Develop a security and compliance plan Flashcards
What percent of the total exam questions are dedicated to this subject?
10% to 15%
How do we get access to the outside world?
Typically through a service connection.
How do we control the resources which an Azure Service Connection can connect to?
Define users, pipelines and project access permissions to the service connection.
How is an Azure Service Connnection used?
Once configured, it is referred to by name in a typical pipeline instruciton format.
What is a persinal access token and how is it used on Azure DevOps?
A PAT contains your security credentials. You can create and manage your PATs thoguh the Azure UI or the PAT lifecycle management API.
PATs should be assigned an explicit set of permissions and an expiration date/time.
Are variable groups a safe way to persist credentials?
Yes, variable groups are protected resources and can offer a secret variable type (once written, you will not be able to read them back). Variable groups can be scoped to to users, projects and pipelines to limit the exposure of the secrets in the variable group.
- Save the secrets directly to the pipeline
- Save the secrets as ‘secret’ type in a variable group
- Store the secrets in Azure key vault and map the necessary secret keys to the variable group (only the key not the value is visible in the variable group). This way the credentials are usable but unknowable. Azure Key Vault offers logging and management features and any changes from within Azure Key Vault will then be reflected accross every pipeline which accesses the updated secrets via this variable group -> secret mapping.
How to design a secrets storage and retrieval strategy?
- Grant user, group, pipeline etc. most limited access/permissions necessary
- Keep a separate store for configuration and secrets
- Create separate vaults for application or stage
- Grant access to groups rather than users to facilitate access management as team size fluctuates
What are the best practices around files which contain secrets or confidential information in an Azure Pipeline?
Examples of sensitive files are:
* Signing Certificates
* Apple provisioning profiles
* Android keystore files
* SSH keys
You can store them using the Secure Files library and so they are treated as secrets but can be shared accross pipelines.
An alternative option would be to use Azure Key Vault and variable groups.
What are some best practices to avoif leakage of sensitive information?
To protect from contributed code:
- Don’t provide secrets to fork builds
- Consider manually triggering fork builds
- Use Microsoft hosted agents for fork builds
Other considerations:
- Don’t rely on PATH (not very predictable)
- Maintain a log of secrets but do not print the secret values
- Lock down containers
- Control available tasks
- Use the auditing service
What are the four possible aids in a good code compliance solution?
- Use githooks (pre-commit, scans, audits, vunderabilities etc.)
- Use GitHub Security (features like vunerability scanning and dependabot)
- Use Pipelein based scans (tools available through Azure Marketplace like whitesource or checkmarx)
- USe SonarQube (opensource, inspects code quality)
At what stages can and should dependency scanning happen?
- Client side (IDE plugins and pre-commit hooks etc.)
- CI side (Azure services like GitHub Security)
- Source side (Services or tools like CodeQL or whitesource)
What are the target features of WhiteSource and GitHub when it comes to automated security scanning?
At what scopes can an Azure DevOps service connection be granted access?
- pipeline
- project
You need a compliance solution to help manage vulnerabilities in application dependencies. What possible options would you have?
- Whitesource Bolt
- Github dependabot
What is Static Code Analysis?
identify potential vulnerabilities in code by analyzing the code without executing it (SonarQube)
