Search icon Close icon
Search icon
Subscription
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Implementing Azure DevOps Solutions

You're reading from  Implementing Azure DevOps Solutions

Product type Book
Published in Jun 2020
Publisher Packt
ISBN-13 9781789619690
Pages 432 pages
Edition 1st Edition
Languages
Concepts
Authors (2):
Henry Been Henry Been
Profile icon Henry Been
LinkedIn
Henry Been has been working in IT for over ten years. He is an independent architect, developer, and trainer in a number of companies. With many of these companies, he has embarked on a journey implementing practices such as continuous integration and deployment, infrastructure as code, trunk-based development, and implementing feedback loops. Alongside his work, he creates online training courses for A Cloud Guru, and frequently speaks at meetups and conferences. He was awarded the Microsoft MVP award in 2019.
See other products by Henry Been
Maik van der Gaag Maik van der Gaag
Profile icon Maik van der Gaag
LinkedIn
Maik van der Gaag is an architect and trainer at 3fifty, an experienced consultancy company with a strong focus on the Microsoft cloud. He has over 15 years' experience of providing architecture, development, training, and design expertise. During his career, he has worked on a variety of projects, ranging from cloud transformations to DevOps implementations. He loves to share his knowledge, which was also one of the reasons why he founded the Dutch Cloud meetup. Maik is a public speaker, writes blogs, and organizes events.
See other products by Maik van der Gaag
View More author details

Table of Contents (21) Chapters

Preface 1. Section 1: Getting to Continuous Delivery
2. Introduction to DevOps 3. Everything Starts with Source Control 4. Moving to Continuous Integration 5. Continuous Deployment 6. Section 2: Expanding your DevOps Pipeline
7. Dependency Management 8. Infrastructure and Configuration as Code 9. Dealing with Databases in DevOps Scenarios 10. Continuous Testing 11. Security and Compliance 12. Section 3: Closing the Loop
13. Application Monitoring 14. Gathering User Feedback 15. Section 4: Advanced Topics
16. Containers 17. Planning Your Azure DevOps Organization 18. AZ-400 Mock Exam 19. Assessments 20. Other Books You May Enjoy

Security and Compliance

As important as it is to ensure that your application performs the functions it needs to, you also need to ensure it doesn't do things that it shouldn't. In the previous chapter, you learned about quality and testing in order to continuously measure whether your application is doing what it is supposed to do. In this chapter, you will learn how to prevent any unwanted behavior. This is the subject of security and compliance. While increasing the flow of value to your end usersby deploying faster and shortening delivery cyclesyou will still want to make sure that you are delivering secure and compliant software. In this chapter, you will learn how to address these concerns in your DevOps processes.

To do this, this chapter will start by discussing the perceived trade-off between speed and security, and it will explain how security...

Technical requirements

To experiment with the techniques described in this chapter, you will need one or more of the following:

  • An Azure DevOps project with access to build and release pipelines and the right to install extensions
  • An Azure subscription. (To sign up for Azure, you can go to https://portal.azure.com and follow the guide there if you do not have an account yet)
  • PowerShell with the PowerShell Azure module installed. (Instructions on how to install the PowerShell Azure module can be found at https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-4.1.0)
  • Optionally, subscriptions for WhiteSource Bolt, SonarCloud, or similar products

The preceding are all available, for free or as a trial, for learning or evaluation purposes.

Applying DevOps principles to security and compliance

Concerns about security and compliance can be a reason for companies to be reluctant to accept a full DevOps mindset, in order to ship software often and quickly. In the past, they used to have fewer releases that were all handed off for a security or pen test before being deployed to production. This gave them the confidence that they were not shipping software that contained security vulnerabilities.

This practice of fewer releases and having a big final security test before the final release conflicts with a DevOps mindset, and this is where some companies struggle. They are looking for ways to ensure that they are shipping business value to their users but are not willing to compromise on security to do so. The question is whether this is a fair trade-off. Wouldn't it be possible to have both speed and security? Might...

Working with secrets

An important security element is the handling of secrets. When deploying an application, there are always secrets involved. Especially when deploying to the cloud, that is, over the internet, handling these access keys in a secure way is very important. Besides the secrets that are necessary for deployment, there are also secrets that need to be inserted into the runtime configuration of an application. A common example is for accessing the database.

In Chapter 6, Infrastructure and Configuration as Code, multiple mechanisms for delivering application configurations were discussed, including Azure Resource Manager (ARM) templates. However, templates require the input of external secrets, since they cannot be stored in parameter files in source control.

Secrets should not be stored in source control.

If secrets cannot be stored in source control, then where...

Detecting application code vulnerabilities

The security assessments that are often conducted at regular intervals in the pre-DevOps era cannot be just left out when moving to a DevOps culture. This means that, instead of leaving them out, they must be conducted in some other way. There are two approaches for doing this.

The first approach is to keep doing pen tests, security reviews, and other security inspections at regular intervals just as before. However, instead of waiting for an OK from the tests before moving to production, the code is deployed to production separate from the security assessment(s). This implies that there is an accepted risk that there might be vulnerabilities shipped to production that are found only during the next security scan and will be addressed in the next release. Using this approach, it is possible to achieve speed, but then it also needs to...

Working with dependencies

Next to the security risks that the application code developed in-house pose, there is also a risk associated with components that are reused. Between 50% and 80% of modern application code is not developed in-house, but is taken from other parties in the form of packages or dependencies. Some of these might be open source, but this is not necessarily the case. There can also be components that are bought from other development companies or binaries taken from galleries such as NuGet.

Dependencies not only pose security risks, but also licensing risks. What happens if a team starts using a component that is published under the GPL license for a closed source component? If anyone ever finds out, they can be forced to open source their product, or at least suffer public shame for not using the work of others according to the license.

To mitigate these risks...

Ensuring infrastructure compliance

Another important topic is that of compliance. In many countries or markets, there are sets of rules and policies that must be implemented or adhered to when creating software. A fair share of these policies relates to the infrastructure that the applications are running on. If this infrastructure is deployed and managed on the Azure platform, Azure Policy can be a powerful tool for ensuring that the infrastructure complies with regulations.

In Chapter 6, Infrastructure and Configuration as Code, the topic of ARM templates was discussed. ARM templates can be viewed as a technique for describing a complete Azure environment as a JSON array with many objects, each describing one resource in an application's infrastructure.

Azure Policy allows you to write policies that query this document and the changes that are being made through any of...

Monitoring and detecting runtime security risks and threats

All of the security tools that have been discussed up to this point have focused on preventing shipping vulnerable code to production environments. However, the complete, deployed software solution, including all its support infrastructure is made out of so much more than just the code. On top of that, there are many interactions with a solution that may be unexpected or unplanned. Monitoring all of this continuously in production is necessary, not just to prevent security concerns but to also detect any security concerns coming up. In Azure, one of the tools available for doing just that is Azure Security Center. Azure Security Center is offered via the Azure portal and can be selected as any other service using the menu on the left or by searching for it in the top bar.

After opening Security Center, something similar...

Other tools you can use

There are many tools available on the market for performing security scans of application code and dependencies. Some examples include WhiteSource, Black Duck, Veracode, and Checkmarx.

WhiteSource is the paid version of WhiteSource Bolt. It offers the same services and more. For example, it doesn't only report risks at the time of the dependency scan; it also gives you alerts when new risks become available for dependencies that were present in the last scan of an application.

Black Duck is a product that helps teams to manage the risks associated with using open source software. The services it offers are comparable to WhiteSource.

Veracode and Checkmarx are code scanning tools that are used to identify vulnerable code. Whereas SonarQube checks both the code quality and security risks, these two products focus solely on security risks. In general...

Summary

In this chapter, you have learned that DevOps and security are not two conflicting goals, but that DevOps practices can help you to reinforce security. First, you learned how to handle passwords and other secrets when working with continuous deployment pipelines. Next, you learned how to enhance your pipelines with code and dependency scanning tools, applying the shift-left principle to security as well. Finally, you learned how to use Azure Policy to define constraints and rules for your infrastructure and how you can have these automatically applied or have non-compliant deployments audited or automatically denied.

With the knowledge you have gained, you are now able to have a conversation within your company about how to address security concerns within your DevOps teams. You can cooperate with security engineers to configure the tools you work with and receive automated...

Questions

Here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

  1. True or False: Securing the delivery of software is just a single step in a deployment pipeline.
  2. Which tool can be used for security testing, where a proxy is used to identify valid application URLs and then perform different attacks, such as injections on an application?
  3. True or False: In most modern applications, over 50% of the code base comes from open source libraries.
  4. What are the secure locations for storing the secrets needed during deployment or for running an application? (You can choose more than one answer.)
    1. Azure Pipelines variables that are marked as secret
    2. Azure Key Vault
    3. Azure DevOps Key Vault
    4. Azure Variable Groups
    5. Azure DevOps Secure Variables
    6. Azure DevOps Service Connection
  5. Which...

