aOS Singapore 2019-Azure Secure DevOps Kit
•Télécharger en tant que PPTX, PDF•
0 j'aime•314 vues
This document discusses Azure Secure DevOps Kit, which is a tool that helps address security challenges in DevOps. It summarizes the key components of the kit, including subscription security tools, security verification tests, security intellisense, and Azure Automation runbooks. It also describes how the kit provides benefits like reduced development time and money, higher security awareness, and easier transition to DevOps through features like continuous assurance checks and problem resolution. A demo is provided on setting up the security verification tests through an Azure DevOps release pipeline.
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à aOS Singapore 2019-Azure Secure DevOps Kit
Similaire à aOS Singapore 2019-Azure Secure DevOps Kit (20)
Plus de Cheah Eng Soon
Plus de Cheah Eng Soon (20)
Dernier
Dernier (20)
aOS Singapore 2019-Azure Secure DevOps Kit
- 1. By Eng Soon Cheah Azure Secure DevOps Kit
- 2. Who am I ? Microsoft MVP Blog : www.techconnect.io Twitter : @CheahEngSoon YouTube Channel :http://bit.ly/engsoonyoutube
- 3. Understanding the security challenges of DevOps Engineering teams have increased autonomy More development technologies are available. Constant change is the norm. DevOps has wide-ranging operational responsibilities.
- 4. Addressing DevOps security challenges AUTOMATE SECURITY EMPOWER ENGINEERING TEAMS MAINTAIN CONTINUOUS ASSURANCE SET UP OPERATIONAL HYGIENE
- 8. Subscription security The primary tools in subscription security include: • Health check script • Provisioning script
- 10. The primary components include: • Security Verification Tests. • Security IntelliSense.
- 13. The tools in this section include: • Azure Automation runbooks that identify and correct security configuration drift. • A set of PowerShell scripts to create the Automation account, apply the templates, and install and configure the Runbooks.
- 15. The OMS views include: • Summary views of critical tasks that need immediate attention. • Outcomes of the most recent continuous assurance scans. • Summary of recent role-based access control activity (important role assignments, access revocation, and others). • Trends of various security metrics and activity over time. • Common useful queries for alerting, and other activities. • Pre-configured alerts in OMS. • Runbooks for auto-healing when certain alerts are triggered.
- 18. Cloud risk governance focuses on three primary views: • We can see adoption and usage of the DevOps Kit across the enterprise. These views give us a picture of the company’s secure DevOps maturity in the cloud. • We can view aggregate cloud-related risks across service lines. Aggregation of control failures for different cloud resource types helps us understand which areas of cloud use are leading to higher risk exposure for the company due to vulnerable configuration. This information can be used to target risk reduction. • We get visibility into common errors and challenges that developers face while using the kit. Information about errors and exceptions helps the Secure DevOps Kit team improve features and the user experience.
- 20. Benefits of using Azure Secure DevOps Kit • Reduced development time and money. • Higher awareness of security. • Easier transition to DevOps. • Simple processes for checking existing solutions. • Convenient assurance checks and problem resolution.
- 21. DEMO
- 22. Prerequisite • Microsoft Azure Account (https://aka.ms/azfr/463/free) • Deploy Project from Azure DevOps Demo Generator to Azure DevOps Account (https://azuredevopsdemogenerator.azurewebsites.net/)
- 23. 1. Go to Release. 2. Go to New and Select “+ New release pipeline”
- 25. Change the stage name to the role ,eg Dev,QA or Production. For this scenario, using “Dev1”
- 26. Select “+ Add an artifact”
- 27. 1. Select “Specify at the time of release creation” in Default version. 2. Select “Add”.
- 28. 1. Name your pipelines “AzDevOpsKit_SVT”. 2. Select Dev1 add your Azure Subscription and App service Name.
- 29. 1. Select “Run on agent”. 2. Select “Agent Pool” based on your environment.
- 30. Select Package or Folder of your project.
- 31. Select your project zip file.
- 32. Ensure your project zip file is correct path.
- 33. Select “+” Add a task to Run on agent.
