Shifting Security to the Left with Secure DevOps Kit for Azure (AzSK)
In modern software development, security is a major concern. With software being the interface for businesses, the impact of a security breach on a business is huge. Focusing on the security of your applications at the end of the development cycle is not good enough. Security must be part of each stage of development, and development teams must adopt the shift-left approach for security.
Secure DevOps Kit for Azure (AzSK) is a set of tools, extensions and automation focused on maintaining security controls across different stages of development. AzSK was created by the Core Service Engineering & Operations division at Microsoft, and it was developed with the purpose of helping Microsoft accelerate the adoption of Azure. Though it's not an official Microsoft product, it has been opened to the public with great documentation and a set of tools, scripts, extensions and automation that we can use in our day-to-day development as well. Let's take a deeper look at Secure DevOps Kit for Azure.
Areas of Focus
Secure DevOps Kit for Azure mainly focuses on 6 areas.
For your cloud applications to be secure, having a secure cloud subscription is critical: a secure subscription provides the foundation for all subsequent development and deployments. AzSK provides the capabilities to analyze aspects like Azure RBAC, ARM policies, Security Center, etc. within an Azure subscription.
Security is important during the early stages of coding as well. Developers need to be able to deliver secure code and assess the security configuration of the cloud applications and resources that they are deploying the code to. AzSK provides the capability of running Security Verification Tests that can check Azure resources for security issues.
Automating practices that improve the quality of the application as part of the CI/CD pipelines is crucial. Security must also be part of these pipelines. AzSK provides extensions that allow you to run Security Verification Tests and Infrastructure Code Verification as part of your CI/CD pipelines.
In modern software development, security is not an activity that you do at the end of development. It has to be a continuous activity. AzSK provides Azure Automation Runbooks that allow you to continuously assess the security state of the application and resources.
Alerting & Monitoring
Alerting and monitoring are equally important when it comes to security. Even if you are implementing security controls, if you are not effectively monitoring them and getting timely alerts, you may miss critical security issues. AzSK supports sending events to Azure Log Analytics workspaces and creating monitoring dashboards and alerts based on these events.
Cloud Risk Governance
AzSK generates events and telemetry in all its activities, allowing you to capture usage, adoption and evaluation results that enable you to make measured improvements to high-risk and maximum-usage areas.
Source: Secure DevOps Kit for Azure Documentation
What is Included in Secure DevOps Kit for Azure (AzSK)
All the available functionality is packaged as a PowerShell module that can be downloaded and installed from the PowerShell Gallery. This module contains various PowerShell cmdlets that allow you to analyze different aspects of your cloud solution.
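A first scan with the module could look like the following. This is an added example, not code from the original article or the AzSK project; the subscription ID is a placeholder, and the report file name pattern and the `Status` and `ControlSeverity` column names are assumptions about the scan's CSV output.

```powershell
# Added example. Placeholder subscription ID: replace with your own.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'

# Install AzSK from the PowerShell Gallery for the current user only,
# so no administrator rights are required on the workstation.
if (-not (Get-Module -ListAvailable -Name AzSK)) {
    Install-Module -Name AzSK -Scope CurrentUser
}
Import-Module AzSK

# Sign in to Azure before scanning.
Connect-AzAccount | Out-Null

# Subscription-level controls (RBAC, ARM policies, Security Center, ...).
$subScan = Get-AzSKSubscriptionSecurityStatus -SubscriptionId $SubscriptionId `
    -DoNotOpenOutputFolder

# Security Verification Tests against the resources in the subscription.
$svcScan = Get-AzSKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId `
    -DoNotOpenOutputFolder

# Assumption: each scan returns its output folder, which holds a
# SecurityReport*.csv file with one row per evaluated control.
$rows = foreach ($folder in @($subScan, $svcScan)) {
    Get-ChildItem -Path $folder -Filter 'SecurityReport*.csv' -Recurse |
        ForEach-Object { Import-Csv -Path $_.FullName }
}

# Summarize results by status and severity
# (column names are assumptions, see the lead-in).
$rows | Group-Object -Property Status, ControlSeverity |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# Shift-left gate: stop when any Critical or High control has failed.
$blocking = @($rows | Where-Object {
    $_.Status -eq 'Failed' -and $_.ControlSeverity -in 'Critical', 'High'
})
if ($blocking.Count -gt 0) {
    $blocking | Format-Table -Property ControlID, ResourceName, ControlSeverity
    Write-Error "$($blocking.Count) Critical/High controls failed."
    exit 1
}
```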
AzSK provides capabilities to different stakeholders in the organization, from development, deployment and operations teams to IT security and compliance teams. All of them can leverage different functionalities provided by Secure DevOps Kit for Azure. Details about what you can use AzSK for are available in the documentation.
Secure DevOps Kit for Azure also provides the capability to secure your Azure DevOps accounts with AzSK for Azure DevOps (Preview), which also comes as a PowerShell module that can be installed from the PowerShell Gallery. You can use the toolkit to scan your Azure DevOps organization for certain security controls, which helps you secure that organization. More information about AzSK for Azure DevOps (Preview) can be found in the documentation.
In this article, we talked about Secure DevOps Kit for Azure: the areas the toolkit focuses on, the capabilities it provides, who should use the toolkit and where, and the benefits of using it. In subsequent articles, we will look into how to use certain capabilities of AzSK to improve your security controls on Azure and Azure DevOps.
July 06, 2019