DevSecOps in Azure

Solution ideas

This article is a solution idea. If you'd like us to expand the content with more information, such as potential use cases, alternative services, implementation considerations, or pricing guidance, let us know by providing GitHub feedback.

DevSecOps prioritizes security throughout development and operations. The focus is on applying security best practices at the beginning of the development process ("shifting left"), when it's easier and cheaper to resolve security issues.

Architecture

[Figure: Architecture diagram showing the flow from the developer to the end user and where DevSecOps can be employed in Azure.]

Dataflow

  1. Azure Active Directory (Azure AD) is configured as the identity provider for GitHub. Multi-factor authentication (MFA) gives extra authentication security.
  2. Developers commit to GitHub Enterprise, driven by work items and bugs tracked with Azure Boards.
  3. GitHub Enterprise integrates automatic security and dependency scanning through GitHub Advanced Security and GitHub Open Source Security.
  4. Pull requests trigger CI builds and automated testing in Azure Pipelines.
  5. The CI build in Azure Pipelines generates a Docker container image that is stored to Azure Container Registry. It's used at release time by Azure Kubernetes Service.
  6. When the image is uploaded to Azure Container Registry, Microsoft Defender for Cloud scans the pushed image for Azure-native vulnerabilities and for security recommendations.
  7. A release on Azure Pipelines integrates the Terraform tool. It manages the cloud infrastructure as code, provisioning resources such as Azure Kubernetes Service, Azure Application Gateway, and Azure Cosmos DB.
  8. Azure Pipelines enables Continuous Delivery (CD) to Azure Kubernetes Service by accessing the Container Registry through a secure service connection.
  9. Azure Policy can be applied to Azure Pipelines to enforce post-deployment gateways and can be applied directly to the AKS engine for policy enforcement.
  10. Azure Key Vault is used to securely inject secrets and credentials into an application at runtime, abstracting sensitive information away from developers.
  11. End users can authenticate with Azure AD B2C. They are required to use MFA for extra security and are routed through an Application Gateway that provides load balancing and security for core services.
  12. Continuous monitoring with Azure Monitor extends to release pipelines to gate or roll back releases based on monitoring data. Azure Monitor also ingests security logs and can alert on suspicious activity.
  13. Microsoft Defender for Cloud provides active threat monitoring on the Azure Kubernetes Service at the Node level (VM threats) and for internals.
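
Steps 4, 5, and 8 expressed as a single Azure Pipelines definition. This is an added example, not part of the original article; the service connection names, registry host, image repository, environment name, test script, and manifest path are all placeholders.

```yaml
trigger: [main]
pr: [main]                                  # step 4: pull requests against main trigger CI
variables:
  acrConnection: example-acr-connection     # placeholder: Docker registry service connection
  aksConnection: example-aks-connection     # placeholder: Kubernetes service connection
  registryHost: exampleregistry.azurecr.io  # placeholder registry
  imageRepository: example/webapp           # placeholder repository
  tag: $(Build.BuildId)
stages:
- stage: Build
  jobs:
  - job: BuildAndTest
    pool: { vmImage: ubuntu-latest }
    steps:
    - script: ./run-tests.sh                # placeholder for the automated test step
    - task: Docker@2
      displayName: Build image
      inputs:
        command: build
        containerRegistry: $(acrConnection)
        repository: $(imageRepository)
        Dockerfile: '**/Dockerfile'
        tags: $(tag)
    - task: Docker@2
      displayName: Push image to Azure Container Registry   # step 5
      # Pull request builds are validation only: nothing is pushed from them.
      condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
      inputs:
        command: push
        containerRegistry: $(acrConnection)
        repository: $(imageRepository)
        tags: $(tag)
- stage: Deploy                             # step 8: CD to AKS through service connections
  condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
  jobs:
  - deployment: DeployToAKS
    environment: example-production         # approvals and checks attach to this environment
    pool: { vmImage: ubuntu-latest }
    strategy:
      runOnce:
        deploy:
          steps:
          - checkout: self                  # deployment jobs do not check out sources by default
          - task: KubernetesManifest@1
            inputs:
              action: deploy
              kubernetesServiceConnection: $(aksConnection)
              namespace: default
              manifests: manifests/deployment.yml
              containers: $(registryHost)/$(imageRepository):$(tag)
```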

Components

  • Azure AD provides identity and access management services for your organization, allowing control over access to the resources inside Azure, GitHub Enterprise, and Azure DevOps.
  • Source code is hosted on GitHub Enterprise, where developers can collaborate within your organization and the open-source communities. GitHub Enterprise offers advanced security features to identify vulnerabilities in the code you write and in open-source dependencies.
  • Use Azure Boards to plan work and track its progress, using Agile tools such as Kanban boards.
  • Azure Pipelines is a service that provides Continuous Integration and Continuous Delivery jobs to build and release your application automatically.
  • Host your Docker container images on Azure Container Registry. This service includes container image scanning through its integration with Microsoft Defender for Cloud.
  • Azure Kubernetes Service offers a Kubernetes cluster that is fully managed by Azure and ensures the availability and security of your infrastructure.
  • Terraform is a third-party product developed by HashiCorp that allows infrastructure automation on Azure and on other environments.
  • Azure Policy lets you create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. It also integrates with Azure Kubernetes Service.
  • You can use Azure Key Vault to store certificates, connection strings, tokens, and other secrets. This sensitive information is read by your application at run-time, so it's abstracted away from your developers.
  • Azure Cosmos DB is a globally distributed, multi-model database service that is fully managed and compatible with multiple APIs, including MongoDB, Cassandra, and SQL.
  • Azure Application Gateway is a Layer-7 load balancer that serves as the ingress for AKS. It has advanced routing rules and integrates a Web Application Firewall (WAF).
  • Azure Monitor collects logs and metrics from AKS. You get insights on the availability and performance of your application and infrastructure. It also gives you access to signals to monitor your solution's health and spot abnormal activity early.
  • Using Azure AD B2C, you can provide identity services to consumers (end users) of your application, even if they're not part of your organization.

Potential use cases

Some organizations utilize DevSecOps:

  • To help developers write more secure code, embracing security best practices.
  • To respond quickly to software supply chain vulnerabilities.
  • So teams can collaborate and release code faster and more securely.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author: Alessandro Segala | Product Marketing Manager for VS Code

Next steps