AzureFunBytes Episode 54 – @GitHub Integration with @Azure and Shifting Left
AzureFunBytes is a weekly opportunity to learn more about the fundamentals and foundations that make up Azure. It’s a chance for me to understand more about what people across the Azure organization do and how they do it. Every week we get together at 11 AM Pacific on Microsoft LearnTV and learn more about Azure.
Security is not an option when deploying applications. Considerations into what keeps your users safe must be part of your software delivery lifecycle. Whether it’s adding correct firewalls rules to a server or knowing your
npm package dependencies don’t have cryptocurrency miners, you must always take steps to further your security posture. There’s no reason to wait till after deployment to consider security, if we begin the process of securing, scanning, and shifting left we can greatly reduce our potential for intrusions.
What do I mean by shifting left? The goal for shifting left is to move quality upstream by performing security-focused tasks earlier in the pipeline. Rather than play catch-up after a potential security incident, developers can take reduce their exposure to troublesome incidents by utilizing DevSecOps practices.
What is DevSecOps? Azure’s DevOps solutions page defines it as:
DevSecOps involves utilizing security best practices from the beginning of development, shifting the focus on security away from auditing at the end and towards development in the beginning using a shift-left strategy.
This week on AzureFunBytes I welcome Lavanya Kasarbada to help me understand how DevSecOps can create a better environment for your applications. Lavanya Kasarabada is a Senior Program Manager with the Azure Security Team. She works on Container and Serverless Security!
Lavanya covers how to secure your container workloads. She discusses how the GitHub integration with Azure will provide end to end traceability and visibility into shift left security assessments.
Our agenda includes:
- Enabling Defender for Containers
- Enabling and configuring Vulnerability scanning in GitHub workflow
- Viewing detailed results in Azure Security Center
00:00:00 – Opening
00:03:17 – Let’s meet Lavanya
00:05:45 – Satya commits to $20 Billion to advance security solutions
00:06:39 – So how did you get here?
00:07:26 – What do we mean by “shift-left” exactly?
00:11:00 – A DevSecOps data flow
00:21:26 – Value proposition
00:23:03 – Security Scenarios
00:24:52 – Personas in our organization
00:27:47 – Public Preview Release
00:30:42 – Azure Security Center Demo
00:34:06 – GitHub Actions workflow and security scanning
00:37:41 – Let’s look at the build logs
00:42:30 – Reviewing scan results
00:46:45 – Recommendations and score
00:49:44 – Azure Defender
00:53:52 – What’s your biggest challenge with the ASC product today?
We’ll dive into how all the parts fit together and learn to shift-left on Azure.
Learn about Azure fundamentals with me!
Live stream is normally found on Twitch, YouTube, and LearnTV at 11 AM PT / 2 PM ET Thursday. You can also find the recordings here as well:
Get $200 in free Azure Credit
Microsoft Learn: Introduction to Azure fundamentals
Enable DevSecOps with Azure and GitHub
DevOps solutions on Azure
DevSecOps in Azure
Shift left to make testing fast and reliable
Azure Security Center integration with GitHub Actions, in public preview
Azure Security Center
Identify vulnerable container images in your CI/CD workflows
Use Azure Defender for container registries to scan your images for vulnerabilities
Scaling DevSecOps with GitHub and Azure