This session aims to identify the tools that help us build secure applications and environments for Azure during the development journey. The focus is on the developers and the tools we can use to ensure that our code is secure and aligned with all the available best practices and recommendations. It’s a hands-on session, limited to 10 slides and a lot of demos.
3. COVID-19 SECURITY IMPACT
https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
4. COVID-19 SECURITY IMPACT
250% increase of cyber-attacks in EU
5. 273% increase of large-scale breaches in 2020
6. COVID-19 SECURITY IMPACT
47% of individuals fall for phishing scams while working at home
7. COVID-19 SECURITY IMPACT
Phishing attacks increased by 350%
8. INCREASES IN CLOUD WORKLOADS PER REGION
INCREASES IN CLOUD WORKLOADS BY INDUSTRY
https://www.paloaltonetworks.com/resources/infographics/unit42-covid-19-amplifies-cloud-security-challenges
9. COVID-19 SECURITY IMPACT
February to May 2020, more than 500,000 people globally were affected by breaches where personal data of video conferencing users was stolen and sold on the dark web.
19. The total number of secrets used by a single owner
https://spectralops.io/
20. Secret Scanning Tools for Dev(Sec)Ops
Protecting your secrets, data and your clouds
gitLeaks: gitLeaks is an open-source static analysis command-line tool released under the MIT license. It is used to detect hard-coded secrets like passwords, API keys, and tokens in local and GitHub repositories (private and public).
SpectralOps: Spectral offers one of the most comprehensive secret scanning solutions, integrating into every facet of the build process.
Git-Secrets: Git-Secrets is an open-source command-line tool used to scan developer commits and "--no-ff" merges to prevent secrets from accidentally entering Git repositories.
Whispers: Whispers is an open-source static code analysis tool designed to search for hardcoded credentials and dangerous functions.
GitHub Secret scanning: GitHub makes available its own integrated secret scanning solution, capable of detecting popular API key and token structures.
Gittyleaks: Gittyleaks is a straightforward Git secrets scanner command-line tool capable of scanning and cloning repositories.
Scan: Scan is a comprehensive open-source security audit tool.
Git-all-secrets: Git-all-secrets is an open-source secret scanner aggregation project. This tool currently relies on two open-source secret scanning projects: truffleHog and repo-supervisor.
Detect-secrets: Detect-secrets is an actively maintained open-source project designed with the enterprise client in mind.
https://spectralops.io/blog/top-9-git-secret-scanning-tools/
21. Secret Scanning Tools for Dev(Sec)Ops
Protecting your secrets, data and your clouds
gitLeaks
  Pros: Open source | Free of use | Cloning, audit and integration capability
  Cons: No UI | Limited integration options | Good for niche development projects
SpectralOps
  Pros: Intuitive UI | Easy to manage | Strong ML mechanism that reduces the false positive rate
  Cons: Complex | Not easy to use for small projects | Built to be used with large codebases and a high number of people
Git-Secrets
  Pros: Easy integration with CI/CD pipelines | Capable of forcing secrets not to appear in commits (secret providers)
  Cons: Simple algorithms | Based on regular-expression-like formulas | Not maintained anymore | Not suitable for corporate environments
Whispers
  Pros: Works out of the box | Wide range of secret formats | Easy to extend to support new formats
  Cons: Focus on text files | Not able to do deep scans without integration with other solutions | Rules based on regex, ASCII and Base64
GitHub Secret scanning
  Pros: Easy to integrate in GitHub | UI and nice visualization for scanning, integration and configuration | Strong support for a high number of popular services
  Cons: Main target is string structures (keys, tokens) | Does not cover passwords, emails, URLs
Gittyleaks
  Pros: Simple to use and configure | Easy to integrate in small projects and add the secret scanning concept
  Cons: Fixed rules | Limited in the formats that can be detected | Not suitable for non-education purposes
Scan
  Pros: Open source | Good integration with Azure, GitHub, GitLab, TeamCity and so on | The most powerful free tool for DSO
  Cons: Setup is complex | Limited user interface | Hard to process the results
Git-all-secrets
  Pros: Integration hub | Does not rely only on a single algorithm
  Cons: Default configuration is basic | Looks more like an MVP than a production-ready solution
Detect-secrets
  Pros: High number of plugins (including Azure, AWS)
  Cons: Pre-commit hook is basic and does not cover all base secrets | Output split across multiple lines
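The tool comparison above keeps contrasting two detection styles: fixed "formula" regexes for known token shapes (Git-Secrets, GitHub secret scanning) and rules over long hex/Base64 strings (Whispers). The following scanner is an added example that is not code from any of the listed tools; it combines both styles, dedupes across them, treats environment-variable and template references as placeholders rather than secrets, and exits non-zero the way a pre-commit hook would. The rule names, the entropy thresholds and the sample config file are this example's own assumptions; the `AKIA` and `ghp_` prefixes are the documented AWS access key ID and GitHub personal access token shapes.

```python
"""Minimal regex + entropy secret scanner (added example, not a listed tool)."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    value: str

    def redacted(self) -> str:
        # Never echo the whole secret back into CI logs.
        return self.value[:4] + "..." if len(self.value) > 4 else "****"


# Structural rules: known token shapes. Group 1 captures the sensitive value.
# AKIA... and ghp_... are the documented AWS access key ID and GitHub personal
# access token prefixes; "password_assignment" is a generic rule of our own.
STRUCTURED_RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*[\"']?([^\"'\s]+)"
    ),
}

# Entropy rules: flag long random-looking strings no structural rule knows.
# Thresholds (3.0 bits for hex, 4.5 for Base64) are a common tuning choice,
# not a standard; raise them to trade recall for fewer false positives.
ENTROPY_RULES = {
    "high_entropy_hex": (re.compile(r"[0-9a-fA-F]{20,}"), 3.0),
    "high_entropy_base64": (re.compile(r"[A-Za-z0-9+/=_-]{20,}"), 4.5),
}

# Values that reference a secret rather than contain one (env vars, templates).
PLACEHOLDER_PREFIXES = ("${", "{{", "<")


def shannon_entropy(s: str) -> float:
    """Bits per character; equals log2(k) for k equally frequent distinct chars."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    return value.startswith(PLACEHOLDER_PREFIXES)


def scan_text(text: str) -> list:
    """Return findings in line order; structural hits before entropy hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = []  # values already reported on this line, to avoid duplicates
        for rule, pattern in STRUCTURED_RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if is_placeholder(value):
                    continue
                findings.append(Finding(line_no, rule, value))
                seen.append(value)
        for rule, (pattern, threshold) in ENTROPY_RULES.items():
            for m in pattern.finditer(line):
                token = m.group(0)
                if any(token in v or v in token for v in seen):
                    continue
                if shannon_entropy(token) >= threshold:
                    findings.append(Finding(line_no, rule, token))
                    seen.append(token)
    return findings


# Constructed sample config (not real credentials; AKIAIOSFODNN7EXAMPLE is the
# placeholder key used in AWS documentation).
SAMPLE = """\
# constructed sample config file
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
github_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
db_password = "hunter2"
admin_password = "${ADMIN_PASSWORD}"
api_token = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
signing_key = "AbCdEfGhIjKlMnOpQrStUvWxYz012345"
greeting = "hello world"
release = "v1.2.3"
"""


def main(paths) -> int:
    """Pre-commit style entry point: non-zero exit when anything is found."""
    if paths:
        text = "".join(open(p, encoding="utf-8", errors="replace").read() for p in paths)
    else:
        text = SAMPLE
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.redacted()}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to scan the embedded sample, or pass file paths (for example the files staged in a pre-commit hook). On the sample it reports the AWS key, the GitHub token, the literal password, the 64-character hex token and the 32-character Base64-looking key, and stays silent on the `${ADMIN_PASSWORD}` reference, the greeting and the version string. The deduplication step matters: without it the `ghp_` token would be reported twice, once by the structural rule and once by the Base64 entropy rule, which is exactly the noisy output the table criticizes in some of the tools.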
Editor's Notes
<Key point>: Cloud Adoption Framework—modular phases of adoption.
As your organization evolves, the Cloud Adoption Framework adapts to your business needs.
Each module in the diagram is an iterative phase that advances your business through the complete lifecycle of cloud adoption.
Customers can choose the phase best suited to their degree of cloud adoption maturity. The Cloud Adoption Framework offers a guiding methodology for cloud adoption, with specific approaches to overcoming common blockers to cloud adoption in each module, such as “Define Strategy,” “Plan,” etc.
The Cloud Adoption Framework offers the enterprise a modular framework of how to incrementally onboard to the cloud.
Cloud adoption shifts how companies obtain, make use of, and lock down their technology resources.
And—this kind of modular framework flips the model of how enterprises operate:
Transitions organizations to need-based consumption of technology resources
Change from cap-ex (capital expenditure) to op-ex (operating expenditure) model
Cloud model assumes security, governance, cost-optimization, and hybrid cloud by default
Develop a future-ready workforce—developing and deploying cloud skill readiness organization-wide
As an organization progresses through the Cloud Adoption Framework, what are the main goals of each methodology, such as “Define Strategy” and “Plan,” that you can focus efforts on?
<Transition>: Now that we have taken a look at the phases and the modular approach, let's look at some common business blockers that the Cloud Adoption Framework can help you resolve.