Embedding Zero Trust security into your developer workflow

מאמר
04/17/2024

As a developer, you need to feel confident and secure to move at speed. The need for security starts as soon as you clone your code. In this article, you'll learn how to develop using Zero Trust principles so that you can innovate quickly and securely. The Zero Trust security strategy and approach for designing and implementing applications comprises these principles:

Verify explicitly. Always authenticate and authorize based on all available data points.
Use least privilege access. Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach. Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Embedding security into your workflow helps you to:

Pinpoint security vulnerabilities more quickly.
Provide more secure developer tooling.
Create connections to improve collaboration between security and development teams.

Power innovation and secure your workflow as you create code

Microsoft's unified solution, illustrated in the following diagram, bridges across DevOps and SecOps teams to help you accelerate and secure code-to-cloud development.

Our solution to safeguard DevOps relies on two main components: providing developers with tooling to power innovation and securing the developer workflow as developers create code. Watch the Accelerate and secure your code to cloud development session from Microsoft Build 2022 to learn how these components can secure your development environment.

Implement the following best practices that work together in Azure and GitHub to secure your development solution.

Because security starts when developers clone code, enable DevSecOps with Azure and GitHub to bridge across DevOps and SecOps teams and secure your development environments.
Provide flexible and powerful developer tools for any developer, language, and stack with Visual Studio and Visual Studio Code.
Simplify new developer onboarding and third-party collaboration with an entire development lifecycle tool in the cloud using GitHub Codespaces and Microsoft Dev Box.
Include built-in intellectual property protection for code that you no longer disperse into multiple locations. Help your teams collaborate, develop, automate, and deploy code wherever they want with GitHub Actions and Azure Pipelines.
Get security guidance and continuous security feedback within the developer workflow with code scanning, secret scanning, and dependency review using GitHub Advanced Security.
Instill zero-trust security throughout your organization using identity management services in Microsoft Entra ID.

Fit Zero Trust security into your development lifecycle

From pre-commit to commit through deploy then operate and monitor, you need security solutions in place throughout all of your development lifecycle stages.

Pre-commit stage

Threat modeling
IDE security plug-in
Pre-commit hooks
Secure coding standards
Peer review

Eighty-five percent of code defects appear during the development pre-commitment phase, mostly due to human error. Focus on security before you commit your code by writing your code in Visual Studio Code, Visual Studio, or GitHub Codespaces to identify vulnerabilities and secure code. Use peer reviews to encourage secure coding practices.

Commit (CI) stage

Static code analysis
Security unit tests
Dependency management
Credential scanning

During the commit stage, use extensive security methods to review your code (including static code analysis) and scan your code as you check it into your source control. Use credential scanning (also known as secret scanning or token scanning) to expose credentials that you may have inadvertently introduced into the codebase. Catch insecure dependencies before you introduce them to your environment with dependency review.

Deploy (CD) stage

Infrastructure as code (IaC) scanning
Dynamic security scanning
Cloud configuration checks
Security acceptance tests

During the deploy stage, look at the overall health of your codebase and perform high-level security scanning to identify risks. Perform cloud configuration checks, infrastructures code checks, and security acceptance tests to ensure alignment with organizational security goals.

Operate and monitor stage

Continuous monitoring
Threat intelligence
Blameless postmortems

During the operate and monitor phase, use continuous monitoring and threat intelligence to mitigate overall dependency vulnerabilities that you may inherit over time. Perform postmortems to take away lessons learned and continue iterating through your DevOps cycle.

Implement dependency, code, and secret scanning

To make securing code easier for developers, use native and automated capabilities to provide continuous feedback with continuous security features throughout your development lifecycle. Provide overall security to developers and communities with GitHub Advanced Security dependency scanning, code scanning, and secret scanning.

Dependency scanning

Integrated review of dependencies
Alerts and security updates

Get risk levels of dependencies and automated fixes to vulnerable dependencies in your codebase with continuous dependency scanning. As a continuous process, it nudges your developers in the right direction in a friendly and non-obtrusive way.

Code scanning

Extensible framework for code scanning
Integrated within the developer workflow
Backed by industry leading CodeQL engine

Implement code scanning as you generate code with no other steps to run at separate locations. Ease fixes early in your development lifecycle by viewing scanning results in your familiar GitHub user experience.

Secret scanning

Scan for leaked secrets in public and private repos
Partnership with 40+ providers
Push protection
- Move from remediation to prevention
- Check for high-confidence secrets
- Enable protection with one click

Scan your code for hardcoded credentials and tokens with secret scanning. Push protection scans for secrets and tokens before you push to your codebase. Check for high-confidence secrets as developers push code, blocking the push when GitHub identifies a secret.

Manage and secure workload identities

Lifecycle management
Access governance
Secure adaptive access

Get visibility into the activity of your workload identities and enable periodic cleanup. Determine who owns workload identities and how you keep this information up to date across organization changes. Track when you have last used workload identities, when you last issued tokens and when tokens expire.

To mitigate the potential for leaked secrets and credentials, periodically conduct access reviews. Require users to review their workload identities and remove unnecessary access privileges. Have users report overprivileged and underutilized access privileges. Discuss how you'll protect workload identities from breach. Enable conditional access to ensure that access is originating from expected resources.

Secure identities with GitHub OIDC and Microsoft Entra Workload ID Federation

To further secure your organization, use GitHub OpenID Connect (OIDC) with Microsoft Entra Workload Identity Federation and minimize the need to store and access secrets. Securely manage Azure server principal secrets and other long-lived cloud credentials resources to minimize service downtime due to expired credentials. Integrate with developer platforms, like GitHub Actions, to securely build your apps.

Our recommended Workload Identity Federation workflow, illustrated in the following diagram, comprises six steps.

Set up trust in Microsoft Entra ID and request a token.
Configure the GitHub workflow to allow actions to get the token.
GitHub workflow sends a request to Azure ID.
Microsoft Entra ID validates the trust on the application and fetches the keys to validate the token.
Microsoft Entra ID accesses and issues the token.
The deploy action uses the Microsoft Entra access token to deploy to resources in Azure.

Watch April Edwards, Senior Cloud Advocate and DevOps Practice Lead, demo the Workload Identity Federation workflow. The demonstration begins at the 19:14 mark in the Accelerate and secure your code to cloud development Microsoft Build 2022 session that is also available on YouTube (embedded below).

Next steps

Sign up for Azure Developer CLI, an open-source tool that accelerates the time it takes to get started on Azure.
Configure Azure to trust GitHub's OIDC as a federated identity. OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in Azure without needing to store the Azure credentials as long-lived GitHub secrets.
Implement Zero Trust principles as described in memorandum 22-09 (in support of US executive order 14028, Improving the Nation's Cyber Security) by using Microsoft Entra ID as a centralized identity management system.
Accelerate and secure your code with Azure DevOps with tools that give developers the fastest and most secure code to cloud experience.
Securing the developer environment helps you to implement Zero Trust principles in your development environments with best practices for least privilege, branch security, and trusting tools, extensions, and integrations.
Securing DevOps environments for Zero Trust describes best practices for securing your DevOps environments for preventing hackers from compromising developer boxes, infecting release pipelines with malicious scripts, and gaining access to production data via test environments.
Customizing tokens describes the information that you can receive in Microsoft Entra tokens and how to customize tokens to improve flexibility and control while increasing application zero trust security with least privilege.
Configuring group claims and app roles in tokens shows you how to configure your apps with app role definitions and assign security groups to app roles to improve flexibility and control while increasing application zero trust security with least privilege.