Further reading

lock icon The rest of the chapter is locked
arrow left Previous Chapter
Chapter 1 of 21
Next Chapter arrow right
You have been reading a chapter from
Implementing Azure DevOps Solutions
Published in: Jun 2020 Publisher: Packt ISBN-13: 9781789619690
© 2020 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at ₹800/month. Cancel anytime}

Authors (2)

Left arrow icon
Profile icon Henry Been
LinkedIn
Henry Been has been working in IT for over ten years. He is an independent architect, developer, and trainer in a number of companies. With many of these companies, he has embarked on a journey implementing practices such as continuous integration and deployment, infrastructure as code, trunk-based development, and implementing feedback loops. Alongside his work, he creates online training courses for A Cloud Guru, and frequently speaks at meetups and conferences. He was awarded the Microsoft MVP award in 2019.
See other products by Henry Been
Profile icon Maik van der Gaag
LinkedIn
Maik van der Gaag is an architect and trainer at 3fifty, an experienced consultancy company with a strong focus on the Microsoft cloud. He has over 15 years' experience of providing architecture, development, training, and design expertise. During his career, he has worked on a variety of projects, ranging from cloud transformations to DevOps implementations. He loves to share his knowledge, which was also one of the reasons why he founded the Dutch Cloud meetup. Maik is a public speaker, writes blogs, and organizes events.
See other products by Maik van der Gaag
Right arrow icon

