Reed Robison spotlights the Secure DevOps: Application Security Principles and Practices Workshop.

Developers juggle so many technologies that it’s incredibly difficult to consider all the security ramifications of the code they build. Almost every customer I work with will say that security is a priority, and most have dedicated security teams that go to great lengths to validate secure infrastructure and architecture. That said, when it comes to applying secure practices in the development of code, very few invest to upskill developers. Security is a partnership of stakeholders, and if you ignore this with developers, it can be a costly oversight. In this post, I want to spotlight a workshop we offer that can help– Secure DevOps: Application Security Principles and Practices.

Many of the posts on our blog are technical in nature, but from time to time I like to spotlight services and workshops under our Premier and Unified Support relationships that you may not be aware of. Beyond the incident support in these support agreements, there is a large catalog of workshops available to help teams build skills.

This is a workshop available to Premier and Unified Support customers, so if you are not familiar with those programs, you can learn more here. If you just want to drill into more info about some of the topics covered in the workshop, see the Additional Resources links at the bottom of this article.

Let’s look at the Secure DevOps: Application Security Principles and Practices Workshop.

From the syllabus:

Secure DevOps: Application Security Principles and Practices is a two-day workshop that focuses on concepts, methodologies, and workflows that have been proven to yield more secure code. In this class, we discuss practices adopted at Microsoft (and other companies) that have facilitated improvements in application security. This workshop takes a hands-on approach to implementing secure design, secure verification, and secure implementation techniques to produce more secure software. Target audience are individuals in a technical role who are involved in building, architecting, testing, and designing secure software. People who manage software development teams and software development processes will also find much of the Security Development Lifecycle and Secure DevOps content helpful. This workshop also has a an optional 1-day add-on that discuss the OWASP Top 10.

The workshop covers 2-3 days in duration and drills into the following areas:

Module 1: Evolution to Secure DevOps

• Threat Landscape
• Privacy and Compliance
• Microsoft’s History with App Security
• Software Development Evolution
• Secure DevOps Culture and Mindset Shift

Module 2: Secure DevOps Principles and Practices

• Secure DevOps Principles
• Secure DevOps Practices Assume Breach
• Practices Alignment
• Organizational Considerations
• Supporting SDL Practices

Module 3: Application Security Principles

• Secure Application Basic Concepts
• Understanding Organizational Threats
• Secure by Design

Module 4: Automating a Secure and Compliant Pipeline

• Automated Security Verification
• Managing Secrets
• Securing automated deployments

Module 5: Threat Modeling Concepts

• What is Threat Modeling
• Threat Modeling Process
• Threat Modeling Tool

Module 6: Policy and Standards

• Establishing Secure Standards
• Understanding Compliance
• Threat Modeling for Compliance

Module 7: Introduction to Red and Blue Teams

• Defining Red/Blue Team Activities
• Kill Chain Analysis
• Attack Decomposition
• Monitoring and risk management

Module 8: Manual Security Verification

• Requirements and Design Verification
• Development Phase

Module 9: Live Site Operations

• Continuous monitoring, alerting, logging
• Threat Detection

OWASP Top 10

Overview of the OWASP Top 10 Each threat will be explained, and mitigation examples will be provided. The focus will be on .NET Core, and ASP.NET applications.

• A1:2017 – Injection
• A2:2017 – Broken Authentication
• A3:2017 – Sensitive Data Exposure
• A4:2017 – XML External Entities (XXE)
• A5:2017 – Broken Access Control
• A6:2017 – Security Misconfiguration
• A7:2017 -Cross-Site Scripting (XSS)
• A8:2017 – Insecure Deserialization
• A9:2017 – Using Components with Known Vulnerabilities
• A10:2017 – Insufficient Logging & Monitoring

Secure software requires design well beyond parameter and infrastructure security. It starts with getting developers on board with important concepts and considerations as the code is being written—long before it’s released.

The Secure DevOps: Application Security Principles and Practices Workshop is an excellent way to establish core security knowledge into your application development lifecycle and ensure your developers are invested in delivering secure solutions.

Premier and Unified Support customers should contact their Customer Success Account Manager (CSAM) for more information and help with workshop scheduling.

Additional Resources

• Microsoft Security Best Practices | Microsoft Docs
• Microsoft Security DevOps
• Microsoft Security Development Lifecycle
• Secure coding guidelines for .NET | Microsoft Docs
• Secure development best practices on Microsoft Azure | Microsoft Docs