Thursday 21 November 2019

Getting Started with Secure DevOps Kit for Azure

Security is an important aspect of any software development project, and DevOps is an essential part of software development. The security of software development, delivery and deployment can now be enhanced with the Secure DevOps Kit for Azure. The kit comes with PowerShell utilities, CI/CD extensions and more for securing your software projects. Let’s explore the Secure DevOps Kit over a couple of posts. This first post gives an overview and shows how to get started with Azure subscription health scans using the PowerShell utilities.


Secure DevOps Kit for Azure

The following is a basic overview of the Secure DevOps Kit for Azure.

Source: Microsoft Documentation

Subscription Security: A set of tools for creating and managing a secure Azure cloud environment.
Secure Development: Using Security IntelliSense and Security Verification Tests (SVTs) to identify vulnerabilities during development.
Security for CI/CD: Using CI/CD extensions for Azure DevOps to ensure the security of the committed and deployed code.
Continuous Assurance: Using tools to check for “drift” from the secure state and ensure your system stays secure in the cloud environment continuously.
Alerting and Monitoring: Using analytics and monitoring tools with DevOps to assure the system is kept at the expected security level.
Cloud Risk Governance: Using telemetry to come up with governance policies for a secure system.

Let’s explore each of these tools in detail in the upcoming posts. As the first step, let us do a basic security scan of an Azure subscription using the Secure DevOps Kit for Azure.

Setup Secure DevOps Kit for Azure

There are two prerequisites to set up the Secure DevOps Kit for Azure.

1. PowerShell 5.0 or higher
2. Windows OS

To install the Secure DevOps Kit for Azure, execute the command below in an administrative PowerShell window. It is advisable to have the Az module installed as well, even though it is not mandatory.

Install-Module -Name AzSK -Scope CurrentUser -AllowClobber -Force

For the scope, you can use AllUsers instead of CurrentUser if you want. If you have already used Login-AzAccount and logged on to your Azure subscriptions, make sure to execute Logout-AzAccount to ensure the installation proceeds.


After installation, execute the command below to check whether the AzSK module is installed.
Get-InstalledModule


Execute Health Scan of an Azure Subscription

To scan the health of your Azure subscription, execute the command below, providing your Azure subscription id.

Get-AzSKSubscriptionSecurityStatus -SubscriptionId yourazuresubscriptionid

However, you might run into the issue below when executing the command.

InvalidArgument: Please provide a valid tenant or a valid subscription.
Note: If you are using Privileged Identity Management (PIM), make sure you have activated your access.


To resolve this issue, execute Login-AzAccount and log on to your Azure subscription account when prompted. Then execute the scan command again and the subscription scan starts.

Once execution completes, you can see that a log of the analysis is created as a CSV file. You can read the log and identify any vulnerabilities in your Azure subscription.
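One way to triage that CSV in PowerShell, as an added example that is not part of the original post or of AzSK itself. The column names (ControlID, Status, ControlSeverity, Recommendation), the status and severity values, and the sample rows are assumptions constructed for illustration; check them against the header of your own report.

```powershell
# Constructed sample rows standing in for the scan's CSV report.
# Column names and status/severity values are assumptions.
$sampleCsv = @'
ControlID,Status,ControlSeverity,FeatureName,Recommendation
Example_Control_A,Failed,High,SubscriptionCore,Constructed recommendation text A
Example_Control_B,Passed,Medium,SubscriptionCore,Constructed recommendation text B
Example_Control_C,Verify,Critical,SubscriptionCore,Constructed recommendation text C
Example_Control_D,Failed,Low,SubscriptionCore,Constructed recommendation text D
Example_Control_E,Manual,Medium,SubscriptionCore,Constructed recommendation text E
'@

# Hypothetical helper: returns every control that did not pass, worst severity first.
function Get-ScanFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string[]] $ActionableStatus = @('Failed', 'Verify', 'Manual', 'Error')
    )
    # Fail loudly if the report layout differs from what this script assumes.
    $required = 'ControlID', 'Status', 'ControlSeverity'
    $present  = $Rows[0].PSObject.Properties.Name
    $missing  = $required | Where-Object { $_ -notin $present }
    if ($missing) { throw "Report is missing column(s): $($missing -join ', ')" }

    # Rank severities so the worst findings sort first; unknown values go last.
    $rank = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }
    $bySeverity = {
        if ($rank.ContainsKey($_.ControlSeverity)) { $rank[$_.ControlSeverity] } else { 99 }
    }
    $Rows |
        Where-Object { $_.Status -in $ActionableStatus } |
        Sort-Object @{ Expression = $bySeverity }, ControlID
}

$rows = $sampleCsv | ConvertFrom-Csv
# For a real scan: $rows = Import-Csv -Path '<path to the CSV the scan reports>'
$findings = Get-ScanFindings -Rows $rows

# Prioritised worklist, then a count per status as a quick health summary.
$findings | Format-Table ControlID, Status, ControlSeverity, Recommendation -AutoSize
$findings | Group-Object Status | Format-Table Name, Count -AutoSize
```

Rows with a status other than Passed are kept on purpose, because a control that needs manual verification or that errored during the scan has not been shown to be secure.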

In this post we have explored the health scan of an Azure subscription along with a basic overview of the Secure DevOps Kit for Azure. In the coming posts, let’s further explore using the kit to ensure the security of cloud deployments of software.
