The document discusses the integration of DevSecOps practices in Azure, emphasizing the importance of security throughout the development lifecycle. It covers topics such as security automation, vulnerability assessment, and implementing best practices using Azure tools, GitHub, and third-party solutions. Additionally, it provides a step-by-step demo for setting up a secure CI/CD pipeline in Azure DevOps using various integrated services.
Overview of DevSecOps in Azure by Serkan Bingöl, including agenda and objectives.
Explains the concept, emphasizing automation, security, and the Dev:Ops:Sec ratio highlighting the need for security integration.
Describes tools and methods in GitHub for ensuring security, including IDE security, workflows, and supply chain management.
Focuses on integrating security in Azure environments, including Azure AD, security monitoring, and key management.
Introduces third-party tools that enhance DevSecOps, such as WhiteSource, WebGoat for vulnerabilities, and Microsoft Security Code Analysis.
Step-by-step hands-on demonstration for implementing security in Azure DevOps CI/CD pipelines, using tools and commands.
Concludes the presentation with team values and resources, inviting questions and further engagement.
Secure Your Code:
Implement DevSecOps in Azure
21 Feb 2021
@srkbngl
2.
Who am I?
Serkan Bingöl
Cloud & DevOps Consultant @kloia
MCSD / MCT / AAI / AWS Certified
Blog : medium.com/@serkanbingoll
Tweet : @srkbngl
LinkedIn : /in/sbingol
GitHub : github.com/serkanbingol
3.
Agenda
• What is Dev{Sec}Ops?
• DevSecOps in GitHub & Demos
• DevSecOps in Azure
• 3rd Party DevSecOps Tools
• DEMO : Implement Security in Azure DevOps CI/CD
• Q & A
4.
What is Dev{Sec}Ops?
DevOps is the union of people, process, and technology to enable continuous delivery of value to your end users.
DevSecOps is a cultural movement that furthers the movements of Agile and DevOps into Security.
Automation + Security
image from https://www.recordedfuture.com/
image from https://stackify.com/devops-engineer-starter-guide/
5.
What is Dev{Sec}Ops?
DEV : OPS : SEC Ratio - 100:10:1
“The ratio of engineers in Development, Operations, and Infosec in a typical technology organization is 100:10:1. When Infosec is that outnumbered, without automation and integrating information security into the daily work of Dev and Ops, Infosec can only do compliance checking, which is the opposite of security engineering—and besides, it also makes everyone hate us.”
image from https://twitter.com/joshcorman/status/644153295464960000
6.
What is Dev{Sec}Ops?
Discover vulnerabilities during development.
* Slide 9 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
7.
What is Dev{Sec}Ops?
The more we code, the more we need security.
Insecure code causes breaches: 53% of breaches are caused by weaknesses in applications.
Source: 2019 Data Breach Investigations Report, Verizon
Report link :
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
8.
What is Dev{Sec}Ops?
Security Patterns : Old Path Vs. New Path
Old Path
• Embrace Secrecy
• Just Pass Audit!
• Enforce Stability
• Build a Wall
• Slow Validation
• Certainly Testing
• Test When DONE !
• Process Driven
New Path
• Create Feedback Loops
• Compliance adds Value
• Create Chaos
• Zero Trust Networks
• Fast and Non-Blocking
• Adversity Testing
• Shift Left
• The Paved Road
image from https://wellbeingeconomy.org/
9.
What is Dev{Sec}Ops?
Azure Patterns: Infrastructure Planning
• Subscription per environment
• Apply policies to control transparently and proactively
• Security Center ON from day 1
• Infrastructure as code. Period
• Production ONLY for CI/CD pipelines
• CI/CD pipeline is the heart of security
image from https://bridgecrew.io/blog/infrastructure-as-code-security-101/
DevSecOps in GitHub
• Browser-based IDEs with built-in security extensions.
• Agents that continuously monitor security advisories and replace vulnerable and out-of-date dependencies.
• Search capabilities that scan source code for vulnerabilities.
• Action-based workflows that automate every step of development, testing, and deployment.
• Spaces that provide a way to privately discuss and resolve security threats and then publish the information.
* Combined with the monitoring and evaluation power of Azure, these features provide a superb service for building secure cloud solutions.
* https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github
12.
DevSecOps in GitHub
Foundation of the Enterprise in Cloud : Azure AD
• Azure AD auth to GitHub
• GitHub auth to Azure portal
- SAML SSO
- LDAP
- RBAC
- Required 2FA
- GitHub Connect
- Audit log
DevSecOps in GitHub
Secure your repository: GitHub Secret Scanning
• Scan and detect secrets in your repository
• Lots of service providers
  - Atlassian
  - Azure
  - AWS
  - Alibaba Cloud
  - Google Cloud
  - Stripe
  - ……
* Secret scanning is available in public repositories, and in private repositories owned by organizations with an Advanced Security license.
Configuring secret scanning for your repositories :
https://docs.github.com/en/github/administering-a-repository/configuring-secret-scanning-for-your-repositories
DevSecOps in GitHub
Analyse your code: GitHub Code Scanning
• Automate your code review.
• CodeQL is used by leading security teams and individuals.
• The CodeQL team has found more CVEs than any other static application security testing vendor team.
• GitHub is now a CNA.
About code scanning :
https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
* CVE : Common Vulnerabilities and Exposures
** CNA : CVE Numbering Authority
*** Zero-Day : a software vulnerability that is unknown to, or unaddressed by, those who are interested in mitigating it.
19.
DevSecOps in Azure
• Azure AD can be configured as the identity provider for GitHub.
• GitHub Enterprise can integrate automatic security and dependency scanning.
• Azure Pipelines generates a Docker container image that is stored in Azure Container Registry, to be used at release time by Azure Kubernetes Service.
• A release on Azure Pipelines integrates the Terraform tool, managing the cloud infrastructure as code and provisioning resources such as Azure Kubernetes Service, Application Gateway, and Azure Cosmos DB.
• Azure Security Center will be able to do active threat monitoring on the Azure Kubernetes Service, on both the node level (VM threats) and internals.
* https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-azure
20.
DevSecOps in Azure
Infrastructure as Code : Terraform
• Deliver Infrastructure as Code
Terraform is a commercial templating tool that can provision cloud-native applications across all the major cloud players: Azure, Google Cloud Platform, AWS, and AliCloud. Instead of using JSON as the template definition language, it uses the slightly more terse YAML.
Infrastructure as code with Microsoft:
https://docs.microsoft.com/en-us/dotnet/architecture/cloud-native/infrastructure-as-code
- Write : Write infrastructure as code using declarative configuration files.
- Plan : Check whether the execution plan for a configuration matches your expectations before provisioning or changing infrastructure.
- Apply : Apply changes to hundreds of cloud providers to reach the desired state of the configuration.
image from https://adinermie.com/
21.
DevSecOps in Azure
Policy-as-code: Azure Policy
• Understand evaluation outcomes
• Control the response to an evaluation
• Remediate non-compliant resources
• Single source of truth
Azure Policy is a service that offers both built-in and user-defined policies across categories mapping the various Azure services such as Compute, Storage or even AKS. These policies can be defined in the Azure Portal and assigned to one or more subscriptions/resource groups.
Azure Policy documentation :
https://docs.microsoft.com/en-us/azure/governance/policy/
image from https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-terraform
22.
DevSecOps in Azure
Maintain your keys : Azure Key Vault
• Centralize application secrets
• Securely store secrets and keys
• Simplified administration of application secrets
• Integrate with other Azure services
Azure Key Vault helps solve “Secrets Management”, “Key Management” and “Certificate Management” problems.
Azure Key Vault documentation :
https://docs.microsoft.com/en-us/azure/key-vault/general/overview
image from https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal
23.
DevSecOps in Azure
Keep your resources safe: Azure Security Center
• Strengthen security posture
• Protect against threats
• Get secure faster
• Prioritize your security work
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.
Azure Security Center documentation :
https://docs.microsoft.com/en-us/azure/security-center/
image from https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction
24.
3rd Party DevSecOps Tools
Check open source components : Whitesource Bolt
• WhiteSource Secures & Manages Your Open Source Usage
• Get Real-Time Alerts on Security Vulnerabilities
• Ensure license compliance
• Automated Up-to-Date Inventory Reports
WhiteSource Bolt scans all your projects and detects open source components, their licenses and known vulnerabilities. Not to mention, it also provides fixes.
Whitesource Bolt Ver. 1.0 documentation :
https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt
Whitesource Bolt Ver. 2.0 documentation :
https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2
image from https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2
25.
3rd Party DevSecOps Tools
Demonstrate security and penetration testing: WebGoat
• Learn the hack - Stop the attack
• Test vulnerabilities
• Create a de-facto interactive teaching environment
WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons.
WebGoat documentation :
https://github.com/WebGoat/WebGoat
image from https://www.zupzup.org/websecurity-with-webgoat
26.
3rd Party DevSecOps Tools
Create security report : Microsoft Security Code Analysis
• Simple configuration and execution
• Keep builds clean
• Auto-Update
• Break the build
• Scan Credentials
The Microsoft Security Code Analysis extension makes it easy to integrate the running of static analysis tools in your Azure DevOps pipelines.
Microsoft Security Code Analysis Extension documentation :
https://secdevtools.azurewebsites.net/
image from https://techdailychronicle.com/
27.
3rd Party DevSecOps Tools
Scan containers for security and compliance: Anchore
The Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. The Anchore Engine is provided as a Docker container image that can be run standalone or within an orchestration platform such as Kubernetes, Docker Swarm, Rancher, Amazon ECS, and other container orchestration platforms.
Anchore documentation :
https://anchore.com/opensource/
image from https://anchore.com/blog/enhanced-vulnerability-data/
Configure Anchore to authenticate with Azure Container Registry (ACR) and analyze an image.
28.
DEMO: Implement Security in Azure DevOps CI/CD
Prerequisites
• An Azure subscription
• Azure DevOps account
• GitHub Account
• Helm CLI
• Anchore CLI
• Kubectl
Steps
• Create Azure DevOps project and prepare WebGoat source code
• Create container registry with ACR and Azure Key Vault
• Configure CI/CD pipeline for WebGoat
• Check open source components with Whitesource Bolt
• Scan containers for security with Anchore on AKS
DEMO: Implement Security in Azure DevOps CI/CD
Azure DevOps & Azure Subscription Connections
Connect your organization to Azure Active Directory :
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
31.
DEMO: Implement Security in Azure DevOps CI/CD
Create Azure DevOps Project
Create a project in Azure DevOps :
https://docs.microsoft.com/en-us/azure/devops/organizations/projects/create-project?view=azure-devops&tabs=preview-page
32.
DEMO: Implement Security in Azure DevOps CI/CD
Create a new Git repo in your project
Create a new Git repo in your project :
https://docs.microsoft.com/en-us/azure/devops/repos/git/create-new-repo?view=azure-devops
WebGoat GitHub project :
https://github.com/WebGoat/WebGoat
DEMO: Implement Security in Azure DevOps CI/CD
Create secrets in Azure Key Vault
Use the names acrUsername and acrPassword and set the ACR credentials as their values.
41.
DEMO: Implement Security in Azure DevOps CI/CD
Configure Build Pipeline
Use the classic editor to create a pipeline without YAML.
Create your first pipeline :
https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Ctfs-2018-2%2Cbrowser
42.
DEMO: Implement Security in Azure DevOps CI/CD
Configure Build Pipeline
Start with an Empty job. Select the ubuntu-18.04 agent for the agent job.
43.
DEMO: Implement Security in Azure DevOps CI/CD
Configure Build Pipeline
Add a Maven task, then in the “Advanced” section set MAVEN_OPTS to -Xmx3072m .
44.
DEMO: Implement Security in Azure DevOps CI/CD
Configure Build Pipeline
Add a Docker task. Select the dockerfile in the webgoat-server folder to build. Add Latest to tags. Create a new Container Registry connection with the New button. Last step: Save & Queue .
45.
DEMO: Implement Security in Azure DevOps CI/CD
Configure Build Pipeline
The build will take approximately 5 mins; then check that the build pipeline finished successfully.
DEMO: Implement Security in Azure DevOps CI/CD
Configure Release Pipeline : Add Stage Variables - Non-sensitive
In the variables section, for non-sensitive variables add resourceGroup , containerGroup , acrRegistry , containerDNS and imageRepository with the values webGoatKonfRG , webgoatkonfcg , webgoatkonfacr.azurecr.io , webgoatkonfdns and webgoat-8.1 respectively, under the Pipeline variables area.
Get the values from the container registry named webGoatKonfACR to use in the release pipeline variables.
50.
DEMO: Implement Security in Azure DevOps CI/CD
Configure Release Pipeline : Add Stage Variables - Sensitive
For sensitive variables, select Variable groups under the release pipeline Variables tab and link the group created from Azure Key Vault.
Create the variable group from Azure Key Vault under the Library menu in the Pipelines section.
51.
DEMO: Implement Security in Azure DevOps CI/CD
Create Release
Create a new release under the release pipeline by clicking the Create New Release button.
You need to manually approve deployment of the created artifact by pressing the Deploy button in Stage 1.
52.
DEMO: Implement Security in Azure DevOps CI/CD
Check Azure Container Instances
After a successful deployment, go to the Azure Container Instances service to get the published web link of our container.
53.
DEMO: Implement Security in Azure DevOps CI/CD
Browse WebGoat and Learn Security !
WebGoat Container Browse Link : http://ACI_FQDN:8080/WebGoat
WebGoat Official Page : https://owasp.org/www-project-webgoat/
*ACI_FQDN is our container instance FQDN
54.
DEMO: Implement Security in Azure DevOps CI/CD
Whitesource Bolt: check open source components
Add the Whitesource Bolt extension to the build pipeline from the Visual Studio Marketplace
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Create AKS Cluster on WebGoat Resource Group
Install Anchore server on AKS with Helm :
https://anchore.com/blog/azure-anchore-kubernetes-service-cluster-with-helm/
azure-cli command
az aks create --resource-group webGoatKonfRG --name anchoreAKSCluster --node-count 3 --enable-addons monitoring --generate-ssh-keys
59.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Get credentials for AKS cluster and check credentials
cli commands
Get credentials : az aks get-credentials --resource-group webGoatKonfRG --name anchoreAKSCluster
Get nodes : kubectl get nodes
Browse aks cluster : az aks browse --resource-group webGoatKonfRG --name anchoreAKSCluster
60.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Helm Configuration (helm-rbac.yaml)
# Service account for Tiller (Helm 2)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
# Wildcard rules grant unrestricted access; acceptable only on a throwaway demo cluster
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-dashboard
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
# Binds the tiller service account to the built-in cluster-admin role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
---
# Binds the kubernetes-dashboard service account to the kube-dashboard role above
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-operator
  namespace: rook-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
• create a file named helm-rbac.yaml
• execute sudo vim helm-rbac.yaml
• add the configuration shown in the code block above
• execute the kubectl apply -f helm-rbac.yaml command
61.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Install Anchore
cli commands
Add anchore helm repo : helm repo add anchore https://charts.anchore.io
Install anchore helm chart : helm install anchore-demo anchore/anchore-engine
cli commands
Get deployments : kubectl get deployments
Expose API port externally : kubectl expose deployment anchore-demo-anchore-engine-api --type=LoadBalancer --name=anchore-engine --port=8228
View service and external IP : kubectl get service anchore-engine
62.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Check Anchore Status
cli commands
Check status of Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret --namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) system status
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Add credentials to Azure Key Vault
For sensitive variables, add anchorPassword , anchorUser and anchorServer to Azure Key Vault to use in the vulnerability scan task. Don’t forget to link the variable group to the pipeline. And also don’t forget to add the non-sensitive variables imageRepository and acrRegistry to the pipeline variables.
cli command to get the anchore-cli password
kubectl get secret --namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo
65.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Add new agent job to build pipeline
In the Dependencies section, select the agent job that is responsible for compiling and pushing the WebGoat container to ACR. It is important to have that job finished before the scans get triggered, as we want to scan the latest image.
66.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : First Task - Install anchore cli
The first Bash task is responsible for installing the anchore-cli tool on the agent.
67.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Second Task - Vulnerability scanner
The second Bash task is responsible for scanning the image for vulnerabilities.
Bash task command
anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) image vuln $(acrRegistry)/$(imageRepository):Latest os > image-vuln.json
68.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Third Task - Policy scanner
The third Bash task is responsible for evaluating the image against Anchore policies.
Bash task command
anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) evaluate check $(acrRegistry)/$(imageRepository):Latest --detail > image-policy.json
69.
DEMO: Implement Security in Azure DevOps CI/CD
Anchore : Generate Anchore Report
Both scans produce JSON reports, which we need to publish as a pipeline artifact that can be downloaded afterwards. To do this, add two tasks:
• Copy Files : Contents => *.json , Target Folder => $(Build.ArtifactStagingDirectory)
• Publish build artifacts : Path to publish => $(Build.ArtifactStagingDirectory) , Artifact name => Anchore-reports
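Publishing the reports is only half of "break the build". As an added example (not code from the deck or the kloia repo), the script below could run as one more Bash task after the two scans: it reads image-vuln.json and image-policy.json and fails the Azure DevOps job on High/Critical findings or a policy FAIL. The vulnerability field names (vuln, severity, package, fix) follow anchore-cli's JSON output; the nested layout of the policy report is an assumption, and both sample reports are constructed.

```python
import json
import sys

BLOCKING_SEVERITIES = ("Critical", "High")  # severities that break the build

# Constructed sample of `anchore-cli --json image vuln <image> os` output.
SAMPLE_VULN_REPORT = json.dumps({"imageDigest": "sha256:PLACEHOLDER", "vulnerabilities": [
    {"vuln": "CVE-EXAMPLE-0001", "severity": "High", "package": "libfoo-1.0", "fix": "1.0.1"},
    {"vuln": "CVE-EXAMPLE-0002", "severity": "Low", "package": "libbar-2.3", "fix": "None"},
    {"vuln": "CVE-EXAMPLE-0003", "severity": "Critical", "package": "libbaz-0.9", "fix": "None"},
]})

# Constructed sample of `anchore-cli --json evaluate check <image> --detail` output:
# digest -> tag -> evaluations carrying a pass/fail "status" (assumed layout).
SAMPLE_POLICY_REPORT = json.dumps([{"sha256:PLACEHOLDER": {
    "acr.example/webgoat-8.1:Latest": [{"policyId": "PLACEHOLDER", "status": "fail"}]}}])


def blocking_vulns(report_text, severities=BLOCKING_SEVERITIES, fixable_only=False):
    """Findings at a blocking severity; fixable_only=True skips findings that
    no package update resolves (the usual compromise for old base images)."""
    found = []
    for v in json.loads(report_text).get("vulnerabilities", []):
        if v.get("severity") not in severities:
            continue
        if fixable_only and v.get("fix") in (None, "", "None"):
            continue
        found.append(v)
    return found


def policy_statuses(report_text):
    """Collect every 'status' value in the nested evaluate-check output."""
    statuses = []

    def walk(node):
        if isinstance(node, dict):
            if "status" in node:
                statuses.append(str(node["status"]).lower())
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(json.loads(report_text))
    return statuses


def gate(vuln_text, policy_text, fixable_only=False):
    """Return (passed, messages); messages list every reason the gate fails."""
    messages = [f"{v['vuln']} {v['severity']} in {v.get('package')} (fix: {v.get('fix')})"
                for v in blocking_vulns(vuln_text, fixable_only=fixable_only)]
    if "fail" in policy_statuses(policy_text):
        messages.append("Anchore policy evaluation returned FAIL")
    return (not messages, messages)


if __name__ == "__main__":
    # Pipeline usage: python3 anchore_gate.py image-vuln.json image-policy.json
    files = sys.argv[1:3]
    texts = [open(p).read() for p in files] if len(files) == 2 else [SAMPLE_VULN_REPORT, SAMPLE_POLICY_REPORT]
    passed, messages = gate(*texts)
    for m in messages:  # Azure DevOps logging commands surface these in the run summary
        print(f"##vso[task.logissue type=error]{m}")
    if not passed:
        print("##vso[task.complete result=Failed;]Anchore gate failed")
        sys.exit(1)
    print("Anchore gate passed")
```

Run without arguments it evaluates the constructed samples and exits 1; placed after the Copy Files task it still lets the JSON reports reach the Anchore-reports artifact for download.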
71.
We are a team of experienced and happy high achievers,
Knowing that ‘Great vision without great people is irrelevant.’
So:
● Talents determine the positions, we do not miss the best,
● We hire the best and provide them the best, pecuniary and non-pecuniary,
● We set high standards, so you better have those as well,
● Stunning colleagues means a great workplace, and the motive to be online.
If you have the Stunning ‘Kloian’ essence or potential by being:
● No Bullshit
● Self-motivated and Reliable
● Optimistic and Focused
● Happy and Fun
● Flexible and Trustworthy
● Willing and Creative
● Open minded and Kind (Majority of above, if not all.)
You are more than welcome to apply: career@kloia.com
Come Join Us, The Kloians:
72.
Q & A
RESOURCES MENTIONED IN THIS SESSION
https://github.com/kloia/dotnetkonf21-Azure-DevSecOps
Thank you for listening.
blog.kloia.com @kloia_com
kloia.com