How to keep your code protected?

Secure software development

I covered security in GitHub last time. But some of you likely use Azure DevOps for building your products, so let’s talk about that for a while.

But before we start, let’s clear one thing up.

DevOps is not just for applications

When talking about DevOps in general, typically people immediately think of software development. And of course, this is largely true. But the principles of DevOps and security also apply to infrastructure.

Keep reading, as I will give you some pointers for it here.

Key points:

  • What can you do with Azure DevOps?
  • What are the key security considerations for Azure DevOps?
  • What are example tools you can use to secure your code?

The key features of Azure DevOps

If you’re new to Azure DevOps, there’s a useful mind map that details the available functionalities.

The main strength of Azure DevOps is definitely its end-to-end approach. You can use the software to manage a project from beginning to end, starting with Azure Boards, allowing your team to plan their work and see progress on every project as you go, either in a list or Kanban format.

From the security perspective, what you need to look after is Azure Repos. Here is where you can collaborate on code, validate added dependencies, and make sure that code has a good quality.

This is also where you want to protect your code to make sure no unauthorized or dubious changes are made. My colleague and MVP Daniel Krzyczkowski has written a practical guide on this topic – check out the links below to learn how to secure your code in Azure DevOps with manual reviews, limiting merge types, etc.

Want more updates like this? Leave your email address to get the latest insights every two weeks. Subscribe

Security essentials in Azure DevOps

As a reminder from the previous post, here is what our customers indicate as their top concerns right now:

  • Secure dependencies
  • Secure code
  • Secure secrets
  • Secure DevOps

What can you do about them in the Azure environment?

Secure dependencies

If you use external dependencies in your projects, it is best to secure them from the early stage – with the “shift left” approach. For example, in GitHub, you can use Dependabot to verify your source code and detect potential vulnerabilities.

Azure DevOps enables installing additional extensions and security tools to allow you to check on your dependencies. Internally, you should regularly check your Dependency Risk Graph to make sure no one inadvertently compromised your code during development.

In any case, you should also add trusted vulnerability scanners, such as Snyk or WhiteSource Bolt to scan your dependencies for issues.

Secure code

The key to protecting your dependencies in ADO is securing your code. There is quite in-depth documentation on it. But as usual, it all comes down to the basics: permissions and automation.

Just because you have multiple stakeholders in a project doesn’t mean they all need read & write access. Use the least privilege principle to make sure only developers who really need to access your code can really edit it.

As for automation – you can go so far as to set up automated deployment of a landing zone with Azure Pipelines, so starting a new project will just be a matter of a few clicks. The highlights?

  • Standardization of permission levels
  • Automation of identity management in Azure AD
  • Resource cost monitoring

It’s much easier to manage a project when you set it up right to begin with.

Secure secrets

I came across a video you may find interesting. It is not about Azure DevOps directly, but about the concept of “secretless coding”. Here Christos Matskas, Identity Expert from Microsoft, talks about how to develop code without including secrets using Azure AD.

This approach can eliminate the problem of credentials to prod environments being valid years later (which happens more often than any of us like to think).

And as a bonus – it’s not limited to Azure, you can use it on-premises as well. Check it out below:


Secretless coding in Azure

Secure DevOps

This topic could warrant an entire series on its own, and I will keep coming back to it in these e-mails. But if you’re brand new to it, a good place to start is to create a DevOps Center of Excellence.

In it, you can store set rules and policies that everyone working on projects will need to adhere to. Standardizing your processes and sharing lessons from every engagement is the best way to teach everyone involved how DevOps should be practiced at your organization.

The Center of Excellence can basically be a wiki that stores your project policies. It can be as general or as detailed as you like. For example, here is what we keep information about in ours:

  • Process
  • Extensions
  • Backlog definition
  • Dashboards and metrics
  • Wiki
  • Version control
  • Branching strategy
  • Branch policies
  • Build pipelines
  • Release pipelines.

And so, you’ll find there a section on Branch policies, specifying:

  • Direct merge to master – forbidden
  • Linked work items for each branch
  • At least one reviewer
  • Reset code reviewer votes when there are new changes
  • Description of what was changed.

Keeping all these notes in one place speeds up introducing new people to the project.

Further reading

Making your processes consistent and measurable by using a shared set of standards is the easiest way to start securing your projects. As for tools – I’ll talk about them a bit more in the next article.

As is the tradition, here are some technical guides for you:

  1. Security quick reference index
  2. Securing Azure Pipelines
  3. Secure your code with GitHub
  4. Implement Security and Compliance in an Azure DevOps pipeline
  5. Microsoft Security Code Analysis
  6. Azure Tenant Security Solution

Do you use any of these features? Or maybe something different? Did anything surprise you? Let me know – I will happily discuss it in more detail.

Key takeaways:

    1. Azure DevOps allows you to plan and manage your software development project end-to-end.
    2. When coding in Azure DevOps, you need to pay particular attention to Azure Repos and dependencies.
    3. The key step to improving your security practices is developing a DevOps Center of Excellence that allows you to standardize your development processes. If you need help setting one up, feel free to contact us for assistance.