HB
Uploaded byHenry Been
PDF, PPTX111 views

Henry Been - Secure development: keeping your application secrets private

The document discusses secure secret management strategies for Azure DevOps and applications, highlighting several approaches to avoid sharing secrets and maintaining their integrity. It emphasizes the importance of using tools like Azure Key Vault, ARM templates, and managed identities to protect secrets effectively. The author also mentions the necessity of regularly updating and rolling secrets without manual duplication or risk of exposure.

Embed presentation

Download as PDF, PPTX
SECURE DEPLOYMENTS KEEPING YOUR SECRETS PRIVATE Henry Been "Locks" (CC BY-NC-ND 2.0) by wolf4max
WONDERING WHO IS THAT GUY? HENRY BEEN Independent Devops & Azure Architect E: henry@azurespecialist.nl T: @henry_been L: linkedin.com/in/henrybeen W: henrybeen.nl
So… WHO DOES DEVOPS? @henry_been
THE CASE FOR SECRET MANAGEMENT Develop Build Deploy Operate Dev Ops DevOps @henry_been
Secret management goals No secret sharing or passing Frequently change secrets Have no secrets anymore No secrets in source control @henry_been
HOW NOT TO DO SECRET MANAGEMENT @henry_been
1. Let operations deploy 2. Enter manually in the portal 3. Encrypted in source control 4. Use once, obscure https endpoint HOW NOT TO.. @henry_been
Use once, obscure https endpoint What is that? @henry_been
Use once, obscure https endpoint https://foo.bar/secrets @henry_been
Use once, obscure https endpoint Web Application https://foo.bar/secrets GET @startup Works only once! Release Orchestrator Deploy Reset @henry_been
So… HOW THEN? @henry_been
Approach 1 USING RELEASE ORCHESTRATOR Azure DevOps Secrets Azure Web AppCode @henry_been
DEMO TIME! USING RELEASE ORCHESTRATOR
USING RELEASE ORCHESTRATOR • Secrets are pretty secure • Easy to start with • Fits existing situations • You see and copy secrets • Secrets visible in portal • Duplication of secrets • Cannot roll secrets easily Pros Cons @henry_been
Prerequisite: Have primary & secondary secrets 1. Change the secret in release orchestrator to secondary secret 2. Release 3. Roll primary secret 4. Change the secret in release orchestrator to primary secret 5. Release 6. Roll secondary secret Intermezzo: Roll a secret @henry_been
Approach 2 USING ARM TEMPLATES Azure Web App Key Vault Azure DevOpsCode & Infra @henry_been
DEMO TIME! USING ARM TEMPLATES
USING ARM TEMPLATES • No manual copying or sharing of secrets • No more manual duplication of Azure keys • Secrets visible in portal • Still cannot roll secrets easily Pros Cons @henry_been
Approach 3 DIRECTLY FROM KEY VAULT Azure DevOps Azure Web App Code & Infra Key Vault @henry_been
HOWTO: Local Development 1. Grant your developer account access to (another) Key Vault • Very decent alternative • Requires your to log in to Visual Studio using an authorized account 2. Only use Key Vault in Azure (locally use user secrets) • Default in ASP.NET Core 3. Manually create a development identity and use that • Downside: shared identity is not really an identity • However… do not check secrets for that identity into source control @henry_been
DEMO TIME! DIRECTLY ACCESS KEY VAULT
DIRECTLY ACCESS KEY VAULT • No manual copying or sharing of secrets • No more duplication of Azure keys • Secrets no longer visible in portal • Changed secrets are automatically picked up • Only on supported services Pros Cons @henry_been
Approach 4 DIRECTLY ACCESS SERVICE Azure DevOps Azure Web App Code & Infra AAD Other Service @henry_been
DEMO TIME! DIRECTLY ACCESS SERVICE
DIRECTLY ACCESS SERVICE • No more secrets Only on supported services Pros Cons @henry_been
Supported services • Azure Resource Manager • Azure Key Vault • Azure Data Lake • Azure SQL DB • Azure Event Hubs • Azure Service Bus • Azure Storage https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/services-support-msi @henry_been
Use your release orchestrator Manual deployment NEVER EVER EVUHRR When you deploy only code Keyvault and ARM templates When you also deploy infra Managed identity / KeyVault When available & possible Managed identity / Oauth resource When available & possible WHAT TO USE WHEN?
WHAT IF YOU ARE NOT ON THE LATEST AND GREATEST? @henry_been
Approach 5 KEY VAULT REFERENCE 1. Assign an managed identity 2. Give that identity access to an Key Vault 3. Reference secrets @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secr ets/mysecret/ec96f02080254f109c51a1f14cdb1931) @henry_been
Approach 5 KEY VAULT REFERENCE An unsupported alternative @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secr ets/mysecret) @henry_been
Approach 6 App Configuration 1. Dedicated configuration store 2. Also for secrets 3. Connect using a connection string (location + key) @henry_been
Approach 6 App Configuration App Configuration @henry_been
Approach 6 App Configuration Web Application App Configuration GET @startup WHERE DO WE STORE THE KEY??? @henry_been
Approach 6 App Configuration WHERE DO WE STORE THE KEY??? YES, IT IS TURTLES ALL THE WAY DOWN… @henry_been
ONE MORE THING… Microsoft Security Static Analysis Tools @henry_been
DO TRY THIS AT HOME! HENRY BEEN Independent Devops & Azure Architect E: henry@azurespecialist.nl T: @henry_been L: linkedin.com/in/henrybeen W: henrybeen.nl
Questions? Use Slido! #DVM2019 www.slido.com @henry_been
Henry Been - Secure development: keeping your application secrets private

