Secure Your Code Implement DevSecOps in Azure

Secure Your Code :

Implement DevSecOps in Azure

21 Feb 2021

@srkbngl

Who am I?

Serkan Bingöl

Cloud & DevOps Consultant @kloia

MCSD / MCT / AAI / AWS Certified

Blog : medium.com/@serkanbingoll

Tweet : @srkbngl

LinkedIn : /in/sbingol

GitHub : github.com/serkanbingol

Agenda
• What is Dev{Sec}Ops ?

• DevSecOps in GitHub & Demos

• DevSecOps in Azure

• 3rd Party DevSecOps Tools

• DEMO : Implement Security in Azure DevOps CI/CD

• Q & A

What is Dev{Sec}Ops ?
DevOps is the union of people, process, and
technology to enable continuous delivery of
value to your end users.
DevSecOps is a cultural movement that furthers
the movements of Agile and DevOps into
Security
Automation + Security
image from https://www.recordedfuture.com/
image from https://stackify.com/devops-engineer-starter-guide/

DEV : OPS :SEC Ratio - 100:10:1
“The ratio of engineers in Development, Operations,
and Infosec in a typical technology organization is
100:10:1. When Infosec is that outnumbered,
without automation and integrating information
security into the daily work of Dev and Ops, Infosec
can only do compliance checking, which is the
opposite of security engineering—and besides, it
also makes everyone hate us.” image from https://twitter.com/joshcorman/status/644153295464960000

Discover vulnerability during the development.
* Slide 9 : https://speaking.sasharosenbaum.com/EI8Ioj/slides

More we code , more we need security.
Insecure code causes breaches Source: 2019 Data
Breach Investigations Report, Verizon 53% of
breaches are caused by weaknesses in applications.
Report link :

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

Security Patterns : Old Path Vs. New Path
• Embrace Secrecy

• Just Pass Audit!

• Enforce Stability

• Build a Wall

• Slow Validation

• Certainly Testing

• Test When DONE !

• Process Driven
• Create Feedback Loops

• Compliance adds Value

• Create Chaos

• Zero Trust Networks

• Fast and Non-Blocking

• Adversity Testing

• Shift Left

• The Paved Road
image from https://wellbeingeconomy.org/

Azure Patterns: Infrastructure Planning
✘Subscription per environment

✘Apply policies to control transparently and proactively

✘ Security Center ON from day 1

✘Infrastructure as code. Period

✘ Production ONLY for CI/CD pipelines

✘ CI/CD pipeline is a heart of security
image from https://bridgecrew.io/blog/infrastructure-as-code-security-101/

Azure Patterns: Watch Every Step
• Threat modeling

• IDE Security plugins

• Pre-commit hooks

• Peer review
• Static code analysis

• Security unit tests

• Container Security

• Dependency management
• IaC

• Security scanning

• Cloud configuration

• Security acceptance tests
• Security smoke tests

• Security Configuration

• Secret Management

• Server Hardening
• Continuous monitoring

• Threat intelligence

• Penetration Testing

• Blameless postmortems

DevSecOps in GitHub
• Browser-based IDEs with built-in security extensions.

• Agents that continuously monitor security advisories
and replace vulnerable and out-of-date dependencies.

• Search capabilities that scan source code for
vulnerabilities.

• Action-based workflows that automate every step of
development, testing, and deployment.

• Spaces that provide a way to privately discuss and
resolve security threats and then publish the
information.
* Combined with the monitoring and evaluation power of Azure, these features provide a
superb service for building secure cloud solutions.
* https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github

DevSecOps in GitHub
Foundation of the Enterprise in Cloud : Azure AD
• Azure AD auth to GitHub

• GitHub auth to Azure portal
- SAML SSO

- LDAP

- RBAC

- Required 2FA

- GitHub Connect

- Audit log

DevSecOps in GitHub
Secure your supply chain

DevSecOps in GitHub
Secure your supply chain: GitHub Dependabot Alerts
• Automate dependency updates

• Identificate vulnerable dependencies
Managing Vulnerabilities in your project Dependencies :

https://docs.github.com/en/github/managing-security-vulnerabilities/managing-vulnerabilities-in-
your-projects-dependencies

