Managing Application Config and Secrets
0 likes141 views
The document emphasizes the importance of holistic security practices throughout the application lifecycle and discusses specific threats such as SQL injection. It outlines a secure development process, including threat modeling, continuous security validation, and the use of tools like OWASP ZAP for vulnerability scanning. Additionally, it highlights the management of application configuration and secrets through external stores like Azure Key Vault and the need for tools to ensure security compliance.
Managing Application Config and Secrets
- 2. HELLO! I am Eng Teong Cheah Microsoft MVP You can find me at @walkercet 2
- 4. Introduction to Security ▰ Security is everyone’s responsibility and needs to be looked at holistically across the application life cycle. 4
- 5. SQL Injection Attack SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute malicious SQL statements. 5
- 6. 6 2Implement Secure & Compliant Development Processes
- 7. Threat Modeling ▰ Define security requirements ▰ Create an application diagram ▰ Identify threats ▰ Mitigate threats ▰ Validate that threats have been mitigated 7
- 8. Key Validation Points ▰ Continuous security validation should be added at each step from development through production 8
- 9. Continuous Integration ▰ The CI build should be executed as part of the pull request (PR-CI) process and once the merge is complete ▰ Be sure to scan third party packages for vulnerabilities and check OSS license usage 9
- 10. Infrastructure Vulnerabilities ▰ Be sure to validate the infrastructure ▰ Use the Azure Security Center and Azure Policies 10
- 11. Application Deployment to DEV and TEST ▰ OWASP ZAP can be used for penetration testing ▰ Testing can be active or passive ▰ Conduct a quick baseline scan to identify vulnerabilities ▰ Conduct nightly more intensive scans 11
- 12. Results and Bugs 12 ▰ OWASP ZAP provides a report with results and bugs ▰ Use a holistic and layered approach to security
- 14. Rethinking Application Config Data 14 ▰ ▰ ▰
- 16. External Configuration Store Patterns 16 ▰ ▰
- 17. Integrating Azure Key Vault with Azure Pipeline 17 ▰
- 18. 18 4 Manage Secrets, Tokens, and Certificates
- 19. Manage Secrets, Tokens & Certificates 19 ▰ ▰ ▰ ▰ ▰
- 20. Kubernetes and Azure Key Vault 20 ▰ ▰ ▰ ▰
- 21. 21 5Implement Tools for Managing Security and Compliance
- 23. Implement Continuous Security Validation 23 ▰
- 24. 24 THANKS! Any questions? You can find me at @walkercet