
How to ensure secure coding in Azure DevOps

SoftwareOne blog editorial team
Blog Editorial Team

We covered security in GitHub last time, but many of you build your products in Azure DevOps, so let's talk about that for a while. Before we start, let's clear one thing up.

DevOps is not just for applications

When people talk about DevOps, they typically think of software development first, and that is largely fair. But the principles of DevOps and security apply just as much to infrastructure delivered as code. Keep reading, as we give some pointers on that here as well.

The key features of Azure DevOps

If you're new to Azure DevOps, there's a useful mind map that details the available functionalities. The main strength of Azure DevOps is its end-to-end approach: you can manage a project from beginning to end, starting with Azure Boards, where your team plans its work and tracks progress on every project in a list or Kanban format.

From the security perspective, the service you need to look after most is Azure Repos. This is where you collaborate on code, validate added dependencies and enforce code quality. It is also where you protect your code so that no unauthorised or dubious changes are merged. There are some good practical guides on this topic. Check out the links below to learn how to secure your code in Azure DevOps with mandatory reviews, restricted merge types and similar branch policies.

  • Cars Island - DevOps practices for the application built on Azure
  • Cars Island - DevOps practices for the Azure infrastructure

Security essentials in Azure DevOps

As a reminder from the previous post, here is what our customers indicate as their top concerns right now:

  • Secure dependencies
  • Secure code
  • Secure secrets
  • Secure DevOps

What can you do about them in the Azure environment?

Secure dependencies

If you use external dependencies in your projects, it is best to secure them from the earliest stage, following the "shift left" approach. In GitHub, for example, Dependabot keeps dependencies current and flags versions with known vulnerabilities. Azure DevOps lets you install extensions and security tools to perform the same checks on your dependencies. Internally, you should regularly check your Dependency Risk Graph to make sure nobody has inadvertently pulled a compromised or vulnerable package into your code during development. In any case, add a trusted vulnerability scanner such as Snyk or WhiteSource Bolt to scan your dependencies for known issues as part of the build.

Secure code

The key to protecting your dependencies in Azure DevOps is securing the code that declares them. There is quite in-depth documentation on this, but as usual it comes down to the basics: permissions and automation. Just because a project has multiple stakeholders does not mean they all need read and write access. Apply the principle of least privilege so that only the developers who really need to change the code are able to edit it. As for automation, you can go as far as automating the deployment of a landing zone with Azure Pipelines, so that starting a new project is a matter of a few clicks. The highlights?

  • Standardisation of permission levels
  • Automation of identity management in Azure AD
  • Resource cost monitoring

It’s much easier to manage a project when you set it up right to begin with.

Secure secrets

There is a related video you may find interesting. It is not about Azure DevOps directly but about the concept of "secretless coding". In it, Christos Matskas, Identity Expert at Microsoft, shows how to write code that authenticates with Azure AD identities instead of embedding secrets. This approach removes the classic problem of credentials to production environments that are still valid years later (which happens more often than any of us like to admit). As a bonus, it is not limited to Azure; you can use it on-premises as well. Check it out below: Secretless coding in Azure

Secure DevOps

This topic could warrant an entire series on its own, and we will keep coming back to it. If you're brand new to it, a good place to start is a DevOps Centre of Excellence. In it you store the rules and policies that everyone working on projects must adhere to. Standardising your processes and sharing the lessons from every engagement is the best way to teach everyone involved how DevOps should be practised in your organisation. The Centre of Excellence can simply be a wiki that holds your project policies, as general or as detailed as you like. For example, here is what ours covers:

  • Process
  • Extensions
  • Backlog definition
  • Dashboards and metrics
  • Wiki
  • Version control
  • Branching strategy
  • Branch policies
  • Build pipelines
  • Release pipelines.

So, in the section on branch policies you'll find, for the main branch:

  • Direct merge to master – forbidden
  • Linked work items for each branch
  • At least one reviewer
  • Reset code reviewer votes when there are new changes
  • Description of what was changed.

Keeping all these notes in one place speeds up introducing new people to the project.
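Writing the rules down is only half of it; they also need to be enforced on the branch, and it is worth checking periodically that nobody has relaxed them. The script below is an added example for this post, not code from SoftwareOne's Centre of Excellence. It audits the JSON that Azure DevOps returns for a project's policy configurations (the `GET .../_apis/policy/configurations` REST call, or `az repos policy list`) against the rules listed above: a blocking policy on master (which is what stops direct pushes), at least one required reviewer whose vote is reset on new pushes, no self-approval by the author, and mandatory work item linking. The change-description rule has no built-in policy type and is left to reviewers. The two exports embedded in the script are constructed for the example; the policy display names and settings keys are the ones Azure DevOps uses.

```python
"""Audit exported Azure Repos branch policies against a house standard.

Input is the JSON body returned by
GET https://dev.azure.com/{org}/{project}/_apis/policy/configurations
(the same shape as `az repos policy list --output json`).  The exports
below are constructed for this example, not taken from a real project.
"""
from typing import Any

PROTECTED_REF = "refs/heads/master"
REVIEWERS = "Minimum number of reviewers"   # built-in policy display names
WORK_ITEMS = "Work item linking"
REPO = "00000000-0000-0000-0000-000000000001"  # placeholder repository id


def _scope(ref: str, kind: str = "Exact") -> list[dict[str, Any]]:
    return [{"repositoryId": REPO, "refName": ref, "matchKind": kind}]


# Constructed export: master lets the author approve their own PR, keeps old
# approvals after new pushes, and work item linking is only "optional".
SAMPLE_EXPORT: dict[str, Any] = {
    "count": 3,
    "value": [
        {"id": 1, "isEnabled": True, "isBlocking": True,
         "type": {"displayName": REVIEWERS},
         "settings": {"minimumApproverCount": 1, "creatorVoteCounts": True,
                      "allowDownvotes": False, "resetOnSourcePush": False,
                      "scope": _scope(PROTECTED_REF)}},
        {"id": 2, "isEnabled": True, "isBlocking": False,
         "type": {"displayName": WORK_ITEMS},
         "settings": {"scope": _scope(PROTECTED_REF)}},
        {"id": 3, "isEnabled": False, "isBlocking": True,
         "type": {"displayName": "Build"},
         "settings": {"buildDefinitionId": 12,
                      "scope": _scope("refs/heads/release/", "Prefix")}},
    ],
}

# Constructed export that matches the house rules.
COMPLIANT_EXPORT: dict[str, Any] = {
    "count": 2,
    "value": [
        {"id": 1, "isEnabled": True, "isBlocking": True,
         "type": {"displayName": REVIEWERS},
         "settings": {"minimumApproverCount": 1, "creatorVoteCounts": False,
                      "allowDownvotes": False, "resetOnSourcePush": True,
                      "scope": _scope(PROTECTED_REF)}},
        {"id": 2, "isEnabled": True, "isBlocking": True,
         "type": {"displayName": WORK_ITEMS},
         "settings": {"scope": _scope(PROTECTED_REF)}},
    ],
}


def policies_for_ref(export: dict[str, Any], ref: str) -> list[dict[str, Any]]:
    """Return the enabled policies whose scope covers `ref`.

    A scope entry matches by refName plus matchKind ("Exact" or "Prefix");
    a null refName means the policy applies to every branch of the repo.
    """
    matched = []
    for policy in export.get("value", []):
        if not policy.get("isEnabled", False):
            continue
        for scope in policy.get("settings", {}).get("scope", []):
            name, kind = scope.get("refName"), scope.get("matchKind", "Exact")
            if name is None or name == ref or (kind == "Prefix" and ref.startswith(name)):
                matched.append(policy)
                break
    return matched


def audit(export: dict[str, Any], ref: str = PROTECTED_REF) -> list[str]:
    """Return findings for `ref`; an empty list means the branch is compliant."""
    findings: list[str] = []
    policies = policies_for_ref(export, ref)
    by_type = {p["type"]["displayName"]: p for p in policies}

    # Any enabled, blocking policy forces changes through a pull request.
    if not any(p.get("isBlocking") for p in policies):
        findings.append(f"{ref}: no blocking policy, so direct pushes are allowed")

    reviewers = by_type.get(REVIEWERS)
    if reviewers is None:
        findings.append(f"{ref}: no '{REVIEWERS}' policy")
    else:
        s = reviewers["settings"]
        if not reviewers.get("isBlocking"):
            findings.append(f"{ref}: reviewer policy is optional (isBlocking=false)")
        if s.get("minimumApproverCount", 0) < 1:
            findings.append(f"{ref}: minimumApproverCount is below 1")
        if s.get("creatorVoteCounts"):
            findings.append(f"{ref}: author can approve own change (creatorVoteCounts=true)")
        if not s.get("resetOnSourcePush"):
            findings.append(f"{ref}: approvals survive new pushes (resetOnSourcePush=false)")

    work_items = by_type.get(WORK_ITEMS)
    if work_items is None or not work_items.get("isBlocking"):
        findings.append(f"{ref}: work item linking is not required")
    return findings


if __name__ == "__main__":
    for name, export in (("sample", SAMPLE_EXPORT), ("compliant", COMPLIANT_EXPORT)):
        print(name, audit(export) or ["OK"])
```

Run it against a real export by replacing the embedded dictionaries with `json.load()` of the API response; the same audit can be dropped into a scheduled pipeline so that a relaxed policy shows up as a failed run rather than in the next incident review.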

Further reading

Making your processes consistent and measurable with a shared set of standards is the easiest way to start securing your projects. As for tools, we'll talk about them in more detail in the next article. As is the tradition, here are some technical guides for you:

  1. Security quick reference index
  2. Securing Azure Pipelines
  3. Secure your code with GitHub
  4. Implement Security and Compliance in an Azure DevOps pipeline
  5. Microsoft Security Code Analysis
  6. Azure Tenant Security Solution
