3. Information Security
Confidentiality, integrity and availability are the basic concepts and at the core of infosec efforts
Protect applications and associated data from:
Attackers – internal / external
Accidents / incompetence
Natural disasters
4. Cybercrime
Huge industry
Attacker's advantage ... and defender's dilemma:
Attacker only needs one weak point; defender must defend all points
Attacker can probe for unknown vulnerabilities; defender must defend against known attacks
Attacker can strike at will; defender must be constantly vigilant
Attacker can play dirty; defender must play by the rules
There are huge numbers of attackers
5. Risk Management
Identify Risks
Likelihood of being exercised
Impact that it will cause
Address risk:
Avoid
Mitigate
Transfer
Accept
Reduce risks by:
Secure by design
Secure the code
Secure the environment
Secure the operations
6. Secure the App: Secure by Design
Threat Modeling
Zero Trust
Use least-privilege access
Verify explicitly
Assume breach
Identity
Data Classification
Transport & Storage
7. Secure the App: Secure the Code
Secret Management
Code Management
Code Quality
Dependency Management
Static Analysis
8. Secure the App: Secure the Environment
Policies
Infrastructure as code
Access Controls
Network
OS Patching
9. Secure the App: Secure the Operations
Monitoring
Telemetry & Audits
Incident Management
Forensics
Threat intelligence
Disaster Recovery
10. Secure the App: across design, code, environment and operations
Automation where possible - embrace everything-as-code
11. Software Supply Chain
Open Source
Potentially many levels of dependencies, resulting in a lot of software being used from unknown sources
Dependency Risks
Software vulnerabilities – what flaws/bugs have you inherited into your application?
New version – is it compatible with your application?
Licensing constraints – is it allowed for commercial use? What must you share back?
Understand your SBOM (Software Bill of Materials)
Software Composition Analysis tools
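An added example, not from the slides and not any Microsoft or GitHub tool, of what "understand your SBOM" means in practice: a short Python script reads a CycloneDX-shaped SBOM, walks the dependency graph from the application root to show how deep the transitive dependencies go, and flags components that match a constructed advisory list or a copyleft licence policy. The SBOM, the package names and versions, the advisory ids and the licence policy are all constructed placeholders; the matching is deliberately simpler than a real Software Composition Analysis tool (exact version match, SPDX id lookup).

```python
"""
Added example (not from the original slides): a minimal software composition
analysis over a CycloneDX-style SBOM. The SBOM, the advisory list and the
licence policy are constructed for this demo; package names, versions and
advisory ids are placeholders, not real packages or CVEs.
"""
import json
from collections import deque

# Constructed SBOM in the shape of CycloneDX JSON: "components" lists what is
# in the build, "dependencies" gives the graph (ref -> dependsOn).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:web-fw@2.1.0", "name": "web-fw", "version": "2.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:http-client@0.9.3", "name": "http-client", "version": "0.9.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:tls-shim@1.2.0", "name": "tls-shim", "version": "1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:img-codec@3.0.1", "name": "img-codec", "version": "3.0.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:web-fw@2.1.0"]},
        {"ref": "pkg:web-fw@2.1.0", "dependsOn": ["pkg:http-client@0.9.3", "pkg:img-codec@3.0.1"]},
        {"ref": "pkg:http-client@0.9.3", "dependsOn": ["pkg:tls-shim@1.2.0"]},
    ],
})

# Constructed advisory feed. The ids are PLACEHOLDERS, not real CVE numbers.
ADVISORIES = [
    {"name": "tls-shim", "affected": ["1.2.0", "1.2.1"], "id": "ADV-PLACEHOLDER-001", "severity": "high"},
    {"name": "http-client", "affected": ["0.8.0"], "id": "ADV-PLACEHOLDER-002", "severity": "medium"},
]

# Licence policy for a hypothetical commercial product: copyleft needs legal review.
DENY_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def load_sbom(text):
    """Return (root ref, components by ref, dependency graph) from SBOM JSON."""
    bom = json.loads(text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    return root, comps, graph


def dependency_depths(root, graph):
    """BFS from the application root; depth 1 = direct, >1 = transitive dependency."""
    depths = {}
    queue = deque([(root, 0)])
    while queue:
        ref, d = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depths:  # first (shortest) path wins
                depths[child] = d + 1
                queue.append((child, d + 1))
    return depths


def analyse(sbom_text, advisories=ADVISORIES, deny=DENY_LICENSES):
    """Flag vulnerable and policy-violating components, with how deep each sits."""
    root, comps, graph = load_sbom(sbom_text)
    depths = dependency_depths(root, graph)
    findings = []
    for ref, comp in comps.items():
        depth = depths.get(ref)  # None = listed in the SBOM but unreachable from root
        for adv in advisories:
            if adv["name"] == comp["name"] and comp["version"] in adv["affected"]:
                findings.append({"kind": "vulnerability", "ref": ref, "depth": depth,
                                 "detail": f'{adv["id"]} ({adv["severity"]})'})
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in deny:
                findings.append({"kind": "license", "ref": ref, "depth": depth, "detail": lic_id})
    return {"max_depth": max(depths.values(), default=0),
            "transitive": sorted(r for r, d in depths.items() if d > 1),
            "findings": sorted(findings, key=lambda f: (f["kind"], f["ref"]))}


if __name__ == "__main__":
    report = analyse(SBOM_JSON)
    print(f"deepest dependency level: {report['max_depth']}")
    print(f"transitive components: {report['transitive']}")
    for f in report["findings"]:
        print(f"{f['kind']:13} {f['ref']:24} depth={f['depth']} {f['detail']}")
```

The point of the depth column is the slide's "many levels of dependencies": the vulnerable tls-shim component is three levels down and never appears in the application's own manifest, which is exactly what an SBOM plus a composition-analysis pass is meant to surface.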
12. DevOps
Driving innovation – reduce time to value
Develop, deploy and improve products faster than is possible with traditional software development approaches
The union of people, process, and products to enable continuous delivery of value
[Figure: DevOps loop – Plan → Develop + Test → Build + Release → Monitor + Learn, spanning Development and Production, with Collaboration and Requirements / Work Items at its centre]
13. Security: Shift Left
DevSecOps
Security practices should be automated and baked into DevOps in a pervasive manner
Shift left – introduce security earlier into the dev lifecycle
Security-first culture
[Figure: the DevOps loop from slide 12 repeated – Plan → Develop + Test → Build + Release → Monitor + Learn across Development and Production]
14. GitHub Advanced Security capabilities
GitHub Code Scanning
The interrogatable tool that provides the world-class developer experience developers expect when it comes to consuming security & quality alerts
CodeQL
CodeQL is the analysis engine used by developers to automate security checks, and by security researchers to perform variant analysis
GitHub Secret Scanning
Automatic notifications of any API tokens or other secrets exposed anywhere in your git history
GitHub Security Overview
A single pane of glass for everything security in, and out of, GitHub
GitHub Supply Chain (Dependency Review)
Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request
16. Resources
Session specific resources
Azure Security Documentation
👉 https://aka.ms/build/uk/azure-security
GitHub Security
👉 https://aka.ms/build/uk/github-security
General learning resources
Microsoft Learn
👉 https://aka.ms/build/uk/learn
Microsoft Docs
👉 https://aka.ms/build/uk/docs
Microsoft Build Cloud Skills Challenge
👉 https://aka.ms/build/uk/csc
Microsoft Certifications
👉 https://aka.ms/build/uk/certs
Microsoft UK Training Days
👉 https://aka.ms/build/uk/training
Microsoft UK Developer Hub
👉 https://aka.ms/build/uk/developers
Microsoft UK Community Map
👉 https://aka.ms/build/uk/community