Azure DevOps

Tools for Microsoft provides version control, reporting, requirements management. Project management. automated builds , testing and release capabilities.

Continuous Integration 

• Automated tests make sure that the bugs are captured in the early phases, and fewer bugs reach the production phase. 
• After the issues are resolved efficiently, it becomes easy to build the release.
• Developers are alerted when they break any build, so they have to rebuild and fix the build before moving forth on to the next task.
• • As Continuous Integration can run multiple texts within seconds, the costs for testing decreases excessively.
• When lesser time is invested in testing, more time can be spent in the improvement of quality.

Continuous Delivery

• The process of deploying software is no more complex, and now the team does not need to spend a lot of time preparing the release anymore.
• • The releases can be made more frequently, this in turn speeds up the feedback loop with the customers.
• The iterations in the case of the process become faster.

Continuous Deployment

• There is no need to stop the development for releases anymore, as the entire deployment process is now automated.
• • The release process is less prone to risks and is easily fixable in the case of any issues, as only the small batches of changes are deployed.
• There is a continuous chain of improvements in quality with every passing day. The process of development now does not take long duration like a month or a year.

Continuous Delivery vs Deployment Continuous Delivery is a software engineering practice where the code changes are prepared to be released. Continuous Deployment aims at continuously releasing the code changes into the production environment.

Azure pipelines

• Build pipelines: These takes instructions from yaml file and build and publish artifacts from cloned source code.
• Release pipeline These pipelines are deploy build artifacts into Agent machines.
• Create release This one help us for complete end to end pipeline for ci/cd impl.

Example azure yaml templates url

Azure Board supports Agile boards

Azure DevSecOps URL

• SAST(Static Application Security testing)
• SCA (Software Composition Analysis)
• DAST (Dynamic Application Security Testing)
• IAST(Interactive Application Security Testing)
• IAC(infrastructure as code)
• API Security

Shift left approach is DevSecOps approach.

Development stage

• Git secrets
• Security Plugins in IDE
• TruffleHog (has enterprise license) similar to git secrets

Security

• Code Quality tools (Sonarqube)
• SAST security tools (Fortify, Veracode,Chackmarx)
• SCA tools (Snyk,veracode, fortify,blackduck)
• DAST tools (OWASP,ZAP,WebInspect,Veracode,DAST,ACunetix)
• IAC tools (Synk, bridgecrew)
• Container security (Aqua,Qualys,PrismaCloud)

Operations

• Build pipeline tools (Jenkins, AWS, GCP Cloudbuild,Azure devops, github actions, Gitlab)
• Cloud security posture (AQUA, bridgeCrews)
• Container Registry Scanning Tools (Aqua,AWS native registry scanning)
• Infrastructure Scanning tools ( Chef inspec(Compliance) ,nessus)
• Clouud security (Azure defender, aws security hub )

Devsecops in Azure DevOps

Take a look at repository section.

https://github.com/asecurityguru/just-another-vulnerable-java-application

Added Azure DevOps yaml ⇒ https://github.com/asecurityguru/devsecops-azure-devops-simple-yaml-file-repo

SonarCloud

SaaS code quality and security tool. recordingangel

Sonar cloud custom quality gate ⇒ for devsecops pipeline add azure yaml.

use section 4 for custom show examples.

Need to add quality gate for our pipeline

Use enviroment section in azure devops for token in YAML.

Snyk

• Source code
• SaaS
• Open source Third party libraries
• Containers
• Infra as Code.

OWASP ZAP