While Agile development and DevOps practices have reduced the lead time to deliver new applications to the market and increased business value, these practices have also increased the level of exposure for businesses, as they often neglect the security considerations that were associated with traditional development practices. The SecDevOps philosophy aims to address the risks and vulnerabilities introduced by DevOps by baking security principles and practices into your DevOps pipeline early, pushing security responsibilities closer to the development team to deliver secure software.
At SMEx Digital we apply the DevSecOp philosophy to our agile development practices to ensure that we deliver secure software as fast as practically possible, and we have helped many of our Clients to deliver secure applications on Azure. One tool that we have found particularly useful is the Secure DevOps Kit for Azure (AzSK – https://github.com/azsk/DevOpsKit-docs), used and maintained by the Core Services Engineering (CSE) Team at Microsoft.
AzSK is a PowerShell based collection of scripts, tools, extensions, automations, etc. for end-to-end Azure subscription and resource security management. AzSK has several components that can be used individually or collectively, run standalone or integrated into your development pipeline for continuous compliance. There are many ways AzSK can be implemented depending on your use case, but to give you an idea of how you can use AzSK in your DevSecOp toolchain I’ll share the most common way we have implemented it for our Clients, to provide increased visibility of their Cloud Security Compliance for Azure Subscriptions.
Components for Cloud Security Compliance – Azure
- AzSK – Continuous Assurance: continuously monitoring the state of system security against a baseline to detect drift. AzSK Continuous Assurance uses Azure Automation to run scheduled scans
- AzSK – Alerting & Monitoring: single view of cloud security across subscriptions and resources with pre-defined queries. AzSK Alerting & Monitoring leverages Azure Log Analytics and Kusto for custom queries
- Power BI Desktop: Power BI based dashboard that provides visibility into security compliance for all the subscriptions across your org, to help you drive compliance/risk governance initiatives for your organisation
Two components of AzSK worth mentioning are the Security Verification Tests (SVTs) VSTS extension that allows you to add SVTs to your release pipeline and the Security IntelliSense (Dev-SecIntel) Visual Studio extension that allows you to get ‘inline’ assistance for fixing potential security issues while writing code. The Security IntelliSense extension has about 80 rules (that are auto-updated) covering secure coding rules for Azure APIs, common crypto errors and classic App and Web App security issues.
AzSK also supports custom Org Policies so that you can customise the behaviour of security scans based on the security principles and practices within your Organisation, such as:
- Which set of controls to evaluate?
- What control set to use as a baseline?
- What settings/values to use for individual controls?
- What messages to display for recommendations?
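As an added illustration (my own, not code from this post or from the AzSK project), this is what wiring together the components above and a custom Org Policy looks like in PowerShell. The subscription, workspace, key and folder values are placeholders, and the workspace parameter names are an assumption that depends on the AzSK release you install.

```powershell
# Added example: stand-up of the AzSK pieces described in the post.
# Assumes the AzSK module is installed (Install-Module AzSK) and an Azure login
# session exists. All IDs below are placeholders to replace with your own values.

$subId     = "<SUBSCRIPTION-ID>"             # placeholder
$workspace = "<LOG-ANALYTICS-WORKSPACE-ID>"  # placeholder, feeds Alerting & Monitoring
$sharedKey = "<LOG-ANALYTICS-SHARED-KEY>"    # placeholder; keep it out of source control

# 1. One-off scan of subscription-level controls, limited to the baseline control set
#    (-UseBaselineControls), to see current drift before automating anything.
Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subId -UseBaselineControls

# 2. Scan the resources in one resource group. -GenerateFixScript writes remediation
#    scripts for controls that support them, for review before anyone runs them.
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subId `
    -ResourceGroupNames "rg-web-prod" `
    -GenerateFixScript

# 3. Continuous Assurance: an Azure Automation account that re-runs the scans on a
#    schedule and ships results to the Log Analytics workspace the dashboards read.
#    Assumption: the workspace parameters are the older OMS* names; newer releases
#    renamed them (check Get-Help Install-AzSKContinuousAssurance).
Install-AzSKContinuousAssurance -SubscriptionId $subId `
    -AutomationAccountLocation "australiaeast" `
    -ResourceGroupNames "*" `
    -OMSWorkspaceId $workspace `
    -OMSSharedKey $sharedKey

# 4. Custom Org Policy: host your organisation's own control settings (which controls,
#    which baseline, control values, recommendation text) from a folder you maintain,
#    so every scan above evaluates against your policy rather than the defaults.
Install-AzSKOrganizationPolicy -SubscriptionId $subId `
    -OrgName "<ORG-NAME>" `
    -DepartmentName "<DEPARTMENT>" `
    -PolicyFolderPath "C:\AzSK-Policy"   # placeholder folder holding the policy JSON files
```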
If you’re looking to enhance your SecDevOps toolchain then I would definitely recommend looking at AzSK; it offers a number of components and features that would complement any existing tools, or help kick-start your SecDevOps journey if you’re still at the starting blocks.
Keith Jenneke | SMEx Digital CEO