5. @SP_twit
DevOps on Azure
• Azure ARM
• Azure Automation DSC
• Azure Application Insights
• Visual Studio Team Services
• Azure Container Services
• Azure Container Registry
6.
Security
• “It’s important” -> “what’s the risk?”
• More complexity
• Security breaches and data leaks
-> bad publicity (Facebook, Sony, etc.)
-> slow down adoption of the platform
• New regulations
• India: Information Technology Act (2000) (“IT Act”), amended in 2008 to include Section 43A (compensation for failure to protect sensitive personal data) and Section 72A (disclosure of personal information in breach of contract)
• GDPR (Europe): mandatory notification of personal data breaches to the supervisory authority (within 72 hours) -> fines of up to 4% of worldwide annual turnover or €20M, whichever is higher
• Specific regulation rules (banking, military, etc.)
7.
DevSecOps Manifesto (Larry Maccherone)
• Build security in more than bolt it on
• Rely on empowered development teams more than security specialists
• Implement features securely more than security features
• Use tools as feedback for learning more than end-of-phase stage gates
• Build on culture change more than policy enforcement
11.
DevSecOps on Azure
• BinSkim - a binary static analysis tool that provides security and correctness results (emitted as SARIF) for Windows portable executables
• Checkmarx - a Static Application Security Testing (SAST) tool
• WhiteSource Software - manage your open source usage and security (licences, known-vulnerable components) as reported by your CI/CD pipeline
• OWASP ZAP VSTS extension - dynamic scanning (DAST) of the deployed application from the pipeline
• Visual Studio Code Analysis and the Roslyn Security Analyzers
• See https://docs.microsoft.com/en-us/vsts/articles/security-validation-cicd-pipeline?view=vsts
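Several of the tools above report in SARIF (BinSkim natively, the Roslyn analyzers through the compiler's error log), and the manifesto's "tools as feedback for learning more than end-of-phase stage gates" comes down to what the pipeline does with that report. The following is an added example, not code from these slides or from any of the listed tools: a small Python triage step that parses a SARIF 2.1.0 document, blocks the build only on error-level findings that are not already in an accepted baseline, and turns everything else into feedback text for the developers. The SARIF document, its rule IDs (EX000x) and file names are constructed for illustration and are not real BinSkim rules.

```python
"""Triage a SARIF 2.1.0 report from a CI static-analysis step into a gate
decision plus developer feedback. Added example; the SARIF below is
constructed and its rule IDs and paths are placeholders, not real tool output.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Constructed SARIF 2.1.0 document standing in for a real tool's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleAnalyzer", "rules": [
            {"id": "EX0001", "shortDescription": {"text": "Control Flow Guard disabled"}},
            {"id": "EX0002", "shortDescription": {"text": "Weak hash algorithm"}},
            {"id": "EX0003", "shortDescription": {"text": "Unsigned binary"}},
            {"id": "EX0004", "shortDescription": {"text": "NX compatible"}},
        ]}},
        "results": [
            {"ruleId": "EX0001", "level": "error",
             "message": {"text": "Image was not linked with /guard:cf"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/app.exe"}}}]},
            {"ruleId": "EX0002", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hash.cs"}}}]},
            {"ruleId": "EX0002", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/legacy.cs"}}}]},
            {"ruleId": "EX0003", "level": "note",
             "message": {"text": "Binary carries no Authenticode signature"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/app.exe"}}}]},
            # A "pass" result: the check ran and succeeded; not a defect.
            {"ruleId": "EX0004", "kind": "pass", "level": "none",
             "message": {"text": "Image is NX compatible"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/app.exe"}}}]},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str      # SARIF level: error | warning | note | none
    message: str
    uri: str

    @property
    def fingerprint(self) -> str:
        # Stable key for baselining; real tools may supply partialFingerprints instead.
        return f"{self.rule_id}:{self.uri}"


def parse_sarif(text: str) -> list[Finding]:
    """Flatten all runs into Finding objects, skipping non-failure results."""
    findings: list[Finding] = []
    for run in json.loads(text).get("runs", []):
        for r in run.get("results", []):
            if r.get("kind", "fail") != "fail":   # pass / notApplicable / review etc.
                continue
            loc = (r.get("locations") or [{}])[0]
            uri = (loc.get("physicalLocation", {})
                      .get("artifactLocation", {})
                      .get("uri", "<unknown>"))
            findings.append(Finding(
                rule_id=r.get("ruleId", "<no-rule>"),
                level=r.get("level", "warning"),   # SARIF default when level is omitted
                message=r.get("message", {}).get("text", ""),
                uri=uri))
    return findings


@dataclass
class GateDecision:
    blocked: bool
    blocking: list[Finding]   # new findings at a failing level: break the build
    feedback: list[Finding]   # everything else: surfaced to the team, not blocking
    counts: dict[str, int]    # findings per SARIF level


def evaluate_gate(findings: list[Finding], baseline: frozenset[str] = frozenset(),
                  fail_on: tuple[str, ...] = ("error",)) -> GateDecision:
    """Block only on findings at a failing level that are not in the accepted baseline."""
    def is_blocking(f: Finding) -> bool:
        return f.level in fail_on and f.fingerprint not in baseline
    blocking = [f for f in findings if is_blocking(f)]
    feedback = [f for f in findings if not is_blocking(f)]
    return GateDecision(bool(blocking), blocking, feedback,
                        dict(Counter(f.level for f in findings)))


def format_feedback(decision: GateDecision) -> str:
    """Render the decision as text suitable for a build log or pull-request comment."""
    summary = ", ".join(f"{k}={v}" for k, v in sorted(decision.counts.items()))
    lines = [f"gate: {'FAIL' if decision.blocked else 'PASS'} ({summary})"]
    lines += [f"  BLOCK {f.rule_id} {f.uri}: {f.message}" for f in decision.blocking]
    lines += [f"  info  {f.rule_id} [{f.level}] {f.uri}: {f.message}" for f in decision.feedback]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_sarif(SAMPLE_SARIF)
    print(format_feedback(evaluate_gate(found)))
    # Same report with the known CFG finding baselined: still reported, no longer blocking.
    print(format_feedback(evaluate_gate(found, baseline=frozenset({"EX0001:bin/app.exe"}))))
```

The baseline is what keeps this a feedback loop rather than a stage gate: existing debt stays visible on every run, but only a regression (a new error-level result) stops the pipeline. Tightening `fail_on` to include warnings is a one-line policy change once the team has worked the backlog down.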