Securing with Secrets
Compliant Development Process
Configuration is an important aspect of determining an application’s behavior. Settings files often include sensitive information like passwords and API keys. In this course, we will look at how to protect that sensitive information while the app is being developed and when it is in production.
Azure’s App Configuration Service allows you to manage access to settings data, and we will see how to use it within a .NET application. We will look at using Azure Key Vault in conjunction with App Configuration Service, and at how to access Azure Key Vault directly from your application and from apps running in a container within a Kubernetes cluster.
Next, we look at the idea of shifting security testing left within your development process, and how we can automate security testing as part of implementing a compliant development process. Much of this will involve using extensions from the Azure marketplace within your DevOps build pipeline.
This course contains numerous demonstrations from the Azure platform so that you can get a first-hand look at the topics we will be covering. If you have any feedback relating to this course, please contact us at firstname.lastname@example.org.
- Learn about app configuration
- Run and deploy apps with the Azure App Configuration service
- Use Azure Key Vault to store secrets and certificates
- Access Key Vault directly from your apps, including those running within a Kubernetes cluster
- Create a compliant development process by integrating code analyzers, branch policies, quality gates, open-source library scanning, and automated penetration testing into a build pipeline
- Intermediate-level developers, DevOps engineers, and product managers
- Anyone interested in learning how to implement secure app configurations and development pipelines
To get the most out of this course, you should have some pre-existing knowledge of software development and of using Microsoft Azure.
So far, I've been talking exclusively about Visual Studio and demonstrating in C#, which I guess is fair enough as it is a Microsoft technology like Azure DevOps. Obviously, there are a lot of other programming languages out there and in fact, C# is not the most popular by a long way. I want to look at integrating SonarCloud into my pipeline.
For all intents and purposes, SonarCloud is language agnostic. It supports COBOL through to Go and all the usual suspects in between, such as Java, PHP, Python, Ruby, Scala, and Swift, quite an extensive list. SonarCloud is a service that can be integrated into Azure DevOps via an extension. I'll just go to the marketplace and search for SonarCloud. So here we can see SonarQube and SonarCloud. Now, SonarCloud is the one we're after. SonarQube is for use with on-premises code repositories. Right, I'll just hit Get it Free.
Okay, it looks like I'm not logged in as the account administrator. Yes, for reasons too complicated and pedestrian to go into, I'm going to have to open up another browser and approve that request and install the extension. Back at the project, I need to set up a service connection to SonarCloud. It's easy enough. I just go into New service connection and select it from the dropdown.
Next, I need to go over to my SonarCloud account, and under Security, I'm going to generate a new token for the howlinuxconfig project that I've already set up as public. With SonarCloud you can have a free account as long as it's public, so I need to make sure that my Azure DevOps project is also public. Just paste in the SonarCloud token and verify it, and I'll give the service connection a name and verify and save.
So now I can go back to my pipeline and add the Sonar tasks. This is a three-step process, which involves adding a preparation task followed by the code analysis task and then publishing the results of the analysis. Firstly, I will add the Prepare Analysis Configuration task, which is going to go before my build task. This task basically sets up the connection with SonarCloud using the already created service connection, using our project key, which just coincidentally happens to be my project name, and then the project name. Add that.
Next, I need to add the task that will do the actual code analysis, so it's just a simple add. And finally, the task that's going to publish the results, which I'll just add straight after the SonarCloud analysis task. I'll add a comment basically to the effect that we've added SonarCloud. And I'll save that, which will trigger my pipeline to run. We'll just quickly run through the build. The SonarCloud tasks are executing without incident.
To see the results of the SonarCloud analysis, we go to the build summary and under the Extensions tab, click on the link to SonarCloud. So under Security, we can dig into what looks like an E rating, which doesn't look too good. We can see that the usual unused variables have been highlighted. We can actually dig through the project structure to look at the different files where the issues are, and here again, we can see the same SQL injection type issues being highlighted, plus a bug.
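The three-task sequence walked through above in the classic pipeline editor (prepare before the build, analyse after it, then publish the result) can also be expressed as an Azure Pipelines YAML definition. The following is an added example written for this page, not the course's own pipeline. It assumes a service connection named `SonarCloud` (created as in the transcript), a hypothetical SonarCloud organisation key `my-org`, the project key `howlinuxconfig` used in the course, a .NET project built with the `DotNetCoreCLI@2` task, and a `master` branch as the trigger. The task names `SonarCloudPrepare@1`, `SonarCloudAnalyze@1` and `SonarCloudPublish@1` are the ones the marketplace extension installs.

```yaml
# Added example: YAML form of the three SonarCloud tasks added in the
# classic editor in the transcript. Not the course's own pipeline.
# Assumptions: service connection 'SonarCloud', organisation key 'my-org'
# (hypothetical), project key 'howlinuxconfig' (the course's project name),
# a .NET solution built with the DotNetCoreCLI task, and a 'master' branch.
trigger:
  - master

pool:
  vmImage: 'windows-latest'

variables:
  buildConfiguration: 'Release'

steps:
  # 1. Prepare: must run BEFORE the build so the scanner can hook into
  #    MSBuild and collect data while the solution compiles.
  - task: SonarCloudPrepare@1
    displayName: 'Prepare analysis on SonarCloud'
    inputs:
      SonarCloud: 'SonarCloud'       # service connection name (assumption)
      organization: 'my-org'         # hypothetical organisation key
      scannerMode: 'MSBuild'         # .NET projects are analysed via MSBuild
      projectKey: 'howlinuxconfig'   # same as the project name, as in the course
      projectName: 'howlinuxconfig'

  # 2. Build (and, if you have them, test) exactly as before; the scanner
  #    prepared in step 1 records what it needs during this step.
  - task: DotNetCoreCLI@2
    displayName: 'dotnet build'
    inputs:
      command: 'build'
      projects: '**/*.csproj'
      arguments: '--configuration $(buildConfiguration)'

  # 3. Analyse: runs the end step of the scanner and uploads the collected
  #    data to SonarCloud.
  - task: SonarCloudAnalyze@1
    displayName: 'Run Code Analysis'

  # 4. Publish: waits for SonarCloud to compute the quality gate and shows
  #    the result on the build summary (the Extensions tab in the transcript).
  - task: SonarCloudPublish@1
    displayName: 'Publish Quality Gate Result'
    inputs:
      pollingTimeoutSec: '300'       # how long to wait for the gate result
```

Two practitioner notes on this layout. Ordering matters: if the prepare task is placed after the build, the analysis step has nothing to report, because the .NET scanner works by wrapping the MSBuild run rather than by scanning source files afterwards. And the publish task surfaces the quality gate result on the build; whether a failed gate also fails the build depends on how the extension and project are configured, so for a genuinely compliant process enforce the gate with the branch policies and build validation the course covers rather than relying on the build summary being read.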
Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality, reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.