- 34. 1. Add “Secure DevOps Kit(AzSK) CICD Extensions for Azure. 2. Add “AzSK Security Verification Tests”.
- 35. 1. Select your AzureRM Subscription. 2. Select “ResourceGroupName” as Parameter Set. 3. Enter your ResourceGroup Names that you had created in Azure Portal. 4. Enter your Azure Subscription ID.
- 36. 1. In Control Options, Check [ / ] Continue on error. 2. Select “Even if a previous task has failed,unles the deployment was canceled”. 3. Select “Save”.
- 37. Select “OK”
- 39. 1. Select “Dev1” stage . 2. Select your Build Version. 3. Select “Create”.
- 42. Select “Deploy”
- 43. Now the Stages start Queue the task
- 44. Task In Progress
- 45. After completed, Select “Partially succeeded”
- 46. Select the screen and see the results in next slide
- 47. For more information, please refer to https://azsk.azurewebsites.net/03- Security-In-CICD/Readme.html
Notes de l'éditeur
- Engineering teams have increased autonomy. In the past, engineering teams waited weeks or months for development resources. Now that IT no longer provisions development environments, we don’t have a significant impact on scheduling or capital expense. With DevOps in the cloud, autonomy and decentralization allows engineering teams to work end to end with almost complete independence from IT. Engineering teams can instantly provision test environments, and solutions can be deployed and published with an Azure subscription at whatever pace suits the team and business stakeholders. Traditional security methods hinder this agility. • More development technologies are available. Developing in the cloud opens up a huge opportunity for connecting different platforms and frameworks, but as flexibility has increased, so has the number of APIs and services used to make those connections. The cloud app development environment is more complex, and maintaining security in that environment using traditional methods is also more complex—and sometimes isn’t possible. • Constant change is the norm. With the shift to agile sprints and DevOps, constant change is the norm. The platform components on which applications run keeps changing, improving, and growing—often at a cadence dictated by individual Azure service teams. On top of that, dedicated business unit application teams regularly add new functionality and improve existing functionality following the agile philosophy of incremental but continuous improvement. Traditional security and the associated tollgate procedures aren’t designed for such continuous change. • DevOps has wide-ranging operational responsibilities. In the DevOps era, there isn’t a hard boundary between development and operations. The engineer who developed a feature is also responsible for the operational aspects of the feature. Operational considerations, including security, are a high priority for the development team in a DevOps culture.
- Faced with these DevOps security challenges, we set out to determine how security could be managed in a DevOps ecosystem. We wanted to change our thinking, methods, and tools to adapt to a development environment and culture that was in harmony with the nuances inherent in cloud DevOps. To do this, we adopted a number of imperatives. Automate security Automation gives us a chance to keep pace with the constantly changing cloud environment. DevOps is heavily centered on end-to-end automation, and we need to complement it with automated security. Automated security saves significant time and cost for apps that update much more often than their traditional counterparts, and it allows us to ensure that security configuration and deployment in DevOps can be achieved quickly and consistently. Empower engineering teams In an environment where change is constant, we want to empower our engineering teams to make meaningful, consistent changes without a tedious approval process. Our engineers need to be able to build security into their applications from the start. We need security integrated into the DevOps workflow. Developers don’t have to take extra measures to be secure, nor do they need to wait for a central security team to approve an app. Maintain continuous assurance When development and deployment are continuous, everything that goes with them needs to follow suit, including security assurance. The age-old requirements for sign-offs or compliance checks create tension in the modern engineering environment. We want to define a security state and track drift from that state to maintain a consistent level of security assurance across the entire environment. This helps ensure that builds and deployments that are secure at the time they are delivered, stay secure from one release iteration to the next and beyond. Set up operational hygiene We need to have a clear view of our DevOps environment to ensure that operational hygiene is in place. In addition to understanding operational risks in the cloud, DevOps operational hygiene in the cloud requires a different perspective than the traditional development environment. We need to create the ability to see the security state across DevOps stages and establish capabilities to receive security alerts and reminders for important periodic activities.