DevSecOps in GitHub
Secure your supply chain: GitHub Dependabot Alerts

DevSecOps in GitHub
Secure your repository: GitHub Secret Scanning
• Scan and detect secrets in your repository

• Lots of service providers
* Secret scanning is available in public repositories, and in private repositories owned by
organizations with an Advanced Security license.
Configuring secret scanning for your repositories :

https://docs.github.com/en/github/administering-a-repository/configuring-secret-scanning-for-
your-repositories
- Atlassian

- Azure

- AWS

- Alibaba Cloud

- Google Cloud

- Stripe

- ……

DevSecOps in GitHub
Analyse your code

DevSecOps in GitHub
Analyse your code: GitHub Code Scanning
• Automate your code review.

• CodeQL has leading security teams and individuals.

• CodeQL has more CVEs than any other static
application security testing vendor team.

• GitHub is now a CNA.
About code scanning :

https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-
code-scanning
* CVE : Common Vulnerabilities and Exposures

** CNA : CVE Numbering Authority

*** Zero-Day : Software vulnerability that is unknown to, or unaddressed by, those who are interested in mitigating it.

DevSecOps in Azure
• Azure AD can be configured as the identity provider for GitHub.

• GitHub Enterprise can integrate automatic security and
dependency scanning.

• Azure Pipelines generates a Docker container image that is
stored to Azure Container Registry, which is to be used at
release time by Azure Kubernetes Service.

• A release on Azure Pipelines integrates the Terraform tool,
managing both the cloud infrastructure as code, provisioning
resources such as Azure Kubernetes Service, Application
Gateway, and Azure Cosmos DB.

• Azure Security Center will be able to do active threat
monitoring on the Azure Kubernetes Service, on both Node
level (VM threats) and internals.

* https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-azure

DevSecOps in Azure
Infrastructure as Code : Terraform
• Deliver Infrastructure as Code
Terraform is commercial templating tool that can provision cloud-native applications across all the
major cloud players: Azure, Google Cloud Platform, AWS, and AliCloud. Instead of using JSON as
the template definition language, it uses the slightly more terse YAML.
Infrastructure as code with Microsoft:

https://docs.microsoft.com/en-us/dotnet/architecture/cloud-native/infrastructure-as-code
- Write : Write infrastructure as code using declarative
configuration files.

- Plan : Check whether the execution plan for a
configuration matches your expectations before
provisioning or changing infrastructure.

- Apply : Apply changes to hundreds of cloud providers to
reach the desired state of the configuration. image from https://adinermie.com/

DevSecOps in Azure
Policy-as-code : Azure Policy
• Understand evaluation outcomes

• Control the response to an evaluation

• Remediate non-compliant resources

• Single source of truth
Azure Policy is a service that offers both built-in and user-defined policies across categories mapping
the various Azure services such as Compute, Storage or even AKS. These policies can be defined on
the Azure Portal and assigned to one or more subscriptions/resource groups.

Azure Policy documentation :

https://docs.microsoft.com/en-us/azure/governance/policy/
image from https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-terraform

DevSecOps in Azure
Maintain your keys : Azure Key Vault
• Centralize application secrets

• Securely store secrets and keys

• Simplified administration of application secrets

• Integrate with other Azure services
Azure Key Vault helps solve “Secrets Management” , “Key Management” and “Certificate Management”
problems.
Azure Key Vault documentation :

https://docs.microsoft.com/en-us/azure/key-vault/general/overview
image from https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal

DevSecOps in Azure
Keep your resources safe: Azure Security Center
• Strengthen security posture

• Protect against threats

• Get secure faster

• Prioritize your security work
Azure Security Center is a unified infrastructure security management system that strengthens the
security posture of your data centers, and provides advanced threat protection across your hybrid
workloads in the cloud - whether they're in Azure or not - as well as on premises.

