Category: Azure

Global Azure BootCamp 2020 – Glasgow Edition

Saturday April 25th, 2020 is the date for this year's Global Azure BootCamp Glasgow edition, run in conjunction with the Glasgow Azure User Group.

You can read about last year's event to learn what's involved and the format for the day. We're looking for 6 speakers to come to Glasgow on April 25th and give a 60 minute talk on anything Azure related.


The call for speakers page to submit a talk is now open.

The page for signing up to attend will go live on Monday 20/01/2020.

We hope to see you there!



Azure Advent Calendar wrap-up

The #azureadventcalendar was a shared idea between myself and @pixel_robots.

Some quick stats as I write this: –

15,800 YouTube views
15,000 website views from over 120 countries
1,300 hours of videos watched
1,200 subscribers

We set out with the idea of asking the Azure community for 25 videos / blog posts with a Christmas theme, the idea being that it would give people the chance to show off their skills, learn new skills and contribute back to the community over December.

We asked people via Twitter in the middle of September who would like to contribute, to give people time to decide if they could manage to contribute in December (a 20-30 minute video isn't easy, especially towards that time of year).

Before we knew it we had more than 25 filled up and it was clear that this might be a bit more popular than first thought; we increased it to 50 and, before you know it, we had increased it to 75. In order to avoid too many duplicate subjects we decided to cap it at 75.

Wow! 75 videos/blog post contributions would be pretty amazing.

We considered several ideas but wanted to keep it simple: –

  • Anyone could contribute
  • We could have had advertisements but kept it without, as it was a community project for the community by the community, and this was important to us both.

I would create the website, keep it up to date daily and chase people for content; Richard was looking after our YouTube channel and scheduling the videos to go out at midnight.

Richard also designed the logo, which I loved the second I saw it, and we decided to use this as the brand; he also created video thumbnails for each video for people to use on Twitter, in videos and in blog posts.

Now, the real reason this was successful was the contributors; we were both blown away by the quality of content from each contributor, and the Christmas theme just made it pretty cool.

Richard and I both had our Twitter and LinkedIn feeds full of tweets and articles with the above logo in them, very regularly throughout the month, which was super cool to see.

Setup
The website was basic and I was updating it daily with links to blog posts. It is a very simple .NET web app, built and deployed to Azure using Azure DevOps. I also made use of staging slots: deploy the changes to the staging slot, check that the links etc. work, then swap the staging slot into production – super easy to do and well worth it.

Richard had the YouTube channel set up with the logo and scheduled the videos for release, which was pretty sweet. He also created a thumbnail for each video for the contributor to use as they saw fit.

Highlights
The highlights for me were many, but one that stands out for me personally was seeing people who had never taken part in something like this: some had never created a blog post, many had never created a video before.

The hard part of the project was chasing people for content, especially when it was mid-December and everyone was busy!

To end this post I want to mention the next project, which you should keep your eye on: the #AzureSpringCleanup by Joe Carlyle and Thomas Thornton. Personally I'm looking forward to seeing more of the Azure community coming together and creating awesome new content.

Please leave any feedback you have on the #azureadventcalendar below.




Azure Advent Calendar – Week 1 recap

Week 1 of the Azure Advent Calendar has come and gone and we have seen some incredible content.

Content covered includes: –

An Azure Poem, Azure Governance, Azure Logic Apps, Azure Service Health, Azure Container Instances, Azure DevOps Pipelines, Azure NetApp Files, Azure Certification Paths, Azure AKS, Azure API Management, Azure Lighthouse, Azure Site Recovery, Azure Functions, Azure Web Apps, Azure MFA, Azure Role Based Certification, Being Successful in Azure, Azure Migrate, Azure Key Vault, AKS monitoring with Prometheus and Terraform for Azure.

Phew, that's a lot to learn about in just 1 week, and there is a lot more to come, so please subscribe to our dedicated YouTube channel.

So far we have over 700 subscribers, and there have been over 350 hours of video watched, which is absolutely awesome.

The Azure Advent Calendar website has been viewed in over 120 countries around the globe and has had almost 6 thousand hits in the last 90 days.

We want to take this time to thank everyone for taking part and hope that everyone is enjoying the #azureadventcalendar so far. We appreciate all of the tweets, LinkedIn coverage etc.; it's been a blast so far, and we're loving all the Christmas jumpers on show.

Thanks all from Gregor and Richard aka @Pixel_Robots



Azure Resource Graph Dashboards

I attended a session at Experts Live EU 2019 about Azure initialization from zero to hero: on-boarding, governance & resources deployment, and one of the subjects was Azure Resource Graph.

Azure Resource Graph is a service in Azure that is designed to extend Azure Resource Management by providing efficient and performant resource exploration, with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

With Azure Resource Graph you can write queries against your Azure resources and gain some very insightful information about them; before, it wasn't possible to see all of your resources if you had more than 2000. Queries that you write can be kept private or shared; shared queries are stored within a resource group for other users to run. Two things worth knowing: Resource Graph only returns resources the querying identity has read access to, and a shared query is itself an Azure resource, so who can see and run it is governed by RBAC on that resource group.

Resource Graph Explorer allows you to open existing queries, create new queries and run them within the portal and see the results.

An example of a query would be like so: –

I won't show the results for obvious reasons 👀

The really nice benefit I see from Azure Resource Graph is that you can save these queries to a dashboard and share the dashboard with members of your team/company.

At Experts Live EU, @ExchangeGoddess shared an example dashboard, which is a simple JSON file.

The beautiful thing is that the JSON can be exported and imported into your subscription(s); it doesn't store subscription IDs etc. as it only contains the queries. I was able to take this file and import it into a brand new dashboard and instantly see a very useful dashboard, which looks like the following: –


Clicking on the charts takes you to the actual query which produces each one; the queries are written in a language called Kusto (KQL). You can learn more about Kusto on Pluralsight.

You can grab the JSON file which @ExchangeGoddess kindly shared from my GitHub repo; then, within Dashboards inside the Azure portal, simply use the upload capability to upload the JSON file and bingo, you'll have a nice new dashboard where you can learn about your resources and learn more from the existing Kusto queries within the dashboard you now have.

Big thanks to @ExchangeGoddess for sharing this, enjoy!




Azure Web App Staging Slots

With this year's Azure Advent Calendar I made some site improvements and also upgraded the site from .NET Core 2.2 to 3.0. The code built and ran locally just fine; I pushed it to production and boom! – site's down, not good for a number of reasons.

The takeaway from this is that I knew better: I tried to push some changes which in hindsight could easily have broken the site, and because it ran locally I thought it was all good. The site has no tests as it's content only.

By upgrading the site and attempting to add in Azure App Configuration I ran into some NuGet package issues which I thought I had resolved.

Get to the point of the blog post already Gregor!

Azure has a feature called deployment slots for Web Apps, and with it we can do the following: –

  • Have 2 copies of the site running at the same time (one production, one staging)
  • Deploy new features to staging and then test (however you test)
  • If all is good, swap the slots so that the new version is now the production version and the old production version is moved into the staging slot – if anything is borked then swap back and you're back to good.

That's the short version of what deployment slots are used for; I encourage you to take a look at them. I now have this set up for the Azure Advent Calendar and won't be so careless next time. One thing to check before relying on swaps: app settings and connection strings travel with the swap unless you mark them as deployment slot settings, so mark anything environment-specific (connection strings, Key Vault references) as slot-sticky, otherwise the staging copy can end up running against production data or production can pick up staging secrets after a swap.




Microsoft Security Code Analysis for Azure DevOps – Part 3 BinSkim

Microsoft has recently released a new set of security tooling for Azure DevOps called Microsoft Security Code Analysis.

The Microsoft Security Code Analysis Extension is a collection of tasks for the Azure DevOps Services platform. These tasks automatically download and run secure development tools in the build pipeline.

In this post I’ll cover BinSkim and how to use it.


BinSkim
BinSkim is a Portable Executable (PE) light-weight scanner that validates compiler/linker settings and other security-relevant binary characteristics. The build task provides a command line wrapper around the BinSkim.exe application. BinSkim is an open source tool.

Setup:

  1. Open your team project from your Azure DevOps Account.
  2. Navigate to the Build tab under Build and Release
  3. Select the Build Definition into which you wish to add the BinSkim build task.
    New – Click New and follow the steps detailed to create a new Build Definition.
    Edit – Select the Build Definition. On the subsequent page, click Edit to begin editing the Build Definition.
  4. Click + to navigate to the Add Tasks pane.
  5. Find the BinSkim build task either from the list or using the search box and then click Add.
  6. The BinSkim build task should now be a part of the Build Definition. Add it after the publishing steps for your build artifacts.

Customizing the BinSkim Build Task:

  1. Click the BinSkim task to see the different options available within it.
  2. Make sure the build emits *.pdb files alongside the binaries; BinSkim uses them to map issues found in the output binary back to source code. Microsoft's guidance is to set the build configuration to Debug for this, but Release builds can produce PDBs too (they do by default for .NET projects; for native code enable /DEBUG on the linker), and it is the Release binaries you ship that you want scanned, since linker hardening settings can differ between configurations.
  3. Choose Type = Basic & Function = Analyze to avoid researching and creating your own command line.
  4. Target – One or more specifiers to a file, directory, or filter pattern that resolves to one or more binaries to analyze.
    • Multiple targets should be separated by a semicolon (;).
    • Can be a single file or contain wildcards.
    • Directories should always end with \*
    • Examples:
      • *.dll;*.exe
      • $(BUILD_STAGINGDIRECTORY)\*
      • $(BUILD_STAGINGDIRECTORY)\*.dll;$(BUILD_STAGINGDIRECTORY)\*.exe;
  5. If you pick Type = Command Line instead, you supply the BinSkim.exe arguments yourself:
    • Make sure the first argument to BinSkim.exe is the verb analyze, using full paths or paths relative to the source directory.
    • Multiple targets should be separated by a space.
    • You can omit the -o / --output file parameter; it will be added for you or replaced.
    • Standard command line configuration:
      • analyze $(Build.StagingDirectory)\* --recurse --verbose
      • analyze *.dll *.exe --recurse --verbose
    • Note that the trailing \* is very important when specifying a directory or directories for the target.

BinSkim User Guide

For more details on BinSkim, whether command line arguments, rules by ID or exit codes, visit the BinSkim User Guide.
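What a "light-weight PE scanner that validates compiler/linker settings" actually looks at is the DllCharacteristics word in the PE optional header plus a couple of flags in the COFF header. The following is an added example, not BinSkim's code and not code from the original post, that parses those headers with Python's struct module and reports the hardening flags that BinSkim's ASLR, NX, high-entropy VA and Control Flow Guard rules are concerned with. The build_minimal_pe helper fabricates a header-only PE32+ image in memory so the example runs offline; on a real build you would read the bytes of each .dll or .exe from $(Build.StagingDirectory). The check names are this example's own, not BinSkim rule IDs; the offsets and flag values come from the PE/COFF specification.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000
# IMAGE_FILE_RELOCS_STRIPPED in the COFF header Characteristics (set by /FIXED)
RELOCS_STRIPPED = 0x0001

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_minimal_pe(dll_characteristics, file_characteristics=0, pe32plus=True):
    """Constructed test input: a header-only PE image, not a real binary.

    Layout: 64-byte DOS header with e_lfanew=0x40, the 'PE\\0\\0' signature,
    a 20-byte COFF header, then the optional header (240 bytes PE32+, 224 PE32)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    opt[0:2] = struct.pack("<H", PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    opt[70:72] = struct.pack("<H", dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_headers(data):
    """Return (optional-header magic, COFF Characteristics, DllCharacteristics)."""
    if len(data) < 0x40 or data[0:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, _nsec, _ts, _symptr, _nsym, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    return magic, file_chars, dll_chars


def analyze(data):
    """BinSkim-style checks on linker hardening flags. Returns {check_name: passed}."""
    magic, file_chars, dll_chars = parse_pe_headers(data)
    aslr_requested = bool(dll_chars & DYNAMIC_BASE)
    relocs_present = not (file_chars & RELOCS_STRIPPED)
    results = {
        # /DYNAMICBASE alone is not enough: the loader can only rebase an image that kept its relocations
        "EnableASLR": aslr_requested and relocs_present,
        "EnableNX": bool(dll_chars & NX_COMPAT),
        "EnableControlFlowGuard": bool(dll_chars & GUARD_CF),
    }
    if magic == PE32PLUS_MAGIC:
        # /HIGHENTROPYVA only applies to 64-bit images and only does anything when ASLR is effective
        results["EnableHighEntropyVA"] = bool(dll_chars & HIGH_ENTROPY_VA) and results["EnableASLR"]
    return results


def failed_checks(data):
    """Names of the checks a binary fails, in sorted order (empty list means fully hardened)."""
    return sorted(name for name, ok in analyze(data).items() if not ok)


if __name__ == "__main__":
    hardened = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA | GUARD_CF)
    print("hardened image fails:", failed_checks(hardened))
    stripped = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT, RELOCS_STRIPPED)
    print("relocs-stripped image fails:", failed_checks(stripped))
```

The second sample is the reason a scanner has to read the COFF Characteristics as well as DllCharacteristics: an image linked with /DYNAMICBASE but with its relocations stripped (/FIXED) cannot actually be rebased, so ASLR is requested but ineffective, and high-entropy VA is reported as failed along with it.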



Microsoft Security Code Analysis for Azure DevOps – Part 2 Credential Scanner

Microsoft has recently released a new set of security tooling for Azure DevOps called Microsoft Security Code Analysis.

The Microsoft Security Code Analysis Extension is a collection of tasks for the Azure DevOps Services platform. These tasks automatically download and run secure development tools in the build pipeline.

In this post I’ll show you how to get the new extension and how to go about using it.

Credential Scanner (aka CredScan) is a tool developed and maintained by Microsoft to identify credential leaks, such as those in source code and configuration files. Some of the commonly found types of credentials are default passwords, SQL connection strings and certificates with private keys.
The CredScan build task is included in the Microsoft Security Code Analysis Extension. This post has the steps needed to configure and run the build task as part of your build definition.

Let's start by adding CredScan to a build for an existing project – I'll use the AzureAdventCalendar project which I already have set up within my Azure DevOps organisation at https://dev.azure.com.

Setup:

  1. Open your team project from your Azure DevOps Account.
  2. Navigate to the Build tab under Build and Release
  3. Select the Build Definition into which you wish to add the CredScan build task.
    New – Click New and follow the steps detailed to create a new Build Definition.
    Edit – Select the Build Definition. On the subsequent page, click Edit to begin editing the Build Definition.
  4. Click + to navigate to the Add Tasks pane.
  5. Find the CredScan build task either from the list or using the search box and then click Add.
  6. The Run CredScan build task should now be a part of the Build Definition.


Customizing the CredScan Build Task:

Available options include: –

  • Output Format – TSV / CSV / SARIF / PREfast
  • Tool Version (recommended: Latest)
  • Scan Folder – The folder in your repository to scan
  • Searchers File Type – Options to locate the searchers file used for scanning.
  • Suppressions File – A JSON file can be used for suppressing issues in the output log (more details in the Resources section).
  • (New) Verbose Output – self-explanatory
  • Batch Size – The number of concurrent threads used to run credential scanners in parallel. Defaults to 20 (the value must be in the range 1 to 2147483647).
  • (New) Match Timeout – The amount of time to spend attempting a searcher match before abandoning the check.
  • (New) File Scan Read Buffer Size – Buffer size in bytes while reading content (defaults to 524288).
  • (New) Maximum File Scan Read Bytes – Maximum number of bytes to read from a given file during content analysis (defaults to 104857600). Anything past that offset in a large file is not examined, so raise it if you keep big generated files that could carry secrets.
  • Run this task (under Control Options) – Specifies when the task should run. Choose "Custom conditions" to specify more complex conditions.

*Version – Build task version within Azure DevOps. Not frequently used.


Resources

Local suppressions scenarios and examples

Two of the most common suppression scenarios are detailed below: –

1. Suppress all occurrences of a given secret within the specified path

The hash key of the secret from the CredScan output file is required, as shown in the sample below:

{
  "tool": "Credential Scanner",
  "suppressions": [
    {
      "hash": "CLgYxl2FcQE8XZgha9/UbKLTkJkUh3Vakkxh2CAdhtY=",
      "_justification": "Secret used by MSDN sample, it is fake."
    }
  ]
}

Warning: The hash key is generated by a portion of the matching value or file content. Any source code revision could change the hash key and disable the suppression rule.

2. Suppress all secrets in a specified file (or suppress the secrets file itself)
The file expression can be a file name or any postfix portion of the full file path/name. Wildcards are not supported.

Example
File to be suppressed: [InputPath]\src\JS\lib\angular.js
Valid suppression rules:
  • [InputPath]\src\JS\lib\angular.js — suppresses the file at the specified path
  • \src\JS\lib\angular.js
  • \JS\lib\angular.js
  • \lib\angular.js
  • angular.js — suppresses any file with the same name

{
  "tool": "Credential Scanner",
  "suppressions": [
    {
      "file": "\\files\\AdditionalSearcher.xml",
      "_justification": "Additional CredScan searcher specific to my team"
    },
    {
      "file": "\\files\\unittest.pfx",
      "_justification": "Legitimate UT certificate file with private key"
    }
  ]
}

Warning: All future secrets added to the file will also get suppressed automatically.


Secrets management guidelines
While detecting hard-coded secrets in a timely manner and mitigating the risks is helpful, it is even better if one could prevent secrets from getting checked in altogether. In this regard, Microsoft has released the CredScan Code Analyzer as part of the Microsoft DevLabs extension for Visual Studio. While in early preview, it provides developers an inline experience for detecting potential secrets in their code, giving them the opportunity to fix those issues in real time. For more information, please refer to the blog post Managing Secrets Securely in the Cloud.
Below are a few additional resources to help you manage secrets and access sensitive information from within your applications in a secure manner:


Extending search capabilities
CredScan relies on a set of content searchers, commonly defined in the buildsearchers.xml file. The file contains an array of XML-serialized objects that represent a ContentSearcher object. The program is distributed with a set of searchers that have been well tested, but it does allow you to implement your own custom searchers too.

A content searcher is defined as follows:

  • Name – The descriptive searcher name to be used in the CredScan output file. It is recommended to use the camel case naming convention for searcher names.
  • RuleId – The stable opaque id of the searcher.
    • CredScan default searchers are assigned RuleIds like CSCAN0010, CSCAN0020, CSCAN0030, etc. The last digit is reserved for potential searcher regex group merging or division.
    • RuleIds for customized searchers should have their own namespace in the format CSCAN-{Namespace}0010, CSCAN-{Namespace}0020, CSCAN-{Namespace}0030, etc.
    • The fully qualified searcher name is the combination of the RuleId and the searcher name, e.g. CSCAN0010.KeyStoreFiles, CSCAN0020.Base64EncodedCertificate, etc.
  • ResourceMatchPattern – Regex of file extensions to check against the searcher
  • ContentSearchPatterns – Array of strings containing regex statements to match. If no search patterns are defined, all files matching the resource match pattern will be returned.
  • ContentSearchFilters – Array of strings containing regex statements to filter searcher-specific false positives.
  • MatchDetails – A descriptive message and/or mitigation instructions to be added for each match of the searcher.
  • Recommendation – Provides the suggestions field content for a match using the PREfast report format.
  • Severity – An integer reflecting the severity of the issue (highest = 1).
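To see how the searcher fields above and the two suppression scenarios from the Resources section work together, here is an added example that is not CredScan's code and not from the original post. It loads two custom searchers (CSCAN-EXAMPLE0010 and CSCAN-EXAMPLE0020, invented for the example) from an XML snippet, scans a handful of constructed files, and then applies a suppressions file shaped like the JSON above. Three things are this example's own assumptions rather than documented CredScan behaviour: the XML layout (an XmlSerializer-style ArrayOfContentSearcher with <string> children for the pattern arrays; check it against the real buildsearchers.xml before reusing it), the hash (base64 of SHA-256 over the matched value, whereas the real hash must be copied from the scanner's output file), and the filter semantics (a ContentSearchFilters regex is tested against the matched text). The file rule is implemented exactly as described above: a plain suffix test on the normalised path, with no wildcard support.

```python
import base64
import hashlib
import json
import re
import xml.etree.ElementTree as ET

# Constructed custom searchers in an assumed XmlSerializer-style layout (see lead-in).
CUSTOM_SEARCHERS_XML = r"""<ArrayOfContentSearcher>
  <ContentSearcher>
    <Name>SqlConnectionStringPassword</Name>
    <RuleId>CSCAN-EXAMPLE0010</RuleId>
    <ResourceMatchPattern>\.(config|json|md|cs)$</ResourceMatchPattern>
    <ContentSearchPatterns>
      <string>Password=([^;\s"']+)</string>
    </ContentSearchPatterns>
    <ContentSearchFilters>
      <string>Password=\$\{[A-Z_]+\}</string>
    </ContentSearchFilters>
    <MatchDetails>Literal password in a connection string; move it to Azure Key Vault.</MatchDetails>
    <Severity>1</Severity>
  </ContentSearcher>
  <ContentSearcher>
    <Name>PrivateKeyFiles</Name>
    <RuleId>CSCAN-EXAMPLE0020</RuleId>
    <ResourceMatchPattern>\.(pfx|pem|key)$</ResourceMatchPattern>
    <MatchDetails>Private key material should not be committed to source control.</MatchDetails>
    <Severity>1</Severity>
  </ContentSearcher>
</ArrayOfContentSearcher>"""

# Constructed repository contents, not a real project.
SAMPLE_FILES = {
    "src/appsettings.json": '{"Db": "Server=db;Database=shop;User Id=app;Password=P@ssw0rd1!;"}',
    "src/Web.config": '<add name="Db" connectionString="Server=db;Password=${DB_PASSWORD};" />',
    "docs/readme.md": "Example only: Server=localhost;Password=hunter2;",
    "test/files/unittest.pfx": "<constructed stand-in for a PKCS#12 blob>",
}


def secret_hash(value):
    """Example's own finding key: base64(SHA-256(value)). The real hash comes from CredScan's output file."""
    return base64.b64encode(hashlib.sha256(value.encode("utf-8")).digest()).decode("ascii")


def load_searchers(xml_text):
    """Deserialise ContentSearcher elements into dicts with compiled regexes."""
    searchers = []
    for node in ET.fromstring(xml_text).findall("ContentSearcher"):
        searchers.append({
            "name": node.findtext("Name"),
            "rule_id": node.findtext("RuleId"),
            "resource": re.compile(node.findtext("ResourceMatchPattern"), re.IGNORECASE),
            "patterns": [re.compile(s.text) for s in node.findall("ContentSearchPatterns/string")],
            "filters": [re.compile(s.text) for s in node.findall("ContentSearchFilters/string")],
            "details": node.findtext("MatchDetails", ""),
            "severity": int(node.findtext("Severity", "3")),
        })
    return searchers


def scan(files, searchers):
    """files: {path: content}. Returns one dict per finding, like the rows of a CredScan output file."""
    findings = []
    for path, content in files.items():
        for s in searchers:
            if not s["resource"].search(path):
                continue
            if not s["patterns"]:
                # No ContentSearchPatterns: every file matching the resource pattern is itself a finding
                findings.append(_finding(s, path, content))
                continue
            for pattern in s["patterns"]:
                for m in pattern.finditer(content):
                    if any(f.search(m.group(0)) for f in s["filters"]):
                        continue  # searcher-specific false positive, e.g. a ${PLACEHOLDER}
                    findings.append(_finding(s, path, m.group(1) if m.groups() else m.group(0)))
    return findings


def _finding(s, path, value):
    return {"rule": f"{s['rule_id']}.{s['name']}",  # fully qualified searcher name
            "file": path, "hash": secret_hash(value),
            "severity": s["severity"], "details": s["details"]}


def _norm(path):
    return path.replace("\\", "/").lower()


def apply_suppressions(findings, suppressions_json):
    """Drop findings matched by a hash rule, or by a file rule that is a plain suffix
    of the normalised path (no wildcards, exactly as the suppression docs describe)."""
    rules = json.loads(suppressions_json)["suppressions"]
    hashes = {r["hash"] for r in rules if "hash" in r}
    suffixes = [_norm(r["file"]) for r in rules if "file" in r]
    return [f for f in findings
            if f["hash"] not in hashes
            and not any(_norm(f["file"]).endswith(sfx) for sfx in suffixes)]


# Suppressions file in the same shape as the examples above. The hash would normally be
# pasted from a previous run's output; here it is computed for the constructed sample.
SUPPRESSIONS_JSON = json.dumps({
    "tool": "Credential Scanner",
    "suppressions": [
        {"hash": secret_hash("hunter2"), "_justification": "Secret used by a docs sample, it is fake."},
        {"file": "\\files\\unittest.pfx", "_justification": "Legitimate UT certificate file with private key"},
    ],
})

if __name__ == "__main__":
    raw = scan(SAMPLE_FILES, load_searchers(CUSTOM_SEARCHERS_XML))
    for f in apply_suppressions(raw, SUPPRESSIONS_JSON):
        print(f"{f['rule']} sev={f['severity']} {f['file']} hash={f['hash']}")
```

Run as a script it reports three raw findings, of which the suppressions remove the fake sample secret (by hash) and the test certificate (by file suffix), leaving only the real connection-string password; the ${DB_PASSWORD} placeholder in Web.config never becomes a finding because the filter drops it. Changing hunter2 in the sample to anything else makes the hash rule stop matching, which is the warning above about source revisions in practice.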


Join me in part 3 where I cover BinSkim.



Microsoft Security Code Analysis for Azure DevOps – Part 1

Microsoft has recently released a new set of security tooling for Azure DevOps called Microsoft Security Code Analysis.

The Microsoft Security Code Analysis Extension is a collection of tasks for the Azure DevOps Services platform. These tasks automatically download and run secure development tools in the build pipeline.

In this post I'll show you what they cover; in part 2, I'll show you them in action in Azure DevOps.


Credential Scanner
Passwords and other secrets stored in source code are currently a big problem. Credential Scanner is a static analysis tool that detects credentials, secrets, certificates, and other sensitive content in your source code and your build output.

More Information


BinSkim
BinSkim is a Portable Executable (PE) light-weight scanner that validates compiler/linker settings and other security-relevant binary characteristics. The build task provides a command line wrapper around the BinSkim.exe application. BinSkim is an open source tool.

More Information (BinSkim on GitHub)


TSLint
TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors and build systems and can be customized with your own lint rules, configurations, and formatters. TSLint is an open source tool. Note that TSLint's maintainers have since deprecated it in favour of ESLint with the typescript-eslint plugin, so new rule work belongs there.

More Information on Github


Roslyn Analyzers
Microsoft’s compiler-integrated static analysis tool for analyzing managed code (C# and VB).

More Information (Roslyn Analyzers on docs.microsoft.com)


Microsoft Security Risk Detection
Security Risk Detection is Microsoft’s unique cloud-based fuzz testing service for identifying exploitable security bugs in software.

More Information (MSRD on docs.microsoft.com)


Anti-Malware Scanner
The Anti-Malware Scanner build task is now included in the Microsoft Security Code Analysis Extension. It must be run on a build agent which has Windows Defender already installed.

More Information


Analysis and Post-Processing of Results

The Microsoft Security Code Analysis extension has three build tasks to help you process and analyze the results found by the security tools tasks.

  • The Publish Security Analysis Logs build task preserves log files from the build for investigation and follow-up.
  • The Security Report build task collects all issues reported by all tools and adds them to a single summary report file.
  • The Post-Analysis build task allows customers to inject build breaks and fail the build should an analysis tool report security issues in the code that was scanned.

Publish Security Analysis Logs
The Publish Security Analysis Logs build task preserves the log files of the security tools run during the build. They can be published to Azure DevOps Server artifacts (as a zip file), or copied to an accessible file share from your private build agent.

More Information


Security Report
The Security Report build task parses the log files created by the security tools run during the build and creates a summary report file with all issues found by the analysis tools.
The task can be configured to report findings for specific tools or for all tools, and you can also choose what level of issues (errors or errors and warnings) should be reported.

More Information


Post-Analysis (Build Break)
The Post-Analysis build task enables the customer to inject a build break and fail the build in case one or more analysis tools report findings or issues in the code.
Individual build tasks will succeed, by design, as long as the tool completes successfully, whether there are findings or not. This is so that the build can run to completion, allowing all tools to run. The flip side is that a green build with the scanners alone tells you nothing about findings.
To fail the build based on security issues found by one of the tools run in the build, add and configure this build task.
The task can be configured to break the build for issues found by specific tools or for all tools, and also based on the severity of issues found (errors or errors and warnings).

More Information



Azure DevOps Generator – New Content

Recently Microsoft open sourced the Azure DevOps Demo Generator, and it has had some new content added which I wanted to highlight. You can use this tool to learn all sorts of Azure DevOps tips and tricks, from building code and seeing how it hangs together, to deploying, and even checking your code for vulnerabilities, with ARM templates and GitHub resources etc.


I can't stress how useful this resource has been for me for spinning up test Azure DevOps projects for blog posts, testing security add-ons, etc. (more blogs to follow very soon). Please play with this and learn; the demo generator has a lot more in it than the last time I checked and I was pleasantly surprised, it's an awesome tool.

The following is a quick tour of what is there at present: –

General Tab
The General tab is for creating projects in Azure DevOps from existing project templates; this will give you full source code, build and release pipelines, wikis, example kanban boards with issues and more.
Note: There are different types of project if you scroll down the list.


DevOps Labs Tab

On this tab we have more sample projects, but this time they cover concepts such as using Terraform, Ansible, Docker, Azure Key Vault and more; if you want to learn more about these then here is a great way to give them a spin.


Microsoft Learn Tab
Using Microsoft Learn we can learn how to do things like: –

  • Create a build pipeline with Azure Pipelines
  • Scan code for vulnerabilities in Azure Pipelines
  • Manage database changes in Azure Pipelines
  • Run non-functional tests in Azure Pipelines

Microsoft Cloud Adoption Framework Tab

The Cloud Adoption Plan template creates a backlog for managing cloud adoption efforts based on the guidance in the Microsoft Cloud Adoption Framework.


Private Tab

The Azure DevOps Demo Generator enables users to create their own templates from existing projects and provision new projects using the extracted template. The ability to have custom templates can be helpful in many situations, such as constructing custom training content, providing only certain artifacts, etc.


You can even create a template from an existing project you have within Azure DevOps by selecting 'Create New Template' – this is super nice; I'll leave you to explore this further.

Enjoy!



Azure Advent Calendar Participant Information

The Azure Advent Calendar runs from December 1st through to December 25th this year.

For people taking part (entry is now closed – apologies) we have set up a YouTube channel to host your entries on your behalf; we will send you back the YouTube link once we have uploaded and scheduled the video.

Participants, please send us the video via a file share such as OneDrive etc. If you do not have one, message @pixel_robots and he will send you a link where you can send us your video.

On the day of your entry please publish your blog post live to the world and just add a link back to the website which is https://azureadventcalendar.com/

On each individual day we will tweet out the content for each of the 3 entries and use the hashtag #azureadventcalendar

If you need to add any artwork then please use the following image: –

Any questions please reach out to @Gregor_Suttie or @Pixel_Robots via twitter.