While threats are ever-increasing, so are the capabilities, methodologies, and technologies we have at our disposal to mitigate risks at a higher cadence than ever before. In this article, I'll talk about the responsibility we have as developers, solution architects, DevOps engineers, and anyone else involved in your teams. Security is a team effort, and everyone needs to get on board on what processes and rules to follow. Today we can automate a lot of the things we do for code quality and security, so the road to increasing the security posture doesn't have to be a long one. Regardless…
All posts in “security”
Over the years there's been a plethora of API's and approaches to work with artifacts and resources in Azure. In July this year (2019), Microsoft announced the availability of the new Azure SDK API Standards, which is a new set of SDK's in the following languages: Python, Java, JavaScript and .NET. These SDK's are supposed to be a unified approach to building the SDK's, and whatever goes into one API goes into all of them, so there's no disconnect between capabilities in different programming languages. Now that some Azure services have matured and been adopted into business-critical enterprise applications, we…
Azure Functions are usually tied to an Azure Storage Account by using App Settings. Unfortunately, when launching a new Function App project in Visual Studio, or watching demos and examples online, the connection string usually is in App Settings in plain text. In this post I'm sharing a quick tip on how to protect sensitive configuration values in App Settings by using Secrets from a Key Vault, and you can even reference the default Storage Account connection string this way, completely avoiding any type of sensitive data in App Settings, from scratch. Microsoft have some good documentation (links in the…
This post is about increasing automated security posture with Azure DevOps by using the "Microsoft Security Code Analysis extension", which is a set of tasks that helps implement security analysis of your files and code in your pipelines. Microsoft have done an amazing job with making this extension available, so we can make use of automated build tasks to check for some commonly encountered security issues. Follow me in this article to explore how we make use of the Azure DevOps extension for Microsoft Security Code Analysis, which includes these build tasks to help us: Credential Scanner (CredScan)BinSkimTSLintRoslyn AnalyzersMicrosoft…
Launching new websites, services and applications in the cloud is easy. However, the fact that getting something up and running is easy, doesn't mean that it's sufficient for an enterprise-grade or distributed-scale application to operate in the long run. Designing the solution architecture, infrastructure and configuration of your apps and services are extremely important - and if you intend to embrace a real workload (not "see my demo here"), you need to ensure that things are flying at all times, with redundancy and failovers. In this post we'll talk a bit about diagnosing and troubleshooting errors and issues with Azure…
In this post I'm sharing a tip about how you can remove the Azure Sentinel service, but keep your ingested data in Log Analytics so you can actually keep working with the data for reports and auditing reasons.…
When working with Azure DevOps, there's a lot of options and configurations to tailor the service exactly to the needs of your organization. Part of the responsibilities that lie on the ones that managed these pipelines is to ensure that you don't spill the beans - or in other words, leak any sensitive data. With Azure DevOps, you can get sensitive data like Connection Strings, Secrets, API Keys, and whatever else you may classify as sensitive. You can get them directly from an Azure Key Vault, instead of configuring them on your build pipeline. With Azure DevOps, you can get…
A powerful capability of the Azure Sentinel service is that you can ingest data from a wide variety of sources. Using Connectors, you can even ingest data from other places than Azure, and you can get a more complete picture of your security posture across services in your technological landscape. In a previous post I talked about how to ingest Office 365 logs into your Azure Sentinel dashboards. In this post, I'm talking about how we can build our own Azure Log Analytics Data Collector API application to send custom logs to your Log Analytics workspace - and since I'm…