Kazushi Kamegawa, profile picture
Uploaded byKazushi Kamegawa
PDF, PPTX289 views

DevOps and compliance and security

This document discusses using DevOps and security/compliance features in Azure to ensure automated deployments follow rules and policies. It recommends using Azure Pipelines and Azure Policy to check for policy compliance during deployment and deny deployment if policies are not met. It also suggests using extensions to scan for vulnerabilities and license issues, and tracking deployments in the audit log or exporting it to other services like Logic Apps for record keeping.

Embed presentation

Download as PDF, PPTX
DevOps and Compliance and Security KAMEGAWA Kazushi(kkamegawa)
Who am I? personal: name: KAMEGAWA Kazushi(Last-First) alias: kkamegawa community: MVP: Microsoft MVP for Developer Technologies(2009-) Users Group: Team Foundation Server Users Group URL: https://dev.azure.com/tfsug/tfsuginfo Blog: URL: https://kkamegawa.hatenablog.jp devblog radio: https://devblog.connpass.com/
This contents based on 2021/4/21
Plan Build Deploy Measure Feedback
Deploy 5W1H When Who Where How What Why
Deploy by human
Azure Web Apps’s CI/CD | Microsoft Docs Basic CI/CD for Azure Web Apps
Automated deploy is cool, but? We MUST use Japan Region. I didn’t know when deployed.
Security and Compliance feature in Azure
Compliance and Security for CI/CD DO NOT deploy illegal environment. Tracking when it is deployed. Make them follow the rules of the deployment procedure. Perform a vulnerability check.
Collaborate Azure Pipelines and Azure Policy 1. Policy checking when deploying artifacts. 2. Deploy if the policy is satisfied. 3. Deny if the policy is not satisfied.
Define Azure Policy(sample) Azure Policy | Microsoft Docs Define Azure Policy with Resource group or Subscription Evaluate the policy over a period. It seems like not evaluate immediately the policy at Pipelines.
Evaluation deploy with Azure Policy. Policy is satisfied (Deploy go) Policy is not satisfied (can’t deploy)
Azure Pipelines and Azure Policy Azure Policy Task only supports Classic Release. But Pipeline supports, Build definition is YAML, Release is Classic.
It looks like useful for that Image
Azure Pipelines and Container registry mcr.microsoft.com malware.example.com ghcr.io/xxxxx Artifact policy checks | Microsoft Docs Don't use Environments to deploy anything other than images from specific allowed container registries. Queries are written in a language called Rego. There is a template that you can use at first.
Arrow list in Environments.
Define in Azure Pipelines Unknown Container Image Environment Deploy failed when use container image other side mcr.microsoft.com
Creating a pipeline by yourself will cause problems. Service connection Limit the pipelines that can be referenced. Prepare a YAML template that defines the environment for deployment, manage it separately from the build, and separate it from those who can deploy it. Pull Request driven
Let’s copy this OSS‘s a part of source code!
OSS source code scan in Azure Pipelines If you specify an extension in a YAML template and build it, you will see a report in the result. It is up to the service to send the source to another service or not. Also check for software license
Extension for security scan Let’s install extension for WhiteSource Bolt https://marketplace.visualstudio.com/items?itemName=whitesource .ws-bolt There are a variety of other paid and free extensions available as well. https://marketplace.visualstudio.com/search?term=security&target =AzureDevOps&category=All%20categories&sortBy=Relevance If you want to use it all the time, specify Template as environment.
Specify a template in Environments
I'm having trouble keeping track of deployment s.
Track release events in the audit log 90 days for storage in Azure DevOps It must be exported periodically.  Event Grid  Splunk  Azure Monitor  REST API Create audit streaming | Microsoft Docs
Stream Audit log or Export with Logic Apps. Logic AppsでAzure DevOpsの監査ログをCosmos DBへ保存する
Summary Automation is great, but keep records so you don't end up wondering when you did it! It's silly for a human to do it, so let's have a machine do it (also tamper- proof). To be able to think, "If I make a mistake,
Appendix and Reference Security through templates https://docs.microsoft.com/en- us/azure/devops/pipelines/security/templates?WT.mc_id=DOP-MVP- 4039781?view=azure-devops Other security considerations https://docs.microsoft.com/en- us/azure/devops/pipelines/security/misc?WT.mc_id=DOP-MVP- 4039781?view=azure-devops Create and target an environment https://docs.microsoft.com/en- us/azure/devops/pipelines/process/environments?WT.mc_id=DOP-MVP- 4039781?view=azure-devops

More Related Content

PPTX
Implementation of SAST for Android Application
bysanjeevakumar methre
 
PDF
アプリケーションエンジニアへのいちおし Azure Update at Microsoft Ignite 2020
byIssei Hiraoka
 
PPTX
DevSecOps
byCheah Eng Soon
 
PPTX
DevOps - Isso existe mesmo?
byAndré Dias
 
PPTX
DevOps : Criando uma prática eficiente de desenvolvimento, implementaçao e op...
byDanilo Bordini
 
PPTX
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
byBryan Len
 
PDF
Automating Security Compliance on AWS with DevSecOps
byTushar Gupta
 
PDF
Dev secops. Real experience.
byVitaly Balashov
 
Implementation of SAST for Android Application
bysanjeevakumar methre
 
アプリケーションエンジニアへのいちおし Azure Update at Microsoft Ignite 2020
byIssei Hiraoka
 
DevSecOps
byCheah Eng Soon
 
DevOps - Isso existe mesmo?
byAndré Dias
 
DevOps : Criando uma prática eficiente de desenvolvimento, implementaçao e op...
byDanilo Bordini
 
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
byBryan Len
 
Automating Security Compliance on AWS with DevSecOps
byTushar Gupta
 
Dev secops. Real experience.
byVitaly Balashov
 

What's hot

PDF
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
byAgile Testing Alliance
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
Supercharge Your Spring Boot Apps!
byVMware Tanzu
 
PPTX
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
PPTX
Microsoft Graph Toolkitを使ってGraph開発を体験しよう
byDevTakas
 
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 
PDF
SPS
byNaveen Kumar Singh
 
PDF
A sustainable DevOps Transformation
byDevOps Indonesia
 
PDF
PSE
byNaveen Kumar Singh
 
PPTX
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
byMoshiul Islam, CISSP, CISA, CFE
 
PPTX
Agile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar Venugopalan
byIndia Scrum Enthusiasts Community
 
PDF
Painless DevSecOps: Building Security Into Your DevOps Pipeline
byTasktop
 
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
PPTX
Demystifying versioning in spfx solutions
byJasjit Chopra
 
PPTX
Testing in production with feature flags
byVSTS Community MSFT
 
PPTX
Global Azure Bootcamp (Singapore) - Effectively using Azure DevOps in Microso...
byRene Modery
 
PPTX
All Around Azure: DevOps with GitHub - Managing the Flow of Work
byDavide Benvegnù
 
PDF
PSD I
byKaushik Saha, Sr. Business Analyst, CSM, CSP, APO, ICP
 
PPTX
Agile Tour Chennai 2015: Nexus - SRV Subrahmaniam
byIndia Scrum Enthusiasts Community
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
byAgile Testing Alliance
 
DevSecOps reference architectures 2018
bySonatype
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Supercharge Your Spring Boot Apps!
byVMware Tanzu
 
DevOps Friendly Doc Publishing for APIs & Microservices
bySonatype
 
Microsoft Graph Toolkitを使ってGraph開発を体験しよう
byDevTakas
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 
SPS
byNaveen Kumar Singh
 
A sustainable DevOps Transformation
byDevOps Indonesia
 
PSE
byNaveen Kumar Singh
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
byMoshiul Islam, CISSP, CISA, CFE
 
Agile Tour Pune 2015: Dev-ops- niche or mainstream: Bhaskar Venugopalan
byIndia Scrum Enthusiasts Community
 
Painless DevSecOps: Building Security Into Your DevOps Pipeline
byTasktop
 
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
Demystifying versioning in spfx solutions
byJasjit Chopra
 