Azure Security Center documentation :

https://docs.microsoft.com/en-us/azure/security-center/
image from https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction

3rd Party DevSecOps Tools
Check open source components : Whitesource Bolt

• WhiteSource Secures & Manages Your Open
Source Usage

• Get Real-Time Alerts on Security Vulnerabilities

• Ensure license compliance

• Automated Up-to-Date Inventory Reports
WhiteSource Bolt scans all your projects and detects open source components, their license and
known vulnerabilities. Not to mention, it also provide fixes.
Whitesource Bolt Ver. 1.0 documentation :

https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt

Whitesource Bolt Ver. 2.0 documentation :

https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2
image from https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2

Demonstrate security and penetration testing: WebGoat

• Learn the hack - Stop the attack

• Test vulnerabilities

• Create a de-facto interactive teaching environment
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web
application security lessons.
WebGoat documentation :

https://github.com/WebGoat/WebGoat
image from https://www.zupzup.org/websecurity-with-webgoat

Create security report : Microsoft Security Code Analysis

• Simple configuration and execution

• Keep builds clean

• Auto-Update

• Break the build

• Scan Credentials
The Microsoft Security Code Analysis extension empowers you to do so, easily integrating the running
of static analysis tools in your Azure DevOps pipelines..

Microsoft Security Code Analysis Extension documentation :

https://secdevtools.azurewebsites.net/
image from https://techdailychronicle.com/

Scan containers for the security and compliance: Anchore

The Anchore Engine is an open-source project that
provides a centralized service for inspection, analysis,
and certification of container images. The Anchore
Engine is provided as a Docker container image that
can be run standalone or within an orchestration
platform such as Kubernetes, Docker Swarm, Rancher,
Amazon ECS, and other container orchestration
platforms.
Anchore documentation :

https://anchore.com/opensource/
image from https://anchore.com/blog/enhanced-vulnerability-data/
Configure Anchore to authenticate with Azure Container
Registry (ACR) and analyze an image.

DEMO: Implement Security in Azure DevOps CI/CD
Prerequisites

• An Azure subscription

• Azure DevOps account

• GitHub Account
Steps

• Create Azure DevOps project and prepare WebGoat source code

• Create container registry with ACR and Azure Key Vault

• Configure CI/CD pipeline for Webgoat

• Check open source components with Whitesource Bolt

• Scan containers with Anchore for the security with AKS
• Helm CLI

• Anchore CLI

• Kubectl

Install Required CLI’s
Azure CLI :

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

Helm CLI :

https://helm.sh/docs/intro/install/

Kubectl :

https://kubernetes.io/docs/tasks/tools/install-kubectl/

Anchore CLI :

https://github.com/anchore/anchore-cli

Anchore CLI for Mac M1 :

https://www.dynamsoft.com/codepool/python-barcode-apple-m1-mac.html

Azure DevOps & Azure Subscription Connections
Connect your organization to Azure Active Directory :

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-
azure-ad?view=azure-devops

Create Azure DevOps Project
Create a project in Azure DevOps :

https://docs.microsoft.com/en-us/azure/devops/organizations/projects/create-project?
view=azure-devops&tabs=preview-page

Create a new Git repo in your project
Create a new Git repo in your project :

https://docs.microsoft.com/en-us/azure/devops/repos/git/create-new-repo?view=azure-devops
WebGoat GitHub project :

https://github.com/WebGoat/WebGoat

Update WebGoat dockerfile version

Azure CLI : Login & Set Subscription
Sign in with Azure CLI :

https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli

Azure CLI : Create Resource Group
Create Azure Resource Group :

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli
azure-cli command

az group create --name webGoatKonfRG --location westeurope

Azure CLI : Create Azure Container Registry
azure-cli command

az acr create --resource-group webGoatKonfRG --name webGoatKonfACR --sku Basic --admin-enabled true --
location westeurope
Create Azure Container Registry :

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli

Azure CLI : Azure Key Vault
azure-cli command

az keyvault create --name "webGoatKonfKV" --resource-group "webGoatKonfRG" --location westeurope
Create Azure Key Vault :

https://docs.microsoft.com/bs-cyrl-ba/Azure/key-vault/general/quick-create-cli

Check Azure Resources - Resource Group , ACR , Key Vault

Get Azure CR Credentials
Azure Container Registry Documentation :

https://docs.microsoft.com/en-us/azure/container-registry/

Create secrets Azure Key Vault
Use acrUsername and acrPassword names and set ACR credentials as value.

Configure Build Pipeline
Use the classic editor to create a pipeline without YAML.
Create your first pipeline :

https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure-
devops&tabs=java%2Ctfs-2018-2%2Cbrowser

Use Empty job to start. Select ubuntu-18.04 agent for agent job.

