Microsoft Azure DevSecOps: Application Security Principles and Practices Resources

Azure DevOps provides developer services for allowing teams to plan work, collaborate on code development, and build and deploy applications. Azure DevOps supports a collaborative culture and set of processes that bring together developers, project managers, and contributors to develop software. It allows organizations to create and improve products at a faster pace than they can with traditional software development approaches.

You can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server. For information on the differences between the cloud versus on-premises platforms, see Azure DevOps Services and Azure DevOps Server.

Azure DevOps Portal: https://azure.microsoft.com/en-us/products/devops/

Azure DevOps Tutorial: https://azure.microsoft.com/en-ca/solutions/devops/tutorial/

Introduction

Azure DevOps provides integrated features that you can access through your web browser or IDE client. You can use one or more of the following standalone services based on your business needs:

• Azure Repos provides Git repositories or Team Foundation Version Control (TFVC) for source control of your code. For more information about Azure Repos, see What is Azure Repos?.
• Azure Pipelines provides build and release services to support continuous integration and delivery of your applications. For more information about Azure Pipelines, see What is Azure Pipelines?.
• Azure Boards delivers a suite of Agile tools to support planning and tracking work, code defects, and issues using Kanban and Scrum methods. For more information about Azure Boards, see What is Azure Boards?.
• Azure Test Plans provides several tools to test your apps, including manual/exploratory testing and continuous testing. For more information about Azure Test Plans, see Overview of Azure Test Plans
• Azure Artifacts allows teams to share packages such as Maven, npm, NuGet, and more from public and private sources and integrate package sharing into your pipelines. For more information about Azure Artifacts, see Overview of Azure Artifacts.

Sign Up

Azure DevOps Services

When you sign up for Azure DevOps, you get the following tier of free services:

• First five users free (Basic license)
• Azure Pipelines:
  • One Microsoft-hosted CI/CD (one concurrent job, up to 30 hours per month)
  • One self-hosted CI/CD concurrent job
• Azure Boards: Work item tracking and Kanban boards
• Azure Repos: Unlimited private Git repos
• Azure Artifacts: Two GiB free per organization

You can sign up for Azure DevOps with either a Microsoft or GitHub account. 

Tips: https://learn.microsoft.com/en-us/azure/devops/user-guide/sign-up-invite-teammates?view=azure-devops

Practices

Secure development lifecycle practices

Note: https://www.microsoft.com/en-us/securityengineering/devsecops

Practice #1—Provide Training

Practice #2—Define Requirements (Minimum-security baseline)

Practice #3—Define Metrics and Compliance Reporting

Practice #4—Use Software Composition Analysis (SCA) and Governance

Useful links:

WhiteSource

Practice #5—Perform Threat Modeling
Practice #6—Use Tools and Automation

Useful links:

CodeQL

Microsoft DevSkim

VSTS security marketplace

Security Code Scan

Roslyn Diagnostics Security Analyzers

Microsoft BinSkim

Automated Penetration Testing with White-Box Fuzzing

Microsoft Security Code Analysis

 

If you are using Azure, the Secure DevOps Kit can be downloaded from the Visual Studio Marketplace.

Practice #7—Keep Credentials Safe

Useful links:

Credential Scanner

Use the Key Vault Connected Service

Practice #8—Use Continuous Learning and Monitoring

Useful links:

Azure Monitor

Advanced Threat Detection

Examples

Azure DevOps:  https://dev.azure.com/

• Create your first Azure Pipeline
• Deploy to a Linux Virtual Machine
• Start monitoring your Java Web Application
• Deploy a Docker container app to Azure Kubernetes Service
• Build, test, and deploy Javascript and Node.js apps in Azure Pipelines
• Build Java apps in Azure Pipelines
• Create a complete Linux virtual machine infrastructure in Azure with Terraform

Secure DevOps: Application Security Principles and Practices, All Modules

https://mslearningcampus.com/

Once logged in using your personal account, you can view your current enrolled training:

Links

• https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• https://www.microsoft.com/en-us/securityengineering/sdl/practices
• https://dev.azure.com/secureDevOpsDelivery/_git/MyHealthClinicSecDevOps-Public?path=%2FLabs
• https://www.microsoft.com/en-us/securityengineering/osa/practices
• https://learn.microsoft.com/en-us/compliance/regulatory/offering-home
• https://learn.microsoft.com/en-us/security/benchmark/azure/
• https://dev.azure.com/secureDevOpsDelivery/_git/MyHealthClinicSecDevOps-Public?path=/Labs/Module-3-Application-Security-Principles.md&_a=preview
• https://owasp.org/www-project-zap/
• https://www.cloudflare.com/learning/ssl/lava-lamp-encryption/
• https://github.com/azsk/AzTS-docs
• https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
• https://www.microsoft.com/en-us/trust-center/compliance/compliance-overview
• https://mitre-attack.github.io/attack-navigator/
• https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
• https://www.first.org/cvss/calculator/3.0
• https://learn.microsoft.com/en-us/security/sdl/security-bug-bar-sample

References

• https://mslearningcampus.com/