Testing in production with feature flags
byVSTS Community MSFT
 
Global Azure Bootcamp (Singapore) - Effectively using Azure DevOps in Microso...
byRene Modery
 
All Around Azure: DevOps with GitHub - Managing the Flow of Work
byDavide Benvegnù
 
PSD I
byKaushik Saha, Sr. Business Analyst, CSM, CSP, APO, ICP
 
Agile Tour Chennai 2015: Nexus - SRV Subrahmaniam
byIndia Scrum Enthusiasts Community
 

Similar to DevOps and compliance and security

PDF
Zure Azure PaaS Zero to Hero - DevOps training day
byOkko Oulasvirta
 
PPTX
Azure DevOps Deployment Group
byRiwut Libinuko
 
PPTX
Azure DevOps in Action
byCallon Campbell
 
PPTX
565847651-Az-400t00a-Enu-Powerpoint-05.pptx
byCharlstonMVita
 
PPTX
Tour of Azure DevOps
byCallon Campbell
 
PDF
Continuous Integration and Continuous Delivery on Azure
byCitiusTech
 
PDF
Azure DevOps Interview Questions PDF By ScholarHat
byScholarhat
 
PDF
Secure Your Code Implement DevSecOps in Azure
bykloia
 
PPTX
Leveraging Azure DevOps across the Enterprise
byAndrew Kelleher
 
PPTX
1 - Introduction of Azure DevOps
byBhaumik Patel
 
PDF
Cloud Governance & DevOps: Must-have Tools on Your Journey to Azure Cloud
byPredica Group
 
PPTX
Azure-DevOps-Training presentation downloadable
byNamanGoyal428595
 
PPTX
AzureDevOps
byUdaiappa Ramachandran
 
PPTX
Azure DevOps Training Online | Microsoft Azure DevOps Training
byranjithvisualpath44
 
PPTX
Azure DevOps Online Training | Azure DevSecOps Online Training
byranjithvisualpath44
 
PPTX
Wellington MuleSoft Meetup 2021-02-18
byMary Joy Sabal
 
PPTX
Azure DevOps työkalut - Roundtable 14.3.2019
byJanne Mattila
 
PDF
All Day DevOps - Azure DevOps from Start to Star
byÁngel Rayo
 
DOCX
What are the key features of Azure DevOps and how are they beneficial to the ...
bykzayra69
 
PPTX
End_to_End_DevOps.pptx
byCristianoSouza80853
 
Zure Azure PaaS Zero to Hero - DevOps training day
byOkko Oulasvirta
 
Azure DevOps Deployment Group
byRiwut Libinuko
 
Azure DevOps in Action
byCallon Campbell
 
565847651-Az-400t00a-Enu-Powerpoint-05.pptx
byCharlstonMVita
 
Tour of Azure DevOps
byCallon Campbell
 
Continuous Integration and Continuous Delivery on Azure
byCitiusTech
 
Azure DevOps Interview Questions PDF By ScholarHat
byScholarhat
 
Secure Your Code Implement DevSecOps in Azure
bykloia
 
Leveraging Azure DevOps across the Enterprise
byAndrew Kelleher
 
1 - Introduction of Azure DevOps
byBhaumik Patel
 
Cloud Governance & DevOps: Must-have Tools on Your Journey to Azure Cloud
byPredica Group
 
Azure-DevOps-Training presentation downloadable
byNamanGoyal428595
 
AzureDevOps
byUdaiappa Ramachandran
 
Azure DevOps Training Online | Microsoft Azure DevOps Training
byranjithvisualpath44
 
Azure DevOps Online Training | Azure DevSecOps Online Training
byranjithvisualpath44
 
Wellington MuleSoft Meetup 2021-02-18
byMary Joy Sabal
 
Azure DevOps työkalut - Roundtable 14.3.2019
byJanne Mattila
 
All Day DevOps - Azure DevOps from Start to Star
byÁngel Rayo
 
What are the key features of Azure DevOps and how are they beneficial to the ...
bykzayra69
 