Other recommended products

Related to this chapter
Left arrow icon
Azure DevOps Explained
Azure DevOps Explained
Azure DevOps is a cloud service–providing development and collaboration tool with version control, reporting, requirements management, project management, automated builds, lab management, testing, and release management capabilities. If you are new to the Azure DevOps platform, this comprehensive guide will have you up to speed in no time.
Dec 2020 14 hours 36 minutes
Azure DevOps Server 2019 Cookbook
Azure DevOps Server 2019 Cookbook
Azure DevOps Server (previously known as TFS) allows you to work in the cloud or on-premises using Azure DevOps Services. This book will help you iteratively develop high quality secure software using Agile techniques. You will also learn to develop your own extensions and release them to millions of developers in the Visual Studio Marketplace.
May 2019 15 hours 12 minutes
DevOps: Continuous Delivery, Integration, and Deployment with DevOps
DevOps: Continuous Delivery, Integration, and Deployment with DevOps
DevOps is the most widely used software engineering culture and practice that aim sat software development and operation. Continuous integration is a cornerstone technique of DevOps that merges software code updates from developers into a shared central mainline.
Mar 2018 4 hours 28 minutes
DevOps with Windows Server 2016
DevOps with Windows Server 2016
Mar 2017 18 hours 36 minutes
Learning DevOps
Learning DevOps
DevOps enhances the collaboration between the development and the operations teams within an organization. This book will give you a solid foundation of the best practices in DevOps - from implementing Infrastructure as Code, to building efficient CI/CD pipelines with Azure DevOps, to containerizing your apps with Docker and Kubernetes.
Oct 2019 16 hours 48 minutes
DevOps Adoption Strategies: Principles, Processes, Tools, and Trends
DevOps Adoption Strategies: Principles, Processes, Tools, and Trends
Every organization wants to adopt DevOps, making it crucial for IT professionals to understand the fundamentals of DevOps and discover how it can contribute to the success of your organization. This book provides complete coverage of the steps needed to implement the culture, people, and process aspects of DevOps.
Jul 2021 8 hours 48 minutes
Repeatability, Reliability, and Scalability through GitOps
Repeatability, Reliability, and Scalability through GitOps
GitOps is a set of very powerful deployment automation practices that leverages declarative languages to promote a repeatable process. Repeatability, Reliability, and Scalability through GitOps will help you get up to speed with the foundations of delivery, deployment, continuous processes, and GitOps.
May 2021 9 hours 44 minutes
Mobile Development with .NET
Mobile Development with .NET
.NET 5 is a unified framework from Microsoft's cross-platform toolset that includes ASP.NET Core and Xamarin for mobile development. With this book, you'll understand .NET 5 and how to develop mobile apps with Xamarin. You'll explore Microsoft Azure cloud services, advanced app features, and how to manage and maintain your mobile apps effectively.
Apr 2021 19 hours 4 minutes
Hands-On Mobile Development with .NET Core
Hands-On Mobile Development with .NET Core
In this book, you will learn how to design and develop highly attractive, maintainable, and robust mobile applications for multiple platforms including iOS, Android, and UWP with the toolset provided by Microsoft using Xamarin, .NET Core, and Azure Cloud Services.
May 2019 16 hours 48 minutes
Azure for Architects
Azure for Architects
Azure is evolving at a rapid speed and introducing newer services almost every week. What was relevant a year back is not more relevant today as better services are available to solve the same challenges. This book will provide architects with solid information about the important services for hosting, deploying and architecting solutions.
Jan 2019 17 hours 52 minutes
Azure for Architects
Azure for Architects
Azure cloud services have risen rapidly and there is also a gradual increase in the number of organizations that adopt Azure for their cloud services. This 3rd edition will assist readers to create a comprehensive Azure cloud solution that is Enterprise-class and ready for the future.
Jul 2020 23 hours 16 minutes
DevOps Culture and Practice with OpenShift
DevOps Culture and Practice with OpenShift
Learn, understand, and apply people-, process-, and technology-related practices to make OpenShift and DevOps adoption a success within your organization.
Aug 2021 27 hours 4 minutes
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Designing and Implementing Microsoft Azure Networking Solutions
Designing and Implementing Microsoft Azure Networking Solutions
Designing and Implementing Microsoft Azure Networking Solutions Exam Ref AZ-700 is an all-encompassing guide to the AZ-700 exam and contains all the information you need to succeed in the world of virtual networking with Azure. With this book, you will be fully prepared for the exam and the world of cloud networking.
Aug 2023 17 hours 28 minutes
Microsoft 365 Security, Compliance, and Identity Administration
Microsoft 365 Security, Compliance, and Identity Administration
The Microsoft 365 Security, Compliance, and Identity Administration is a comprehensive guide that helps you employ Microsoft 365's robust suite of features and empowers you to optimize your administrative tasks.
Aug 2023 21 hours 0 minutes
Zero Trust Overview and Playbook Introduction
Zero Trust Overview and Playbook Introduction
Get started on Zero Trust with this step-by-step playbook and learn everything you need to know for a successful Zero Trust journey with tailored guidance for every role, covering strategy, operations, architecture, implementation, and measuring success. This book will become an indispensable reference for everyone in your organization.
Oct 2023 8 hours 0 minutes
The Self-Taught Cloud Computing Engineer
The Self-Taught Cloud Computing Engineer
This self-study book helps you master multiple clouds, including AWS, Azure, and GCP, and serves as a roadmap to becoming a certified cloud computing expert. The book will guide you to develop a professional cloud career by helping you build a broad cloud knowledge base, developing hands-on cloud computing skills, and getting cloud certified.
Sep 2023 15 hours 44 minutes
Technology Operating Models for Cloud and Edge
Technology Operating Models for Cloud and Edge
This book will help you build and create ownership of a technology operating model, as well as connect your leadership with engineering and operations, keeping your internal and external customers in mind. It provides practical tips on why, where, and how to make the cloud and edge platform paradigm sing for you, your team, and your organization.
Aug 2023 7 hours 36 minutes
Azure Architecture Explained
Azure Architecture Explained
Azure is the preferred platform to build mission-critical and secure apps. This book provides comprehensive coverage of essential Azure products, services, and solutions vital for every solution architect's success. Elevate your knowledge and master the critical components of Azure to excel in your role with Azure Architecture Explained.
Sep 2023 14 hours 52 minutes
Pentesting Active Directory and Windows-based Infrastructure
Pentesting Active Directory and Windows-based Infrastructure
This practical guide helps you explore the pentesting of Microsoft infrastructure in detail, and enhances your offensive skillset by showing you the different ways to perform security assessment. This book will help blue teamers and IT engineers get up to speed with possible security issues they may encounter in their Windows environments.
Nov 2023 12 hours 0 minutes
Practical Ansible
Practical Ansible
In Practical Ansible, you'll work with the latest release of Ansible and learn to solve complex issues quickly with the help of task-oriented scenarios. You'll start by installing and configuring Ansible to automate monotonous and repetitive IT tasks and get to grips with concepts such as playbooks, inventories, plugins, collections, and network modules.
Sep 2023 14 hours 0 minutes
Windows 11 for Enterprise Administrators
Windows 11 for Enterprise Administrators
Microsoft’s launch of Windows 11 is a step toward satisfying the enterprise administrator’s needs for better management and enhanced user experience customization. This book provides the enterprise administrator with the knowledge needed to fully utilize the advanced feature set of Windows 11 Enterprise.
Oct 2023 9 hours 32 minutes
The Linux DevOps Handbook
The Linux DevOps Handbook
This book is for software and IT professionals seeking knowledge on Linux systems and DevOps practices. This book will provide you with guidance and tools to learn and gain proficiency in managing Linux-based infrastructures and knowledge of DevOps.
Nov 2023 14 hours 16 minutes
Right arrow icon