia/dotnetkonf21-Azure-DevSecOps Thank you for listening. blog.kloia.com @kloia_com kloia.com