Integrate security into every aspect of the software delivery lifecycle.Read the documentation
Explore the Microsoft products and services that enable secure DevOps
With cyberthreats on the rise, teams that build and operate applications are facing new, serious challenges every day. Learn about how Microsoft offers a complete solution to enable DevSecOps, or secure DevOps, for apps on the cloud (and anywhere) with Azure and GitHub.
Building and operating secure applications is an effort that requires the involvement of everyone, from development to operations and support.
The concept of shift-left security requires empowering, and remaining accountable for, teams in order to include security thinking from the early stages of planning to developing, packaging and deploying the application.
While this is as much a cultural shift as it is about tools, Microsoft can help with products and services from Azure and GitHub.
Almost all new applications being built leverage code written by third parties, including open-source components, in at least some forms. While this provides clear benefits, allowing higher productivity and better collaboration, it also creates challenges related to controlling and securing your software supply chain.
Microsoft and GitHub offer solutions that help you gain confidence in the code you’re running in production, by inspecting your code and ensuring its traceability down to the work items and insights on the third-party components that are in use.
With Azure, you can leverage an extensive set of services that make operating your application more convenient and safer.
Run your code on managed application platforms, including Kubernetes, and leverage trusted services to manage your keys, tokens and secrets securely. Increase confidence in the security of your environment with policies. Then, ensure smooth, safe operations by leveraging real-time monitoring solutions for your applications and infrastructure.
Tight access control is often the first step to protecting your application and your code and infrastructure. Azure offers leading identity services, both for users within your organisation and for external consumers accessing your applications.
Leverage our identity platform to secure access to your code on GitHub, manage permissions for Azure resources granularly and even offer authentication and authorisation services for your applications.
Leverage a complete, end-to-end set of products and services
Or only pick the ones that are most relevant to you
Safe applications start with safe code, but securing your code is often not enough. Managing your software supply chain with confidence is just as important as ensuring that your code is secure.
GitHub, the world’s most popular developer platform, offers advanced features that help you secure your app’s code and dependencies:
- GitHub Advanced Security leverages CodeQL, the industry’s leading semantic code analysis engine, to identify vulnerabilities in your code.
- Identify and remedy security issues in your dependencies using security alerts and automated security updates (Dependabot).
- Get alerts with secret scanning when credentials and tokens are mistakenly committed into source control.
Additionally, the continuous delivery capabilities of Azure Pipelines allow you to build production-ready container images confidently and with full, end-to-end traceability. You can trace back to the commits, work items and artifacts of every image, to gain understanding of all the code running in your environment.
AKS offers a Kubernetes cluster that is maintained and secured by Microsoft.
You can deploy your AKS cluster directly from your CI/CD pipeline, using infrastructure-as-code solutions, such as Terraform.
Integrate Azure Policy with AKS to ensure that operations are compliant.
For development and test environments, Azure Dev Spaces can provision a test Kubernetes cluster for each build and in response to a pull request.
Your applications can leverage Azure Key Vault to securely store keys, certificates, tokens, and other secrets, so your applications can load them at run-time. This is a safer alternative than including them with your applications’ code.
Whether you’re building an external-facing app or an internal line-of-business one, you can leverage Azure Active Directory (Azure AD) to securely manage identity and access control.
Use Azure AD to authenticate with your organisation’s directory, leveraging advanced security features such as Multi-Factor Authentication, Identity Protection and Anomalous Activity Reports.
For external-facing apps, Azure AD B2C lets you conveniently manage authentication and authorization of external users, even using social accounts.
Azure AD also protects access to your Azure resources and the Azure portal, thanks to granular role-based access control.
With Azure Monitor, you can monitor both your application and infrastructure in real-time, identifying issues with your code and potential suspicious activities and anomalies.
Azure Monitor integrates with release pipelines in Azure Pipelines to enable the automatic approval of quality gates or to release rollback based on monitoring data.
Learn how integrate your security team with an existing DevOps team
Read six tips to integrate security into your DevOps practices to learn how cutting-edge organisations have implemented DevSecOps across their businesses.
Learn more about DevSecOps products and services
Innovate at scale by bringing open-source code and best practices to your enterprise projects securely.
Manage, control and monitor access to critical resources in your organisation with identity and access management.
DevSecOps in Azure
Security is a prime concern for businesses that are storing any sort of custom or client data. The solution that is covering the management and interface of this data should be developed with security in mind. DevSecOps involves utilising security best practices from the beginning of development, shifting the focus on security away from auditing at the end and towards development at the beginning using a shift-left strategy.