@renevanosnabrugge
Last active September 12, 2018 20:16
HandsOn Dutch Microsoft ALM Group 13/9/2018 - The Shift to Rugged DevOps

There are many things to explore, but there is only so much time.

Pick and choose any of the assignments below, or explore on your own.

As a nice repo to work with, you can use this one: https://github.com/XpiritBV/GDBC2018-GDBCWebsite

Shift left security

In your own Azure DevOps account, make sure that you enforce the 4-eyes principle on every code change: no change reaches the protected branch without a second person having looked at it. Think of the following things you can do:

  • Protect the master branch with a branch policy
  • Add another user (the security officer) as a required reviewer
  • Test the flow by opening a Pull Request
  • Try to enforce a successful build before merging
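The four items above can be configured in one go through the Azure DevOps REST API instead of by clicking through the branch policy UI. The script below is an added example and is not part of the original workshop sheet or of the GDBC2018 repository. Everything in its param block is a placeholder: your organization, project and repository name, the identity GUID of the security officer (visible in their profile URL or via the Identities API), and the numeric id of a build definition; the personal access token is read from the AZDO_PAT environment variable and needs code read and policy read/write permissions. Policy type ids are looked up by display name rather than hard-coded, and the "creator vote counts" setting is switched off so that the author's own approval never satisfies the minimum reviewer count.

```powershell
# Added example: enforce the 4-eyes principle on a branch through the Azure DevOps REST API.
# All parameter defaults are placeholders (assumptions), not values from the workshop page.
param(
    [string]$Org               = "my-org",
    [string]$Project           = "my-project",
    [string]$Repo              = "GDBC2018-GDBCWebsite",
    [string]$Branch            = "master",
    [string]$ReviewerId        = "00000000-0000-0000-0000-000000000000",  # identity GUID of the security officer
    [int]   $BuildDefinitionId = 1                                        # id of the CI build definition
)

$pat = $env:AZDO_PAT
if (-not $pat) { throw "Set AZDO_PAT to a personal access token first." }

# A PAT is sent as HTTP Basic authentication with an empty user name.
$headers = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$pat")) }
$base = "https://dev.azure.com/$Org/$Project/_apis"
$api  = "api-version=5.0"

# Resolve the repository id and the policy type ids at run time instead of hard-coding GUIDs.
$repoId = (Invoke-RestMethod -Uri "$base/git/repositories/${Repo}?$api" -Headers $headers).id
$types  = (Invoke-RestMethod -Uri "$base/policy/types?$api" -Headers $headers).value

function Get-PolicyTypeId([string]$displayName) {
    $t = $types | Where-Object { $_.displayName -eq $displayName }
    if (-not $t) { throw "Policy type '$displayName' not found in project $Project" }
    return $t.id
}

# Every policy below applies exactly to the protected branch of this repository.
$scope = @(@{ repositoryId = $repoId; refName = "refs/heads/$Branch"; matchKind = "Exact" })

function New-BranchPolicy([string]$typeName, [hashtable]$settings) {
    $settings.scope = $scope
    $body = @{
        isEnabled  = $true
        isBlocking = $true                       # blocking: the PR cannot complete until the policy is satisfied
        type       = @{ id = (Get-PolicyTypeId $typeName) }
        settings   = $settings
    } | ConvertTo-Json -Depth 6
    Invoke-RestMethod -Method Post -Uri "$base/policy/configurations?$api" `
        -Headers $headers -ContentType "application/json" -Body $body
}

# 1. At least one approval from somebody other than the author. With creatorVoteCounts
#    off, the author approving their own PR does not count, which is the 4-eyes rule.
New-BranchPolicy "Minimum number of reviewers" @{
    minimumApproverCount = 1
    creatorVoteCounts    = $false
    allowDownvotes       = $false
    resetOnSourcePush    = $true                  # new pushes invalidate earlier approvals
}

# 2. The security officer must approve every PR into the protected branch.
New-BranchPolicy "Required reviewers" @{
    requiredReviewerIds = @($ReviewerId)
    message             = "Security review is mandatory for changes to $Branch"
}

# 3. A successful build of the PR is required before the merge is allowed.
New-BranchPolicy "Build" @{
    buildDefinitionId       = $BuildDefinitionId
    queueOnSourceUpdateOnly = $true
    manualQueueOnly         = $false
    displayName             = "CI must pass before merge"
    validDuration           = 720                 # minutes a passing build result stays valid
}
```

After running it, open a Pull Request against the branch: the Overview tab lists the three policies, the author's own vote is ignored for the reviewer count, and the Complete button stays disabled until the security officer has approved and the build has passed.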

Add Credential Scan

On this website you can request a preview of the CredScan tools, or maybe you already have one. We can provide you with a NuGet package so you can run it locally; ask us and we will mail it to you.

  • Run CredScan on one of your repositories and see what happens

Run Dependency scans

Try to run dependency scans on your codebase. You can find vulnerable packages in this online DB. Try to add one to the project and run a scan in your pipeline with one of these tools:

  • WhiteSource (Bolt)
  • Snyk
  • BlackDuck

You can request a trial for each of them.

Baseline your Azure security with Azure Security as Code

Explore the Azure Security as Code module and baseline the security of one resource group.

  • Try to add a user via scripts

Run the Secure DevOps Kit for Azure (AzSK)

Scan your Azure infrastructure by running the Secure DevOps Kit for Azure (AzSK).

  • Start locally
  • Run the scans in the pipeline
  • Set up Continuous Assurance and check Log Analytics
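A starting point for the three steps above, added here as an example and not taken from the workshop sheet or from the AzSK project itself. The subscription id, resource group name and Log Analytics workspace values are placeholders. The two Get-AzSK* cmdlets are the kit's standard local scans; the parameter names shown for Install-AzSKContinuousAssurance are the ones used by recent AzSK releases (older releases used -OMSWorkspaceId and -OMSSharedKey), so check Get-Help for the version you install.

```powershell
# Added example: local AzSK scan of one subscription and one resource group, then
# Continuous Assurance so the same checks keep running and report into Log Analytics.
# All values in the param block are placeholders (assumptions).
param(
    [string]$SubscriptionId = "00000000-0000-0000-0000-000000000000",
    [string]$ResourceGroup  = "rg-gdbc-website",
    [string]$WorkspaceId    = "<log analytics workspace id>",
    [string]$WorkspaceKey   = "<log analytics shared key>"
)

# One-time installation for the current user; no administrator rights needed.
if (-not (Get-Module -ListAvailable -Name AzSK)) {
    Install-Module -Name AzSK -Scope CurrentUser -AllowClobber
}
Import-Module AzSK

# Step 1: start locally.
# Subscription-level controls: RBAC hygiene, Security Center configuration, alerts, etc.
Get-AzSKSubscriptionSecurityStatus -SubscriptionId $SubscriptionId

# Resource-level controls for everything in the chosen resource group (App Service, SQL,
# storage accounts, ...). Every control is reported as Passed/Failed/Verify with a severity,
# and the detailed CSV/LOG output lands in the folder the cmdlet prints at the end.
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId -ResourceGroupNames $ResourceGroup

# Step 3: Continuous Assurance deploys an Automation account that re-runs these scans on a
# schedule and pushes the results to the given Log Analytics workspace, where you can query
# and alert on failed controls. (Parameter names per recent AzSK releases; see Get-Help.)
Install-AzSKContinuousAssurance -SubscriptionId $SubscriptionId `
    -ResourceGroupNames $ResourceGroup `
    -LAWSId $WorkspaceId `
    -LAWSSharedKey $WorkspaceKey
```

For step 2, the same Get-AzSK* scans can run in a pipeline from a PowerShell task using a service principal login instead of an interactive one; the exit code of the task is what should fail the build when high-severity controls fail.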

Set up SQL Threat Detection

Set up an Azure SQL Database, enable Threat Detection on it, run the SQL injection script below and watch the alert come in.

function _Execute-NonQuery
{
    param
    (
        [string]$servername,
        [string]$dbname,
        [string]$username,
        [string]$password,
        [int]$timeout = 30
    )

    # SQL authentication against Azure SQL Database; Encrypt=true keeps the login off the wire in clear text.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$($servername).database.windows.net;Database=$($dbname);Integrated Security=false;User ID=$($username);Password=$($password);Encrypt=true;"

    # Deliberately injectable: the "title" is concatenated straight into the query text, so the
    # payload closes the string literal, appends an ORDER BY and comments out the rest. The
    # statement that reaches the server is
    #   SELECT * FROM Albums WHERE title LIKE '%Men at Work%' ORDER BY title --%'
    # which is the pattern SQL Threat Detection reports as a potential SQL injection.
    $title = "Men at Work%' ORDER BY title --"
    $query = "SELECT * FROM Albums WHERE title LIKE '%" + $title + "%'"
    $cmd = New-Object System.Data.SqlClient.SqlCommand($query, $conn)
    $cmd.CommandTimeout = $timeout

    try {
        $cmd.Connection.Open()
        # ExecuteNonQuery still runs the SELECT on the server (the rows are discarded),
        # which is all that is needed to trigger the alert.
        $cmd.ExecuteNonQuery() | Out-Null
    }
    catch
    {
        Write-Error "Error executing SQL statement: $($_.Exception.Message)"
    }
    finally
    {
        $cmd.Connection.Close()
    }
}

# Fill in your own server name (without .database.windows.net), database name and SQL login.
$Database = ""
$ServerInstance = ""
$Username = ""
$Password = ''

_Execute-NonQuery -servername $ServerInstance -dbname $Database -username $Username -password $Password
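To see why the alert fires for the script above and not for correctly written code, the function below runs the same album search in two modes against the same database. It is an added example, not code from the gist or from the GDBC2018 website; it assumes the same Albums table with a title column, and the server, database and login values are placeholders. With -Vulnerable the input is concatenated into the SQL text and the payload rewrites the statement (ORDER BY plus a comment that swallows the closing quote); without it the statement is constant and the payload travels as a typed parameter, so it is matched as a literal LIKE pattern and changes nothing about the query shape.

```powershell
# Added example: the injectable search next to its parameterized form.
# <server>, <database>, <user> and <password> are placeholders (assumptions).
function Get-AlbumsByTitle
{
    param
    (
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$DbName,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Title,
        [switch]$Vulnerable,
        [int]$Timeout = 30
    )

    $connString = "Server=$ServerName.database.windows.net;Database=$DbName;User ID=$Username;Password=$Password;Encrypt=true;"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandTimeout = $Timeout

    if ($Vulnerable) {
        # Injectable: user input becomes part of the SQL text, so quotes and comments in it
        # change the statement itself. This is what SQL Threat Detection flags.
        $cmd.CommandText = "SELECT title FROM Albums WHERE title LIKE '%" + $Title + "%'"
    } else {
        # Hardened: the SQL text is fixed; the value is sent out-of-band as a typed parameter.
        # LIKE wildcards (% and _) in $Title still act as wildcards; escape them if that matters.
        $cmd.CommandText = "SELECT title FROM Albums WHERE title LIKE '%' + @title + '%'"
        $param = $cmd.Parameters.Add("@title", [System.Data.SqlDbType]::NVarChar, 255)
        $param.Value = $Title
    }

    Write-Host "Statement sent to the server: $($cmd.CommandText)"

    $titles = @()
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $titles += [string]$reader["title"] }
        $reader.Close()
    }
    catch {
        Write-Error "Error executing SQL statement: $($_.Exception.Message)"
    }
    finally {
        $conn.Close()
    }
    return $titles
}

$payload = "Men at Work%' ORDER BY title --"
$common  = @{ ServerName = "<server>"; DbName = "<database>"; Username = "<user>"; Password = "<password>" }

# Injected: the server executes "... LIKE '%Men at Work%' ORDER BY title --%'" and raises the alert.
Get-AlbumsByTitle @common -Title $payload -Vulnerable

# Parameterized: the server executes the fixed statement with @title bound to the whole payload,
# i.e. it looks for titles containing the literal text "Men at Work%' ORDER BY title --".
Get-AlbumsByTitle @common -Title $payload
```

Run both and compare the Threat Detection alerts in the portal: only the first call is reported, and the e-mail it sends quotes the rewritten statement, which is a convenient way to confirm the detection is wired up before you depend on it.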