End_to_End_DevOps.pptx
byCristianoSouza80853
 

More from Kazushi Kamegawa

PDF
Azure DevOps Online Vol.3 - Inside Azure Pipelines
byKazushi Kamegawa
 
PDF
Deploy Strategy with Azure Pipelines
byKazushi Kamegawa
 
PDF
Azure DevOpsとセキュリティ
byKazushi Kamegawa
 
PDF
Azure DevOps入門~TechLab編
byKazushi Kamegawa
 
PDF
How to create your own Azure Pipeline's image
byKazushi Kamegawa
 
PDF
はじめてのコンテナーDocker & Windows & Linux
byKazushi Kamegawa
 
PDF
Azure Boards and Azure Test Plans inside out.
byKazushi Kamegawa
 
PDF
Ignite 2021 振り返り(DevOps)
byKazushi Kamegawa
 
PDF
Azure boards for beginners
byKazushi Kamegawa
 
PDF
「何もしないのにCIが失敗した」を防ぐ
byKazushi Kamegawa
 
PPTX
What's Azure DevOps
byKazushi Kamegawa
 
PDF
DevOps and Compliance and Security
byKazushi Kamegawa
 
PDF
Ignite 2021秋 recap - 開発者向け新機能紹介
byKazushi Kamegawa
 
PPTX
What's new Azure DevOps in //Build 2019
byKazushi Kamegawa
 
PDF
NET5 and Diagnostics
byKazushi Kamegawa
 
PPTX
Deploy to Azure by ??? Azure Repos or GitHub
byKazushi Kamegawa
 
PDF
Getting Start for Azure Pipelines
byKazushi Kamegawa
 
PDF
Introduce TFSUG and Azure DevOps Server 2020
byKazushi Kamegawa
 
PDF
Azure DevOps Management in Organization
byKazushi Kamegawa
 
PDF
Azure DevOps's security
byKazushi Kamegawa
 
Azure DevOps Online Vol.3 - Inside Azure Pipelines
byKazushi Kamegawa
 
Deploy Strategy with Azure Pipelines
byKazushi Kamegawa
 
Azure DevOpsとセキュリティ
byKazushi Kamegawa
 
Azure DevOps入門~TechLab編
byKazushi Kamegawa
 
How to create your own Azure Pipeline's image
byKazushi Kamegawa
 
はじめてのコンテナーDocker & Windows & Linux
byKazushi Kamegawa
 
Azure Boards and Azure Test Plans inside out.
byKazushi Kamegawa
 
Ignite 2021 振り返り(DevOps)
byKazushi Kamegawa
 
Azure boards for beginners
byKazushi Kamegawa
 
「何もしないのにCIが失敗した」を防ぐ
byKazushi Kamegawa
 
What's Azure DevOps
byKazushi Kamegawa
 
DevOps and Compliance and Security
byKazushi Kamegawa
 
Ignite 2021秋 recap - 開発者向け新機能紹介
byKazushi Kamegawa
 
What's new Azure DevOps in //Build 2019
byKazushi Kamegawa
 
NET5 and Diagnostics
byKazushi Kamegawa
 
Deploy to Azure by ??? Azure Repos or GitHub
byKazushi Kamegawa
 
Getting Start for Azure Pipelines
byKazushi Kamegawa
 
Introduce TFSUG and Azure DevOps Server 2020
byKazushi Kamegawa
 
Azure DevOps Management in Organization
byKazushi Kamegawa
 
Azure DevOps's security
byKazushi Kamegawa
 

Recently uploaded

PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
December Patch Tuesday
byIvanti
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 

