The document discusses secure application development in the cloud. It covers six main topics: 1) why cloud security is important, 2) secrets management, 3) access control using Azure RBAC, 4) use of open-source libraries and scanning them for vulnerabilities, 5) scanning code for vulnerabilities, and 6) continuous vulnerability scanning of cloud infrastructure and applications. The key takeaways are that security breaches are inevitable in the cloud, and that secrets management, access control, vulnerability scanning, and compliance with security best practices are critical.
6. INCREASES IN CLOUD WORKLOADS PER REGION
INCREASES IN CLOUD WORKLOADS BY INDUSTRY
https://www.paloaltonetworks.com/resources/infographics/unit42-covid-19-amplifies-cloud-security-challenges
7. https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
47% of individuals fall for phishing scams while working at home.
Phishing attacks increased by 350%.
8. 79% of organizations experienced a security incident in their cloud in the last 1.5 years. Of these, 23% were caused by security misconfigurations in cloud infrastructure. Other significant contributors to cloud breaches included improper data sharing (15%), compromised accounts (15%), and vulnerability exploitation (14%).
https://www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-security/the-biggest-cloud-security-challenges-in-2022/
9. When 92% of organizations are currently hosting at least some of their IT environment in the cloud, that means most businesses today have experienced a breach.
https://www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-security/the-biggest-cloud-security-challenges-in-2022/
13. Secret Scanning Tools for Dev(Sec)Ops
Protecting your secrets, data and your clouds

gitLeaks
  Pros: Open source | Free to use | Cloning, audit and integration capability
  Cons: No UI | Limited integration options | Good for niche development projects

SpectralOps
  Pros: Intuitive UI | Easy to manage | Strong ML mechanism that reduces the false-positive rate
  Cons: Complex | Not easy to use for small projects | Built for large codebases with a high number of people

Git-Secrets
  Pros: Easy integration with CI/CD pipelines | Capable of forcing secrets not to appear in the commit (Secret Providers)
  Cons: Simple algorithms | Based on regular-expression-like formulas | Not maintained anymore | Not suitable for corporate environments

Whispers
  Pros: Works out of the box | Wide range of secret formats | Easy to extend to support new formats
  Cons: Focus on text files | Not able to do deep scans without integration with other solutions | Rules based on regex, ASCII and Base64

GitHub Secret scanning
  Pros: Easy to integrate in GitHub | UI and nice visualization for scanning, integration and configuration | Strong support for a high number of popular services
  Cons: Main target is string structures (keys, tokens) | Does not cover passwords, emails, URLs

Gittyleaks
  Pros: Simple to use and configure | Easy to integrate in small projects and introduce the secrets-scanning concept
  Cons: Fixed rules | Limited in the formats that can be detected | Not suitable for non-education purposes

Scan
  Pros: Open source | Good integration with Azure, GitHub, GitLab, TeamCity and so on | The most powerful free tool for DevSecOps
  Cons: Setup is complex | Limited user interface | Hard to process the results

Git-all-secrets
  Pros: Integration hub | Does not rely on a single algorithm only
  Cons: Default configuration is basic | Looks more like an MVP than a production-ready solution

Detect-secrets
  Pros: High number of plugins (including Azure, AWS)
  Cons: Pre-commit hook is basic and does not cover all base secrets | Output split across multiple lines

https://spectralops.io/blog/top-9-git-secret-scanning-tools/
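The table contrasts three detection approaches: structure rules for known token formats, regex/ASCII/Base64 rules with an entropy heuristic, and false-positive reduction. The following minimal scanner, written for this page as an added example and not taken from any of the tools listed, runs all three over constructed sample lines; the AWS access-key prefix is the public format, every value is made up, and the threshold and placeholder list are assumptions.

```python
import math
import re

# Constructed sample lines standing in for a source file under review (no real credentials).
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAEXAMPLEEXAMPLE12"',        # public AWS key-id structure, made-up value
    'db_password = "Tr0ub4dor&3-constructed"',           # generic credential assignment
    'SESSION_SEED = "c2VjcmV0LXRva2VuLWV4YW1wbGUtNDIK"', # high-entropy base64 blob, no keyword
    'logger.info("starting scan")',                      # ordinary code, no finding expected
    'api_key = "${API_KEY}"',                            # templated placeholder, allowlisted
    'DEFAULT_PASSWORD = "changeme"',                     # keyword match, but a known placeholder
]

# Structure rules ("string structures (keys, tokens)"); the last capture group holds the value.
STRUCTURE_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-credential",
     re.compile(r"(?i)(password|passwd|secret|api_key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]

# Entropy rule (regex/ASCII/Base64 style): a quoted base64- or hex-looking run that is unusually random.
ENTROPY_CANDIDATE = re.compile(r"['\"]([A-Za-z0-9+/=_-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; identifiers and English words sit well below (assumed)

# Allowlist of placeholder shapes: the false positives a plain regex tool would report (assumed list).
PLACEHOLDER = re.compile(r"^\$\{[A-Z_]+\}$|^<[^>]+>$|^(changeme|example|xxx+|todo)$", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(lines):
    """Return (line_no, rule, value) findings, at most one per line, placeholders suppressed."""
    findings = []
    for no, line in enumerate(lines, 1):
        hit = None
        for name, rx in STRUCTURE_RULES:
            m = rx.search(line)
            if m:
                hit = (name, m.group(m.lastindex or 0))
                break
        if hit is None:  # fall back to the entropy heuristic for unlabelled blobs
            m = ENTROPY_CANDIDATE.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                hit = ("high-entropy-string", m.group(1))
        if hit and not PLACEHOLDER.match(hit[1]):
            findings.append((no, hit[0], hit[1]))
    return findings
```

On the sample input, `scan(SAMPLE_LINES)` reports lines 1 to 3 only: the two placeholder lines are matched by the generic rule but dropped by the allowlist, which is the false-positive trade-off the table raises for regex-based tools.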
33. Key Takeaways
With Cloud Computing, a security breach is no longer a question of If but rather When and How.
AZURE ROLE-BASED ACCESS CONTROL
Helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
AZURE POLICIES
Help to enforce organizational standards and to assess compliance at scale. Evaluate resources in Azure by comparing the properties of those resources to business rules.
SECRETS MANAGEMENT
Store, scan and secure your configuration and secrets at all levels using Microsoft and third-party solutions.
BEST PRACTICES
Follow the Microsoft Azure Well-Architected Framework and Cloud Adoption Framework. Use tools like Microsoft Defender for Cloud to ensure compliance and best practices are followed.
Education and upskilling, but we are human, we can make mistakes.
Team
Tools
Procedures
Automation
http://striveteach.com/2019/11/05/devsecops/