Shifting Security to the Left with Secure DevOps Kit for Azure (AzSK)

In modern software development, security is a major concern. Because software is an interface to the business, the impact of a security breach on the business is huge. Focusing on the security of your applications only at the end of the development cycle is not good enough. Security must be part of every stage of development, and development teams must adopt the shift-left approach to security.

Secure DevOps Kit for Azure (AzSK) is a set of tools, extensions and automation for maintaining security controls across the different stages of development. AzSK was created by the Core Service Engineering & Operations division at Microsoft to help Microsoft accelerate its adoption of Azure. Though it is not an official Microsoft product, it has been opened to the public with great documentation and a set of tools, scripts, extensions and automation that we can use in our day-to-day development as well. Let’s take a deeper look at Secure DevOps Kit for Azure.

Areas of Focus

Secure DevOps Kit for Azure mainly focuses on 6 areas.

Subscription Security

A secure cloud subscription is critical to the security of your cloud applications, because it is the foundation on which all subsequent development and deployments rest. AzSK provides the capabilities to analyze aspects like Azure RBAC, ARM policies, Security Center, etc. within an Azure Subscription.

Secure Development

Security is important during the early stages of coding as well. Developers need to have the capability to deliver secure code and assess the security configuration of the cloud applications/resources that they are deploying the code to. AzSK provides the capability of running Security Verification Tests that can check Azure resources for security issues.

CI/CD Integration

Automating practices that improve the quality of the application as part of the CI/CD pipelines is crucial, and security must also be part of these pipelines. AzSK provides extensions that allow you to run Security Verification Tests and Infrastructure Code Verification as part of your CI/CD pipelines.

Continuous Assurance

In modern software development, security is not an activity that you do at the end of development. It has to be a continuous activity. AzSK provides Azure Automation Runbooks that allow you to continuously assess the security state of the application and its resources.

Alerting & Monitoring

Alerting and monitoring are equally important when it comes to security. Even if you implement security controls, you may miss critical security issues if you do not monitor them effectively and receive timely alerts. AzSK supports sending events to Azure Log Analytics Workspaces and creating monitoring dashboards and alerts based on these events.

Cloud Risk Governance

AzSK generates events and telemetry in all its activities allowing you to capture the usage, adoption and evaluation results that enable you to make measured improvements to high risk and maximum usage areas.

Figure: Secure DevOps Kit for Azure. Source: Secure DevOps Kit for Azure Documentation

What is Included in Secure DevOps Kit for Azure (AzSK)

All the available functionality is packaged as a PowerShell module that can be downloaded and installed from the PowerShell Gallery. This module contains various PowerShell cmdlets that allow you to analyze different aspects of your cloud solution.

A complete Installation Guide and complete Feature Set Details can be found in the official documentation, which is rich in detail.
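The sketch below is an added example, not code from the AzSK project or its documentation. It installs the module from the PowerShell Gallery, runs AzSK's subscription and resource scan cmdlets, and then filters a scan report down to the findings that should block a CI/CD stage. The function names, the sample rows and the report column names (`ControlID`, `Status`, `ControlSeverity`) are assumptions made for illustration; check them against the CSV your own scan produces.

```powershell
# Added example, not AzSK's own code. Function names here are hypothetical.
function Invoke-AzSKBaselineScan {
    param([Parameter(Mandatory)][string]$SubscriptionId)
    # Install from the PowerShell Gallery on first use (current user only, no admin needed).
    if (-not (Get-Module -ListAvailable -Name AzSK)) {
        Install-Module AzSK -Scope CurrentUser -Force
    }
    Import-Module AzSK
    # Subscription-level controls (Azure RBAC, ARM policies, Security Center, ...).
    Get-AzSKSubscriptionSecurityStatus -SubscriptionId $SubscriptionId
    # Security Verification Tests against the resources in the subscription.
    Get-AzSKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId
}

function Get-AzSKBlockingFinding {
    param(
        [Parameter(Mandatory)][object[]]$Report,
        [string[]]$BlockingSeverity = @('Critical', 'High')
    )
    # Only outright failures at the chosen severities block the pipeline;
    # every other status is left for human review rather than silently passed.
    $Report |
        Where-Object { $_.Status -eq 'Failed' -and $_.ControlSeverity -in $BlockingSeverity } |
        Sort-Object ControlSeverity, ControlID
}

# Constructed sample report: placeholder control IDs and resources, with
# column names assumed to match the CSV report written by a scan.
$sampleCsv = @'
ControlID,Status,FeatureName,ResourceName,ControlSeverity
Example_Subscription_Control_01,Failed,SubscriptionCore,example-sub,High
Example_Storage_Control_01,Failed,Storage,examplestore01,Medium
Example_AppService_Control_01,Passed,AppService,example-web,High
Example_KeyVault_Control_01,Verify,KeyVault,example-kv,Critical
'@

$report   = $sampleCsv | ConvertFrom-Csv
$blocking = @(Get-AzSKBlockingFinding -Report $report)
$blocking | Format-Table ControlID, ResourceName, ControlSeverity

if ($blocking.Count -gt 0) {
    # In a CI/CD step, follow this with 'exit 1' to fail the build.
    Write-Warning "$($blocking.Count) blocking AzSK finding(s)"
}
```

To use it against a real scan, replace the sample with `Import-Csv` on the report file from the scan's output folder.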

AzSK provides capabilities to different stakeholders in the organization, from development, deployment and operations teams to IT Security and Compliance teams. All of them can leverage different functionalities provided by Secure DevOps Kit for Azure. Details about what you can use AzSK for are available in the documentation.

What Else?

Secure DevOps Kit for Azure also provides the capability to secure your Azure DevOps accounts with AzSK for Azure DevOps (Preview), which also comes as a PowerShell module that can be installed from the PowerShell Gallery. You can use the toolkit to scan your Azure DevOps organization for certain security controls, which helps you secure that organization. More information about AzSK for Azure DevOps (Preview) can be found in the documentation.

Summary

In this article, we talked about Secure DevOps Kit for Azure: the areas the toolkit focuses on, the capabilities it provides, who should use it and where, and the benefits of using it. In subsequent articles, we will look into how to use certain capabilities of AzSK to improve your security controls on Azure and Azure DevOps.