DevOps and compliance and security

  • 1.
    DevOps and Compliance andSecurity KAMEGAWA Kazushi(kkamegawa)
  • 2.
    Who am I? personal: name:KAMEGAWA Kazushi(Last-First) alias: kkamegawa community: MVP: Microsoft MVP for Developer Technologies(2009-) Users Group: Team Foundation Server Users Group URL: https://dev.azure.com/tfsug/tfsuginfo Blog: URL: https://kkamegawa.hatenablog.jp devblog radio: https://devblog.connpass.com/
  • 3.
    This contents basedon 2021/4/21
  • 5.
  • 7.
    Deploy 5W1H When WhoWhere How What Why
  • 8.
  • 9.
    Azure Web Apps’sCI/CD | Microsoft Docs Basic CI/CD for Azure Web Apps
  • 10.
    Automated deploy iscool, but? We MUST use Japan Region. I didn’t know when deployed.
  • 11.
    Security and Compliancefeature in Azure
  • 12.
    Compliance and Securityfor CI/CD DO NOT deploy illegal environment. Tracking when it is deployed. Make them follow the rules of the deployment procedure. Perform a vulnerability check.
  • 13.
    Collaborate Azure Pipelinesand Azure Policy 1. Policy checking when deploying artifacts. 2. Deploy if the policy is satisfied. 3. Deny if the policy is not satisfied.
  • 14.
    Define Azure Policy(sample) AzurePolicy | Microsoft Docs Define Azure Policy with Resource group or Subscription Evaluate the policy over a period. It seems like not evaluate immediately the policy at Pipelines.
  • 15.
    Evaluation deploy withAzure Policy. Policy is satisfied (Deploy go) Policy is not satisfied (can’t deploy)
  • 16.
    Azure Pipelines andAzure Policy Azure Policy Task only supports Classic Release. But Pipeline supports, Build definition is YAML, Release is Classic.
  • 19.
    It looks like usefulfor that Image
  • 21.
    Azure Pipelines andContainer registry mcr.microsoft.com malware.example.com ghcr.io/xxxxx Artifact policy checks | Microsoft Docs Don't use Environments to deploy anything other than images from specific allowed container registries. Queries are written in a language called Rego. There is a template that you can use at first.
  • 22.
    Arrow list inEnvironments.
  • 23.
    Define in AzurePipelines Unknown Container Image Environment Deploy failed when use container image other side mcr.microsoft.com
  • 24.
    Creating a pipelineby yourself will cause problems. Service connection Limit the pipelines that can be referenced. Prepare a YAML template that defines the environment for deployment, manage it separately from the build, and separate it from those who can deploy it. Pull Request driven
  • 26.
    Let’s copy this OSS‘sa part of source code!
  • 28.
    OSS source codescan in Azure Pipelines If you specify an extension in a YAML template and build it, you will see a report in the result. It is up to the service to send the source to another service or not. Also check for software license
  • 29.
    Extension for securityscan Let’s install extension for WhiteSource Bolt https://marketplace.visualstudio.com/items?itemName=whitesource .ws-bolt There are a variety of other paid and free extensions available as well. https://marketplace.visualstudio.com/search?term=security&target =AzureDevOps&category=All%20categories&sortBy=Relevance If you want to use it all the time, specify Template as environment.
  • 30.
    Specify a templatein Environments
  • 31.
  • 32.
    Track release eventsin the audit log 90 days for storage in Azure DevOps It must be exported periodically.  Event Grid  Splunk  Azure Monitor  REST API Create audit streaming | Microsoft Docs
  • 33.
    Stream Audit logor Export with Logic Apps. Logic AppsでAzure DevOpsの監査ログをCosmos DBへ保存する
  • 34.
    Summary Automation is great,but keep records so you don't end up wondering when you did it! It's silly for a human to do it, so let's have a machine do it (also tamper- proof). To be able to think, "If I make a mistake,
  • 35.
    Appendix and Reference Securitythrough templates https://docs.microsoft.com/en- us/azure/devops/pipelines/security/templates?WT.mc_id=DOP-MVP- 4039781?view=azure-devops Other security considerations https://docs.microsoft.com/en- us/azure/devops/pipelines/security/misc?WT.mc_id=DOP-MVP- 4039781?view=azure-devops Create and target an environment https://docs.microsoft.com/en- us/azure/devops/pipelines/process/environments?WT.mc_id=DOP-MVP- 4039781?view=azure-devops