O N Azure is a cloud computing platform and an online portal that allows you to access and manage cloud services and resources provided by Microsoft. These services and resources include storing your data and transforming it, depending on your requirements. To get access to these resources and services, all you need to have is an active Internet connection and the ability to connect to the Azure portal.
I C R O S O F T A Z U R E Microsoft Azure was first announced October 28, 2008. A cloud computing operating system which was targeted at Business and Developers without additional coding. The original name Windows Azure was a deliberate response in competition to the Amazon EC2 and Google App Engine. Windows Azure was built from as an extension of the Windows NT which was the beginning of Microsoft Cloud Platform as a Service (PaaS). The Windows Azure was an internal project which went by the code name “Project Red Dog”.
A T I O N S E R V I C E S Enabled developers to run the ASP.NET web applications and APIs Announcement of the SQL Azure relational database and support for other programming languages like Java, PHP .NET Framework 4 which supported the Microsoft SQL Server was added Other worthy services added were, OS Versioning, Content Delivery Network (CDN) used to cache static assets of websites geographically to users to increase performance and the Microsoft Azure Service Bus used to connect on-premises applications
R A T I O N S E R V I C E S Developers started adopting Open-Source Software (OSS) because it was cheaper which increased the usage of software like Linux VM and some OSS packages like MySQL, PHP and Apache. Renamed their cloud to “Microsoft Azure” and made the new Microsoft Azure the best place ever to run Linux Operating system Full operations from bottom to top was transform from PaaS to IaaS.
A T I O N S E R V I C E S Partnered with Hortonworks to offer Azure HDInsight, a managed Apache Hadoop service in Microsoft’s cloud. Launched the Azure Data Lake Store and Azure Data Lake Analytics to provide an end-to-end Big Data and analytics platform on Azure. First Cloud service provider to have an end-to-end connected devices stack powered by Event Hub, IoT Hub, Stream Analytics, SQL Database and Power BI.
into Machine Learning and Artificial Intelligence Azure ML Services will support deep learning models, NVIDIA GPU, Intel FPGA, enhanced pipelines, Machine Learning Operations (MLOps) Best platform to work with Artificial Intelligence (AI) models, also the investment in databases, Big Data, AI, IoT not only kept the vision of Intelligent Cloud and Intelligent edge but it also made Microsoft Azure platform for housing rich cloud service F O U R T H G E N E R A T I O N S E R V I C E S
Azure is the number of data centers it has around the world. There are 42 Azure data centers spread around the globe, which is the highest number of data centers for any cloud platform. Also, Azure is planning to get 12 more data centers, which will increase the number of data centers to 54, shortly.
practice used by development teams of automating, merging, and testing code. CI helps to catch bugs early in the development cycle, which makes them less expensive to fix. Automated tests execute as part of the CI process to ensure quality. Continuous Delivery (CD) is a process by which code is built, tested, and deployed to one or more test and production environments. Deploying and testing in multiple environments increases quality. CD systems produce deployable artifacts, including infrastructure and apps. Jenkins is a platform for creating a Continuous Integration/Continuous Delivery (CI/CD) environment.
platform Deploys to different types of targets at the same time Integrates with Azure deployments Builds on Windows, Linux, or Mac machines Integrates with GitHub Works with open-source projects
sure that the product you are developing is secure right from the time you start coding it and that the best practices of ensuring that security are met at every stage of your pipeline and an ongoing practice. In other words, security should be met as one of the key elements from the initial phase of development cycle, rather than looking at the security aspects at the end of the product sign-off/deployment. This is also called as ‘shift-left’ strategy of security. It’s more of injecting security in your pipeline at each stage.
possible attack targets (e.g., sensitive customer data) Outlining possible attack scenarios (e.g., OWASP Top 10 threats or abuses of legitimate logic) Predicting the most likely sources of vulnerabilities Threat modeling in DevSecOps attempts to determine the risks associated with a software asset and the most likely ways an attacker might try to compromise it. This process, which is typically supported by security teams, includes a range of activities:
the DevSecOps pipeline. Automated security scanners play a crucial role here and are often the first (and simplest) security control integrated development workflows. Static, Dynamic, and Interactive Application Security Testing (SAST/DAST/IAST) scanners are an excellent way to uncover simple vulnerabilities in code before it’s pushed to production.
DevSecOps pipeline uncovers plenty of potential issues and vulnerabilities, particularly for new or significantly modified software assets. However, most organizations don’t want to wait for developers to resolve all those issues before pushing code to production—that would slow the pipeline down too much and potentially disrupt business objectives.
step is for the development team to remediate them. The security team may continue to support this process by educating developers on the nature of different threats and possible remediation options. Alternatively, a development team may take complete ownership of this process over time.
development teams track the overall security posture of a software asset as it runs in production. This stage is essential to uncover new vulnerabilities or misconfigurations that can occur over time or even spot weaknesses that were always present but missed by pre-push security practices. MONITORING
the pipeline? There are multiple stages involved in getting your code deployed to your servers/cloud hosted solutions right from the developers coding it from the pipeline till deploying them. Let’s now see few of them and how we can achieve integrating security around our pipelines using this.
and remediate issues quickly in the code even before a developer commits the code to the remote repository. Some of the common issues that can be found or eliminated are credentials exposed in code like SQL connection strings, AWS Secret keys, Azure storage account keys, API Keys, etc. When these are found in the early stage of the development cycle, it helps in preventing accidental damage. Some of the Precommit hooks tools include – Git-Secret, Talisman. Some of the IDE plugins include .NET Security Guard, 42Cruch, etc.
one of the best practices. There could be a secret management tool that you can use like an Azure Key Vault, AWS secret manager, HashiCorp vault built into your pipeline already for accessing the secure credentials. Software Composition Analysis SCA is all about analyzing the software/code for determining the vulnerable open-source components, third party libraries that your code is dependent on. SCA focuses on not only determining the vulnerable open source components, but also shows you if there are any outdated components are present in your repo & also highlights issues with opensource licensing.
technique. Often referred to as “white box testing”, it consists of scans performed on source code to identify the maximum number of potential vulnerabilities, before the resulting artifact could be even built. SAST
challenging security process for organizations, according to IT security professionals. Developers need solutions to help them create secure code, and that is where Application Security (AppSec) tools come into play. AppSec is the discipline of processes, tools and practices aiming to protect applications from threats throughout the entire application lifecycle. Dynamic Application Security Testing (DAST) Mobile Application Security Testing (MAST) Interactive Application Security Testing (IAST) There are many ways to test application security, including: