Building an End-To-End DevSecOps Pipeline: Microsoft Azure
Welcome back to the Building an End-to-End DevSecOps Pipeline blog series. In part two we discuss building a secure DevOps pipeline using the Microsoft Azure DevOps family of products and services. As always, our goal with DevSecOps is to shift security left, toward more agile and more secure development practices. Without further ado, let’s jump right in.
When building a DevSecOps pipeline you must decide which tools and products to use. There are many options on the market: AWS, Jenkins, Travis CI, Microsoft Azure, Google, and others. This post covers building a DevSecOps pipeline using Microsoft products and tools exclusively. From threat modeling to continuous monitoring, Microsoft has something that helps you do it all.
Defining Tools Used In The Azure DevSecOps Pipeline
Let’s start with some terminology from the Azure DevOps family of products and tools. You must become familiar with these tools to understand the architecture of the DevSecOps pipeline.
- Azure Pipelines – automatically builds and tests code projects to make them available to others. It works with just about any language or project type. Azure Pipelines combines continuous integration (CI) and continuous delivery (CD) to test and build your code and ship it to any target.
- Azure AD – is Microsoft’s cloud-based identity and access management service. It lets your employees sign in to and access external resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications, as well as internal applications.
- GitHub – with GitHub Enterprise, your team can work together on projects from anywhere. Features like issues, branches, commits, and pull requests make it possible to discuss and review code—no matter where you are. Plus, you can manage projects and releases right inside GitHub, without using outside project management tools.
- Azure Boards – is a service for managing the work for your software projects. Teams need tools that flex and grow. Azure Boards does just that, bringing you a rich set of capabilities including native support for Scrum and Kanban, customizable dashboards, and integrated reporting.
- Azure Key vault – is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.
- Azure Cosmos DB – is a fully managed NoSQL database service for modern app development.
- Azure Policy – helps you manage and prevent IT issues with policy definitions that enforce rules and effects for your resources.
- Azure Application gateway – is a web traffic load balancer that enables you to manage traffic to your web applications.
- Azure Security Center – is a solution that provides unified security management across hybrid cloud workloads.
- MFA – multi-factor authentication, an authentication process requiring two or more types of verification to protect against unauthorized access.
- Azure Monitor – collects, analyzes, and acts on telemetry data from your Azure and on-premises environments.
- Azure Kubernetes Services – simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure.
- Azure Container Registry – is a private registry service for building, storing, and managing container images and related artifacts.
- Terraform – is a tool for building, changing and versioning infrastructure safely and efficiently.
Architecture Using Microsoft Azure
The architecture diagram below shows all of the products and tools used in a Microsoft Azure DevSecOps build pipeline. Each is represented by its icon and name and labeled 1 through 13 in order of operations.
Advantages of Microsoft Azure Pipelines
- Complete and powerful
- Cost effective
- Supports Open Source
- Huge extension ecosystem
Disadvantages of Microsoft Azure pipelines
- Still dependent on C# for agents
- Jack of all trades, master of none
- Not a requirements management tool
- Requires resources to manage Security
- Requires experience with Microsoft tools and products
Creating A Secure Azure Pipeline – Architecture Explained
Let’s say you’re a developer starting a new project. The kind of project does not matter: it can be .NET, C, Java, Python, Node.js, or anything else, and its success is measured against key performance indicators (KPIs). Your organization uses Microsoft Azure AD for identity and access management, with multi-factor authentication (MFA) enforced. You want to start building this application, so you define your build specifications and plan the work in Azure Boards, where security tasks are tracked alongside feature work from the first sprint because security is a priority.
Then you can use GitHub Enterprise, since it integrates with Microsoft Azure and keeps setup simple. It also lets you require two-factor authentication (2FA) for every member of your organization. As part of GitHub’s open source security offering it includes a fully integrated Dependabot, which checks your dependency manifests against known vulnerability advisories, flags vulnerable versions, and opens automated pull requests (PRs) that bump them to a patched release.
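As an added example that is not from the original post, here is a Dependabot configuration of the kind that enables the behaviour described above. The ecosystems and directories (a Node.js service and Dockerfile under /src, a Terraform root module under /infra) are assumptions about a hypothetical repository:

```yaml
# .github/dependabot.yml (added example, not from the original post)
# Assumptions: a Node.js service under /src, a container image built from
# /src/Dockerfile, and a Terraform root module under /infra.
version: 2
updates:
  # Application dependencies: a weekly PR per outdated package, capped so
  # one noisy week does not flood reviewers.
  - package-ecosystem: "npm"
    directory: "/src"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "security"
  # Base image referenced in the Dockerfile: catches a stale runtime or
  # distro tag that would otherwise ship known CVEs into the cluster.
  - package-ecosystem: "docker"
    directory: "/src"
    schedule:
      interval: "weekly"
  # Terraform providers and modules used to build AKS and ACR.
  - package-ecosystem: "terraform"
    directory: "/infra"
    schedule:
      interval: "weekly"
```

The version updates configured here are separate from Dependabot security updates, which are driven by Dependabot alerts and are switched on per repository in the repository’s code security settings; both kinds arrive as pull requests. Treat those PRs like any other code change: review the diff and let the pipeline run before merging, because auto-merging dependency bumps without review turns the bot itself into a supply-chain vector.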
From here the DevSecOps architecture reaches Azure Pipelines. Cloud-hosted agents for Linux, macOS, and Windows automate the build and deployment process. For deployment we use Azure Kubernetes Service (AKS), Azure Container Registry (ACR), and Terraform for infrastructure as code. This is what gives us continuous integration and continuous delivery to AKS: the pipeline pushes images to ACR and the cluster pulls them, both through secure service connections rather than long-lived registry credentials stored in the repository.
As you can see on the right side of the architecture diagram, we have Azure Policy, Azure Key Vault, Azure Monitor, and Azure AD. These are all security focused and help improve your DevSecOps program. Azure Policy helps ensure resources are compliant with governance controls, which is important from a DevSecOps perspective, and through its AKS add-on it enforces policies inside the cluster as well (for example, denying privileged containers or images that do not come from your own registry). A brilliant feature is that Azure Policy compliance can be used as a release gate, which says, “before this stage runs, meet condition x.” The gate queries Azure Policy for the compliance state of the target scope, and a non-compliant subscription or resource group blocks the deployment.
Azure Key Vault is used to protect credentials and is a critical security component in the DevSecOps pipeline. Your application requires service passwords, connection strings, API keys, and other secret configuration values to run correctly. Key Vault stores them, controls who can read them, and logs every request. Rather than committing secrets to the code base, the pipeline fetches them from Key Vault at run time and injects them as masked variables; managing secrets this way for the entire code base is good practice for developers. Just ensure the Key Vault access policy (or Azure RBAC role assignment) is configured correctly from a security perspective: the pipeline’s identity needs only permission to read the secrets it uses, not to set, delete, or purge them. Hence, using Azure Key Vault is beneficial and easy to set up.
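As an added example that is not part of the original post, the YAML pipeline below ties the Azure Pipelines, ACR, AKS, and Key Vault pieces together: it builds and pushes the image through an ACR service connection, then at deploy time fetches a secret from Key Vault, stores it as a Kubernetes Secret, and deploys the reviewed manifests to AKS. All names (the service connections, vault, registry, secret, and manifest path) are assumptions:

```yaml
# azure-pipelines.yml (added example, not from the original post).
# Assumed names: service connections 'sc-azure-rm' (Azure Resource Manager),
# 'sc-acr' (Docker registry) and 'sc-aks' (Kubernetes); Key Vault
# 'kv-devsecops'; registry 'devsecopsdemo.azurecr.io'; secret
# 'DbConnectionString'; Kubernetes manifests under k8s/.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

variables:
  acrLoginServer: 'devsecopsdemo.azurecr.io'
  imageRepository: 'sample-api'
  imageTag: '$(Build.BuildId)'   # immutable tag per build, never :latest

stages:
  - stage: Build
    jobs:
      - job: BuildAndPush
        steps:
          # Build and push through the ACR service connection; the YAML
          # never contains, and the agent never prints, a registry password.
          - task: Docker@2
            inputs:
              containerRegistry: 'sc-acr'
              repository: $(imageRepository)
              command: buildAndPush
              Dockerfile: src/Dockerfile
              tags: $(imageTag)
          # Ship the manifests as a build artifact so the deploy stage uses
          # exactly what was reviewed in this commit.
          - publish: k8s
            artifact: manifests

  - stage: Deploy
    dependsOn: Build
    jobs:
      - deployment: DeployToAks
        # Approvals and checks are attached to the environment in the
        # Azure DevOps portal; nothing reaches the cluster until they pass.
        environment: production
        strategy:
          runOnce:
            deploy:
              steps:
                # Read the secret at run time. It becomes a secret variable
                # scoped to this job: masked in logs, never stored in git.
                - task: AzureKeyVault@2
                  inputs:
                    azureSubscription: 'sc-azure-rm'
                    KeyVaultName: 'kv-devsecops'
                    SecretsFilter: 'DbConnectionString'
                    RunAsPreJob: false
                # Hand the value to the workload as a Kubernetes Secret
                # instead of baking it into the manifest or the image.
                - task: KubernetesManifest@1
                  inputs:
                    action: createSecret
                    kubernetesServiceConnection: 'sc-aks'
                    namespace: sample-api
                    secretType: generic
                    secretName: db-conn
                    secretArguments: '--from-literal=connectionString=$(DbConnectionString)'
                # Deploy the reviewed manifests, substituting the image that
                # this run pushed (pinned by build ID).
                - task: KubernetesManifest@1
                  inputs:
                    action: deploy
                    kubernetesServiceConnection: 'sc-aks'
                    namespace: sample-api
                    manifests: $(Pipeline.Workspace)/manifests/deployment.yaml
                    containers: $(acrLoginServer)/$(imageRepository):$(imageTag)
```

Two least-privilege checks belong with this file. The identity behind 'sc-azure-rm' should hold only a read role on the vault (the Key Vault Secrets User role, or Get and List in an access policy), and the identity behind 'sc-acr' only AcrPush; the cluster itself pulls with its own managed identity granted AcrPull, so no pull credential has to be created or rotated in the pipeline. The Azure Policy compliance release gate the post describes is configured in the Azure DevOps portal on the stage or environment, not in this file.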
Azure Monitor helps us from a SecOps standpoint by collecting logs and metrics from the pipeline, the cluster, and the application so you can alert on them. Azure Security Center adds vulnerability assessment: it scans the container images you push to Azure Container Registry (using a Qualys-based scanner), so you can fix findings before an image is deployed and know that what is running is clean. Azure AD lets us manage identity and access, and Azure role-based access control (RBAC) built on it lets you grant each user or service identity only the permissions it needs on specific Azure resources. RBAC is how access to applications and infrastructure is controlled within the organization.
This covers the DevSecOps data flow for an Azure pipeline. If your software development team is looking to produce secure code, the native Azure products and tools might be the right solution for your organization. At Praetorian Secure we always recommend using a vulnerability scanning tool and a bug tracking system for agile development. Embedding security into your development life cycle makes the build process more efficient and promotes acceptance of DevSecOps.
DevSecOps pipelines driven by Azure are complete and powerful, and they can be used in a variety of ways to achieve flexible, agile DevSecOps practices. Azure offers integrations with the most common IDEs. Key Azure DevOps features include agile planning tools, powerful reporting, and Git hosting with free private repositories and pull requests. Azure Pipelines is a CI/CD powerhouse and a force to be reckoned with; the Azure DevOps family of tools and products is a one-stop shop for an organization’s DevSecOps needs. Integrating security into the CI/CD pipeline helps ensure your applications are safe and ready for production. Security in the DevOps pipeline should be at the forefront, not an afterthought. Stay tuned for the next issue in the series, where we will discuss the Amazon Web Services (AWS) family of products that help create a secure, well-maintained DevOps pipeline.
About Praetorian Secure
At Praetorian Secure we take pride in the cybersecurity consulting and compliance services we deliver. Our goal is to improve an organization’s security posture while building confidence and understanding at the same time. We have been keeping important assets secure from threats since 2009. Praetorian Secure is a Service-Disabled Veteran-Owned Small Business (SDVOSB), founded by two former U.S. Army Agents of the Certification Authority. Gaining momentum quickly, the company expanded its locations, adding a branch in South Florida. That is when we decided we wanted to help companies achieve compliance or improve their cyber security in a simpler, hassle-free manner. Our service expertise includes Compliance Services, Secure Software Development Services, Vulnerability Management, Cloud Security, vCISO, and more.
We have worked with companies across the globe and in varying industries to create a better, stronger, healthier security landscape, including clients such as MetLife, Xerox, United Health, the U.S. Army, Air Force, Navy, and more. We live in a world where threats never stop evolving and hackers do not take days off; as responsible business owners and employees we must not ignore this reality. If you are interested in learning more, please contact us via phone at +1 (855) 519-7328 or at firstname.lastname@example.org. Securing today, for a safer tomorrow!