This document provides an overview of crafting secure and composable Sitecore SaaS-based applications. It discusses the increased attack surface that comes with SaaS and microservices architectures. It then covers security topics such as the layered security model, zero trust architecture, securing Docker and Kubernetes, infrastructure as code, automated security testing, and a reference security solution architecture. The presentation emphasizes security by design, automation, and people and process through concepts like DevSecOps. It aims to educate on building security into applications from the start through frameworks, best practices and automation.
31. I am a proud community member!
Please contact me on the following handles: sitecorechat.slack.com, Twitter
32. • Layer 1 – port protection of your laptop and hardware; access to systems, login expiration
• Layer 2 – VLANs
• Layer 3 – Front Door
• Layer 4 – Front Door
• Layer 5 – Front Door
• Layer 6 – Front Door
• Layer 7 – Front Door (bot protection)
https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
https://learn.microsoft.com/en-us/azure/frontdoor/web-application-firewall
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-ddos
https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-standard-premium
33. DevSecOps Sitecore pipeline
[Diagram: DevSecOps Sitecore pipeline. Actors: Developers (commit code), System Admins (manage), DevOps Engineers (manage). Developers pull images from the image repository; built images are stored in the container registry and pulled for deployment. GitLab CI runs unit tests, quality and SAST scans, and uploads the image; GitLab CD deploys to DEV, SVT and PRD environments; GitLab DAST, Selenium UI tests, page speed tests and load tests run against the deployed environments.]
35. “” – Quote somebody on their brilliance as everybody in our community deserves a best friend! – Akshay Sura
40. Team changes and upskilling
[Diagram: team roles across the Development Team, the Security Bridge Team and the Security Team.]
Development Team:
• QA – quality assurance and testing
• Developer – front and backend development
• DevOps Engineer – release processes and automation
Security Bridge Team (security champions):
• DevOps Security Champion – security automation, monitoring, notifications
• Development Security Champion – code scanning and reviews
• QA Security Champion – dynamic application testing
Security Team:
• Specialized security personnel – software, DevOps, forensic analysis, etc.
• CISO – security program development