More Related Content

PPTX
Secure deployments keeping your application secrets private -duug fest
byHenry Been
 
PPTX
Secure deployments keeping your application secrets private - condensed
byHenry Been
 
PDF
Deploying and Scaling Your First Cloud Application with Amazon Lightsail
byAWS Germany
 
PPTX
API 101 Workshop from APIStrat Conference
byKirsten Hunter
 
PPTX
API101 Workshop - APIStrat Amsterdam 2014
by3scale
 
PDF
NSCoder Keynote - Multipeer Connectivity Framework
byAlex Rupérez
 
PPTX
iOS Coding Best Practices
byJean-Luc David
 
PDF
Making your first alexa skills using lambda functions
byMukul Jain
 
Secure deployments keeping your application secrets private -duug fest
byHenry Been
 
Secure deployments keeping your application secrets private - condensed
byHenry Been
 
Deploying and Scaling Your First Cloud Application with Amazon Lightsail
byAWS Germany
 
API 101 Workshop from APIStrat Conference
byKirsten Hunter
 
API101 Workshop - APIStrat Amsterdam 2014
by3scale
 
NSCoder Keynote - Multipeer Connectivity Framework
byAlex Rupérez
 
iOS Coding Best Practices
byJean-Luc David
 
Making your first alexa skills using lambda functions
byMukul Jain
 

What's hot

PDF
Everything you always wanted to know about API Management (but were afraid to...
byMassimo Bonanni
 
PDF
Building the Eventbrite API Ecosystem
byMitch Colleran
 
PDF
Azure web functions little bites of services
byAaron Petry
 
PPTX
Build Nodejs APIs using Serverless
bySimona Cotin
 
PDF
Extending OnDemand with Atlassian Connect Add-ons
bycolleenfry
 
PPTX
Writing Secure SharePoint Code - SharePoint Saturday Toronto
byEli Robillard
 
KEY
Wireless ad hoc distribution
byCocoaHeads.fr
 
PDF
Secrets as Code
byJohann Gyger
 
PPTX
Dnc2015 azure-microservizi-vforusso
byDotNetCampus
 
PDF
5 step plan to securing your APIs
by💻 Javier Garza
 
KEY
Birdpie
byanupnarkhede
 
PDF
Ansible
byJasim Muhammed
 
PDF
Using Cookies to Store Your Postman Secrets
byPostman
 
PDF
Product Update Elvis - Salesforce integration, Multi-tiered storage, File nam...
byMarco Makfab
 
