book

DevSecOps for Azure

Name: DevSecOps for Azure
ISBN: 9781837631117

by David Okeyode, Joylynn Kirui

August 2024

Intermediate to advanced

342 pages

8h 43m

English

Packt Publishing

Read now

Unlock full access

DevSecOps for Azure
ForewordContributorsAbout the authorsAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesConventions usedGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Part 1: Understanding DevOps and DevSecOps
Chapter 1: Agile, DevOps, and Azure Overview
Technical requirementsDefining DevOps – Understanding its concepts and practicesThe why of DevOps – Innovation, velocity, and speedUnderstanding the process aspect of DevOpsUnderstanding the five core practices of DevOpsUnderstanding the stages in a DevOps workflowUnderstanding the people aspect of DevOpsThe importance of a collaborative cultureStaying clear of DevOps anti-typesUnderstanding the product aspect of DevOps – The toolchainThe platform approach to DevOps toolingAn overview of the Azure DevOps platformAn overview of the GitHub platformAn overview of the GitLab platformAzure services for the DevOps workflowAgile, DevOps, and the Cloud – A perfect trioHands-on Exercise 1 – Creating an Azure subscriptionHands-On Exercise 2 – Creating an Azure DevOps organization (linked to your Azure AD tenant)Hands-On Exercise 3 – Creating a GitHub Enterprise Cloud trial accountSummaryFurther reading
Chapter 2: Security Challenges of the DevOps Workflow
Technical requirementsSecurity challenges of DevOpsUnderstanding the limitations of traditional security in a fast-paced DevOps worldUnderstanding how DevOps increases the attack surfaceThe case for DevSecOpsUnderstanding the cultural aspect of DevSecOpsUnderstanding the process aspect of DevSecOpsConsiderations for selecting your DevSecOps toolchainDevSecOps and supply chain securitySummaryFurther reading
Part 2: Securing the Plan and Code Phases of DevOps
Chapter 3: Implementing Security in the Plan Phase of DevOps
Technical requirementsUnderstanding DevSecOps in the planning phaseUnderstanding threat modeling and its benefitsTraditional threat modeling frameworksThreat modeling in DevSecOpsUnderstanding the Mozilla RRA processHands-on exercise 1 – Provisioning the lab VMTask 1 – Initializing the template deployment to AzureTask 2 – Connecting to the lab VM using Azure BastionHands-on exercise 2 – Performing threat modeling of an e-commerce applicationTask 1 – Downloading and installing the Microsoft Threat Modeling ToolTask 2 – Creating a threat model diagram for the eShop applicationTask 3 – Running a threat analysis on the modelImplementing continuous code-to-cloud security trainingSummaryFurther reading
Chapter 4: Implementing Pre-commit Security Controls
Technical requirementsOverview of the pre-commit coding phase of DevOpsUnderstanding the developer environment optionsUnderstanding the security categories in the pre-commit phaseSecuring the development environmentRisk 1 – IDE vulnerability risksRisk 2 – Malicious and vulnerable IDE extensionsRisk 3 – Working with untrusted codeRisk 4 – Compromised IDE source codeAdditional thoughts on hardening of the development environmentAddressing common development security mistakesRisk 1 – Addressing in-house code vulnerability riskRisk 2 – Open source component riskRisk 3 – Exposed secret riskChoosing the right developer-first security toolingHands-on exercise 1 – Performing code review, dependency checks, and secret scanning on the IDETask 1 – Connecting to the lab VM using Azure BastionTask 2 – Configuring Snyk on Visual Studio CodeTask 3 – Importing eShopOnWeb to your Visual Studio Code workspaceHands-on exercise 2 – Installing and configuring Git pre-commit hooks on the IDETask 1 – Installing pre-commit framework on Visual Studio CodeTask 2 – Configuring detect-private key and detect-secrets pre-commit hooks on Visual Studio CodeSummary
Chapter 5: Implementing Source Control Security
Technical requirementsUnderstanding the post-commit phase of DevOpsUnderstanding the security measures in the source control management phaseSecuring the source code management environmentManaging code repositories securelyRecommendation 1 – Ensuring repository creation is limited to specific membersRecommendation 2 – Ensuring sensitive repository operations are limited to specific membersRecommendation 3 – Ensuring inactive repositories are reviewed and archived periodicallyRecommendation 4 – Repositories should be created with auditing enabledAddressing common coding security issues in source controlUnderstanding GitHub code securityRecommendation 1 – Implementing dependency tracking in source controlRecommendation 2 – Implementing dependency vulnerability assessment and management in source controlRecommendation 3 – Implementing an open source license compliance scanRecommendation 4 – Implementing secret protection in source controlHands-on exercise – Performing pre-receive checks and dependency reviewsTask 1 – Enabling push protection on Azure DevOpsTask 2 – Enabling push protection on GitHubTask 3 – Reviewing dependencies on GitHubSummary
Part 3: Securing the Build, Test, Release, and Operate Phases of DevOps