Add Maven task to then “Advanced” step set MAVEN_OPT to -Xmx3072m .

Add Docker task. Select webgoat-server folder dockerfile to build. Add Latest to tags. Create new Container Registry
connection with New button. Last step Save & Queue .

Build will take approximately 5 mins then check build pipeline finished with successful.

Configure Release Pipeline : Add Artifact
Define your multi-stage continuous deployment (CD) pipeline :

https://docs.microsoft.com/en-us/azure/devops/pipelines/release/define-multistage-release-process?view=azure-devops

Configure Release Pipeline : Add Stage
Define your multi-stage continuous deployment (CD) pipeline :

https://docs.microsoft.com/en-us/azure/devops/pipelines/release/define-multistage-release-process?view=azure-devops

Configure Release Pipeline : Add Stage Tasks
azure-cli command

az container create --resource-group $(resourceGroup) --name $(containerGroup) --image $(acrRegistry)/$(imageRepository):$(Build.BuildId) --dns-name-label $
(containerDNS) --ports 8080 --registry-username $(acrUsername) --registry-password $(acrPassword)
Add Azure CLI task. Select Azure Subscription created before. Select Inline Script. Add cli command given above
to Inline Script area.

Configure Release Pipeline : Add Stage Variables - Non-sensitive
In variables section for non-sensitive variables add resourceGroup , containerGroup , acrRegistry , containerDNS , imageRepository
names with values of webGoatKonfRG , webgoatkonfcg , webgoatkonfacr.azurecr.io, webgoatkonfdns , webgoat-8.1 in a row under
Pipeline variables area.
Get values from webGoatKonfACR named container registry to use in release pipeline variables.

Configure Release Pipeline : Add Stage Variables - Sensitive
For sensitive variables select variable groups under release pipeline variables title and link it with created from Azure Key Vault service.
Create Variable Group from Azure Key Vault under library menu from Pipelines section.

Create Release
You need a manually approve to deploy created artifact by pushing deploy button in Stage 1
Create a new release under release pipeline by clicking Create New Release button.

Check Azure Container Instances
After create a successful deployment go to Azure Container Instance service to get our container published web link.

Browse WebGoat and Learn Security !
WebGoat Container Browse Link : http://ACI_FQDN:8080/WebGoat
WebGoat Official Page : https://owasp.org/www-project-webgoat/
*ACI_FQDN is our container instance FQDN

Whitesource Bolt: check open source components
Add Whitesource Bolt extension to build pipeline from Visual Studio Marketplace

WhiteSource Bolt Documentation :

https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt

After adding Whitesource Bolt extension rebuild pipeline to get reports.

Whitesource Bolt: Check Vulnerability Reports
After build pipeline Whitesource Bolt extension creates vulnerability reports.

Anchore : Create AKS Cluster on WebGout Resource Group
Install Anchore server on AKS with Helm :

https://anchore.com/blog/azure-anchore-kubernetes-service-cluster-with-helm/
azure-cli command

az aks create --resource-group webGoatKonfRG --name anchoreAKSCluster --node-count 3 --enable-
addons monitoring --generate-ssh-keys

Anchore : Get credentials for AKS cluster and check credentials
cli commands

Get credentials : az aks get-credentials --resource-group webGoatKonfRG --name anchoreAKSCluster

Get nodes : kubectl get nodes

Browse aks cluster : az aks browse --resource-group webGoatKonfRG --name anchoreAKSCluster

Anchore : HELM Configuration
apiVersion: v
1

kind: ServiceAccoun
t

metadata
:

name: tille
r

namespace: kube-syste
m

--
-

apiVersion: rbac.authorization.k8s.io/v
1

kind: ClusterRol
e

metadata
:

name: kube-dashboar
d

rules
:

- apiGroups: ["*"
]

resources: ["*"
]

verbs: ["*"
]

--
-

1

kind: ClusterRoleBindin
g

metadata
:

name: tille
r

roleRef
:

apiGroup: rbac.authorization.k8s.i
o

kind: ClusterRol
e

name: cluster-admi
n

subjects
:

