There are many things to explore, but there is only so little time.
Pick and choose any of the assignments below, or explore on your own.
As a nice repo to work with, you can use this one https://github.com/XpiritBV/GDBC2018-GDBCWebsite
In your own Azure DevOps account, make sure that you enforce the 4-eyes principle on every code change. Think of the following things you can do:
- Protect the master branch with a branch policy
- Add another user (the security office) as a required reviewer
- Test the flow by adding a Pull Request
- Try to enforce a successful build before merging
On this website you can request a preview for the CredScan tools, or maybe you already have. We can provide you with a NuGet package so you can run it locally. Ask us and we will mail it to you.
- Run CredScan on one of your repositories and see what happens
Try to run dependency scans on your codebase. You can find vulnerable packages in this online DB. Try to add one and run a scan in your pipeline with one of the following tools:
- WhiteSource (Bolt)
- Snyk
- BlackDuck
You can request trials for each of them
Explore the Azure Security as Code module and baseline the security of 1 resource group.
- Try to add a user via scripts
Scan your Azure Infrastructure by running the Azure Security DevOps Toolkit.
- Start locally
- Run the scans in the pipeline
- Set up Continuous Assurance and check Log Analytics
Set up a SQL Server and set up Threat Detection. Run a SQL injection script and see the alert come in:
function _Execute-NonQuery
{
    param
    (
        [string]$servername,
        [string]$dbname,
        [string]$username,
        [string]$password,
        [bool]$isIntegrated = $false,
        [int]$timeout = 30
    )
    # Azure SQL logical servers are reachable under <servername>.database.windows.net
    if ($isIntegrated) {
        $connString = "server=$($servername).database.windows.net;database=$($dbname);Integrated Security=true;"
    } else {
        $connString = "server=$($servername).database.windows.net;database=$($dbname);Integrated Security=false;User ID=$($username);Password=$($password);"
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    # Deliberately injected search term: it closes the string literal, appends an ORDER BY
    # and comments out the rest of the statement. This is what Threat Detection should flag.
    $title = "Men at Work%' ORDER BY title --"
    $query = "SELECT * FROM Albums WHERE title LIKE '%" + $title + "%'"
    $cmd = New-Object System.Data.SqlClient.SqlCommand($query, $conn)
    $cmd.CommandTimeout = $timeout
    try {
        $cmd.Connection.Open()
        # ExecuteNonQuery is enough to send the statement to the server; the result set is not needed here
        $cmd.ExecuteNonQuery()
    }
    catch
    {
        Write-Error "Error executing SQL Statement. $($_.Exception.Message)"
        Write-Error ($_.Exception | Format-List -Force | Out-String)
    }
    finally
    {
        $cmd.Connection.Close()
    }
}
$Database = ""
$ServerInstance = ""
$Username = ""
$Password = ''
_Execute-NonQuery -servername $ServerInstance -dbname $Database -username $Username -password $Password
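For contrast, here is the same Albums lookup written with a parameterized query (an added example, not part of the workshop material): the search term travels as a SqlParameter, so the `ORDER BY ... --` payload is treated as literal text and cannot change the statement, and Threat Detection has nothing to flag. It assumes the same Albums table with a title column and the same connection variables used in the script above.

```powershell
function Invoke-AlbumSearch
{
    param
    (
        [string]$servername,
        [string]$dbname,
        [string]$username,
        [string]$password,
        [string]$title,
        [int]$timeout = 30
    )
    $connString = "server=$($servername).database.windows.net;database=$($dbname);Integrated Security=false;User ID=$($username);Password=$($password);"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    # The SQL text is fixed; user input never becomes part of the statement string
    $query = "SELECT title FROM Albums WHERE title LIKE @pattern"
    $cmd = New-Object System.Data.SqlClient.SqlCommand($query, $conn)
    $cmd.CommandTimeout = $timeout
    # Wildcards are added in code; the value is sent separately from the statement,
    # so a quote, ORDER BY or comment marker inside it stays plain data
    $param = $cmd.Parameters.Add("@pattern", [System.Data.SqlDbType]::NVarChar, 200)
    $param.Value = "%" + $title + "%"
    $results = @()
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $results += $reader.GetString(0) }
        $reader.Close()
    }
    catch {
        Write-Error "Error executing SQL Statement. $($_.Exception.Message)"
    }
    finally {
        $conn.Close()
    }
    return $results
}

# Placeholders, fill in as in the script above
$Database = ""
$ServerInstance = ""
$Username = ""
$Password = ''
# Same payload as the injection script: with a parameter it only matches albums whose
# title literally contains that string, which in a realistic catalogue is none
Invoke-AlbumSearch -servername $ServerInstance -dbname $Database -username $Username -password $Password -title "Men at Work%' ORDER BY title --"
```

In real scripts pass the password through a SqlCredential or a secure prompt rather than a plaintext variable.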