Are you currently experiencing an attack?

Are you currently experiencing an attack?

DevSecOps and Azure: A Deep Dive

DevSecOps is a rapidly growing trend in software development lifecycles. Previously we’ve published several articles on the topic, from the basics of DevSecOps to using DevSecOps on Microsoft Azure. DevSecOps is asserting itself as a best practice for securely developing and deploying on Azure infrastructure.

Implementing DevSecOps in your organization is a journey, not a series of steps. Even though there are some concrete tasks that you can do today to begin this journey, it will look different in every organization. But a proper implementation will enhance your security posture while increasing your productivity.

In this article, we’ll explore some additional objectives of DevSecOps and how you can help your organization in its implementation. We’ll discuss defining your security requirements and what tooling and automation might help, as well as get an overview of security policy as code.

Metrics and Reporting

Before you can get started with DevSecOps, you first need to define what security means to your organization. Do you have mandatory compliance or reporting requirements? Which regulations do you need to observe, and how do you report on them? These are only a few examples of questions you need to address for an overall security strategy.

To ensure a comprehensive strategy, you must also determine which metrics you need to track. For example, compliance means something different to every organization. Do you need to track metrics for PCI? HIPAA? GLBA? All of these can be integrated into your CI/CD (continuous integration / continuous delivery) pipelines.

Utilizing Azure Monitor Metrics and Logs will assist you with this goal. Azure Monitor is a data aggregator across Azure which specializes in analysis, visualization, and alerting. Two sub-products are built into Azure Monitor that help you harness the data for real outcomes. These are Azure Monitor Metrics and Azure Logs.

Azure Monitor Metrics

Metrics is the half of the Azure Monitor solution that is lighter weight and more suited to alerting. With its Metrics feature, called Metrics Explorer, you can create interactive reports on the overall health of your infrastructure, which can be accessed through the Azure Portal or the REST API.

These reports will help visualize how data flows across your cloud landscape. With a proper implementation, you can get a very granular view of your resource health, and Azure can create maps of what resources are talking to each other and what that traffic looks like. The visualization resources available with Azure Monitor Metrics give a more tangible understanding of your environment even though it is all in the cloud.

Another key benefit of using Azure Monitor Metrics across your environment is the artificial intelligence driving the dynamic thresholds for alerting. Azure can find what’s normal across your infrastructure and increase the quality of your alerts by only warning you when resource utilization is abnormal.

Azure Monitor Logs

The other half of Azure Monitor is Azure Monitor Logs. “Logs” is the more robust of the two Azure Monitor services, giving you a deeper dive into how resources are being called and employed in your cloud infrastructure.

You can run Azure Monitor Logs data in several directions to learn about and analyze your cloud environment. By piping the data through Azure Log Analytics, you can write queries and explore your log data. This is especially useful for root cause analysis or resolving errors, since Azure can give you data down to the stack trace in order to perform your troubleshooting.

Another option is to throw the data through Azure Event Grid or even Event Hub if you have a large number of diverse resources. You can build workflows from the data in Azure Events to make your environment self-scaling, self-healing, or self-replicating based on your needs.

Tooling and Automation

The most important thing you can do when creating your DevSecOps pipeline is to communicate with your development teams and your operations teams. They will be the ones to answer the next question: “Where is your pipeline and what does it do?”

The goal of DevSecOps is not to plant security in between development and operations; it’s to help enable and empower those teams. Understanding how you can seamlessly insert yourself into already existing pipelines using the right tools will help your developers see the benefit of DevSecOps.

How can you empower them? Just follow these three simple steps.

Step One: Integrate Your Tools into Azure DevOps Pipelines

Azure DevOps Pipelines are great because they allow you to incorporate multiple tools, scripts, and artifacts into one flow. Various teams can create their own steps in the pipeline to ensure timely and accurate delivery of all services.

This is especially true for security teams. In a traditional sense, security is always seen as an inhibitor or a blocker. By utilizing the pipeline to run your scans, perform your assessments, and report on your metrics, you can avoid this perception. In fact, you can make security add real business value inside of the pipeline during delivery and deployment.

