├── images
│   ├── 06-gates.png
│   ├── 02-projects.png
│   ├── 07-credscan.png
│   ├── 03-proj-admin.png
│   ├── 08-artifacts.png
│   ├── 09-blueprints.png
│   ├── 05-allow-inherit.png
│   ├── 05-deny-inherit.png
│   ├── 10-agent-com-01.png
│   ├── 10-agent-com-02.png
│   └── 11-secure-file.png
├── practices-docs
│   ├── practice-template.md
│   ├── 05-practice.md
│   ├── 08-practice.md
│   ├── 06-practice.md
│   ├── 15-practice.md
│   ├── 13-practice.md
│   ├── 11-practice.md
│   ├── 04-practice.md
│   ├── 10-practice.md
│   ├── 14-practice.md
│   ├── 03-practice.md
│   ├── 02-practice.md
│   ├── 01-practice.md
│   ├── 09-practice.md
│   ├── 12-practice.md
│   └── 07-practice.md
├── LICENSE
└── README.md

/images/06-gates.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/06-gates.png
--------------------------------------------------------------------------------
/images/02-projects.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/02-projects.png
--------------------------------------------------------------------------------
/images/07-credscan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/07-credscan.png
--------------------------------------------------------------------------------
/images/03-proj-admin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/03-proj-admin.png
--------------------------------------------------------------------------------
/images/08-artifacts.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/08-artifacts.png
--------------------------------------------------------------------------------
/images/09-blueprints.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/09-blueprints.png
--------------------------------------------------------------------------------
/images/05-allow-inherit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/05-allow-inherit.png
--------------------------------------------------------------------------------
/images/05-deny-inherit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/05-deny-inherit.png
--------------------------------------------------------------------------------
/images/10-agent-com-01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/10-agent-com-01.png
--------------------------------------------------------------------------------
/images/10-agent-com-02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/10-agent-com-02.png
--------------------------------------------------------------------------------
/images/11-secure-file.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mpeder/azdevopssecurity/HEAD/images/11-secure-file.png
--------------------------------------------------------------------------------
/practices-docs/practice-template.md:
--------------------------------------------------------------------------------
# #XY Title
- Bullets with good information

## Links
- Some link [aka.ms/devops][1]

[1]: aka.ms/devops
--------------------------------------------------------------------------------
/practices-docs/05-practice.md:
--------------------------------------------------------------------------------
# #5 Set Up Detailed Permissions for Pipelines
- When you need to, you can control access to individual pipelines and pipeline folders in detail
- Disable the default permission inheritance when a pipeline needs tighter access than its folder or project
  - Remember that an explicit Deny beats an Allow, and that "Not set" is an implicit deny

![allow inherit][allow]
![deny inherit][deny]

[allow]: /images/05-allow-inherit.png "Allow"
[deny]: /images/05-deny-inherit.png "Deny"

--------------------------------------------------------------------------------
/practices-docs/08-practice.md:
--------------------------------------------------------------------------------
# #8 Use Artifacts for Package Management
- Consider controlling package sources, sharing and distribution using Azure Artifacts
- You can control both your internal packages and the external packages you pull in through upstream sources
- Set up fine-grained permissions on feeds

![artifacts][artifacts]

## Links
- Azure DevOps Artifacts [https://docs.microsoft.com/en-us/azure/devops/artifacts/index?view=azure-devops][1]

[1]: https://docs.microsoft.com/en-us/azure/devops/artifacts/index?view=azure-devops


[artifacts]: /images/08-artifacts.png "Artifacts"
--------------------------------------------------------------------------------
/practices-docs/06-practice.md:
--------------------------------------------------------------------------------
# #6 Use Approvals, Gates & Pull Requests
- Use approvals to control deployment stages
  - They can be set both pre- and post-deployment
  - You can also include a manual intervention task inside a pipeline
- Use gates to control deployment stages
  - They can be set both pre- and post-deployment
- Use pull requests for QA
  - Both for security and for general quality
  - Run builds and deployments before merging to master
- If you use 3rd party solutions for e.g. feature toggling, consider the security aspects of these services
  - Who controls the feature toggle?
  - Toggling can also be automated via pipelines with e.g. LaunchDarkly

![gates][gates]

[gates]: /images/06-gates.png "Gates"
--------------------------------------------------------------------------------
/practices-docs/15-practice.md:
--------------------------------------------------------------------------------

# #15 Use Pipeline Decorators (preview)
- Consider using pipeline decorators to inject mandatory steps at the beginning and/or end of every pipeline
  - E.g. your organization might require everyone to run a virus scanner
  - Decorators affect everyone in the organization, so test them carefully before rolling them out!

## Links
- Use a decorator to inject steps into a pipeline [https://docs.microsoft.com/en-us/azure/devops/extend/develop/add-pipeline-decorator?view=azure-devops][1]
- Add a build or release task [https://docs.microsoft.com/en-us/azure/devops/extend/develop/add-build-task][2]

[1]: https://docs.microsoft.com/en-us/azure/devops/extend/develop/add-pipeline-decorator?view=azure-devops
[2]: https://docs.microsoft.com/en-us/azure/devops/extend/develop/add-build-task

--------------------------------------------------------------------------------
/practices-docs/13-practice.md:
--------------------------------------------------------------------------------
# #13 Use Azure Key Vault
- Secrets management
  - Store and control access to tokens, passwords, certificates, API keys and other secrets
- Key management
- Certificate management
- Store secrets backed by Hardware Security Modules
- You can monitor activity by enabling logging for your vaults to see who accesses them
- Operations can rotate and manage keys without developer involvement

## Links
- Variable groups [https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault][1]
- Key Vault logging [https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging][2]

[1]: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml#link-secrets-from-an-azure-key-vault
[2]: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging

--------------------------------------------------------------------------------
/practices-docs/11-practice.md:
--------------------------------------------------------------------------------
# #11 Share Configuration Across Pipelines
- The features in this section help you share things across a number of pipelines in a secure way. This is especially useful when you manage a large number of pipelines.
- Variable groups
  - Share variables across pipelines
  - Can be integrated with Key Vault
- Task groups
  - Share a number of combined tasks across pipelines
- Secure files
  - E.g. keystore files and signing certificates
- Deployment groups are useful when deploying to a number of VMs
  - During deployment you can target a group of machines rather than each individual machine
  - Machines can automatically register and de-register in a group, which supports deployment to machines you did not know about when creating the pipeline
- All of the above let you control security in detail

![securefile][securefile]

[securefile]: /images/11-secure-file.png "Secure File"

--------------------------------------------------------------------------------
/practices-docs/04-practice.md:
--------------------------------------------------------------------------------
# #4 Design & Maintain Your Pipelines
- Do the right people have access?
- What are the environments/stages involved?
- What is the flow between stages? Consider artifact/branch filters
- What is allowed in parallel? Both between stages and when using multiple agents in a stage
- What are the trigger(s)?
- Pipelines become more important the more you automate!
  - They may become critical infrastructure
- The target application and infrastructure matter
  - IaaS, PaaS, SaaS, cloud, on-premises, multi-cloud, Azure Stack
- Maintain, test and clean up pipelines
  - Your infrastructure will change over time, and this can affect your pipelines
  - This is easier if you use IaC and pipelines as code
- Provide guidance on "good" pipeline design in your environments so that projects/teams can easily adopt the practices relevant in your organization

## Links
- Also see #15 [Use Pipeline Decorators][1]

[1]: /practices-docs/15-practice.md


--------------------------------------------------------------------------------
/practices-docs/10-practice.md:
--------------------------------------------------------------------------------
# #10 Understand Security in Agents and Agent Pools
- Pipelines use agents to do all of the actual work
- Agents are grouped in agent pools, on which you can control security
- Agents can be hosted by Azure DevOps or by yourself
  - Hosted agents are patched and updated by Azure DevOps
  - You can easily run your own in a container, in a VM, on laptops or on-premises
    - But registering them requires administrator permissions on the agent pool
    - A self-hosted agent is only as secure as the machine it runs on: whoever controls the machine controls the secrets and service connections the pipeline hands to it
- Agents require outbound HTTPS (port 443) to Azure DevOps, and line of sight to the targets of deployment tasks

![agents com][agents-com1]
![agents com][agents-com2]

## Links
- Agent communication [https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops#communication][1]

[1]: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops#communication

[agents-com1]: /images/10-agent-com-01.png "Agent Communication"
[agents-com2]: /images/10-agent-com-02.png "Agent Communication"

--------------------------------------------------------------------------------
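As an added, illustrative example (not code from this repo or from Microsoft), the following Python models the permission rules that #5 relies on when you switch inheritance off on a pipeline, and that #3 summarizes again: an explicit setting on an object overrides what it would inherit from its parent, Deny beats Allow at the same level, "Not set" is an implicit deny, inheritance can be switched off per object, and Project Collection Administrators are not subject to Deny. The object names, the group names and the `EditBuildDefinition` permission string are illustrative; the code is a model of the documented rules, not a call into Azure DevOps.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class State(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NOT_SET = "Not set"   # never granted anywhere -> implicitly denied


@dataclass
class Securable:
    """A securable object (project, pipeline folder, pipeline, ...) and its ACL.

    aces: identity (user or group) -> permission name -> State
    inherit=False models the 'Inheritance: Off' switch from practice #5.
    """
    name: str
    parent: Optional["Securable"] = None
    inherit: bool = True
    aces: Dict[str, Dict[str, State]] = field(default_factory=dict)

    def set_permission(self, identity: str, permission: str, state: State) -> "Securable":
        self.aces.setdefault(identity, {})[permission] = state
        return self


def effective_permission(obj: Securable, identities: Iterable[str],
                         permission: str) -> Tuple[State, Optional[str]]:
    """Resolve one permission for a user plus all groups the user belongs to.

    Rules modelled:
      1. at one object, a Deny for any of the identities beats any Allow;
      2. an explicit Allow/Deny on the object beats whatever the parent says;
      3. with inheritance switched off the parent chain is not consulted;
      4. nothing set anywhere -> Not set, which is an implicit deny.
    Returns (state, name of the object whose ACL decided it, or None).
    """
    identities = list(identities)
    node: Optional[Securable] = obj
    while node is not None:
        states = {node.aces.get(i, {}).get(permission, State.NOT_SET) for i in identities}
        if State.DENY in states:
            return State.DENY, node.name
        if State.ALLOW in states:
            return State.ALLOW, node.name
        if not node.inherit:
            break
        node = node.parent
    return State.NOT_SET, None


def is_allowed(obj: Securable, identities: Iterable[str], permission: str,
               collection_admin: bool = False) -> bool:
    # Project Collection Administrators are not subject to Deny: one more
    # reason the page says to limit the number of admins.
    if collection_admin:
        return True
    return effective_permission(obj, identities, permission)[0] is State.ALLOW


def build_demo() -> Dict[str, Securable]:
    """Constructed hierarchy for the example: project -> folder -> two pipelines."""
    perm = "EditBuildDefinition"
    project = Securable("Project").set_permission("[Project]\\Contributors", perm, State.ALLOW)
    folder = Securable("Release-Pipelines", parent=project)
    # Production pipeline: inheritance OFF, only release managers may edit it.
    prod = Securable("Prod-Deploy", parent=folder, inherit=False)
    prod.set_permission("Release Managers", perm, State.ALLOW)
    # Development pipeline keeps inheritance but explicitly denies a vendor group.
    dev = Securable("Dev-Deploy", parent=folder)
    dev.set_permission("External Vendors", perm, State.DENY)
    return {"project": project, "folder": folder, "prod": prod, "dev": dev}


if __name__ == "__main__":
    objs = build_demo()
    alice = ["alice@contoso.example", "[Project]\\Contributors"]
    bob = ["bob@vendor.example", "[Project]\\Contributors", "External Vendors"]
    for who, ids in (("alice", alice), ("bob", bob)):
        for key in ("folder", "prod", "dev"):
            state, src = effective_permission(objs[key], ids, "EditBuildDefinition")
            print(f"{who:5} {objs[key].name:18} {state.value:8} via {src}")
```

Running it shows the two outcomes the screenshots in #5 are about: with inheritance on, a Contributor is allowed on the folder and on `Dev-Deploy` through the project-level Allow; with inheritance off, the same person ends up at "Not set" on `Prod-Deploy` and is refused, without anyone having written a Deny.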
/practices-docs/14-practice.md:
--------------------------------------------------------------------------------

# #14 Manage Extensions
- Extensions are great and help solve a lot of things for the people creating pipelines, but they need to be managed
- Consider the security implications of an extension before "releasing" it for use inside your organization
  - An extension's tasks run on your agents with the pipeline's access, so vet the publisher as you would any other software supplier
- Extensions have to be approved by a Collection Administrator; by limiting the number of Collection Administrators you can ensure a uniform process for approving new extensions
- If you build and use your own extensions, make sure that you have proper security scanning and reviews in place
- Define a plan for maintaining your extensions, just like any other software you build


## Links
- Azure Marketplace [https://marketplace.visualstudio.com/azuredevops][1]
- Approve extension requests [https://docs.microsoft.com/en-us/azure/devops/marketplace/approve-extensions?view=azure-devops][2]

[1]: https://marketplace.visualstudio.com/azuredevops
[2]: https://docs.microsoft.com/en-us/azure/devops/marketplace/approve-extensions?view=azure-devops

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 Michael Pedersen

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/practices-docs/03-practice.md:
--------------------------------------------------------------------------------
# #3 Understand the Main Security Concepts in Azure DevOps
- You can control permissions on almost anything in Azure DevOps
- Some permissions are set on project level and some on collection level
- Some artifacts have permissions set directly on them, e.g. service connections and secure files
- Permissions follow from the security groups you add users to, and can be overridden for a specific user or object
  - An explicit Deny beats an Allow, and "Not set" is an implicit deny
- Access levels control access to product features (Basic, VS Enterprise or Stakeholder)
- Limit the number of admins!

![project admin image][projadmin]

## Links
- Security and identity [https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-security-identity?view=azure-devops][1]
- Security roles [https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-security-roles?view=azure-devops][2]
- Permissions and groups [https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops][3]

[1]: https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-security-identity?view=azure-devops
[2]: https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-security-roles?view=azure-devops
[3]: https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops

[projadmin]: /images/03-proj-admin.png "Projects"

--------------------------------------------------------------------------------
/practices-docs/02-practice.md:
--------------------------------------------------------------------------------
# #2 Know Your Azure DevOps Account & Projects
- An account is called an "Organization"
  - You might have more than one to manage!
  - Do you know how many exist inside your organization?
- Decide on what constitutes a "Project" inside your organization
  - This will be important for managing user access
  - Pipelines exist inside projects
  - Projects are usually larger than you think
- All projects might not be the same from a security perspective!
- Don't limit access and control just because you can...
  - Only add restrictions when needed!

![projects image][projects]

## Links
- Organization structure [https://docs.microsoft.com/en-us/azure/devops/user-guide/plan-your-azure-devops-org-structure][1]
- Organization management in Azure DevOps [https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/?view=azure-devops][2]
- About projects and scaling your organization [https://docs.microsoft.com/en-us/azure/devops/organizations/projects/about-projects?view=azure-devops][3]


[1]: https://docs.microsoft.com/en-us/azure/devops/user-guide/plan-your-azure-devops-org-structure
[2]: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/?view=azure-devops
[3]: https://docs.microsoft.com/en-us/azure/devops/organizations/projects/about-projects?view=azure-devops

[projects]: /images/02-projects.png "Projects"
--------------------------------------------------------------------------------
/practices-docs/01-practice.md:
--------------------------------------------------------------------------------
# #1 Secure Your Azure DevOps Account
- Connect to Azure AD and use MFA
  - Azure DevOps can also use Azure AD Conditional Access
  - You can require conditions such as security group membership, location and network identity, a specific OS, an enrolled device in a management system, and so on
- If possible, use AD groups rather than individual user accounts
  - Note: nested groups are currently not supported
- If relevant, consider limiting "shadow IT" by restricting organization creation via the Azure AD tenant policy
- Consider connecting via ExpressRoute
- Use the Azure DevOps Audit feature

## Links
- Azure AD [https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops][1]
- Conditional Access [https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?view=azure-devops][2]
- ExpressRoute [https://devblogs.microsoft.com/devops/expressroute-for-azure-devops][3]
- Azure DevOps Audit [https://docs.microsoft.com/en-us/azure/devops/organizations/settings/azure-devops-auditing?view=azure-devops][4]
- Restrict organization creation via Azure AD tenant policy [https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops][5]

[1]: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
[2]: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?view=azure-devops
[3]: https://devblogs.microsoft.com/devops/expressroute-for-azure-devops
[4]: https://docs.microsoft.com/en-us/azure/devops/organizations/settings/azure-devops-auditing?view=azure-devops
[5]: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops

--------------------------------------------------------------------------------
/practices-docs/09-practice.md:
--------------------------------------------------------------------------------
# #9 Implement "Regular" Azure Governance
- RBAC & roles
- Subscription and resource group design
- Service principals
- Locks & tags
- Policies, management groups & blueprints

![blueprints][blueprints]

[blueprints]: /images/09-blueprints.png "Blueprints"

## Links
- What is role-based access control (RBAC) for Azure resources? [https://docs.microsoft.com/en-us/azure/role-based-access-control/overview][1]
- Resource access management in Azure [https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/governance/resource-consistency/azure-resource-access][2]
- Application and service principal objects in Azure Active Directory [https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals][3]
- Use tags to organize your Azure resources [https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags][4]
- Lock resources to prevent unexpected changes [https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources][5]
- Overview of the Azure Blueprints service [https://docs.microsoft.com/en-us/azure/governance/blueprints/overview][6]
- Overview of the Azure Policy service [https://docs.microsoft.com/en-us/azure/governance/policy/overview][7]

[1]: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
[2]: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/governance/resource-consistency/azure-resource-access
[3]: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
[4]: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
[5]: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
[6]: https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
[7]: https://docs.microsoft.com/en-us/azure/governance/policy/overview

--------------------------------------------------------------------------------
/practices-docs/12-practice.md:
--------------------------------------------------------------------------------
# #12 Secure Service Connections & Service Principals

- Service principals are the non-human identities that pipelines use when they do anything in an Azure subscription
- Service connections wrap a service principal so that tasks can do their work
  - Keep the keys safe!
  - Limit the permissions and scope accordingly
- The default service connection wizard uses your own user to create a service principal automatically, which is probably not what you want...
  - Use "Advanced Mode" in the service connection setup
  - This allows you to specify a specific, pre-created service principal with a known owner and a known scope
- Consider whether you want to set the service connection's "Allow all pipelines to use this endpoint" option
  - Turned on, it means any pipeline anyone can create in the project may use the connection's credentials
- You can use management groups to control access across multiple subscriptions
- Familiarize yourself with the build and release permissions and security roles
  - For permissions, you grant or restrict access by setting the permission state to Allow or Deny, either for a security group or for an individual user
  - You can control who can define new service connections

## Links
- Service Principals [https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals][1]
- Build and release permissions and security roles [https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=azure-devops][2]
- Service connections for builds and releases [https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops#secure-a-service-connection][3]
- Connect to Microsoft Azure [https://docs.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops][4]

[1]: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
[2]: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=azure-devops
[3]: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops#secure-a-service-connection
[4]: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops


--------------------------------------------------------------------------------
/practices-docs/07-practice.md:
--------------------------------------------------------------------------------
# #7 Use Continuous Security Tools in Pipelines
- Security needs to be evaluated at every step of the process, continuously
- Static code analysis
  - There is a number of tools available, and the best tool for you will also depend on the programming language(s) used
  - Some examples of code analysis tools are Visual Studio Code Analysis, Roslyn Security Analyzers, Checkmarx and BinSkim
- Vulnerability scans
  - Modern application development involves using different package managers. By using them you can easily end up depending on hundreds of packages
  - 3rd party packages should be analyzed for vulnerabilities, licensing and outdated versions
  - WhiteSource and Black Duck are good examples of tools for vulnerability scanning
- Infrastructure as Code scans
  - By scanning IaC you can find problems before doing the actual deployment
  - An example of such a tool is the AzSK ARM Template Checker
- Credential scans
  - Credentials must never be checked in to your repos
  - These tools look for secrets, passwords and usernames in the code checked in to your repos, and can then fail a build or deployment
  - An example of such a tool is the Credential Scanner (aka CredScan)

  ![credscan][credscan]
- External library scanning
  - External dependencies such as Maven, NuGet or Node.js packages will, sooner or later, have security vulnerabilities
  - Use tools such as SourceClear, Black Duck etc.
- Container image scanning
  - Just like external dependencies, you build on 3rd party image layers for your containers, so vet these too
  - Some great tools for this are WhiteSource, Black Duck, Aqua and Twistlock
  - These can also be integrated with Azure Container Registry
- Secure DevOps Kit for Azure and Microsoft Security Code Analysis are great collections of tools that can easily be integrated into Azure DevOps pipelines
- Define an enterprise-wide baseline for all these tools
- Consider also scanning for technical debt using a tool like SonarQube/SonarCloud

[credscan]: /images/07-credscan.png "Credscan"

## Links
- Security validation in CI/CD pipeline [https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=azure-devops][1]
- Secure DevOps Kit for Azure [https://azsk.azurewebsites.net/][2]
- Microsoft Security Code Analysis [https://secdevtools.azurewebsites.net/][3]
- Also see #15 [Use Pipeline Decorators][4]

[1]: https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=azure-devops
[2]: https://azsk.azurewebsites.net/
[3]: https://secdevtools.azurewebsites.net/
[4]: /practices-docs/15-practice.md
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Azure DevOps: Recommended Practices for Secure Pipelines

## Introduction
This repo started as part of building a customer presentation. After digging into it I found that I could keep on adding content related to this topic. So this is an attempt at doing so in a structured way.

I would love to get feedback on the content and would like to keep expanding and updating it. So please add your comments/issues and I will look into them when I have time :-)

Pipelines in the context of Azure DevOps cover both build (CI) and release (CD) pipelines. Most of the content here relates to Azure DevOps when deploying to Azure, but it might be equally applicable in many other situations as well. Feel free to use the information any way you want - see the [LICENSE](LICENSE). These are my _personal_ recommendations! No guarantees of any kind are given and I am not responsible for any damages :-)

For a general introduction to the security of the Azure DevOps service, please see the [security whitepaper](https://docs.microsoft.com/en-us/azure/devops/articles/team-services-security-whitepaper?view=azure-devops).

If you are interested in DevSecOps from a cultural perspective I would recommend this article: [https://docs.microsoft.com/en-us/azure/devops/learn/devops-at-microsoft/security-in-devops](https://docs.microsoft.com/en-us/azure/devops/learn/devops-at-microsoft/security-in-devops)

## Practices
1. [Secure Your Azure DevOps Account][1]
2. [Know Your Azure DevOps Account & Projects][2]
3. [Understand the Main Security Concepts in Azure DevOps][3]
4. [Design & Maintain Your Pipelines][4]
5. [Set Up Detailed Permissions for Pipelines][5]
6. [Use Approvals, Gates & Pull Requests][6]
7. [Use Continuous Security Tools in Pipelines][7]
8. [Use Artifacts for Package Management][8]
9. [Implement Regular Azure Governance][9]
10. [Understand Security in Agents and Agent Pools][10]
11. [Share Configuration Across Pipelines][11]
12. [Secure Service Connections & Service Principals][12]
13. [Use Azure Key Vault][13]
14. [Manage Extensions][14]
15. [Use Pipeline Decorators][15]


[1]: /practices-docs/01-practice.md
[2]: /practices-docs/02-practice.md
[3]: /practices-docs/03-practice.md
[4]: /practices-docs/04-practice.md
[5]: /practices-docs/05-practice.md
[6]: /practices-docs/06-practice.md
[7]: /practices-docs/07-practice.md
[8]: /practices-docs/08-practice.md
[9]: /practices-docs/09-practice.md
[10]: /practices-docs/10-practice.md
[11]: /practices-docs/11-practice.md
[12]: /practices-docs/12-practice.md
[13]: /practices-docs/13-practice.md
[14]: /practices-docs/14-practice.md
[15]: /practices-docs/15-practice.md

Current version: v1.3

Last update: 03-12-2019
--------------------------------------------------------------------------------
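As an added example for #12 above (not code from this repo or from Microsoft), the following Python audits service connections for the three things that practice calls out: the "Allow all pipelines to use this endpoint" toggle, a service principal auto-created by the default wizard, and a scope that covers the whole subscription rather than a resource group. The input is constructed inline; its field names (`data.creationMode`, `data.scopeLevel`, `authorization.parameters.scope`, `isShared`, and `allPipelines.authorized` from the pipeline-permissions endpoint) follow the Azure DevOps REST API as I understand it, so treat them as assumptions and verify against your own organization's responses. All ids, names and scopes are made up.

```python
import json
from typing import Dict, List

# Constructed sample data (made up for this example). The shape mirrors what
# GET .../_apis/serviceendpoint/endpoints and
# GET .../_apis/pipelines/pipelinePermissions/endpoint/{endpointId} return,
# as far as I know them; check the field names against your own tenant.
SERVICE_ENDPOINTS = json.loads("""
{"value": [
  {"id": "11111111-1111-1111-1111-111111111111", "name": "prod-sub-auto",
   "type": "azurerm", "isShared": false,
   "data": {"subscriptionId": "00000000-0000-0000-0000-000000000001",
            "subscriptionName": "Prod", "scopeLevel": "Subscription",
            "creationMode": "Automatic"},
   "authorization": {"scheme": "ServicePrincipal",
     "parameters": {"serviceprincipalid": "spn-auto", "tenantid": "tenant-id",
                    "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}}},
  {"id": "22222222-2222-2222-2222-222222222222", "name": "prod-web-rg-manual",
   "type": "azurerm", "isShared": true,
   "data": {"subscriptionId": "00000000-0000-0000-0000-000000000001",
            "subscriptionName": "Prod", "scopeLevel": "Subscription",
            "creationMode": "Manual"},
   "authorization": {"scheme": "ServicePrincipal",
     "parameters": {"serviceprincipalid": "spn-web-prod", "tenantid": "tenant-id",
                    "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourcegroups/rg-web-prod"}}},
  {"id": "33333333-3333-3333-3333-333333333333", "name": "github-readonly",
   "type": "github", "isShared": false, "data": {},
   "authorization": {"scheme": "Token", "parameters": {}}}
]}
""")

# endpoint id -> pipeline permissions for that endpoint (constructed)
PIPELINE_PERMISSIONS = {
    "11111111-1111-1111-1111-111111111111": {"allPipelines": {"authorized": True}, "pipelines": []},
    "22222222-2222-2222-2222-222222222222": {"allPipelines": {"authorized": False},
                                             "pipelines": [{"id": 42, "authorized": True}]},
    "33333333-3333-3333-3333-333333333333": {"allPipelines": {"authorized": False},
                                             "pipelines": [{"id": 7, "authorized": True}]},
}


def audit_endpoint(endpoint: dict, permissions: dict) -> List[str]:
    """Return the findings for one service connection (empty list = clean)."""
    findings = []
    data = endpoint.get("data", {})
    params = endpoint.get("authorization", {}).get("parameters", {})
    if permissions.get("allPipelines", {}).get("authorized"):
        findings.append("'Allow all pipelines to use this endpoint' is on")
    if endpoint.get("isShared"):
        findings.append("shared with other projects")
    if endpoint.get("type") == "azurerm":
        if data.get("creationMode") == "Automatic":
            findings.append("service principal was auto-created by the wizard")
        scope = params.get("scope", "").lower()
        if data.get("scopeLevel") == "Subscription" and "/resourcegroups/" not in scope:
            findings.append("scoped to the whole subscription")
    return findings


def audit(endpoints: dict, permissions_by_id: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map service connection name -> findings, for connections that have any."""
    report = {}
    for ep in endpoints["value"]:
        findings = audit_endpoint(ep, permissions_by_id.get(ep["id"], {}))
        if findings:
            report[ep["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SERVICE_ENDPOINTS, PIPELINE_PERMISSIONS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Against the sample, `prod-sub-auto` is flagged three times (the wizard-created, subscription-wide connection that is open to every pipeline) while `prod-web-rg-manual` only draws the "shared with other projects" note; the GitHub connection is clean and does not appear. To run it for real, replace the two constants with the JSON from the two REST calls named in the comment.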
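As an added example for the credential scanning bullet in #7 (not code from this repo, and not CredScan itself), here is a minimal credential scanner in Python showing the mechanics such tools implement: a few regular-expression rules run over constructed sample files, values that are only references such as `$(Var)` pipeline variables or `<placeholders>` are skipped, the secret is redacted before it is reported so it does not end up in the build log, and the process exits non-zero so the pipeline step fails. The rules and the sample files are mine; `AKIAIOSFODNN7EXAMPLE` is the placeholder access key ID from AWS's own documentation.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List

# A deliberately small rule set. Real scanners ship hundreds of rules; the
# point here is the mechanics: match, filter placeholders, redact, fail the build.
PATTERNS = {
    "literal secret assigned to a sensitive key": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|client[_-]?secret|token)"""
        r"""\s*[:=]\s*["']([^"'\s]{8,})["']"""),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Azure storage account key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Things that sit in a secret slot but are references, not secrets:
# $(Var) pipeline variables, ${VAR}, <placeholders>, %ENV%, xxxx, ...
PLACEHOLDER = re.compile(
    r"^(\$\(.+\)|\$\{.+\}|<.+>|%.+%|\*+|x{4,}|changeme|redacted)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted_line: str


def scan_lines(path: str, lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # the secret itself is the last capture group, or the whole match
            secret = match.group(match.lastindex) if match.lastindex else match.group(0)
            if PLACEHOLDER.match(secret):
                continue
            # never echo the secret into the build log
            findings.append(Finding(path, line_no, rule, line.replace(secret, "***").strip()))
    return findings


def scan_files(files: Dict[str, List[str]]) -> List[Finding]:
    return [f for path, lines in files.items() for f in scan_lines(path, lines)]


# Constructed sample repository content (made up for this example).
SAMPLE_FILES = {
    "src/settings.py": [
        'DB_PASSWORD = os.environ["DB_PASSWORD"]',          # reference: fine
        'password = "Winter2019!Rotate"',                   # literal: finding
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',       # AWS docs example id: finding
    ],
    "azure-pipelines.yml": [
        "variables:",
        '  DB_PASSWORD: "$(DbPassword)"',                   # pipeline variable: fine
        '  API_TOKEN: "<set-in-variable-group>"',           # placeholder: fine
        "  STORAGE: \"DefaultEndpointsProtocol=https;AccountName=demo;AccountKey="
        + "Zm9vYmFy" * 8 + "==;EndpointSuffix=core.windows.net\"",   # finding
    ],
    "deploy/id_rsa": ["-----BEGIN RSA PRIVATE KEY-----", "MIIE...", "-----END RSA PRIVATE KEY-----"],
}


def main() -> int:
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.redacted_line}")
    # a non-zero exit code fails the pipeline step
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The placeholder filter is what keeps a rule like this usable in a pipeline repo: `DB_PASSWORD: "$(DbPassword)"` is exactly how a variable-group or Key Vault secret (#11, #13) is consumed in YAML, and a scanner that fails the build on it would be switched off within a week.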