|Designing And Developing Secure Azure Solutions|
Author: Michael Howard, Heinrich Gantenbein and Simone Curzi
Moving applications to the cloud opens them to a different class of security threats, and this book sets out to explain how to make your azure solutions more secure.
This book is written as a practical tutorial for developers working in Azure with specific reference to security challenges and how to address them in Azure, from design and development to testing, deployment, governance, and compliance.
The first part of the book considers security principles, opening with a chapter looking at secure development lifecycle processes and the components that make up a secure development lifecycle. Having set the scene, the authors then move on to introduce secure design in general and as applied to Azure.
Chapter 3 examines security patterns, the definitions of problems that occur repeatedly along with the core of the solution to that problem. This is followed by a meaty chapter on threat modeling with coverage of threat classification systems such as Stride (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege). The authors also include a look at different threat modeling tools, and a good example of how to model threats.
Chapter 5 considers the security of identity, authentication and authorization. This is another long chapter that takes each of the three areas in turn and looks at how to manage them securely.
Monitoring and auditing is the next topic to be examined with an introduction to Azure's tools for monitoring, auditing and logging. A chapter on governance and how it relates to the developer comes next, mainly concentrating on the Azure Security Benchmark. This opening section ends with a chapter on compliance and risk programs with brief introductions to the various compliance standards you might encounter such as HIPAA, FIPS 140, GDPR and MITRE.
Part Two of the book moves on to secure implementation, starting with a chapter on secure coding. This is a long and well written chapter that makes sense right from the outset with the rule that 'all input is evil'. There's a good look at common vulnerabilities, sensible advice on using C++, and on keeping developers honest with fuzz testing.
The next chapter looks at cryptography in Azure, with sections on securing keys, Azure services and cryptography, and protecting data in transit.
Confidential computing is the topic for the next chapter, with an examination of various confidential computing processors. This is followed by good chapters on container security and database security. The database chapter looks at security in SQL Server, including the control plane and data plane, then moves on to Cosmos DB security.
A chapter on CI/CD security looks at source control systems and supply chain attacks, and the book ends with a chapter on network security that considers topics such as NVAs and gateways, PaaS and private networking, and Kubernetes Service networking. An appendix of core cryptographic techniques brings the book to a close/
This is a well written book that I'd recommend to any developer working with Azure.