Securing Applications
Download as PPTX, PDF•1 like•261 views
The document discusses securing applications throughout their lifecycle, emphasizing the importance of application security fundamentals, risk management, and best practices for secure coding and operations. It outlines the roles of various security tools and techniques, including GitHub's advanced security capabilities, to integrate security into the development process through a 'shift left' approach. The document also provides resources for further learning and tools to manage software supply chain risks and maintain security diligence.
Securing Applications
- 1. Design, develop, deploy and run secure applications Mark Harrison – Microsoft, Azure AppDev Specialist Nick Liffen – GitHub, Security Specialist
- 2. Agenda Application security fundamentals GitHub Advanced Security capabilities
- 3. Information Security Confidentiality, integrity and availability are the basic concepts and at the core of infosec efforts Protect applications and associated data Attackers – internal / external Accidents / incompetence Natural disasters
- 4. Cybercrime Huge industry Attacker’s Advantage… …and Defender’s dilemma Attacker only needs one weak point Attacker can probe for unknown vulnerabilities Attacker can strike at will Attacker can play dirty Defender must defend all points Defender must defend against known attacks Defender must be constantly vigilant Defender must play by the rules There are huge numbers of attackers
- 5. Risk Management Identify Risks Likelihood of being exercised Impact that it will cause Address risk: Avoid Mitigate Transfer Accept Reduce risks by: Secure by design Secure the code Secure the environment Secure the operations
- 6. Secure the App Secure by Design Threat Modeling Zero Trust User least privileged access Verify explicitly Assume breach Identity Data Classification Transport & Storage Secure the Code Secure the Environment Secure the Operations
- 7. Secure the App Secure by Design Secure the Code Secret Management Code Management Code Quality Dependency Management Static Analysis Secure the Environment Secure the Operations
- 8. Secure the App Secure by Design Secure the Code Secure the Environment Policies Infrastructure as code Access Controls Network OS Patching Secure the Operations
- 9. Secure the App Secure by Design Secure the Code Secure the Environment Secure the Operations Monitoring Telemetry & Audits Incident Management Forensics Threat intelligence Disaster Recovery
- 10. Secure the App Secure by Design Secure the Code Secure the Environment Secure the Operations Automation where possible - Embrace everything-as-code
- 11. Software Supply Chain Open Source Potentially many levels of dependencies resulting in a lot of software being used from unknown sources Dependency Risks Software vulnerabilities – what flaws/bugs have you inherited into your application? New version – is it compatible with your application? Licensing constraints – it is allowed for commercial use? What must you share back? Understand your SBOM (Software Bill of Materials) Software Composition Analysis tools
- 12. DevOps Driving innovation – reduce time to value Develop, deploy and improve products at a faster pace than they can with traditional software development approaches The union of people, process, and products to enable continuous delivery of value Production Development Develop +Test Monitor + learn Collaboration Plan Build + Release Requirements / Work Items
- 13. Security Shift Left DevSecOps Security practises should be automated and baked into DevOps in a pervasive manner Shift left – introduce security earlier into the dev lifecycle Security first culture Production Development Develop +Test Monitor + learn Collaboration Plan Build + Release Requirements / Work Items
- 14. GitHub Advanced Security capabilities GitHub Code Scanning The interrogatable tool that provides the world class developer experience developers expect when it comes to consuming security & quality alerts CodeQL CodeQL is the analysis engine used by developers to automate security checks, and by security researchers to perform variant analysis GitHub Secret Scanning Automatic notifications of any API tokens or other secrets exposed anywhere in your git history GitHub Security Overview A single pane of glass for everything security in, and out of GitHub GitHub Supply Chain (Dependency Review) Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request
- 15. GitHub Advanced Security capabilities Demo Time
- 16. Resources Session specific resources Azure Security Documentation 👉https://aka.ms/build/uk/azure-security GitHub Security 👉https://aka.ms/build/uk/github-security General learning resources Microsoft Learn 👉 https://aka.ms/build/uk/learn Microsoft Docs 👉 https://aka.ms/build/uk/docs Microsoft Build Cloud Skills Challenge 👉 https://aka.ms/build/uk/csc Microsoft Certifications 👉 https://aka.ms/build/uk/certs Microsoft UK Training Days 👉 https://aka.ms/build/uk/training Microsoft UK Developer Hub 👉 https://aka.ms/build/uk/developers Microsoft UK Community Map 👉 https://aka.ms/build/uk/community
- 18. © Copyright Microsoft Corporation. All rights reserved.