Uploaded byAbdul_Mujeeb
1,078 views

DevSecOps Basics with Azure Pipelines

This document discusses DevSecOps, which integrates security practices into DevOps workflows to securely develop software through continuous integration and delivery. It outlines the basic DevOps process using Azure Pipelines for CI/CD and defines DevSecOps. The document then discusses challenges with security, benefits of DevSecOps for businesses, and common tools used, before concluding with an example DevSecOps demo using Azure Pipelines with security scans at various stages.

Downloaded 51 times
DevSecOps Using Azure Pipelines for Continuous CI CD and Security Mohammed Abdul Mujeeb
Agenda • What is DevOps • DevOps using Azure Pipelines • What is DevSecOps • Why do we need DevSecOps • Demo - DevSecOps using Azure Pipelines
Build Cycle
DevOps • A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers - Microsoft Definition • Any thing that speeds application delivery - Simplified • Automation plays an important role in speeding application delivery
Azure DevOps • Set of tools to achieve DevOps • 5 Modules - Boards, Repos, Pipelines, Test Plan, Artifacts • Azure Pipelines - CI and CD tool
Terminologies • Continuous Integration (CI) - Automated building of code • Continuous Delivery (CD) - Deployment ready, but not all changes will be deployed to production • Continuous Deployment (CD) - Automated deployment to production
Demo Architecture
Demo - Basic DevOps Process 1. Developer makes changes in IDE (VSCode) 2. Developer pushes the code to GIT 3. The push triggers automated build (CI) using Azure pipelines 4. The CI pulls latest source code, builds docker image and pushes docker image to Azure Container Registry (ACR) 5. Successful deployment to ACR triggers CD via Releases 6. The Release Pipeline deploys code to the App Service
Basic DevSecOps Process • Design - Threat Modeling and Risk Assessment • Development - SAST Scan on IDE, Code Reviews • Continuous Integration (CI) - Security Unit Tests, Static Application Security testing, Open Source Analysis, Container Scanning • Continuous Delivery (CD) - Compliance Check, Dynamic Application Security Scanning, Infrastructure Security, Penetration testing • Continuous Deployment (CD) - Compliance Check, Runtime Defense • Security in Production - Monitoring, SSL Configuration,
Challenges • Security as an after thought • Quick software release cycles • Moving workloads to cloud • Organizational Culture
DevSecOps • Shift Security Left • Integrates security with DevOps without slowing down SDLC • Automates Security within the DevOps Workflow • Secure Continuous Development • Is not just about using bunch of security tools. It’s about people, process and tools
DevSecOps for Business • An organization developing software in-house • An organization outsourcing software development • An organization procuring software from a vendor
Tools of the trade • Threat Modeling - Microsoft Threat Modeling .. • SAST Scan - Checkmarx, SonarCloud, Open Source .. • OSA - Whitesource, BlackDuck, OWASP Dependency Check .. • Container Scan - Aqua, Twistlock, Anchore, Clair .. • DAST Scan - OWASP ZAP, TinFoil .. • Many other tools based on the requirement • Prefer open source tools to start
Demo Secure CI and CD using Azure Pipelines Steps - 1. SAST scan using SonarCloud 2. Open Source Scan scan using Whitesource Bolt 3. Container Scan using Anchore 4. DAST Scan using OWASP Zap 5. Compliance Scan on the cloud infrastructure

More Related Content

PDF
DevSecOps | DevOps Sec
byRubal Jain
 
PPTX
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PPTX
DevSecOps
byJoel Divekar
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
DevSecOps | DevOps Sec
byRubal Jain
 
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
DevSecOps : an Introduction
byPrashanth B. P.
 
Introduction to DevSecOps
byabhimanyubhogwan
 
The What, Why, and How of DevSecOps
byCprime
 
DevSecOps
byJoel Divekar
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 

What's hot

PPTX
Azure DevOps CI/CD For Beginners
byRahul Nath
 
PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PPTX
Tour of Azure DevOps
byCallon Campbell
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PPTX
Azure dev ops
bySwaminathan Vetri
 
PDF
Practical DevSecOps - Arief Karfianto
byidsecconf
 
PDF
Security Process in DevSecOps
byOpsta
 
PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
byJanusz Nowak
 
PPTX
DEVSECOPS.pptx
byMohammadSaif904342
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PPSX
Zero-Trust SASE DevSecOps
byAraf Karsh Hamid
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PPTX
DevSecOps
byCheah Eng Soon
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
PDF
DevSecOps What Why and How
byNotSoSecure Global Services
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PPTX
DevOps introduction
byMettje Heegstra
 
PPTX
Azure DevOps
byFelipe Artur Feltes
 
Azure DevOps CI/CD For Beginners
byRahul Nath
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
Introduction to DevSecOps
bySetu Parimi
 
