avatarDavid Olivas

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

3189

Abstract

m/blogs/software-security/top-open-source-licenses/">license risks</a>. It is very easy to implement and it’s free to use, although it is a limited version of the WhiteSource complete solution, it works pretty well.</p><p id="6d75">There are other great tools to make security checks of open-source components, such as <a href="https://snyk.io/product/open-source-security-management/">Snyk</a> and<a href="https://www.synopsys.com/software-integrity/open-source-software-audit.html"> Black Duck</a>. These tools also have Azure DevOps extensions to be easily implemented in Azure Pipelines.</p><h2 id="8647">Variable Groups and Key Vault Secrets</h2><p id="f0a6">Keeping sensitive information away from everyone’s eyes is another good practice to enforce security in the development cycle. We want sensitive information to be accessed and managed only by the chosen few and our pipeline.</p><p id="deb1">To achieve this we can store our sensitive information, which needs to be accessed by the pipeline, as Key Vault secrets in Azure, and then read the secret values from Azure Pipelines using variable groups linked to the Key Vault. There are other ways to access Key Vault secrets from a pipeline, but this is the most effective one most of the time, it all depends on our needs.</p><h1 id="d987">Azure Pipeline Example</h1><p id="dda3">In this example, we’ll see how to implement SonarCloud and WhiteSource Bolt in a pipeline to analyze our app’s code and open-source components when building.</p><blockquote id="54a0"><p>Check out these two posts about how to install and implement SonarCloud in an Azure Pipeline and how to use Azure Key Vault secrets in Azure Pipelines.</p></blockquote><div id="9240" class="link-block"> <a href="https://readmedium.com/setting-up-sonarcloud-forazure-pipelines-3ab83eee0e79"> <div> <div> <h2>Setting Up SonarCloud forAzure Pipelines</h2> <div><h3>How to set up SonarCloud to analyze code in Azure Pipelines, detailed guide with all the steps.</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*bkCIl450lsqGmIff)"></div> </div> </div> </a> </div><div id="1ba4" class="link-block"> <a href="https://readmedium.com/how-to-use-key-vault-secrets-in-azure-pipelines-658198f2eea6"> <div> <div> <h2>How to Use Key Vault Secrets in Azure Pipelines</h2> <div><h3>Different ways to access Key Vault secrets in Azure Pipelines. Using variable groups and the Azure Key Vault tasks.</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*z9Qeq6pBuLQeYubA)"></div> </div> </div> </a> </div><p id="8fa9">To use WhiteSource Bolt in our pipeline we simply install the extension to our organization and that’s it, we can start analyzing our project’s open-so

Options

urce dependencies.</p><p id="0fd8">Once we have our extensions installed we can start using them in our pipeline.</p> <figure id="3f43"> <div> <div>

            <iframe class="gist-iframe" src="/gist/d-olivas/dea998071beafc451a974a35bad2deeb.js" allowfullscreen="" frameborder="0" height="undefined" width="undefined">
          </div>
        </div>
    </figure></iframe></div></div></figure><p id="aa45">For the WhiteSource Bolt task, we must specify the directory where the libraries we want to analyze are located. We also define a name for the project that will be created in WhiteSource. In the example above, the open-source dependencies we want to analyze are located in “<i>$(System.DefaultWorkingDirectory)/src</i>”. It’s important to note that the WhiteSource Bolt task must be added after building those dependencies, in this case after doing “<i>npm install</i>”.</p><p id="8a32">The Sonar Cloud tasks do the following; first, we indicate which SonarCloud project we are going to analyze. Then, after building the project, we run the SonarCloud analysis. Finally, we publish the results of the analysis to make them visible in Azure DevOps, this last step is optional, the results can always be seen in the SonarCloud portal.</p><h1 id="a26f">Additional Ways to Shift Security Left</h1><p id="961b">SonarCloud has a VS Code extension called SonarLint to help developers check their code as soon as they write it. Using a linter is a great option to add more security and code quality verifications to a development process.</p><p id="c214">When working with docker container registries, such as Azure Container Registry (ACR), they usually have options to analyze and update images. ACR tasks can be used to automatically build images when a base image is updated, more about ACR tasks <a href="https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tasks-base-images"><b>here</b></a>. Additionally, Azure Defender can be enabled in ACR to analyze every pushed image, more about it <a href="https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction"><b>here</b></a>.</p><p id="b982">If you know other ways to shift security left that are not mentioned here, feel free to share them in a comment.</p><h1 id="a929">Final Thoughts</h1><p id="9598">We are all humans, no one is perfect. Because of this, we need to identify and fix vulnerabilities in our projects as soon as we can. Shifting security left helps us achieve this with our code and our open-source dependencies.</p><p id="888a">Shifting-left security is a good way to start improving our development process. However, this is not the ultimate solution to all our security issues. Having an effective testing strategy, using penetration testing tools like <a href="https://www.zaproxy.org/">OWASP Zap</a>, following the least-privilege principle, constantly monitoring an app’s health and behavior, as well as the overall network and infrastructure’s health and state, all these things, and even more, must be taken into consideration when thinking about security</p></article></body>

DEVOPS GOOD PRACTICES

Shifting-Left Security in Azure Pipelines

Tools for Azure Pipelines to have a more secure development process

Photo by Lianhao Qu on Unsplash

Shifting-left security is applying security validations to our software development process as soon as possible. Let’s say we have a development process with different steps that run from left to right consecutively. Those steps are: writing the code, creating a build, releasing it to a QA environment, releasing it to a Stage environment, releasing it to the production environment to be consumed by the end-users, and constantly monitoring the app, and the process repeats indefinitely. That’s a common and simple development cycle.

