Azure DevOps: Enabling DevSecOps in Azure
Learn about Azure services that can help you set up an integrated DevSecOps pipeline in the Azure cloud.
What Is Azure DevOps?
Azure DevOps is an application development service suite that helps DevOps teams plan workflows, build code collaboratively, and implement deployment. It helps organizations promote collaborative work culture, supporting DevOps processes that bring project managers, developers, and other contributors together. Azure DevOps can be used to promote a DevSecOps process in which security is integrated into all stages of the development lifecycle.
Organizations can use Azure DevOps to create, publish, and modify products in fast, frequent release cycles. It provides a competitive edge by enabling faster software development than traditional approaches. Azure DevOps Services support cloud-based software development workloads, while Azure DevOps Server supports on-premises workloads.
Related content: Read our guide to DevOps tools
Azure DevOps Services and Tools
Azure DevOps provides the following components that can help you build a full DevSecOps pipeline in the Azure cloud.
Azure Boards
Azure Boards helps development teams manage and collaborate on software projects. It supports processes based on Agile, Scrum, and Kanban methodologies, calendar views, configurable dashboards, and consolidated reporting across multiple projects.
Azure Repos
Azure Repos is a version control system that can help teams of developers manage their work on a codebase. Azure Repos helps keep track of changes to code over time, save work done by developers, and coordinate code changes across a team. As developers work on code, they can instruct Azure Repos to take a snapshot of a file. These snapshots are stored permanently, so any member of the team can recall them when needed.
Azure Pipelines
Azure Pipelines automatically builds and tests code projects. It works with all popular languages and project types, and is suitable both for open source and commercial software projects. Azure Pipelines provides a full continuous integration and continuous delivery (CI/CD) pipeline to test, build, and deploy code to any destination.
Implementing a CI/CD pipeline with Azure Pipelines ensures consistent, high-quality builds that are ready to release to users. Key capabilities include:
- Simultaneous deployment to different targets
- Integration with Azure infrastructure for deployment automation
- Support for build servers running on Windows, Linux, or macOS
- Integration with GitHub
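The build-and-test pipeline described above, as an added example that is not part of the original article or of Microsoft's own documentation. It assumes a Dockerfile at the repository root and an image name of example-app; the scan step uses the Trivy container image and fails the job on HIGH or CRITICAL findings so that a vulnerable image is never marked ready for release.

```yaml
# azure-pipelines.yml (added example; example-app and the Dockerfile path are assumed)
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

variables:
  imageName: example-app            # assumed image name

stages:
  - stage: Build
    jobs:
      - job: BuildAndScan
        steps:
          - task: Docker@2
            displayName: Build container image
            inputs:
              command: build
              repository: $(imageName)
              dockerfile: Dockerfile
              tags: $(Build.BuildId)

          # Security gate: scan the freshly built image and fail the job on
          # HIGH/CRITICAL vulnerabilities. --ignore-unfixed suppresses findings
          # that no package update can yet address, so the gate stays actionable.
          - script: |
              docker run --rm \
                -v /var/run/docker.sock:/var/run/docker.sock \
                aquasec/trivy:latest image \
                  --exit-code 1 \
                  --severity HIGH,CRITICAL \
                  --ignore-unfixed \
                  $(imageName):$(Build.BuildId)
            displayName: Trivy vulnerability gate
```

A non-zero exit code from the scan step fails the job, so later stages (push, deploy) are skipped unless they are explicitly configured to run on failure.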
Azure Test Plans
Azure Test Plans allows software development teams to collaboratively manage manual testing efforts, in order to improve quality throughout the development process. It provides a browser-based test management solution that enables:
- Planning manual testing activity
- Conducting user acceptance testing (UAT)
- Conducting exploratory testing
- Gathering feedback from stakeholders
Azure Artifacts
Azure Artifacts allows developers to share code and manage all packages in one place. It lets developers publish packages to a feed and share them within their teams, across the organization, or publicly. Developers can also use packages from feeds created by other developers or organizations, as well as public registries such as NuGet.org and npmjs.com.
Azure Artifacts supports several package management systems: NuGet, npm, Python, Maven, and Universal Packages.
Additional Services that Enable DevSecOps in Azure
DevSecOps requires additional components beyond the development pipeline itself. Azure offers several additional services that can help organizations implement DevSecOps workflows.
Bridge to Kubernetes
Bridge to Kubernetes is an Azure DevOps tool (replacing the Dev Spaces tool), which facilitates Kubernetes application development by helping run containers and debug code. Developers often need to manage multiple development and testing tasks simultaneously while accessing Kubernetes and Docker configuration files for different services. It can be challenging to test applications locally while interacting with dependent services.
Bridge to Kubernetes lets developers run code and debug issues on their own machines, connecting them to the Kubernetes cluster that houses other services and application components. It supports end-to-end code testing and development cluster sharing. Developers can hit breakpoints on their running code.
Azure Identity and Access Management
Microsoft Identity Platform is an IAM service based on Azure Active Directory (Azure AD). Developers can use it to create applications that use Microsoft identities to sign in and obtain tokens for calling Microsoft APIs. They can also use Microsoft identities to protect their own APIs.
Azure Active Directory Business-to-Customer (B2C) is an identity-as-a-service offering. Customers can access all apps and APIs via single sign-on using their social, local, or enterprise account identities.
Cloud resource access management is critical for organizations with cloud-based applications. Azure Role-Based Access Control (Azure RBAC) facilitates access permission management, providing organizations with greater control over which users can access their Azure resources and how. The Microsoft Identity Platform also offers authentication for DevOps tools, providing native Azure DevOps support and facilitating GitHub Enterprise integrations.
Azure Key Vault
Azure Key Vault is a secret and key management service that allows organizations to securely store and manage access to secrets, including passwords, tokens, certificates, and API keys. It enables the centralized storage of application secrets for enhanced control over secret distribution.
Key Vault minimizes the risk of accidental exposure by allowing developers to use secrets without storing them within the application. This also simplifies coding, because developers do not have to embed secret material in the code. When an application needs to connect to a database, it retrieves the connection string from the secure store at runtime. However, it is important to ensure developers actually use Key Vault to secure their secrets rather than falling back to configuration files or pipeline variables.
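The pattern described above, as an added example that is not part of the original article: the weak setting (a secret written into the pipeline definition, and therefore into version control) shown commented out beside the corrected form, which fetches the secret from Key Vault with the AzureKeyVault@2 task. The service connection name example-service-connection, the vault name example-kv, the secret name DbConnectionString and the script run-migrations.sh are all assumed.

```yaml
# Fragment of azure-pipelines.yml (added example; all names below are assumed)
pool:
  vmImage: ubuntu-latest

# Weak pattern: the secret lives in the pipeline YAML and is committed to the repo.
# variables:
#   DbConnectionString: 'Server=db;User=app;Password=hunter2'   # never do this

steps:
  # Corrected pattern: pull the secret from Key Vault at run time. Only the
  # secrets named in SecretsFilter are fetched; each becomes a masked pipeline
  # variable of the same name for the remainder of the job.
  - task: AzureKeyVault@2
    displayName: Fetch secrets from Key Vault
    inputs:
      azureSubscription: 'example-service-connection'   # assumed service connection
      KeyVaultName: 'example-kv'                        # assumed vault name
      SecretsFilter: 'DbConnectionString'              # assumed secret name
      RunAsPreJob: false

  # Pass the secret to the script via an environment variable rather than on
  # the command line, so it does not appear in process listings or step logs.
  - script: ./run-migrations.sh
    displayName: Run database migrations
    env:
      DB_CONNECTION_STRING: $(DbConnectionString)
```

The identity behind the service connection needs only the Key Vault "get" secret permission (or the Key Vault Secrets User role) on that vault, which keeps the pipeline's reach limited to the secrets it actually consumes.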
Azure Policy
Azure Policy is one of the Azure platform’s cloud hardening capabilities. Hardening is important because most clouds favor usability over security to support smooth business operations. Azure Policy helps organizations adjust the default settings for cloud deployments, ensuring that configurations align with organizational policies.
Azure Policy allows administrators to define the hardening for cloud services and resources using desired state configuration (DSC) methods. It provides alerts and can block or remediate deployments. Azure Policy offers enforcement environments, which should be an integral part of the Azure tenant subscription plan.
Admins can apply policies at various levels, including subscription, resource group, and management group. These policies help enforce compliance through the deployment process, from testing/staging to production. DevOps teams mature over time and should eventually incorporate security into their daily operations. In addition to Azure Policy, they can leverage Azure Advisor and Azure Security Center services to enhance their security posture.
A disadvantage of Azure Policy is that, while it is very flexible and provides granular control, it can be complex to configure and manage.
Related content: Read about other tools beyond the Azure cloud in our guide to DevSecOps tools
Learn more about chain-bench, an open source tool from Aqua that can help you secure the Azure DevOps toolset
Azure DevSecOps with Aqua Security
Aqua enables organizations to automate security controls from source to runtime, helping to secure the software supply chain by protecting the integrity of the code base and pipeline. Aqua spots and fixes dangerous misconfigurations in your Azure DevOps environment and helps establish a zero-trust DevOps environment.
Aqua enforces Least Privilege Access, so you can easily audit privileges across your SDLC, and detect which users have access to code repositories, CI pipelines, or Artifact registries. Then enforce least privilege policies and implement separation of duties to reduce security risks and meet compliance requirements.
More details about how to integrate Azure DevOps with Aqua:
- Integrate Azure Pipelines with the Aqua supply chain security module to protect the integrity of your source code, builds, and deployments.
- Use the Aqua Azure extensions in your Azure pipeline to add a build step that scans your images or serverless functions. For images in a registry, Aqua applies the Default Image Assurance Policy.
And don’t forget to protect your workloads at runtime. Check our full lifecycle security protection for Azure containers and Azure Functions.
Take a look at new Azure initiatives together with Trivy:
- Use ImageCleaner, based on Azure Eraser and Trivy, to clean up stale images on your Azure Kubernetes Service cluster.
- Use Microsoft Defender for container registries together with Trivy to identify vulnerable container images in your CI/CD workflows.