Tour of Azure DevOps
byCallon Campbell
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
Azure dev ops
bySwaminathan Vetri
 
Practical DevSecOps - Arief Karfianto
byidsecconf
 
Security Process in DevSecOps
byOpsta
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
byJanusz Nowak
 
DEVSECOPS.pptx
byMohammadSaif904342
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
Zero-Trust SASE DevSecOps
byAraf Karsh Hamid
 
2019 DevSecOps Reference Architectures
bySonatype
 
DevSecOps
byCheah Eng Soon
 
DevSecOps reference architectures 2018
bySonatype
 
DevSecOps What Why and How
byNotSoSecure Global Services
 
Demystifying DevSecOps
byArchana Joshi
 
DevOps introduction
byMettje Heegstra
 
Azure DevOps
byFelipe Artur Feltes
 

Similar to DevSecOps Basics with Azure Pipelines

PPTX
Azure DevOps
byJuan Fabian
 
PPTX
Azure DevOps
byMichael Jesse
 
PDF
[JAZUG Tohoku Azure DevOps] Azure DevOps
byNaoki (Neo) SATO
 
PDF
Azure DevOps - Azure Guatemala Meetup
byGuillermo Zepeda Selman
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PPTX
DevOps and Tools
byMohammed Fazuluddin
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PPTX
Azure_DevOps_Presentation BASIC SLIDES.pptx
bySantoshAiwale4
 
PPTX
How to Execute DevOps Using Azure CI CD.pptx
byXavor Corporation - Redefining Health Technology
 
PPTX
Devops Basic Concepts, Lifecycle of Devops
bySwapnilPawar483968
 
PDF
Security Scanning Solutions_ Protecting Applications in the DevOps Era.pdf
byDevseccops.ai
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
Enhancing Devops Workflow and he details
byInvensis Learning
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PDF
Azure DevOps Day - Kochi
byAmal Dev
 
PDF
Azure DevOps Day - Trivandrum
byAmal Dev
 
PPTX
Drive business outcomes using Azure Devops
byBelatrix Software
 
Azure DevOps
byJuan Fabian
 
Azure DevOps
byMichael Jesse
 
[JAZUG Tohoku Azure DevOps] Azure DevOps
byNaoki (Neo) SATO
 
Azure DevOps - Azure Guatemala Meetup
byGuillermo Zepeda Selman
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
DevOps and Tools
byMohammed Fazuluddin
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
Azure_DevOps_Presentation BASIC SLIDES.pptx
bySantoshAiwale4
 
How to Execute DevOps Using Azure CI CD.pptx
byXavor Corporation - Redefining Health Technology
 
Devops Basic Concepts, Lifecycle of Devops
bySwapnilPawar483968
 
Security Scanning Solutions_ Protecting Applications in the DevOps Era.pdf
byDevseccops.ai
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
Enhancing Devops Workflow and he details
byInvensis Learning
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
Scale security for a dollar or less
byMohammed A. Imran
 
Azure DevOps Day - Kochi
byAmal Dev
 
Azure DevOps Day - Trivandrum
byAmal Dev
 
Drive business outcomes using Azure Devops
byBelatrix Software
 

Recently uploaded

PDF
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
PDF
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
PDF
SQL Server BI Modeling Designing Data for Success with SqlDBM.pdf
bySQL DBM
 
PPTX
ScalaF: Functional Refactoring and Automated Code Transformations
byhelloshrikha
 
PDF
Integrare AI e Automazione con UiPath Agent Builder
byUiPathCommunity
 
PDF
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
PDF
Performance.sync(): 7 Levels of a Web Performance Journey
bySergeyChernyshev
 
PDF
Streamline complex activities with AI PCs featuring AMD Ryzen processors
byPrincipled Technologies
 
PPTX
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
 
PPTX
Artificial Intelligence lecture slides.pptx
bymaimelabernard6
 
PDF
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
PDF
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
PDF
The State of Adventure Capital - Grant Gregory | Cantos
byRazin Mustafiz
 
PDF
Transcript: Ready, set, go: Pre-fall sales trends and data-driven insights - ...
byBookNet Canada
 
PDF
Dev Dives: Unlocking Enterprise Data with UiPath Data Fabric
byUiPathCommunity
 
PPTX
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
PDF
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
PDF
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
PDF
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
PPTX
Assignment Review and Accessibility Audit Findings.pptx
byJulia Undeutsch
 
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
SQL Server BI Modeling Designing Data for Success with SqlDBM.pdf
bySQL DBM
 
ScalaF: Functional Refactoring and Automated Code Transformations
byhelloshrikha
 
Integrare AI e Automazione con UiPath Agent Builder
byUiPathCommunity
 
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
Performance.sync(): 7 Levels of a Web Performance Journey
bySergeyChernyshev
 