Two tools that you can use to add value to your pipelines are Azure Security Center and Azure Policies. When deploying to the cloud, even in your development or test environments, you can ensure that you’re maintaining a mature security posture. Utilizing the APIs of these two services will allow you to scan your environment in minutes during the deployment and prevent vulnerabilities from migrating further downstream.

Step Two: Make Sure Tools Don’t Require Security Expertise

Your developers and DevOps teams will know how to use a pipeline, but they may not know exactly what they’re doing when it comes to your security tooling. This is where you can assist them.

By integrating your security tools into Azure DevOps Pipelines, you’ve already taken the first step to getting your developers on your team. Now, you need to ensure that you don’t need security-specific training in order to operate the tools.

Using an API, script, or event broker, you can kick off your scans and run your reports without any user interaction. Developers are familiar with these technologies, and by encouraging their use, you can multiply your productivity while still getting security done right.

Step Three: Tweak Your Tools to Avoid False Positives

When security is integrated into the pipeline, you can delay or stop deployments if certain conditions aren’t met, or if the deployment wouldn’t be secure. But the last thing that absolutely must be avoided is a high rate of false positives when it comes to reporting issues.

You can control deployments in Azure DevOps by using gates in Pipelines. These gates will allow you to pause a deployment until errors are resolved. Be careful with the organizational policies you put around your gates, because there’s nothing that will get your step removed from a pipeline like causing unnecessary work.

For example, if you incorporate encryption into your application running in Azure, a security scanning service that’s set too aggressively might consider that to be Ransomware and attempt to block that portion of the application from working. Scanning your code and your applications is highly important, but you need to be fully aware of what the application is trying to accomplish so that security doesn’t interfere with development.

That being said, you will want to integrate security at the forefront. When creating your pipeline, have your security tooling be the gate between a successful deployment to your “Development” environment and your “Staging/QA” environment. When you resolve security errors early, you avoid rework later on down the pipeline.

By tweaking your security scans to be the most accurate they can be, you can avoid false positives. False positives in security equate to hours lost, releases delayed, and objectives stalled. DevSecOps should enhance the security of a system and only delay a deployment when that deployment would compromise the integrity of the system.

Security Policy as Code

When integrating DevSecOps into your Azure DevOps Pipeline, there’s a difference between an audit and remediation. An audit warns you when something is non-compliant, whereas a remediation forces something into compliance within the pipeline. All of this can be done as code and applied similarly to a desired state configuration script.

It’s up to you to determine whether to audit or enforce the policies you’ve created. Would you prefer that a policy sends your operations teams an email so that security can be remediated, or would you like the remediation to be automated?

There are certain policies that should always be enforced on your resources. Your developers should know the approved images and containers that you want your software to be built on, but they may not always use those. Containers from an untrusted repository could be brought into your network. Your developers should also know the network policies and configurations that need to be applied, but they may attempt to circumvent these to make the development tasks simpler. For example, they might try to allow certain protocols for ingress and egress that haven’t been approved by security.

There’s no reason that these policies should not be enforced in your development, staging, and production environments. In fact, incorporating infrastructure validation into your pipeline should be quite easy. You can use Pester with PowerShell to validate your infrastructure and set up gating between your deployment steps in Azure DevOps specifically for this purpose. Just ask your developers, and they can help write the validation.

Summary

DevSecOps is an exciting new evolution of DevOps. It’s especially beneficial for groups that have properly implemented DevOps and are now looking to go one step further.

By integrating your Azure DevOps pipelines with native security tools, you’ll enhance the value of security in your organization. At the same time, you’ll be providing developers a way to secure their code and work hand in hand with security.

Of course, securely using Microsoft Azure requires more than DevSecOps. Reblaze provides robust cloud-based web security and runs natively on Azure, including a next-generation WAF, DDoS protection, advanced bot management, and more. For a demo, feel free to contact us.

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.