Securing with Secrets
Compliant Development Process
Configuration is an important aspect of determining an application's behavior. Settings files often include sensitive information such as passwords and API keys. In this course, we look at how to protect that sensitive information both while the app is being developed and when it is in production.
Azure's App Configuration service lets you manage access to settings data, and we will see how to use it from within a .NET application. We will look at using Azure Key Vault in conjunction with App Configuration, and at how to access Azure Key Vault directly from your application, including from apps running in a container within a Kubernetes cluster.
Next, we look at the idea of shifting security testing left within your development process, and at how we can automate security testing as part of implementing a compliant development process. Much of this involves using extensions from the Azure marketplace within your DevOps build pipeline.
This course contains numerous demonstrations from the Azure platform so that you can get a first-hand look at the topics we will be covering. If you have any feedback relating to this course, please contact us at email@example.com.
- Learn about app configuration
- Run and deploy apps with the Azure App Configuration service
- Use Azure Key Vault to store secrets and certificates
- Access Key Vault directly from your apps, including those running within a Kubernetes cluster
- Create a compliant development process by integrating code analyzers, branch policies, quality gates, open-source library scanning, and automated penetration testing into a build pipeline
- Intermediate-level developers, DevOps engineers, and product managers
- Anyone interested in learning how to implement secure app configurations and development pipelines
To get the most out of this course, you should have some pre-existing knowledge of software development and of using Microsoft Azure.
While you've been working away in Visual Studio, you have no doubt found the suggestions, the hints, the tooltips, whatever you want to call them, sometimes very helpful and sometimes quite a nuisance. They're included as part of the Roslyn code analyzer packages. If we go over to Solution Explorer and click on Dependencies and then Analyzers, you can expand the different analyzer packages. At the moment, we've got some warnings about unused variables, which in and of themselves aren't really a security risk.
Now it's possible to add other code analysis packages. I'll just open up the NuGet Package Manager and search for FxCop. Here it is at the top of the list: Code Analysis FxCop Analyzers. I'll just install that and accept the license agreement. Now we can see some extra packages have been added under Analyzers. You can expand the different analyzers and view the rules that they support, and if you right-click on a rule, you can see the rule severity and have a look at its properties.
Now that I've added the FxCop analyzers, when I do a rebuild, I see a bunch of warnings about SQL command strings accepting any user input. This is another way of saying that it is a possible entry point for injection attacks, specifically SQL injection attacks. If I click on that warning, I can drill down into the piece of code and see exactly where the issue is. What I can do is customize the rules, warnings and alerts for a particular analyzer. If I go to the NuGet folder under my profile and drill down into the FxCop folder, I can find the file that is related to the security rules under rulesets. The one I'm looking for is SecurityRulesEnabled.ruleset. I copy that file and paste it into the root of my project.
Okay, let's have a look inside that file by double-clicking, which brings up the rule set window, but we can also open it with the XML editor. So here we have a bunch of warnings, and at the very top there is "Review SQL queries for security vulnerabilities". What I'm going to do is change the action from a warning to an error. This is the same as right-clicking on the rule in Solution Explorer, selecting Severity from the context menu and changing the severity there. As it turns out, injection attacks, specifically SQL injection attacks, are the number one type of attack in the top 10 compiled by OWASP. To integrate these rules into my project, I need to add a code analysis rule set tag to my project file and then specify the file with the rules.
So I've edited the rule set. Now I'll just put in some actual code to call my deviant database procedures. Not that it's really necessary, as the analyzer is already picking up the problems. Now, when I compile the code, instead of getting a warning I get errors, and the compilation fails. These customizable rules and severity levels are a great way to enforce coding standards within your team and project. These analyzer packages can be added either as a Visual Studio extension or, as we have done here, just into the project itself.
Adding the packages and rules to the project means that everyone developing on the project gets the same set of rules. Obviously it doesn't make much sense to have the stored procedure name giving an error for SQL injection, so I'm going to change the action of the CA2100 rule back to warning from error.
Next, I'll commit the code to my repo, adding a little comment about adding the FxCop rules. I'll just push that to my repo. If I go over to the build pipeline, we can see a build has been triggered, and we can see the same warnings about SQL commands accepting user input displayed in our build task. The FxCop NuGet packages were pulled as part of the build process, and the customized rules were added to the source code repository.
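The following is an added example, not the course's own demo code, showing the kind of data-access code that CA2100 ("Review SQL queries for security vulnerabilities") reports, beside the parameterized form that it accepts. The `Users` table, its columns and the method names are made up for illustration. It assumes the rule set described above has been wired into the project by copying SecurityRulesEnabled.ruleset next to the .csproj, changing its CA2100 entry to `<Rule Id="CA2100" Action="Error" />`, and adding `<CodeAnalysisRuleSet>SecurityRulesEnabled.ruleset</CodeAnalysisRuleSet>` to a `<PropertyGroup>` in the project file.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (not from the course): three ways of building a SqlCommand,
// two of which trip CA2100 and one of which does not.
public static class UserRepository
{
    // Reported by CA2100 (build error once the rule is set to Error): the
    // command text is assembled from a method argument, so the analyzer cannot
    // prove it is free of attacker-supplied SQL. A userName such as
    //   x' OR '1'='1
    // turns the WHERE clause into one that matches every row.
    public static SqlCommand VulnerableLookup(SqlConnection conn, string userName)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Id, Email FROM Users WHERE Name = '" + userName + "'";
        return cmd;
    }

    // Not reported: the command text is a string literal, and the user value is
    // sent as a typed parameter, so the database never parses it as SQL.
    public static SqlCommand SafeLookup(SqlConnection conn, string userName)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Id, Email FROM Users WHERE Name = @name";
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        return cmd;
    }

    // Also reported, even though the intent is harmless: a stored procedure
    // name arriving through a variable looks to the analyzer exactly like
    // arbitrary SQL. This is the situation the course resolves by dropping
    // CA2100 back to a warning. An alternative that keeps Error for the rest
    // of the code base is to suppress the rule on this one statement with a
    // justification comment.
    public static SqlCommand CallProcedure(SqlConnection conn, string procName)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.StoredProcedure;
#pragma warning disable CA2100 // procName is a constant chosen by the caller, never user input
        cmd.CommandText = procName;
#pragma warning restore CA2100
        return cmd;
    }
}
```

Rebuilding with CA2100 set to Error fails on `VulnerableLookup` and, without the pragma, on `CallProcedure`; `SafeLookup` is unaffected. Because the rule set and the analyzer package are both committed with the project, the same failure is reproduced by the build pipeline rather than only on the developer's machine, which is what makes the rule enforceable rather than advisory.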
Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality, reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.