All DevOps practices work towards speeding up the cadence of software delivery within an organisation. This should never come at the cost of compromising security and compliance. We should actually work towards improving and embedding security practices as part of the DevOps adoption.
Enter Rugged DevOps, or DevSecOps. Continuous Assurance, shift-left and the rest are the buzzwords of the moment, but their foundations are very solid.
So, besides Continuous Integration, Continuous Deployment, Continuous Delivery and Continuous Testing, we should start looking at adding Continuous Assurance.
4. Mohamed Radwan www.mohamedradwan.com
Outline
• Traditional Security Vs. DevSecOps (Rugged DevOps)
• Security as a continuously varying state
• Evolving DevOps
• Continuous Practices & Shift Left
• Security and Compliance within DevOps
• Vulnerabilities overview
• Overview about OWASP
• High Overview Of Secure DevOps Kit for Azure
• How to run different types of security scans?
• Azure Policy
5. Outline (P2)
• Azure Policy and Release Management
• Azure Blueprints
• Microsoft Azure Security Centre
• Automate Governance and Compliance
• Continuous security validation within CI/CD pipeline
• Passive penetration test vs. Active penetration test
• Infrastructure validation
• Track vulnerabilities
• Demo
11. Verizon 2016 Data Breach Investigations Report
In 2016 the distribution is very similar to last year's, with the top 10 vulnerabilities accounting for 85% of exploits; they are well known, yet persist because of a lack of awareness and practices.
The risk of OSS vulnerabilities
17. Overview about OWASP
Top 10
• Injection
• Never trust any user input
• Broken authentication
• Sensitive data exposure
• Broken access control
• More…
18. High Overview Of Secure DevOps Kit for Azure
[Figure: Secure DevOps Kit for Azure components mapped onto the DevOps stages]
Components: Subscription Security (Policy, RBAC, Config, etc.); Security Verification Tests (SVTs); Security IntelliSense; CICD Build/Release Extensions; Continuous Assurance Runbooks; Log Analytics for Alerting & Monitoring; Cloud Risk Governance
❶ Provision security in subscription
❷ Develop securely, spot check security via scripts
❸ Deploy securely from Azure DevOps using Azure Pipelines build/release
❹ Periodically scan in production to watch for drift
❺ Single security dashboard across DevOps stages
❻ Manage data-driven improvement to security
38. Sign-in and Sign-off process and automation
[Figure: release pipeline environments with their approvers]
Environments and approvers:
• Pre-prod environment, for production-like usage with real data (approver: Release Managers)
• QA environment, for functionality test, end-to-end (approver: QA)
• 1:n QA environments, for feature test (approver: QA)
Sign-in / Sign-off criteria:
• Accept release to be deployed here
• Accepted that this release has all prerequisites (DoD)
• Accept to start working on this release
• Approved this release is completed and ready for next stage
• Next stage is ready and secure
42. Azure Blueprints
Deploy and update cloud environments in a repeatable manner using composable artifacts
[Figure: Azure Blueprints composes Role Based Access Controls, Policy Definitions and ARM Templates and assigns them to Subscription 1, 2, 3 … N: compose, manage, scale]
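As an added example (not from the deck), the composition shown on this slide expressed with the Az.Blueprint PowerShell module: a blueprint definition with a policy-assignment artifact and a role-assignment artifact, imported, published as an immutable version and assigned to a subscription with a lock. Assumed: the Az.Blueprint module and an authenticated session; the subscription, group, policy-definition and role-definition IDs are placeholders; the ARM-template artifact kind is left out for brevity.

```powershell
# Added example, not the deck's code. Assumes Az.Blueprint is installed and Connect-AzAccount has run; every <...> value is a placeholder.
$subscriptionId      = '<subscription-guid>'
$readersGroupId      = '<entra-id-group-object-id>'   # group that receives Reader on the subscription
$allowedLocationsDef = '/providers/Microsoft.Authorization/policyDefinitions/<allowed-locations-policy-guid>'
$readerRoleDef       = '/providers/Microsoft.Authorization/roleDefinitions/<reader-role-guid>'
# Folder layout Import-AzBlueprintWithArtifact expects: blueprint.json plus artifacts\*.json
$root = Join-Path $env:TEMP 'secure-baseline'
New-Item -ItemType Directory -Force -Path (Join-Path $root 'artifacts') | Out-Null
# Blueprint definition: one parameter that the policy artifact consumes
@"
{
  "properties": {
    "description": "Subscription baseline: location guardrail plus read-only security audit access",
    "targetScope": "subscription",
    "parameters": {
      "allowedLocations": { "type": "array", "defaultValue": [ "westeurope", "northeurope" ] }
    }
  }
}
"@ | Set-Content (Join-Path $root 'blueprint.json')
# Policy artifact: the built-in "Allowed locations" policy wired to the blueprint parameter
@"
{
  "kind": "policyAssignment",
  "properties": {
    "displayName": "Restrict resource locations",
    "policyDefinitionId": "$allowedLocationsDef",
    "parameters": { "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" } }
  }
}
"@ | Set-Content (Join-Path $root 'artifacts\allowed-locations.json')
# RBAC artifact: least privilege for the audit team, Reader rather than Contributor
@"
{
  "kind": "roleAssignment",
  "properties": {
    "roleDefinitionId": "$readerRoleDef",
    "principalIds": [ "$readersGroupId" ]
  }
}
"@ | Set-Content (Join-Path $root 'artifacts\security-readers.json')
# Import, publish an immutable version, then assign; the lock stops manual deletion of what the blueprint created
Import-AzBlueprintWithArtifact -Name 'secure-baseline' -SubscriptionId $subscriptionId -InputPath $root
$draft = Get-AzBlueprint -SubscriptionId $subscriptionId -Name 'secure-baseline'
Publish-AzBlueprint -Blueprint $draft -Version '1.0'
$published = Get-AzBlueprint -SubscriptionId $subscriptionId -Name 'secure-baseline' -LatestPublished
New-AzBlueprintAssignment -Name 'secure-baseline-v1' -Blueprint $published -SubscriptionId $subscriptionId `
  -Location 'westeurope' -SystemAssignedIdentity -Lock AllResourcesDoNotDelete
```

Re-running the assignment against Subscription 2 … N is the "scale" arrow on the slide: the same published version lands on every subscription, and drift is caught because the lock and the policy stay in place after assignment.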