DevOps is all about delivering new features as fast as possible. But what if this means that you're also shipping security issues faster than ever? Security practices must speed up to keep pace with DevOps. This session shows you how you can increase your deployment frequency while still making sure that you ship secure applications. You'll learn best practices and principles for securing your application in a cloud world. You’ll also learn about tooling such as Whitesource and Azure Security Center. In the end, you’ll have a good idea of how to integrate security checks into DevOps and deliver more secure applications.

1. Wouter de Kort
Securing applications with DevOps

2. Speaker
Principal
Consultant
Microsoft
MVP
EliseAuthor
Blogger
Architect
ALM
Ranger
#Technology
Leaders
Trainer

3. How real is the threat?
Our team is good, right?
I don’t think that’s possible.
We’ve never been breached.
Endless debates about value
Let’s talk about how we change the conversation…
The Security Conversation

4. “FUNDAMENTALLY, IF SOMEBODY WANTS TO GET IN,
THEY'RE GETTING IN…ACCEPT THAT.
WHAT WE TELL CLIENTS IS:
NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU
THOUGHT YOU WERE OR NOT. NUMBER TWO,
YOU ALMOST CERTAINLY ARE PENETRATED. ”
Michael Hayden
Former Director of NSA & CIA

5. The Mindset Shift
Assume Breach
War game exercises
Central security monitors
Live site penetration test
Prevent Breach
Threat model
Code review
Security development
lifecycle (SDL)
Security testing

6. Cloud Mindset
Server Services
Domain Subscription
Domain Admin Subscription Admin
Private IPs Public IPs
RDP / SSH Management APIs

8. What is Red vs. Blue?
Blue
Team
Exercises ability to
detect & respond
Enhances situational
awareness
Measures readiness
& impact
Red
Team
Model
real-world attacks
Identify gaps
in security story
Demonstrable
impact

9. Show
Don’t tell
Prove it!

10. Every time someone viewed the dashboard…

11. Sample Guidelines
Code of Conduct
Both the Blue Team and the Red Team will do no harm.
The Red Team should not compromise more than needed to capture target assets.
Common sense rules apply to physical attacks (no printing badges, harassing people, etc.)
Do not disclose the name of the person who was compromised in a social engineering attack.
Rules of Engagement
Do not impact availability of any system.
Do not access external customer data.
Do not significantly weaken in-place security protections on any service.
Do not intentionally perform destructive actions against any resources.
Safeguard credentials, vulnerabilities and other critical information obtained.
Deliverables
Backlog of repair items (security item SLA)
Report “read out” with entire organization as a learning opportunity.

12. “Defenders think in lists. Attackers
think in graphs. As long as this is
true, attackers win”
John Lambert (MSTIC)

14. One pipeline to rule them all
https://azure.com/devops

15. Feature
Flags
Process
Monitor and improve
Code Repository TestingBuild + Deploy
End to End
User Feedback

16. Everything as Code
"resources": [
{
"apiVersion": "2016-01-01",
"type":
"Microsoft.Storage/storageAccounts",
"name": "mystorageaccount",
"location": "westus",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {
}
}
]

18. No secrets in code: Azure Key Vault
ServiceInstance
Run-time vaults
Deployment-specific
vault
Service-wide vault
Global vault
Deploy-time vaults
Deployment-specific
vault
Service-wide vault
Global vault

19. Managed Identies
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
// ...
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await
azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");

20. Networking
Virtual Networks
Avoid Public IPs
Azure Front Door with Web Application Firewall

22. Azure Security Center

23. Azure Policy

24. Azure Sentinel

26. Don’t take your on-premises
security to the cloud

28. Get in touch!
@wouterdekort
wouter@wouterdekort.com
https://wouterdekort.com