Streamline complex activities with AI PCs featuring AMD Ryzen processors
byPrincipled Technologies
 
Taming Time in PHP: Best Practices and Gotchas at Longhorn PHP 2025
byScott Keck-Warren
 
Artificial Intelligence lecture slides.pptx
bymaimelabernard6
 
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
The State of Adventure Capital - Grant Gregory | Cantos
byRazin Mustafiz
 
Transcript: Ready, set, go: Pre-fall sales trends and data-driven insights - ...
byBookNet Canada
 
Dev Dives: Unlocking Enterprise Data with UiPath Data Fabric
byUiPathCommunity
 
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
Assignment Review and Accessibility Audit Findings.pptx
byJulia Undeutsch
 
In this document
Powered by AI

Introduction to DevSecOps and its relevance using Azure Pipelines; outlines the agenda.

Explains DevOps as a combination of development and operations; details Azure DevOps tools and CI/CD terminologies.

Presents demo architecture of basic DevOps process using Azure Pipelines to automate builds and deployments.

Details the integrated DevSecOps process including threat modeling, security testing, and compliance checks.

Discusses common challenges faced in implementing DevSecOps, including cultural and operational issues.

Highlights the importance of integrating security into DevOps, emphasizing workflow automation and a holistic approach.

Describes how different organizations can implement DevSecOps whether in-house, outsourced, or vendor sourced.

Lists essential tools for DevSecOps processes including SAST, DAST, and container scanning tools as well as open-source options.

Shows steps involved in securing CI/CD processes using Azure Pipelines with various scanning tools for compliance.

DevSecOps Basics with Azure Pipelines

  • 1.
    DevSecOps Using Azure Pipelinesfor Continuous CI CD and Security Mohammed Abdul Mujeeb
  • 2.
    Agenda • What isDevOps • DevOps using Azure Pipelines • What is DevSecOps • Why do we need DevSecOps • Demo - DevSecOps using Azure Pipelines
  • 3.
  • 4.
    DevOps • A compoundof development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers - Microsoft Definition • Any thing that speeds application delivery - Simplified • Automation plays an important role in speeding application delivery
  • 5.
    Azure DevOps • Setof tools to achieve DevOps • 5 Modules - Boards, Repos, Pipelines, Test Plan, Artifacts • Azure Pipelines - CI and CD tool
  • 6.
    Terminologies • Continuous Integration(CI) - Automated building of code • Continuous Delivery (CD) - Deployment ready, but not all changes will be deployed to production • Continuous Deployment (CD) - Automated deployment to production
  • 7.
  • 8.
    Demo - BasicDevOps Process 1. Developer makes changes in IDE (VSCode) 2. Developer pushes the code to GIT 3. The push triggers automated build (CI) using Azure pipelines 4. The CI pulls latest source code, builds docker image and pushes docker image to Azure Container Registry (ACR) 5. Successful deployment to ACR triggers CD via Releases 6. The Release Pipeline deploys code to the App Service
  • 9.
    Basic DevSecOps Process •Design - Threat Modeling and Risk Assessment • Development - SAST Scan on IDE, Code Reviews • Continuous Integration (CI) - Security Unit Tests, Static Application Security testing, Open Source Analysis, Container Scanning • Continuous Delivery (CD) - Compliance Check, Dynamic Application Security Scanning, Infrastructure Security, Penetration testing • Continuous Deployment (CD) - Compliance Check, Runtime Defense • Security in Production - Monitoring, SSL Configuration,
  • 10.
    Challenges • Security asan after thought • Quick software release cycles • Moving workloads to cloud • Organizational Culture
  • 11.
    DevSecOps • Shift SecurityLeft • Integrates security with DevOps without slowing down SDLC • Automates Security within the DevOps Workflow • Secure Continuous Development • Is not just about using bunch of security tools. It’s about people, process and tools
  • 12.
    DevSecOps for Business •An organization developing software in-house • An organization outsourcing software development • An organization procuring software from a vendor
  • 13.
    Tools of thetrade • Threat Modeling - Microsoft Threat Modeling .. • SAST Scan - Checkmarx, SonarCloud, Open Source .. • OSA - Whitesource, BlackDuck, OWASP Dependency Check .. • Container Scan - Aqua, Twistlock, Anchore, Clair .. • DAST Scan - OWASP ZAP, TinFoil .. • Many other tools based on the requirement • Prefer open source tools to start
  • 14.
    Demo Secure CI andCD using Azure Pipelines Steps - 1. SAST scan using SonarCloud 2. Open Source Scan scan using Whitesource Bolt 3. Container Scan using Anchore 4. DAST Scan using OWASP Zap 5. Compliance Scan on the cloud infrastructure