Chapter 6: Implementing Security in the Build Phase of DevOps
Technical requirementsUnderstanding the continuous build and test phases of DevOpsUnderstanding build system optionsUnderstanding the security measures in the build phaseSecuring CI environments and processesSecuring the build services and workersSecuring the build workersImplementing secure access to build environments and workersProtecting the build environment from malicious code executionsAddressing common coding security issuesImplementing the Microsoft Security DevOps extensionIntegrating GitHub Advanced Security code-scanning capabilities into pipelinesIntegrating GHAS dependency-scanning capabilities into pipelinesHands-on exercises – Integrating security within the build phasePrerequisitesExercise 1 – Integrating SAST, SCA, and secret scanning into the build processExercise 2 – Onboarding your DevOps platforms to DevOps Security in Microsoft Defender for CloudSummary
Chapter 7: Implementing Security in the Test and Release Phases of DevOps
Technical requirementsUnderstanding the continuous deployment phase of DevOpsProtecting release artifacts in the release phaseEnsuring that release artifacts are built from protected branchesImplementing a code review processSelecting secure artifact sourcesImplementing artifact signing for integrity checksManaging secrets securely in the release phaseImplementing auditing for the CI/CD environmentImplementing security gates in release pipelinesImplementing DAST as security gatesChallenges of implementing DAST in a DevOps processImplementing security gates in Azure Pipelines and GitHub ActionsHands-on exercise – Integrating security within the build and test phasesPrerequisitesTask 1 – Implementing artifact signing for integrity checksTask 2 – Integrating DAST tools to find and fix security vulnerabilities in the test phaseSummary
Chapter 8: Continuous Security Monitoring on Azure
Technical requirementsUnderstanding continuous monitoring in DevOpsUnderstanding the interconnected risks of Azure and cloud-native applicationsSecuring an application runtime environmentImplementing runtime security gates to stop critical risksImplementing runtime security gates using Azure PolicyImplementing runtime security gates using the Kubernetes admission controllerImplementing continuous security monitoring for runtime environmentsProtecting applications at runtime in AzureThe challenges of runtime protection in modern cloud environmentsProtecting applications running in Azure App ServiceProtecting serverless workloads at runtime in AzureProtecting container workloads in AzureHands-on exercise – Continuous security monitoring on AzureTask 1 – Implementing and operationalizing CSPMTask 2 – Implementing and operationalizing continuous container workload protectionSummaryFurther reading
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Overview

DevSecOps for Azure is your ultimate guide to integrating robust security measures into the entire Azure DevOps pipeline. Through this book, you'll discover how to secure every aspect of the development lifecycle, from initial planning to ongoing runtime security, tailored specifically for Azure cloud environments.

What this Book will help me do

Implement security within DevOps workflows effectively, focusing on Azure-specific practices.
Learn to secure development toolchains including GitHub Codespaces and Microsoft's Dev Box.
Master techniques for integrating security testing such as SCA, SAST, and secret scanning into the build process.
Understand how to deploy secure CI/CD pipelines with a focus on artifact integrity and container security.
Develop a strong code-to-cloud security framework that ensures continuous compliance and protection.

Author(s)

David Okeyode and Joylynn Kirui, experts in cloud security, bring years of hands-on experience to this book. David specializes in Azure security, with numerous projects under his belt, while Joylynn is a trusted advisor in secure DevOps practices. Their combined expertise ensures practical, real-world solutions are at the forefront of this guide.

Who is it for?

This book is perfect for security professionals and developers venturing into public cloud operations or adopting DevSecOps practices. If you're a DevOps engineer seeking to enhance your Azure-specific skills or a professional aiming to integrate comprehensive security into CI/CD pipelines, the concepts here will be invaluable. Basic knowledge of DevOps and security principles will help you maximize the benefits of this guide.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781837631117

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills