Website security scanning with GitHub Actions and OWASP ZAP


Security is a topic that should be on top of everyone's mind. Security in software is particularly vital, given the enormous growth in threats targeting online resources. I previously wrote about other developer-oriented security aspects that you might find interesting: Embrace a Security Development Lifecycle (SDL) for Azure, and Automate Azure DevOps code security analysis with MSCA. Today I want to highlight another approach: vulnerability checks on systems running in the cloud or on your servers. That is, not during development, but in the environment where they are operating. In this post, I'm discussing how we can do this using GitHub Actions and…


Create a custom Azure Security Center recommendation with Azure Policy


In Azure Security Center you get a lot of built-in recommendations based on various compliance and security controls. These are based on industry standards and include things like Azure CIS, PCI DSS, SOC TSP, ISO 27001, and more. However, many organizations have different requirements than the defaults, and sometimes want to introduce additional or modified checks. With Azure Security Center we get the capability to use custom recommendations together with Azure Policy, where we can define our corporate policies and roll them out as recommendations in ASC. A great way to tailor the experience to our use cases.…


Code analysis tools for Azure developers coding in .NET Core


I love automation. Part of the glory of seeing a green build is also knowing that it has passed some type of quality gate. In this post I'll talk a bit about some of my favorite code analysis tools for .NET Core. I use them in both personal and work projects, in a varying mix depending on the project. It's not an exhaustive list, and by no means the only tools that can be used. These are a select part of my arsenal to ensure I stay on the right path when developing software. Someone asked me recently…


How Tokens and Scope Maps for Azure Container Registry introduce great repository-level access restrictions


I have previously written about various container topics on this site. Recently, I also published a post about "Best Practices for security in Azure Container Registry." In this post, I want to bring awareness to how we can make use of one of the tips from that post, namely the repository-scoped permissions. We can now create more fine-grained permissions for our ACR. Time-limited access helps block any access after a specific point in time. Granular permission control helps restrict or allow specific actions on the registry. Actions are usually things like Read (pull), Write (push), and Delete. Help your organization delegate…


A few tips for securing your remote workforce in a Microsoft cloud landscape


Are you a CIO, CISO, or at any level responsible for security in your organization? Are you just getting started with Azure and the cloud, and have a remote workforce - or are you seasoned in the cloud, but your users are not? Here are a couple of tips from the field that I hope can help. Work From Home, or #WFH, is a thing today. I have been successfully working remotely for more than seven years, and I have enjoyed every minute of it - but it isn't without challenges. I get questions regularly now, both from family…
