DevOps Security Best Practices With Microsoft Azure

DevOps Security Best Practices withMicrosoft AzureWai Man Hui28 Jan 2021

Modern app engineeringis enabled by DevOpsCollaboratePlanDevelop“DevOps is the union of people,process, and technology toenable continuous delivery ofvalue to your end users.” Microsoft CorporationAzureAppOperateDeliver

Microsoft Azure DevOps Solutions ObjectivesDesign cationInfrastructureImplementContinuousFeedback

DevOps practices improve securityProper DevOps practices make your application development more secure,technology is available to help, but don’t forget about the people and the processesPEOPLEPROCESSESTECHNOLOGY Education Secure development lifecycle Release automation Security first mindset Threat modeling Infrastructure/config as code Assumed breach Security assessments Static App. Security Testing (SAST) Protect credentials Red-blue team exercises Dynamic App. Security Testing (DAST)(pen test) Code reviews Limited production access Immutable infrastructure Progressive exposure/canary deployments Microsoft CorporationAzure Credential scanning Secrets management Known vulnerabilities License risks

DevOps on Azure – native and third-party services enhanced by GitHubAzureReposAzureArtifactsAzureMonitorAzure ityCenterVisualStudioApp Center3rd Party Ecosystem Microsoft CorporationAzureAzureKubernetesServiceAzure TestPlansAzure Key VaultGitHubGitHubActionsPackageRegistryGitHub Advanced Security FeaturesAzureBoards

Securing your Software Supply ChainGitHub gives your teams powerful tools to identify issues with theopen source code your app depends on.Get automatic alerts and patcheswith vulnerability scanningand remediation.Investigate and fix vulnerabilitiessafely and privately with securityadvisory workflows.View and manage open sourcedependencies and licenses withdependencies insights.Automatic scanning and notificationsfor vulnerabilities; automatic pullrequests to patch vulnerable code.Tools for scanning, investigationand remediation of security issuesin your projects.Understand what your projectis using, and the health, security,and license information of yoursoftware dependencies. Microsoft CorporationAzure

DevSecOps in Azure1.Azure Active Directory (AD)can be configured as theidentity provider for GitHub2.GitHub Commit tracked byAzure Board3.GitHub Enterprise canintegrate automatic securityand dependency scanningthrough GitHub AdvancedSecurity and GitHub OpenSource Security. Microsoft CorporationAzure

DevSecOps in Azure4.Pull Requests trigger CIbuilds and automatedtesting in Azure Pipelines5.CI build generates dockerimage and stores in AzureContainer Registry6.Azure Security Center willscan the pushed image forAzure-native vulnerabilitiesand for securityrecommendations Microsoft CorporationAzure

DevSecOps in Azure7.Azure Active Directory (AD)can be configured as theidentity provider for GitHub8.GitHub Commit tracked byAzure Board9.Azure Pipelines integrateswith the Terraform toolwhich can managing cloudinfrastructure as code10. Azure Pipelines enableContinuous Delivery (CD) toAzure Kubernetes Service Microsoft CorporationAzure

DevSecOps in Azure11. End user access can besecured with Azure AD B2C12. Pipeline releases or rollbackcan be done based onmonitoring data from AzureMonitor13. Azure Pipelines enableContinuous Delivery (CD) toAzure Kubernetes Service Microsoft CorporationAzure

DevSecOps in GitHub1.Azure Active Directory(AD) can be configuredas the identity providerfor GitHub2.Development can bedone through GitHubCodespaces (currently inlimited public beta)3.GitHub Actionsautomatically scan thecode to findvulnerabilities whenthere are code commits Microsoft CorporationAzure

DevSecOps in GitHub4.Pull requests (PRs)trigger code builds andautomated testingthrough GitHub Actions5.GitHub Actions deploybuild artifacts to AzureApp Service6.Azure Policy evaluatesAzure resources that arein deployment Microsoft CorporationAzure

DevSecOps in GitHub7.Azure Security Centeridentifies attackstargeting applications8.Azure Monitorcontinuously tracks andevaluates app behavior,may trigger rollbackwhen necessary Microsoft CorporationAzure

Key Takeaway Include security setting and configuration in earlier stage of the development workflowdesign Using encrypted at rest service to hold credentials, e.g. GitHub Secret, Azure Key Vault Continuous monitoring on the application Microsoft CorporationAzure

yViYMM69joIAv7dlMsA

Learning path for Azure Developer AssociateAZ-204: DevelopingSolutions for MicrosoftAzureMicrosoft Certified:Azure Developer Associate

Learning path for Azure DevOps Engineer ExpertOne certification required Skills and knowledge DependencymanagementContinuousfeedbackMicrosoft Certified:Azure Administrator AssociateORStart hereAZ-400: Microsoft AzureDevOps SolutionsOnline courses and instructor-ledtraining available to support learningMicrosoft Certified:Azure DevOps Engineer ExpertMicrosoft Certified:Azure Developer development processContinuousdeliveryKeyOptional PathRequired Path

Free Digital eventOpen Azure DayHong KongFeb. 23, 2021 9:15AM-1:00PMLanguage: CantoneseRun Linux apps your way on AzureLearn about the latest Linux and open-source trendsand capabilities on Azure. Watch demos and get bestpractices to turbocharge your apps and data, whetheryou’re new to Azure or new to Linux and OSSworkloads.Topics Highlights: Secure Software Development with GitHub & Azure Architecting Secure, Enterprise Ready solutions forthe Cloud with Azure & MySQL Cloud Native Platform for your Microservice appswith Azure Spring Cloudhttps://aka.ms/openazuredayhk Running SAP with SUSE on Azure Be Future Ready with Azure: The Open Cloud

Thank you Copyright Microsoft Corporation. All rights reserved.

Azure Active Directory (AD) can be configured as the identity provider for GitHub 8. GitHub Commit tracked by Azure Board 9. Azure Pipelines integrates with the Terraform tool which can managing cloud infrastructure as code 10. Azure Pipelines enable Continuous Delivery (CD) to Azure Kubernetes Service