DevSecOps

Integrate security into every aspect of the software delivery lifecycle.

Read the documentation

Explore the Microsoft products and services that enable secure DevOps

With cyberthreats on the rise, teams that build and operate applications face new and serious challenges every day. Learn how Microsoft offers a complete solution to enable DevSecOps, or secure DevOps, for apps on the cloud (and anywhere) with Azure and GitHub.

Building and operating secure applications is an effort that requires the involvement of everyone, from development to operations to support.

The concept of shift-left security requires empowering teams, and holding them accountable, to include security thinking from the early stages of planning through development, packaging, and deployment of the application.

While this is as much of a cultural shift as it is about tools, Microsoft can help with products and services from Azure and GitHub.

Almost all new applications being built leverage code written by third parties, including open-source components, in at least some form. While this provides clear benefits, allowing higher productivity and better collaboration, it also creates challenges related to controlling and securing your software supply chain.

Microsoft and GitHub offer solutions that give you confidence in the code you’re running in production: they inspect your code, make it traceable down to the work items, and provide insights on the third-party components that are in use.

With Azure, you can leverage an extensive set of services that make operating your application more convenient and safer.

Run your code on managed application platforms, including Kubernetes, and leverage trusted services to manage your keys, tokens, and secrets securely. Increase confidence in the security of your environment with policies. Then, ensure smooth, safe operations by leveraging real-time monitoring solutions for your applications and infrastructure.

Tight access control is often the first step to protecting your application, your code, and your infrastructure. Azure offers leading identity services, both for users within your organization and for external consumers accessing your applications.

Leverage our identity platform to secure access to your code on GitHub, manage permissions for Azure resources granularly, and even offer authentication and authorization services for your applications.

Leverage a complete, end-to-end set of products and services

Or pick only the ones that are most relevant to you

Safe applications start with safe code, but securing your code is often not enough. Managing your software supply chain with confidence is just as important as ensuring your code is secure.

GitHub, the world’s most popular developer platform, offers advanced features that help you secure your app’s code and dependencies:

  • GitHub Advanced Security leverages CodeQL, the industry’s leading semantic code analysis engine, to identify vulnerabilities in your code.
  • Identify and remediate security issues in your dependencies using security alerts and automated security updates (Dependabot).
  • Get alerts with secret scanning when credentials and tokens are mistakenly committed into source control.

Using Azure Pipelines for continuous integration, your code is compiled and packaged into a Docker container on each commit and automatically deployed to a test environment with Azure Dev Spaces.

Additionally, the continuous delivery capabilities of Azure Pipelines allow you to confidently build production-ready container images, with full, end-to-end traceability. You can trace back to the commits, work items, and artifacts of every image, to gain understanding of all the code running in your environment.

Production container images are stored on Azure Container Registry, where they are automatically scanned for vulnerabilities thanks to the integration with Azure Security Center.

AKS offers a Kubernetes cluster that is maintained and secured by Microsoft.

You can deploy your AKS cluster directly from your CI/CD pipeline, using infrastructure-as-code solutions, such as Terraform.

Integrate Azure Policy with AKS to ensure that operations are compliant.

For development and test environments, Azure Dev Spaces can provision a test Kubernetes cluster for each build and in response to a pull request.

Your applications can leverage Azure Key Vault to securely store keys, certificates, tokens, and other secrets, so your applications can load them at run-time. This is a safer alternative to including them with your applications’ code.

Whether you’re building an external-facing app or an internal line-of-business one, you can leverage Azure Active Directory (Azure AD) to securely manage identity and access control.

Use Azure AD to authenticate with your organization’s directory, leveraging advanced security features such as Multi-Factor Authentication, Identity Protection, and Anomalous Activity Report.

For external-facing apps, Azure AD B2C lets you conveniently manage authentication and authorization of external users, even using social accounts.

Azure AD also protects access to your Azure resources and the Azure portal, thanks to granular role-based access control.

With Azure Monitor, you can monitor both your application and infrastructure in real time, identifying issues with your code as well as potentially suspicious activities and anomalies.

Azure Monitor integrates with release pipelines in Azure Pipelines to enable automatic approval of quality gates or release rollback based on monitoring data.

Learn more about DevSecOps products and services


DevSecOps in Azure

Security is a prime concern for businesses that store any sort of customer or client data. The solution that handles the management and interface of this data should be developed with security in mind. DevSecOps means applying security best practices from the beginning of development: a shift-left strategy moves the focus on security away from auditing at the end and towards the start of development.
