Edition:
Authors: David Okeyode and Joylynn Kirui
Series:
ISBN: 9781837631117
Publisher: Packt Publishing Pvt. Ltd.
Publication year: 2024
Number of pages: 443
Language: English
File format: EPUB (converted to PDF, EPUB, or AZW3 on user request)
File size: 28 Mb
If you need the file of the book DevSecOps for Azure: End-to-end supply chain security for GitHub, Azure DevOps, and the Azure cloud converted to PDF, EPUB, AZW3, MOBI, or DJVU format, you can notify support so that they convert the file for you.
Note that the book DevSecOps for Azure: End-to-end supply chain security for GitHub, Azure DevOps, and the Azure cloud is the original-language edition and is not a Persian translation. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
From secure development environments to continuous security and compliance integration, this comprehensive guide equips you with the skills to implement a robust code-to-cloud process tailored for Azure environments.
DevSecOps for Azure
Foreword
Contributors
About the authors
About the reviewers
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
Part 1: Understanding DevOps and DevSecOps
1
Agile, DevOps, and Azure Overview
Technical requirements
Defining DevOps – Understanding its concepts and practices
The why of DevOps – Innovation, velocity, and speed
Understanding the process aspect of DevOps
Understanding the five core practices of DevOps
Understanding the stages in a DevOps workflow
Understanding the people aspect of DevOps
The importance of a collaborative culture
Staying clear of DevOps anti-types
Understanding the product aspect of DevOps – The toolchain
The platform approach to DevOps tooling
An overview of the Azure DevOps platform
An overview of the GitHub platform
An overview of the GitLab platform
Azure services for the DevOps workflow
Agile, DevOps, and the Cloud – A perfect trio
Hands-on Exercise 1 – Creating an Azure subscription
Hands-On Exercise 2 – Creating an Azure DevOps organization (linked to your Azure AD tenant)
Hands-On Exercise 3 – Creating a GitHub Enterprise Cloud trial account
Summary
Further reading
2
Security Challenges of the DevOps Workflow
Technical requirements
Security challenges of DevOps
Understanding the limitations of traditional security in a fast-paced DevOps world
Understanding how DevOps increases the attack surface
The case for DevSecOps
Understanding the cultural aspect of DevSecOps
Understanding the process aspect of DevSecOps
Considerations for selecting your DevSecOps toolchain
DevSecOps and supply chain security
Summary
Further reading
Part 2: Securing the Plan and Code Phases of DevOps
3
Implementing Security in the Plan Phase of DevOps
Technical requirements
Understanding DevSecOps in the planning phase
Understanding threat modeling and its benefits
Traditional threat modeling frameworks
Threat modeling in DevSecOps
Understanding the Mozilla RRA process
Hands-on exercise 1 – Provisioning the lab VM
Task 1 – Initializing the template deployment to Azure
Task 2 – Connecting to the lab VM using Azure Bastion
Hands-on exercise 2 – Performing threat modeling of an e-commerce application
Task 1 – Downloading and installing the Microsoft Threat Modeling Tool
Task 2 – Creating a threat model diagram for the eShop application
Task 3 – Running a threat analysis on the model
Implementing continuous code-to-cloud security training
Summary
Further reading
4
Implementing Pre-commit Security Controls
Technical requirements
Overview of the pre-commit coding phase of DevOps
Understanding the developer environment options
Understanding the security categories in the pre-commit phase
Securing the development environment
Risk 1 – IDE vulnerability risks
Risk 2 – Malicious and vulnerable IDE extensions
Risk 3 – Working with untrusted code
Risk 4 – Compromised IDE source code
Additional thoughts on hardening of the development environment
Addressing common development security mistakes
Risk 1 – Addressing in-house code vulnerability risk
Risk 2 – Open source component risk
Risk 3 – Exposed secret risk
Choosing the right developer-first security tooling
Hands-on exercise 1 – Performing code review, dependency checks, and secret scanning on the IDE
Task 1 – Connecting to the lab VM using Azure Bastion
Task 2 – Configuring Snyk on Visual Studio Code
Task 3 – Importing eShopOnWeb to your Visual Studio Code workspace
Hands-on exercise 2 – Installing and configuring Git pre-commit hooks on the IDE
