Test Driven Security for your Azure Resources with the Secure DevOps Kit for Azure (AzSK)

Test Driven Security? What is that?

I borrowed the phrase Test Driven Security (TDS) from Mozilla’s Security Wiki and added a couple of words (in bold) that, in my opinion, make the definition more complete and do not leave it open to interpretation.

What is the Secure DevOps Kit for Azure (AzSK)?

Secure DevOps Kit for Azure (AzSK) is a free and open source toolkit built at Microsoft that helps integrate security and operational best practices into how resources are configured in Azure. You can find the documentation here.

Scott Hanselman on Azure Friday

How to run my first security scan with AzSK?

I am assuming that you have basic experience with PowerShell. A quick crash course is provided by the AzSK team on their website. How nice of them. 😄

Install-Module AzSK -Scope CurrentUser -AllowClobber -Force

  • Prompts you for a Subscription Name. This is the subscription where you will store the scan results in a new Log Analytics workspace inside a resource group named AzSK-GettingStarted-RG.
  • Installs AzSK and the required dependent Azure PowerShell modules.
  • Adds the AzSK view in your workspace with in-built queries and visualization.
  • Sends any future security scan results run on your machine to this workspace.

  • Prompts for the name of the subscription that you would like to scan. This can be different from the Subscription Name you provided in the previous step.
  • Scans the security status of your subscription and the resources inside the target subscription.
  • The list of resource types currently supported by AzSK is available here.
  • Prints real-time progress of the scan results on the console and also summarizes the results in CSV, PDF and JSON formats.
  • Sends the results across to the Log Analytics workspace created as part of the previous step.
  • Generates fix scripts to fix the problem wherever possible.

Where are the scan results stored?

They are stored inside a folder called AzSKLogs relative to the current working directory. The CSV results provide a good starting point to understand the results. They contain detailed information about the control scanned, the status, the severity and other details. The PDF file is a great email attachment to send your boss. Thank me later.
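Because the CSV carries each control's status and severity, it can also act as a pass/fail test. The script below is an added example, not part of AzSK or the original post; the column names (ControlID, Status, ControlSeverity, ResourceName), the status and severity values, the function names and the sample rows are assumptions to check against a report from your own scan.

```powershell
# Gate a build on AzSK scan results (added example, not AzSK's own code).
# Assumption: the report CSV has ControlID, Status, ControlSeverity and
# ResourceName columns; adjust the names to match your AzSK version.
function Get-BlockingControl {
    param(
        [object[]] $Result,
        [string[]] $BlockingSeverity = @('Critical', 'High'),
        [string[]] $BlockingStatus   = @('Failed', 'Error')
    )
    # Keep only rows that are both severe enough and not passing.
    $Result | Where-Object {
        $BlockingSeverity -contains $_.ControlSeverity -and
        $BlockingStatus   -contains $_.Status
    }
}

function Get-LatestAzSKReport {
    param([string] $Root = (Join-Path $PWD 'AzSKLogs'))
    # Newest CSV anywhere under the AzSKLogs folder, or $null if none exists.
    Get-ChildItem -Path $Root -Filter '*.csv' -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

# Constructed sample rows, used only when no real report is found.
$sample = @'
ControlID,Status,ControlSeverity,ResourceName
Sample_Control_Https_Only,Failed,High,storacct01
Sample_Control_Diagnostics,Failed,Medium,storacct01
Sample_Control_Admin_Count,Passed,High,subscription
Sample_Control_Manual_Review,Verify,High,webapp01
'@ | ConvertFrom-Csv

$report = Get-LatestAzSKReport
$rows = @(if ($report) { Import-Csv -Path $report.FullName } else { $sample })

# Fail closed: an empty report or a renamed column must not pass silently.
$missing = 'ControlID', 'Status', 'ControlSeverity' |
    Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "Report is missing column(s): $($missing -join ', ')" }

$blocking = @(Get-BlockingControl -Result $rows)
$blocking | Format-Table ControlID, Status, ControlSeverity, ResourceName -AutoSize

if ($blocking.Count -gt 0) {
    Write-Error "$($blocking.Count) high-severity control(s) failing; blocking the release."
    exit 1
}
Write-Output 'No blocking controls found.'
```

With the constructed rows only Sample_Control_Https_Only blocks the build; the Verify row is left for a human to review rather than treated as a failure.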

How to integrate AzSK in my DevOps pipeline?

Running these security tests periodically from a PS console is great, but integrating them in your CI/CD pipeline is even better. AzSK provides extensions for Azure DevOps (formerly VSTS) and Jenkins.

Azure DevOps (VSTS) Extensions

How can I continuously monitor all my systems?

Integrating AzSK in your deployment pipeline is great but sometimes you might not have control over the deployment pipeline. You might also have systems that are already live and want to monitor the security posture continuously to avoid ‘security drift’.

What other things can I do with AzSK?

  • AzSK in Continuous Assurance mode also supports webhooks, which can be very useful for integrating the scan results from AzSK into your existing monitoring solutions.
  • AzSK also lets you customize the security controls, for example to disable certain controls, change control severity or modify recommendation messages.
  • Since all the scan results are sent to Azure Log Analytics workspace, you can configure alerts or query and visualize the results with custom charts and dashboards using the Log Analytics API.

Gurucharan Subramani