Checking the security of the app was usually done too far to the right of the development process, on the QA environment in the best cases, or when the app was already released to production, or just not at all. Finding security issues too late can be very costly for our app.

With shifting-left security what we want to achieve is to identify security issues as soon as possible. When creating a build and even while the developers are writing the code.

This post shows which tools can be used to shift-left security and how to do it using Azure Pipelines.

Azure Pipeline Tools

Static Code Analysis

Doing this type of analysis will help us detect common bugs, vulnerabilities, and code-smells in the app’s code at the moment of building the app.

One of the most common tools for static code analysis is called SonarQube (SonarCloud for cloud-based code, more about the difference here), it has an Azure DevOps extension to easily analyze code in Azure Pipelines.

Other static code analyzers can be used with Azure Pipelines as well, like Fortify, PMD, FindBugs, Code Dx, and several others.

Open-Source Management Solutions

Checking the security of our open-source components is essential to make sure our app is truly secure. Using open-source components that have security vulnerabilities will make our app vulnerable as well.

WhiteSource Bolt is a good option to easily implement in Azure Pipelines to check for vulnerabilities in open-source components, and it also checks license risks. It is very easy to implement and it’s free to use, although it is a limited version of the WhiteSource complete solution, it works pretty well.

There are other great tools to make security checks of open-source components, such as Snyk and Black Duck. These tools also have Azure DevOps extensions to be easily implemented in Azure Pipelines.

Variable Groups and Key Vault Secrets

Keeping sensitive information away from everyone’s eyes is another good practice to enforce security in the development cycle. We want sensitive information to be accessed and managed only by the chosen few and our pipeline.

To achieve this we can store our sensitive information, which needs to be accessed by the pipeline, as Key Vault secrets in Azure, and then read the secret values from Azure Pipelines using variable groups linked to the Key Vault. There are other ways to access Key Vault secrets from a pipeline, but this is the most effective one most of the time, it all depends on our needs.

Azure Pipeline Example

In this example, we’ll see how to implement SonarCloud and WhiteSource Bolt in a pipeline to analyze our app’s code and open-source components when building.

Check out these two posts about how to install and implement SonarCloud in an Azure Pipeline and how to use Azure Key Vault secrets in Azure Pipelines.

To use WhiteSource Bolt in our pipeline we simply install the extension to our organization and that’s it, we can start analyzing our project’s open-source dependencies.

Once we have our extensions installed we can start using them in our pipeline.

For the WhiteSource Bolt task, we must specify the directory where the libraries we want to analyze are located. We also define a name for the project that will be created in WhiteSource. In the example above, the open-source dependencies we want to analyze are located in “$(System.DefaultWorkingDirectory)/src”. It’s important to note that the WhiteSource Bolt task must be added after building those dependencies, in this case after doing “npm install”.

The Sonar Cloud tasks do the following; first, we indicate which SonarCloud project we are going to analyze. Then, after building the project, we run the SonarCloud analysis. Finally, we publish the results of the analysis to make them visible in Azure DevOps, this last step is optional, the results can always be seen in the SonarCloud portal.

Additional Ways to Shift Security Left

SonarCloud has a VS Code extension called SonarLint to help developers check their code as soon as they write it. Using a linter is a great option to add more security and code quality verifications to a development process.

When working with docker container registries, such as Azure Container Registry (ACR), they usually have options to analyze and update images. ACR tasks can be used to automatically build images when a base image is updated, more about ACR tasks here. Additionally, Azure Defender can be enabled in ACR to analyze every pushed image, more about it here.

If you know other ways to shift security left that are not mentioned here, feel free to share them in a comment.

Final Thoughts

We are all humans, no one is perfect. Because of this, we need to identify and fix vulnerabilities in our projects as soon as we can. Shifting security left helps us achieve this with our code and our open-source dependencies.

Shifting-left security is a good way to start improving our development process. However, this is not the ultimate solution to all our security issues. Having an effective testing strategy, using penetration testing tools like OWASP Zap, following the least-privilege principle, constantly monitoring an app’s health and behavior, as well as the overall network and infrastructure’s health and state, all these things, and even more, must be taken into consideration when thinking about security

Pipelines
Shiftleft
Azure
Azure Devops
Security
Recommended from ReadMedium
avatarSaurabh Mathuria
Azure Kubernetes Service Pipeline via Azure DevOps

What is AKS:  Azure Kubernetes Service (AKS) is a managed Kubernetes service provided by Microsoft Azure. It simplifies deploying…

4 min read
avatarSAURABH RAI
Enhancing Azure DevOps YAML Pipeline for multi-environment Deployments

Automating YAML Pipeline for multi-environment deployments.

6 min read
avatarJean F Beaulieu
How to Deploy a Dockerized React App Using Azure DevOps Pipelines

A Comprehensive Guide to Efficiently Containerize and Deploy React Applications with Docker and Azure DevOps

10 min read
avatarGijs Reijn
Build Self-Service Pipeline to Deploy Self-Hosted Environment Agents on Azure Workloads — The…

The foundational groundwork is set, the floor is mopped, and it’s time to start building the pre-pipeline that leverages the scripts in…

8 min read
avatarSAITEJA IRRINKI
Azure DevOps Helm Deployment 🚀

Are you diving into the world of Kubernetes deployments and feeling a bit lost at sea? Don’t worry, Helm is here to rescue you! Let’s sail…

3 min read
avatarPradip VS
Building Resilience using Azure Chaos Studio (AKS with SQL in VNET) — Part 2

This blog is co-authored with Vijayaraghavan Lakshmikanthan, Cloud Solutions Architect — Microsoft

7 min read