Task 1 – Installing pre-commit framework on Visual Studio Code
Task 2 – Configuring detect-private key and detect-secrets pre-commit hooks on Visual Studio Code
Summary
5
Implementing Source Control Security
Technical requirements
Understanding the post-commit phase of DevOps
Understanding the security measures in the source control management phase
Securing the source code management environment
Managing code repositories securely
Recommendation 1 – Ensuring repository creation is limited to specific members
Recommendation 2 – Ensuring sensitive repository operations are limited to specific members
Recommendation 3 – Ensuring inactive repositories are reviewed and archived periodically
Recommendation 4 – Repositories should be created with auditing enabled
Addressing common coding security issues in source control
Understanding GitHub code security
Recommendation 1 – Implementing dependency tracking in source control
Recommendation 2 – Implementing dependency vulnerability assessment and management in source control
Recommendation 3 – Implementing an open source license compliance scan
Recommendation 4 – Implementing secret protection in source control
Hands-on exercise – Performing pre-receive checks and dependency reviews
Task 1 – Enabling push protection on Azure DevOps
Task 2 – Enabling push protection on GitHub
Task 3 – Reviewing dependencies on GitHub
Summary
Part 3: Securing the Build, Test, Release, and Operate Phases of DevOps
6
Implementing Security in the Build Phase of DevOps
Technical requirements
Understanding the continuous build and test phases of DevOps
Understanding build system options
Understanding the security measures in the build phase
Securing CI environments and processes
Securing the build services and workers
Securing the build workers
Implementing secure access to build environments and workers
Protecting the build environment from malicious code executions
Addressing common coding security issues
Implementing the Microsoft Security DevOps extension
Integrating GitHub Advanced Security code-scanning capabilities into pipelines
Integrating GHAS dependency-scanning capabilities into pipelines
Hands-on exercises – Integrating security within the build phase
Prerequisites
Exercise 1 – Integrating SAST, SCA, and secret scanning into the build process
Exercise 2 – Onboarding your DevOps platforms to DevOps Security in Microsoft Defender for Cloud
Summary
7
Implementing Security in the Test and Release Phases of DevOps
Technical requirements
Understanding the continuous deployment phase of DevOps
Protecting release artifacts in the release phase
Ensuring that release artifacts are built from protected branches
Implementing a code review process
Selecting secure artifact sources
Implementing artifact signing for integrity checks
Managing secrets securely in the release phase
Implementing auditing for the CI/CD environment
Implementing security gates in release pipelines
Implementing DAST as security gates
Challenges of implementing DAST in a DevOps process
Implementing security gates in Azure Pipelines and GitHub Actions
Hands-on exercise – Integrating security within the build and test phases
Prerequisites
Task 1 – Implementing artifact signing for integrity checks
Task 2 – Integrating DAST tools to find and fix security vulnerabilities in the test phase
Summary
8
Continuous Security Monitoring on Azure
Technical requirements
Understanding continuous monitoring in DevOps
Understanding the interconnected risks of Azure and cloud-native applications
Securing an application runtime environment
Implementing runtime security gates to stop critical risks
Implementing runtime security gates using Azure Policy
Implementing runtime security gates using the Kubernetes admission controller
Implementing continuous security monitoring for runtime environments
Protecting applications at runtime in Azure
The challenges of runtime protection in modern cloud environments
Protecting applications running in Azure App Service
Protecting serverless workloads at runtime in Azure
Protecting container workloads in Azure
Hands-on exercise – Continuous security monitoring on Azure
Task 1 – Implementing and operationalizing CSPM
Task 2 – Implementing and operationalizing continuous container workload protection
Summary
Further reading
Index
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book