PDF
Gigigo Workshop - iOS Extensions
byAlex Rupérez
 
PDF
Web app development with Flask
byJasim Muhammed
 
PPTX
Git store
byKirsten Hunter
 
PDF
Gigigo Keynote - Geofences & iBeacons
byAlex Rupérez
 
PDF
Gigigo Workshop - Create an iOS Framework, document it and not die trying
byAlex Rupérez
 
Everything you always wanted to know about API Management (but were afraid to...
byMassimo Bonanni
 
Building the Eventbrite API Ecosystem
byMitch Colleran
 
Azure web functions little bites of services
byAaron Petry
 
Build Nodejs APIs using Serverless
bySimona Cotin
 
Extending OnDemand with Atlassian Connect Add-ons
bycolleenfry
 
Writing Secure SharePoint Code - SharePoint Saturday Toronto
byEli Robillard
 
Wireless ad hoc distribution
byCocoaHeads.fr
 
Secrets as Code
byJohann Gyger
 
Dnc2015 azure-microservizi-vforusso
byDotNetCampus
 
5 step plan to securing your APIs
by💻 Javier Garza
 
Birdpie
byanupnarkhede
 
Ansible
byJasim Muhammed
 
Using Cookies to Store Your Postman Secrets
byPostman
 
Product Update Elvis - Salesforce integration, Multi-tiered storage, File nam...
byMarco Makfab
 
Gigigo Workshop - iOS Extensions
byAlex Rupérez
 
Web app development with Flask
byJasim Muhammed
 
Git store
byKirsten Hunter
 
Gigigo Keynote - Geofences & iBeacons
byAlex Rupérez
 
Gigigo Workshop - Create an iOS Framework, document it and not die trying
byAlex Rupérez
 

Similar to Henry Been - Secure development: keeping your application secrets private

PPTX
Zero Credential Development with Managed Identities for Azure resources
byJoonas Westlin
 
PDF
Secure Your Code Implement DevSecOps in Azure
bykloia
 
PPTX
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
byCodit
 
PPTX
Passwordless Development using Azure Identity
bySarah Dutkiewicz
 
PPTX
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
byTom Kerkhove
 
PPTX
Managing your secrets in a cloud environment
byTaswar Bhatti
 
PDF
Overview of secret management solutions and architecture
byYuechuan (Mike) Chen
 
PPTX
Configuration in azure done right
byRick van den Bosch
 
PPTX
Top 13 best security practices
byRadu Vunvulea
 
PPTX
Zero credential development with managed identities
byJoonas Westlin
 
PPTX
Zero Credential Development with Managed Identities
byJoonas Westlin
 
PPTX
Secure your Azure Web App 2019
byFrans Lytzen
 
PPTX
Secure your web app presentation
byFrans Lytzen
 
PPTX
Zero credential development with managed identities
byJoonas Westlin
 
PPTX
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
byTom Kerkhove
 
PPTX
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
byTom Kerkhove
 
PPTX
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
byTom Kerkhove
 
PDF
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
byMary Racter
 
PDF
Service for Storing Secrets on Microsoft Azure.pdf
byZen Bit Tech
 
PDF
Automation Patterns for Scalable Secret Management
byMary Racter
 
Zero Credential Development with Managed Identities for Azure resources
byJoonas Westlin
 
Secure Your Code Implement DevSecOps in Azure
bykloia
 
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
byCodit
 
Passwordless Development using Azure Identity
bySarah Dutkiewicz
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
byTom Kerkhove
 