- What do you want to use the secure devops kit for? As you can see from the summary description above, the "Secure DevOps Kit for Azure" (we will call it AzSK to be brief hereafter), can be used by many different stakeholders. So depending on your role in the DevOps ecosystem, one or more of the below scenarios may apply to you. The skillset needed to use the capabilities of the kit and the prerequisites you need to have on your machine will vary based on your scenario. Here are a few sample stakeholders and some points about how they may try to use the AzSK:
- A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline.
- Health check script. The subscription health check script runs automated steps to examine a subscription and flag conditions that indicate your subscription may be at risk due to security issues, misconfigurations, or obsolete settings. Provisioning script. The provisioning script is a master script, which coordinates several smaller components that work together to provision a DevOps Kit environment. These components include: • Mandatory role-based access control accounts for important functions. • High-level alerts for critical or severe security events. • Azure Resource Manager policies that help secure otherwise insecure actions . • Default enterprise policy settings for Azure Security Center. • Security contact information
- During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure.
- Security Verification Tests. These tests automatically verify most built-in security controls for common Azure services such as App Services, Azure Storage, Azure SQL Database, Azure Key Vault, or Azure Virtual Machines. Security IntelliSense. This feature augments traditional IntelliSense with secure coding best practices and offers corrections, tips, and guidelines while a developer writes code. The secure coding rules covered vary from Azure platform as a service (PaaS) APIs to traditional web application security and cryptography best practices.
- Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner. Build/Release Tasks for CI/CD workflows allow us to check subscription and resource security during automated build/deployment flows. These workflows integrate security coverage within the Visual Studio Team Services (VSTS) CI/CD pipeline via VSTS build/release extensions for security verification tests and other security tools.
- In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc. Continuous assurance prevents security state drift, helps to stay current with Azure security feature improvements. It also encourages adherence to security best practices such as key rotation and separation of duties. The tools in this section include: • Azure Automation runbooks that identify and correct security configuration drift. • A set of PowerShell scripts to create the Automation account, apply the templates, and install and configure the Runbooks.
- Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates. The alerting and monitoring solution for the DevOps Kit uses Operations Management Suite (OMS) to offer a central dashboard where teams can view the security state and trends for their Azure subscriptions and applications, as reported by the different components of the kit. The OMS solution is created from an Azure Resource Manager template that builds all the necessary components needed for security state monitoring.
- Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others. The Secure DevOps Kit generates telemetry events from all stages that use automation, scripts, or extensions. The telemetry is routed to an Application Insights account where it’s processed through web jobs that integrate organization mapping information and then viewed on a Power BI dashboard. The telemetry supports a data-driven approach to agile development and DevOps by allowing us to make measured and accurate security improvement decisions in a continuous fashion.
- Fetch information about various AzSDK components Overview Subscription information Control information Attestation information Host information This command provides overall information about the AzSDK which includes subscription information (alert/policies/ASC/CA version etc.), security controls information (severity, description, rationale etc.), attestation information (statistics, attestation justification, expiry etc.), host information (AzSDK settings/configuration, AzureRM Context etc.). ‘Get-AzSDKInfo’ command can be used with ‘InfoType’ parameter to fetch information.
- Reduced development time and money. The Secure DevOps Kit puts security best practices and tools at our fingertips. It saves our developers the time and effort of researching, cataloging, and implementing Azure security practices manually, and it provides a set of consistent security practices for them to follow. • Higher awareness of security. Because the Secure DevOps Kit builds security automation and best practices into the development process, our engineers are aware of security requirements and capabilities from the beginning of a project. Security has become an integral piece of the development process, rather than something that’s scrutinized near the end of the development cycle and might require significant re-work of solution components. • Easier transition to DevOps. FMCS is in the midst of transitioning to DevOps, and the Secure DevOps Kit has simplified that transition. By incorporating security automation in our toolset, we know that security is built in to the entire life cycle. • Simple processes for checking existing solutions. We’ve used the manual Service Validation and Testing (SVT) processes several times with existing projects to confirm that Azure security configuration is correct. • Convenient assurance checks and problem resolution. The OMS dashboards in the Secure DevOps Kit enable us to view security assurance across our app portfolio and see where attention is needed. The alert package helps us ensure that Azure resources security configuration drift is kept in check.