The cloud is evolving rapidly, developers are advancing at a rapid pace, and attackers are constantly "innovating."
- How to keep up with the situation and secure cloud deployments?
- How do security practices differ between cloud systems and on-premises systems?
- How to ensure consistency among multiple independent development teams?
Microsoft has found that using security baselines can help you quickly secure cloud deployments and reduce the risk to your organization. The Azure Security Benchmark (ASB) contains a set of security recommendations that can be used to help protect services used in Azure, including security controls and service baselines. The Azure Security Benchmark focuses on cloud-centric controls that are consistent with well-known security benchmarks such as the Center for Internet Security (CIS) Controls, the National Institute of Standards and Technology (NIST) frameworks, and the Payment Card Industry Data Security Standard (PCI-DSS).
Today, we focus on the DevOps Security control. DevOps Security covers the controls related to security engineering and operations in the DevOps process, including deploying critical security checks (such as static application security testing and vulnerability management) before the deployment phase, ensuring security throughout the DevOps lifecycle, and common topics such as threat modeling and software supply chain security.
Perform Threat Modeling
Identify potential threats and ensure threat modeling is used to protect your applications and services during the production runtime phase, as well as to protect projects, underlying CI/CD pipelines, and other tool environments for builds, tests, and deployments.
Securing the Software Supply Chain
Make sure your enterprise's Software Development Lifecycle or process includes a set of security controls to control internal and third-party software components, including proprietary and open source software that have dependencies on applications. Define restriction criteria to prevent malicious components from being integrated and deployed into your environment.
Secure DevOps Infrastructure
Ensure DevOps infrastructure and pipelines follow security best practices across environments, including the build, test, and production stages. Security controls typically cover the following:
- Project repository for source code, generated packages and images, project and business data
- Servers, services and tools to host CI/CD pipelines
- CI/CD pipeline configuration
Integrate static or dynamic application security testing into DevOps pipelines
Ensure static or dynamic application security testing is part of the gating controls in your CI/CD workflow. Gates can be set based on test results to prevent vulnerable code from being committed to the repository, built into packages, or deployed to production.
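One way to implement such a gate, as an added example that is not part of the original post or of the Azure Security Benchmark: a small Python step that reads the SARIF 2.1.0 report most SAST/DAST scanners emit and fails the pipeline stage when any unsuppressed finding reaches the chosen severity. The scanner name, rule ids, file paths and the `security-severity` rule property (a CVSS-like 0 to 10 score some scanners attach) are assumptions; the sample report is constructed.

```python
"""Build gate for SAST/DAST findings in SARIF 2.1.0 (added example, not page code).
Assumes the scanner sets `level` per result and optionally a CVSS-like
`security-severity` property on rules; the sample report below is constructed."""
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def severity_of(result, rules_by_id):
    """Rank a finding by its level; promote to error when its rule scores >= 7.0."""
    rank = LEVEL_RANK.get(result.get("level", "warning"), 2)
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = float(rule.get("properties", {}).get("security-severity", 0))
    return max(rank, 3) if score >= 7.0 else rank


def gate(sarif, block_at="error", honor_suppressions=True):
    """Return (passed, blocking): blocking lists (ruleId, file) at or above block_at."""
    threshold = LEVEL_RANK[block_at]
    blocking = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            if honor_suppressions and res.get("suppressions"):
                continue  # reviewed and suppressed in source or in the tool
            if severity_of(res, rules) >= threshold:
                loc = res.get("locations", [{}])[0].get("physicalLocation", {})
                blocking.append((res.get("ruleId"), loc.get("artifactLocation", {}).get("uri")))
    return (not blocking, blocking)


def _loc(path):
    return [{"physicalLocation": {"artifactLocation": {"uri": path}}}]


# Constructed sample: a high-severity SQL injection finding, a suppressed duplicate,
# and a low-severity logging finding. Rule ids and paths are illustrative.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "SQLI-001", "properties": {"security-severity": "9.8"}},
        {"id": "LOG-002", "properties": {"security-severity": "3.1"}}]}},
    "results": [
        {"ruleId": "SQLI-001", "level": "warning", "locations": _loc("src/db.py")},
        {"ruleId": "SQLI-001", "level": "error", "suppressions": [{"kind": "inSource"}],
         "locations": _loc("src/legacy.py")},
        {"ruleId": "LOG-002", "level": "warning", "locations": _loc("src/log.py")}]}]}

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_SARIF)
    print("PASS" if passed else f"BLOCK: {findings}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Note that a finding reported only as a `warning` is still promoted to blocking when its rule carries a high `security-severity` score, so scanner level alone does not decide the gate.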
During the DevOps Lifecycle
Ensure workloads are protected throughout their lifecycle during development, testing, and deployment. Use the Azure Security Benchmark to evaluate controls such as: network security, identity management, privileged access, and more, which can be set as guardrails by default, or shifted left before the deployment phase.
Enable logging and monitoring in DevOps
Make sure your logging and monitoring scope includes non-production environments and CI/CD workflow elements used in DevOps (and any other development process). Vulnerabilities and threats targeting these environments can pose significant risks to your production environment if not properly monitored. Events from the CI/CD build, test, and deploy workflows should also be monitored to identify deviations in the CI/CD workflow jobs.