Managing your secrets in a cloud environment
byTaswar Bhatti
 
Overview of secret management solutions and architecture
byYuechuan (Mike) Chen
 
Configuration in azure done right
byRick van den Bosch
 
Top 13 best security practices
byRadu Vunvulea
 
Zero credential development with managed identities
byJoonas Westlin
 
Zero Credential Development with Managed Identities
byJoonas Westlin
 
Secure your Azure Web App 2019
byFrans Lytzen
 
Secure your web app presentation
byFrans Lytzen
 
Zero credential development with managed identities
byJoonas Westlin
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
byTom Kerkhove
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
byTom Kerkhove
 
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
byTom Kerkhove
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
byMary Racter
 
Service for Storing Secrets on Microsoft Azure.pdf
byZen Bit Tech
 
Automation Patterns for Scalable Secret Management
byMary Racter
 

More from Henry Been

PPTX
Henry been - Multi-tenant applications using 30k databases
byHenry Been
 
PPTX
Logging, Instrumentation, Dashboards and Alerts - for developers
byHenry Been
 
PPTX
Writing, build and releasing your own vsts extension
byHenry Been
 
PDF
Serverless computing henry been - continuous deployment of azure functions
byHenry Been
 
PPTX
Focus on business value by going Serverless
byHenry Been
 
PPTX
Continuous delivery for the it pro
byHenry Been
 
PPTX
Henry been azure resource manager - inside out
byHenry Been
 
PDF
Cloud brew henry been - logging instrumentation dashboards alerts
byHenry Been
 
PDF
Serverless computing henry been - logging instrumentation dashboards alerts
byHenry Been
 
PPTX
Cloud brew cloudcamp
byHenry Been
 
PDF
Dot netsaterday henry been - logging instrumentation dashboards alerts
byHenry Been
 
PDF
Henry been database-per-tenant with 50k databases
byHenry Been
 
Henry been - Multi-tenant applications using 30k databases
byHenry Been
 
Logging, Instrumentation, Dashboards and Alerts - for developers
byHenry Been
 
Writing, build and releasing your own vsts extension
byHenry Been
 
Serverless computing henry been - continuous deployment of azure functions
byHenry Been
 
Focus on business value by going Serverless
byHenry Been
 
Continuous delivery for the it pro
byHenry Been
 
Henry been azure resource manager - inside out
byHenry Been
 
Cloud brew henry been - logging instrumentation dashboards alerts
byHenry Been
 
Serverless computing henry been - logging instrumentation dashboards alerts
byHenry Been
 
Cloud brew cloudcamp
byHenry Been
 
Dot netsaterday henry been - logging instrumentation dashboards alerts
byHenry Been
 
Henry been database-per-tenant with 50k databases
byHenry Been
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
The year in review - MarvelClient in 2025
bypanagenda
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
The Landscape of Computer Software Development Companies
byYash Singh
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 

