DevOps
• A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers - Microsoft definition
• Anything that speeds application delivery - simplified definition
• Automation plays an important role in speeding application delivery
Azure DevOps
• Set of tools to achieve DevOps
• 5 Modules - Boards, Repos, Pipelines, Test Plans, Artifacts
• Azure Pipelines - CI and CD tool
Terminologies
• Continuous Integration (CI) - Automated building (and testing) of every code change
• Continuous Delivery (CD) - Every change is kept deployment-ready, but not every change is deployed to production
• Continuous Deployment (CD) - Every change that passes the pipeline is automatically deployed to production
Demo - Basic DevOps Process
1. Developer makes changes in the IDE (VS Code)
2. Developer pushes the code to Git
3. The push triggers an automated build (CI) using Azure Pipelines
4. The CI pipeline pulls the latest source code, builds a Docker image and pushes the image to Azure Container Registry (ACR)
5. A successful push to ACR triggers CD via Releases
6. The Release pipeline deploys the image to the App Service
Basic DevSecOps Process
• Design - Threat Modeling and Risk Assessment
• Development - SAST scan in the IDE, Code Reviews
• Continuous Integration (CI) - Security Unit Tests, Static Application Security Testing, Open Source Analysis, Container Scanning
• Continuous Delivery (CD) - Compliance Check, Dynamic Application Security Scanning, Infrastructure Security, Penetration Testing
• Continuous Deployment (CD) - Compliance Check, Runtime Defense
• Security in Production - Monitoring, SSL Configuration, ..
Challenges
• Security as an afterthought
• Quick software release cycles
• Moving workloads to cloud
• Organizational Culture
DevSecOps
• Shift Security Left
• Integrates security with DevOps without slowing down the SDLC
• Automates security within the DevOps workflow
• Secure Continuous Development
• Is not just about using a bunch of security tools. It’s about people, process and tools
DevSecOps for Business
• An organization developing software in-house
• An organization outsourcing software development
• An organization procuring software from a vendor
Tools of the trade
• Threat Modeling - Microsoft Threat Modeling ..
• SAST Scan - Checkmarx, SonarCloud, Open Source ..
• OSA - WhiteSource, BlackDuck, OWASP Dependency-Check ..
• Container Scan - Aqua, Twistlock, Anchore, Clair ..
• DAST Scan - OWASP ZAP, TinFoil ..
• Many other tools based on the requirement
• Prefer open source tools to start
Demo - Secure CI and CD using Azure Pipelines
Steps -
1. SAST scan using SonarCloud
2. Open Source Scan using WhiteSource Bolt
3. Container Scan using Anchore
4. DAST Scan using OWASP ZAP
5. Compliance Scan on the cloud infrastructure
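The following Azure Pipelines YAML is an added example, not code from the slides or from any of the vendors named on them. It wires together the basic demo process (build the Docker image, push it to ACR, release to App Service) and the five steps of the secure demo above, so that each scan acts as a gate: a failing scan fails its stage and the release never runs. All service connection names, the registry, image and App Service names, the SonarCloud organisation and project key, the staging URL and the Anchore secret variables are placeholders (assumptions), and the steps assume the SonarCloud and WhiteSource Bolt Marketplace extensions are installed and that an Anchore Engine reachable from the agent has the ACR credentials registered. Step 5 names no tool on the slides, so it is left as a comment.

```yaml
# Added example, not from the slides: one Azure Pipelines YAML that runs the basic
# demo's build/push/deploy flow with the secure demo's scans inserted as gates.
# Everything marked "placeholder" is an assumption, not a value from the slides.
trigger:
  branches:
    include: [main]          # a push to Git triggers CI (basic demo step 3)
variables:
  imageName: 'demo-app'                                     # placeholder
  acrServiceConnection: 'acr-docker-connection'             # placeholder Docker registry service connection
  acrLoginServer: 'myregistry.azurecr.io'                   # placeholder
  azureSubscription: 'azure-rm-connection'                  # placeholder Azure RM service connection
  stagingUrl: 'https://demo-app-staging.azurewebsites.net'  # placeholder
stages:
- stage: CI
  jobs:
  - job: build_scan_push
    pool:
      vmImage: 'ubuntu-latest'
    steps:
    # Step 1 - SAST: SonarCloud analysis; the quality gate result is published on the build.
    - task: SonarCloudPrepare@1
      inputs:
        SonarCloud: 'sonarcloud-connection'   # placeholder service connection
        organization: 'my-org'                # placeholder
        scannerMode: 'CLI'
        configMode: 'manual'
        cliProjectKey: 'my-org_demo-app'      # placeholder
    - task: SonarCloudAnalyze@1
    - task: SonarCloudPublish@1
    # Step 2 - Open source analysis: WhiteSource Bolt scans the declared dependencies.
    - task: WhiteSource Bolt@20
      inputs:
        cwd: '$(Build.SourcesDirectory)'
    # Basic demo step 4: build the Docker image and push it to ACR.
    - task: Docker@2
      inputs:
        command: buildAndPush
        containerRegistry: $(acrServiceConnection)
        repository: $(imageName)
        dockerfile: '$(Build.SourcesDirectory)/Dockerfile'
        tags: $(Build.BuildId)
    # Step 3 - Container scan: Anchore pulls the pushed image from ACR (assumed:
    # Anchore Engine reachable, ACR credentials registered in it, anchore-cli on
    # the agent). "evaluate check" exits non-zero when the image fails the Anchore
    # policy, which fails this stage and therefore blocks the CD stage.
    - script: |
        set -euo pipefail
        IMAGE="$(acrLoginServer)/$(imageName):$(Build.BuildId)"
        anchore-cli image add "$IMAGE"
        anchore-cli image wait "$IMAGE"
        anchore-cli image vuln "$IMAGE" all
        anchore-cli evaluate check "$IMAGE"
      displayName: 'Anchore container scan gate'
      env:
        ANCHORE_CLI_URL: $(ANCHORE_URL)     # placeholder secret pipeline variables
        ANCHORE_CLI_USER: $(ANCHORE_USER)
        ANCHORE_CLI_PASS: $(ANCHORE_PASS)
- stage: CD
  dependsOn: CI              # runs only when every CI gate passed (basic demo step 5)
  jobs:
  - deployment: deploy_staging
    pool:
      vmImage: 'ubuntu-latest'
    environment: staging     # placeholder environment name
    strategy:
      runOnce:
        deploy:
          steps:
          - task: AzureWebAppContainer@1
            inputs:
              azureSubscription: $(azureSubscription)
              appName: 'demo-app-staging'   # placeholder App Service name
              containers: '$(acrLoginServer)/$(imageName):$(Build.BuildId)'
          # Step 4 - DAST: OWASP ZAP baseline scan of the running staging site.
          # -I keeps WARN-level alerts non-fatal; FAIL-level alerts return non-zero
          # and stop the release. The HTML report lands in the working directory.
          - script: |
              set -euo pipefail
              docker run --rm -v "$PWD:/zap/wrk/:rw" -t owasp/zap2docker-stable \
                zap-baseline.py -t "$(stagingUrl)" -I -r zap-report.html
            displayName: 'OWASP ZAP baseline scan gate'
          # Step 5 - Compliance scan of the cloud infrastructure: the slides name no
          # tool for this step, so it is left as this placeholder comment.
  - deployment: deploy_production
    dependsOn: deploy_staging
    pool:
      vmImage: 'ubuntu-latest'
    environment: production  # placeholder; approvals are configured on the environment
    strategy:
      runOnce:
        deploy:
          steps:
          - task: AzureWebAppContainer@1
            inputs:
              azureSubscription: $(azureSubscription)
              appName: 'demo-app'           # placeholder App Service name
              containers: '$(acrLoginServer)/$(imageName):$(Build.BuildId)'
```

The ordering matters for the container scan: Anchore Engine analyses images it pulls from a registry, so the image is pushed to ACR first and the scan gate sits between the push and the CD stage, which matches the slides' flow where the push to ACR is what triggers the release. Shifting left further (scanning before the push) needs a scanner that works on the local image instead. Putting the DAST scan after the staging deployment and before the production deployment is what makes it a Continuous Delivery check rather than a production-time one; the production environment's approval is where a human review of the ZAP report can be required.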