In the past few years, enterprise security threats have emerged in an endless stream, and the situation has become more and more severe. Attackers try to compromise dependencies and engineering systems upstream of the development process, and such advanced attacks can affect the entire development environment and software supply chain. For example, in a recent incident at a software vendor, the developer workflow and software supply chain were attacked: after gaining access, the attacker uploaded a modified image that scanned thousands of versions of the vendor's software supply chain, extracting secrets and widening the breach.
From this point of view, it is not enough to simply integrate security into DevOps workflows; the workflows themselves must be hardened and protected. The question is: how do you protect the upstream development environment?
GitHub Codespaces
GitHub Codespaces lets developers interact safely with untrusted code in a sandboxed environment that is available anywhere and on any device. Managing user permissions, storing secrets in the right place, and enforcing GPG commit verification has never been easier or faster than with GitHub Codespaces. Development teams can go from nothing to a working development environment in under 10 seconds, and developers can spin up new codespaces for parallel workflows without any overhead, improving developer productivity while staying in security compliance.
GitHub Actions
In addition to developer machines, businesses need to secure their DevOps workflows. GitHub Actions helps development teams easily create secure, automated workflows to build, test, package, publish, and deploy applications to Azure or other clouds. Azure provides rich GitHub Actions integration that helps developers adopt an "everything as code" DevOps model: compliance and security policies, build and release pipelines, and more are all expressed as code, enabling continuous improvement, better reusability, and greater transparency.
The increasingly complex security risks mentioned earlier are compounded by the fact that development teams must store Azure service principal secrets in GitHub; this duplicates credentials across systems and increases the risk of tampering. Recently, Microsoft announced a series of preview features that let developers deploy code securely to Azure without storing long-lived credentials in GitHub.
Remove credentials from developer environment with latest Azure and GitHub integration
A key strategy for strengthening defenses against such attacks is to remove long-lived Azure credentials from development environments. With Azure AD workload identity federation, you can now deploy to Azure from a GitHub repository without creating, storing, or managing Azure AD credentials for the application. This removes the need to keep Azure service principal secrets and other long-lived cloud credentials in the GitHub secrets store. With this integration, you can securely manage access to all of your cloud resources in Azure, and you also minimize the chance of service downtime caused by expired credentials in GitHub.
Setting up OpenID Connect (OIDC) integration with Azure AD and GitHub Actions
To complete this setup, you will need:
- An Azure Active Directory application with a service principal that has Contributor access to your subscription
- The Active Directory application configured with a federated credential that trusts tokens issued by GitHub Actions for your GitHub repository. You can configure this in the Azure portal or through the Microsoft Graph REST API
- A GitHub Actions workflow that requests the OIDC token GitHub issues to the workflow and passes it to the azure/login@v1.4.0 action
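The following workflow is an added example, not code from the original article or from Microsoft: it shows the third item of the list above, a job that logs in to Azure with the OIDC token GitHub issues to the run instead of a stored service principal secret. The workflow name, branch, and the three repository secret names (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID) are assumptions; those three values are identifiers of the app registration, tenant and subscription, not credentials, so nothing long-lived is stored in GitHub.

```yaml
# Added example (assumed names): deploy to Azure from GitHub Actions using
# Azure AD workload identity federation. No client secret is stored in GitHub.
name: deploy-to-azure

on:
  push:
    branches: [main]   # must match the subject of the federated credential (see note)

# Least-privilege token permissions for the job:
#   id-token: write is required, otherwise GitHub will not issue the OIDC token
#   contents: read is all that checkout needs
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Azure login via OIDC (no client-secret or creds input)
        uses: azure/login@v1.4.0
        with:
          # Identifiers only; the action requests GitHub's OIDC token and exchanges
          # it for an Azure AD access token using the federated credential on the app.
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Verify which identity Azure sees
        run: az account show --output table
```

For this to work, the federated credential on the Azure AD application (second item in the list) must match what the token carries: issuer `https://token.actions.githubusercontent.com`, subject `repo:<org>/<repo>:ref:refs/heads/main` for a push to `main` (a different branch, tag, environment or pull request produces a different subject and is rejected), and audience `api://AzureADTokenExchange`. Because Azure checks these claims on every exchange, the resulting access token is short-lived and tied to one repository and branch, which is the property the article is arguing for: there is no secret for an attacker in the developer environment to steal.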
Having introduced these solutions, let us return to the question at the beginning of the article: do you have other ways to protect the upstream development environment? Feel free to share your insights with us or ask your questions about this article in the comments section below. You are also welcome to scan the QR code below to learn more about DevSecOps.