Henry Been - Secure development: keeping your application secrets private

  • 1.
    SECURE DEPLOYMENTS KEEPING YOUR SECRETSPRIVATE Henry Been "Locks" (CC BY-NC-ND 2.0) by wolf4max
  • 2.
    WONDERING WHO IS THATGUY? HENRY BEEN Independent Devops & Azure Architect E: henry@azurespecialist.nl T: @henry_been L: linkedin.com/in/henrybeen W: henrybeen.nl
  • 3.
  • 4.
    THE CASE FORSECRET MANAGEMENT Develop Build Deploy Operate Dev Ops DevOps @henry_been
  • 5.
    Secret management goals Nosecret sharing or passing Frequently change secrets Have no secrets anymore No secrets in source control @henry_been
  • 6.
    HOW NOT TODO SECRET MANAGEMENT @henry_been
  • 7.
    1. Let operationsdeploy 2. Enter manually in the portal 3. Encrypted in source control 4. Use once, obscure https endpoint HOW NOT TO.. @henry_been
  • 8.
    Use once, obscurehttps endpoint What is that? @henry_been
  • 9.
    Use once, obscurehttps endpoint https://foo.bar/secrets @henry_been
  • 10.
    Use once, obscurehttps endpoint Web Application https://foo.bar/secrets GET @startup Works only once! Release Orchestrator Deploy Reset @henry_been
  • 12.
  • 14.
    Approach 1 USING RELEASEORCHESTRATOR Azure DevOps Secrets Azure Web AppCode @henry_been
  • 15.
  • 16.
    USING RELEASE ORCHESTRATOR •Secrets are pretty secure • Easy to start with • Fits existing situations • You see and copy secrets • Secrets visible in portal • Duplication of secrets • Cannot roll secrets easily Pros Cons @henry_been
  • 17.
    Prerequisite: Have primary& secondary secrets 1. Change the secret in release orchestrator to secondary secret 2. Release 3. Roll primary secret 4. Change the secret in release orchestrator to primary secret 5. Release 6. Roll secondary secret Intermezzo: Roll a secret @henry_been
  • 18.
    Approach 2 USING ARMTEMPLATES Azure Web App Key Vault Azure DevOpsCode & Infra @henry_been
  • 19.
  • 20.
    USING ARM TEMPLATES •No manual copying or sharing of secrets • No more manual duplication of Azure keys • Secrets visible in portal • Still cannot roll secrets easily Pros Cons @henry_been
  • 21.
    Approach 3 DIRECTLY FROMKEY VAULT Azure DevOps Azure Web App Code & Infra Key Vault @henry_been
  • 22.
    HOWTO: Local Development 1.Grant your developer account access to (another) Key Vault • Very decent alternative • Requires your to log in to Visual Studio using an authorized account 2. Only use Key Vault in Azure (locally use user secrets) • Default in ASP.NET Core 3. Manually create a development identity and use that • Downside: shared identity is not really an identity • However… do not check secrets for that identity into source control @henry_been
  • 23.
  • 24.
    DIRECTLY ACCESS KEYVAULT • No manual copying or sharing of secrets • No more duplication of Azure keys • Secrets no longer visible in portal • Changed secrets are automatically picked up • Only on supported services Pros Cons @henry_been
  • 25.
    Approach 4 DIRECTLY ACCESSSERVICE Azure DevOps Azure Web App Code & Infra AAD Other Service @henry_been
  • 26.
  • 27.
    DIRECTLY ACCESS SERVICE •No more secrets Only on supported services Pros Cons @henry_been
  • 28.
    Supported services • AzureResource Manager • Azure Key Vault • Azure Data Lake • Azure SQL DB • Azure Event Hubs • Azure Service Bus • Azure Storage https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/services-support-msi @henry_been
  • 29.
    Use your releaseorchestrator Manual deployment NEVER EVER EVUHRR When you deploy only code Keyvault and ARM templates When you also deploy infra Managed identity / KeyVault When available & possible Managed identity / Oauth resource When available & possible WHAT TO USE WHEN?
  • 30.
    WHAT IF YOUARE NOT ON THE LATEST AND GREATEST? @henry_been
  • 31.
    Approach 5 KEY VAULTREFERENCE 1. Assign an managed identity 2. Give that identity access to an Key Vault 3. Reference secrets @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secr ets/mysecret/ec96f02080254f109c51a1f14cdb1931) @henry_been
  • 32.
    Approach 5 KEY VAULTREFERENCE An unsupported alternative @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secr ets/mysecret) @henry_been
  • 33.
    Approach 6 App Configuration 1.Dedicated configuration store 2. Also for secrets 3. Connect using a connection string (location + key) @henry_been
  • 34.
    Approach 6 App Configuration AppConfiguration @henry_been
  • 35.
    Approach 6 App Configuration WebApplication App Configuration GET @startup WHERE DO WE STORE THE KEY??? @henry_been
  • 36.
    Approach 6 App Configuration WHEREDO WE STORE THE KEY??? YES, IT IS TURTLES ALL THE WAY DOWN… @henry_been
  • 37.
    ONE MORE THING… MicrosoftSecurity Static Analysis Tools @henry_been
  • 38.
    DO TRY THISAT HOME! HENRY BEEN Independent Devops & Azure Architect E: henry@azurespecialist.nl T: @henry_been L: linkedin.com/in/henrybeen W: henrybeen.nl
  • 39.