- kind: ServiceAccoun
t

name: tille
r

namespace: kube-syste
m

--
-

1

kind: ClusterRoleBindin
g

metadata
:

name: rook-operato
r

namespace: rook-syste
m

roleRef
:

apiGroup: rbac.authorization.k8s.i
o

kind: ClusterRol
e

name: kube-dashboar
d

subjects
:

- kind: ServiceAccoun
t

name: kubernetes-dashboar
d

namespace: kube-system
• create a file name helm-rbac.yaml

• execute sudo vim helm-rbac.yaml

• add configuration same as given code block

• execute kubectl apply - f helm-brac.yaml command

Anchore : Install Anchore
cli commands

Add anchore helm repo : helm repo add anchore https://charts.anchore.io

Install anchore helm chart : helm install anchore-demo anchore/anchore-engine
cli commands

Get deployments : kubectl get deployments

Expose API port externally : kubectl expose deployment anchore-demo-anchore-engine-api —type=LoadBalancer --name=anchore-engine —port=8228

View service and external IP : kubectl get service anchore-engine

Anchore : Check Anchore Status
cli commands

Check status of Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret --
namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --
decode; echo) system status

Anchore : Add Registry and Image to Anchore
cli commands

Add Registry to Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret --
namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --
decode; echo) registry add --registry-type docker_v2 webgoatkonfacr.azurecr.io webGoatKonfACR LHZiFHz/
YeuQL=wQhHgRGva5MDOMCWdE
cli commands

Add Image to Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret --namespace
default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode;
echo) image add webgoatkonfacr.azurecr.io/webgoat-8.1:Latest

Anchore : Add credentials to Azure Vault
For sensitive variables add anchorPassword , anchorUser , anchorServer , azure key vault wallet to use in vulnerability scan task. Don’t forget to
link variable group to pipeline. And also don’t forget to add non-sensitive variables to pipeline variables as imageRepository and acrRegistry.
cli command for get anchore-cli password

kubectl get secret --namespace default anchore-demo-anchore-engine -o
jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo

Anchore : Add new job agent to build pipeline
In the Dependencies select agent job, which is responsible for compiling and pushing WebGoat container to ACR. It is important to have that job
finished before scans gets triggered as we want to scan the lates image.

Anchore : First Task - Install anchore cli
First Bash task is reponsible for installing anchore-cli tool on agent.

Anchore : Second Task - Vulnerability scanner
Second Bash task is reponsible for scan for vulnerabilities in the image.
Bash task command

anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) image vuln $(acrRegistry)/$
(imageRepository):Latest os > image-vuln.json

Anchore : Third Task - Policy scanner
Third Bash task is reponsible for scan for policies in the image.
Bash task command

anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) evaluate check $(acrRegistry)/$
(imageRepository):Latest --detail > image-policy.json

Anchore : Generate Anchore Report
Both scan will produce json reports and we need to publish them as pipeline artifact, which can be downloaded after. To do this add two tasks:

• Copy Files : contents => *.json , Target Folder => $(Build.ArtifactStagingDirectory)

• Publish build artifacts : Path to publish => $(Build.ArtifactStagingDirectory) , Artifact name => Anchore-reports

We are a team of experienced and happy high achievers,

Knowing that ‘Great vision without great people is irrelevant.’

So:

● Talents determine the positions, we do not miss the best,

● We hire the best and providing them the best, pecuniary and non-pecuniary,

● We set high standards, so you better have those as well,

● Stunning colleagues means a great workplace, and the motive to be online.

If you have the Stunning ‘Kloian’ essence or potential by being:

● No Bullshit

● Self-motivated and Reliable

● Optimistic and Focused

● Happy and Fun

● Flexible and Trustworthy

● Willing and Creative

● Open minded and Kind (Majority of above, if not all.)

You are more than welcome to apply: career@kloia.com

Come Join Us, The Kloians:

Q & A
RESOURCES MENTIONED IN THIS SESSION

https://github.com/kloia/dotnetkonf21-Azure-DevSecOps

Thank you for listening.
blog.kloia.com @kloia_com
kloia.com

Secure Your Code Implement DevSecOps in Azure

In this document

More Related Content

What's hot

Similar to Secure Your Code Implement DevSecOps in Azure

More from kloia

Recently uploaded

Secure Your Code Implement DevSecOps in Azure