Sunday, 6 February 2022

Azure DevOps Series - Integrating Security into Azure DevOps

Overview: Integrate automate security testing into your CI/CD  Azure Pipelines, this area is of expertise is sometimes refered to as DevSecOps.  Azure DevOps provides build and automation servers.  In the OSAWP 2021, number 8 is Software and Data integrity failures.  This covers securing CI/CD pipelines.

CI/CD Pipeline hardening - Code is written and committed to source code repository, Linting (SonarQube), build , test, and deploy.  Can also include infrastructure and networking setup.  YAML & JSON are common for building pipelines.  All these steps need to be hardened.  

Ensure only authorized intended actors can run/use the pipeline or part within the pipeline.  Eg. ensure only developers can check in code, they must have permissions.  

  • Harden but you have to be pragmatic so developer can do there work but also don't over allow access.
  • Ensure logging is running.  
  • Keep plugins and reference frameworks up to date to avoid weaknesses being exploited.  Ensure OS and containers are up to date.
  • Use dedicate build/service accounts.  
  • Using Azure DevOps (ADO) does a lot of hardening automatically.  
  • Don't expose sensitive information in you logs like pswds as if the logs are hacked you have a problem.
  • Ensure artifacts are correctly locked down.  To get artifacts the pipeline only needs read access.
  • Verify SaaS service you use are secure.  Integrate external security SaaS software.
  • For security there are native tools for security, plugins or external service as mentioned above.  Mend/WhiteSource Bolt is a tool used for scanning packages for vulnerabilities.  AzureDevOps has Mend Bolt as a add-in.  There is a free service but it is fairly limited.  Can also run these scans from Developer level and not just in the pipeline.

Azure DevOps Series Posts:

  1. Azure DevOps Series - Overview 
  2. Azure DevOps Series - Azure Boards 
  3. Missing
  4. Azure DevOps Series - Azure Pipelines 
  5. Azure DevOps Series - DevSecOps (This Post)
Note: AWS Pipelines refered to as CodePipelines is the same as Azure DevOps in AWS world.  


Post a Comment