Gone are the days of tossing a build over the wall and hoping that it works in production. Now development and operations are joined together as one in DevOps. DevOps accelerates the velocity with which products are deployed to customers. However, the catch with DevOps is that it moves fast, and security must move faster to keep up and make an impact. When products were built under the waterfall process, the release cycle was measured in years, so security process could take almost as long as it wanted. Face it, DevOps is here to stay, and it is not getting any slower. Application security must speed up to keep pace with the speed of business. Security automation is king under DevOps.

1. Managing
Application Config
and Secrets

2. HELLO!
I am Eng Teong Cheah
Microsoft MVP
You can find me at @walkercet
2

3. Introduction to Security
3
1

4. Introduction to Security
▰ Security is everyone’s responsibility and needs
to be looked at holistically across the
application life cycle.
4

5. SQL Injection Attack
SQL Injection (SQLi) is a type of an injection
attack that makes it possible to execute
malicious SQL statements.
5

6. 6
2Implement Secure &
Compliant Development
Processes

7. Threat Modeling
▰ Define security requirements
▰ Create an application diagram
▰ Identify threats
▰ Mitigate threats
▰ Validate that threats have been mitigated
7

8. Key Validation Points
▰ Continuous security validation should be
added at each step from development through
production
8

9. Continuous Integration
▰ The CI build should be executed as part of the
pull request (PR-CI) process and once the
merge is complete
▰ Be sure to scan third party packages for
vulnerabilities and check OSS license usage
9

10. Infrastructure Vulnerabilities
▰ Be sure to validate the infrastructure
▰ Use the Azure Security Center and Azure
Policies
10

11. Application Deployment to DEV and TEST
▰ OWASP ZAP can be used for penetration
testing
▰ Testing can be active or passive
▰ Conduct a quick baseline scan to identify
vulnerabilities
▰ Conduct nightly more intensive scans
11

12. Results and Bugs
12
▰ OWASP ZAP provides a report with results and
bugs
▰ Use a holistic and layered approach to security

13. 13
3
Rethinking Application
Config Data

14. Rethinking Application Config Data
14
▰
▰
▰

15. Separation of Concerns
15
▰
▰
▰
▰

16. External Configuration Store Patterns
16
▰
▰

17. Integrating Azure Key Vault with Azure Pipeline
17
▰

18. 18
4
Manage Secrets, Tokens,
and Certificates

19. Manage Secrets, Tokens & Certificates
19
▰
▰
▰
▰
▰

20. Kubernetes and Azure Key Vault
20
▰
▰
▰
▰

21. 21
5Implement Tools for
Managing Security and
Compliance

22. SonarCloud
22
▰
▰

23. Implement Continuous Security Validation
23
▰

24. 24
THANKS!
Any questions?
You can find me at
@walkercet

25. CREDITS
▰ Microsoft Docs
25