Failure(s) and comfort zone

I wanted to cover some of the failures I have endured during the year. It's not something you read a lot about from people and it's important to talk about failures. I tend to mention my successes but it's also relevant to realise that there have been a number of failures in 2019.

I sat a number of Azure exams last year and failed on more than one occasion. I learned from this that no matter how much you study and put in, you won't always have a successful outcome.

I wrote numerous blog posts which were sitting in my drafts folder for a long time which will never see the light of day.

I recorded umpteen videos which I never released and I still have them on my laptop, which again will never see the light of day.

I created PowerPoint presentations which, yep you guessed it, won't ever be used for talks.

I started numerous books and never finished a single one, was asked to review 3 or 4 books and again didn't get the job done.

At times throughout the year I spread myself too thin and was trying to do too much; the end result was the above.

Everyone has failures; it's part of becoming a better version of you.

As I reflect on these past 12 months it's clear to me that failure is a good thing. Failure has taught me that each time I fail I learn something about myself, which is key if you want to improve yourself.

Commitment
I have spent the last 2 years investing in myself. I commit myself to learning new skills and gaining knowledge, and with this comes failure; failure in my eyes means I am doing. It's easy to say you want to do this or that but if you're not actively doing something about it then it won't ever become a reality.

I have never given up after failing an exam or throwing away a presentation or a video; I use it to motivate myself to do better the next time, and I keep the content as reminders.

The trick for me is to have goals. I write my goals on a piece of paper and have that pinned above my computer monitors on the wall. Last year I failed in only one goal and then this year I knocked it out of the park; I kept the paper there until I had achieved that goal and now it's been replaced with a new set of goals.

Stop holding yourself back
I stopped holding myself back. I used to think I'd love to do x or do y but I never truly thought I had anything to offer.
I spoke to some people at conferences who weren't blogging but were right into tech and I suggested they should start. I wanted to say stop holding yourself back and just do it; they know their stuff and weren't sure why they hadn't been blogging.

I watched people speak at user groups and conferences and I thought wow, I'd love to do that. I did nothing about it; I was holding myself back, scared I would make a fool of myself. I might still, but I am going to go after it and see where it takes me.

Everyone has failures, you don't hear about them. Stop holding yourself back if that's you; if you're not failing regularly then perhaps you're still in your comfort zone.


How I had a successful 2019

This year has been an amazing year for me, too many good things to recall if I'm honest, and I'll keep it short. Below are some of the highlights for me (in no particular order):

  • Invited to meet Scott Guthrie at an ask me anything session in London
  • Awarded MVP in Azure in August
  • Helping run the Glasgow Azure User Group
  • Ran the Azure Global Boot Camp, Glasgow Edition
  • Attended my first ever Microsoft Ignite in Florida
  • Attended my first ever Experts Live Europe in Prague
  • Microsoft Certified: Azure Solutions Architect Expert
  • Microsoft Certified: Azure DevOps Engineer Expert
  • Microsoft Certified: Azure Developer Associate
  • Microsoft Certified: Azure Security Engineer Associate
  • Microsoft Certified: Azure Fundamentals
  • Helped work become Gold Certified in a few more competencies
  • Blog has had over 200,000 hits this year (50 posts this year)
  • The Azure Advent Calendar has been a huge success, more info on that later this month.
  • Joined TechSnips.Io
  • Started a YouTube channel
  • Named in Nigel Frank International in the Top 20 Azure influencers on Twitter
  • 3 podcast appearances

Looking forward to 2020 which will bring the following :-

  • Ignite the Tour London
  • Ignite the Tour Zurich
  • Scottish Summit (doing a talk and helping out)
  • Azure Global Boot camp (organising & more on that next week)
  • MVP Summit 2020
  • Ignite 2020
  • Hopefully lots more travelling
  • Hopefully attending conferences
  • Reach 5000 twitter followers
  • Recording some training material

It has been a huge amount of fun; I've learned a lot more about myself and visited a number of places.

My number one highlight might sound corny, but meeting the people who make up the community has been incredible. At Ignite and at Experts Live I met so many awesome people that I have chatted to on Twitter. I've met people I've looked up to and asked for advice from, and the people who inspire me.

If you need help or have questions about anything please reach out to me on Twitter or LinkedIn; I'm always happy to help with anything I can.

I could never thank everyone but trust me I’m thankful for meeting each and every one of you.

This #azureadventcalendar has been a fantastic way to end the year and soon I’ll be at Ignite the Tour London and then the Scottish Summit here in Glasgow at the end of February.

Huge waves and thanks to everyone who I chatted to throughout 2019, and let's do it again next year.

Happy Holidays! – Gregor.



Azure Advent Calendar – Week 1 recap

Week 1 of the Azure Advent Calendar has come and gone and we have seen some incredible content.

Content covered includes: –

An Azure Poem, Azure Governance, Azure Logic Apps, Azure Service Health, Azure Container Instances, Azure DevOps Pipelines, Azure NetApp Files, Azure Certification Paths, Azure AKS, Azure API Management, Azure Lighthouse, Azure Site Recovery, Azure Functions, Azure Web Apps, Azure MFA, Azure Role Based Certification, Being Successful in Azure, Azure Migrate, Azure Key Vault, AKS monitoring with Prometheus and Terraform for Azure.

Phew, that's a lot to learn about in just 1 week. There is a lot more to come, so please subscribe to our dedicated YouTube channel.

So far we have over 700 subscribers, and there has been over 350 hours of videos watched which is absolutely awesome.

The Azure Advent Calendar website has been viewed in over 120 countries around the globe and had almost 6 thousand hits in the last 90 days.

We want to take this time to thank everyone for taking part and hope that everyone is enjoying the #azureadventcalendar so far. We appreciate all of the tweets, LinkedIn coverage etc.; it's been a blast so far, loving all the Christmas jumpers on show.

Thanks all from Gregor and Richard aka @Pixel_Robots



Azure Resource Graph Dashboards

I attended a session at Experts Live EU 2019 about Azure initialization from zero to hero: on-boarding, governance & resources deployment, and one of the subjects was Azure Resource Graph.

Azure Resource Graph is a service in Azure designed to extend Azure Resource Management by providing efficient and performant resource exploration, with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

With Azure Resource Graph you can write queries against your Azure resources to gain very insightful information about them; previously it wasn't possible to see all of your resources if you had more than 2000. Queries that you write can be kept private or shared; shared queries are stored within a resource group so that other users can run them.

Resource Graph Explorer allows you to open existing queries, create new queries and run them within the portal and see the results.

An example of a query would be like so: –

I won't show the results for obvious reasons 👀

The really nice benefit I see from Azure Resource Graph is that you can save these queries to a dashboard and share the dashboard with members of your team/company.

At Experts Live EU @ExchangeGoddess shared an example dashboard which is a simple json file.

The beautiful thing is that the JSON can be exported and imported into your subscription(s); it doesn't store subscription IDs etc. as it only contains the queries. Resource Graph also only returns resources the caller has read access to under Azure RBAC, so each person viewing a shared dashboard sees their own slice of the estate rather than yours. I was able to take this file and import it into a brand new dashboard and instantly see a very useful dashboard which looks like the following: –
Clicking on the charts takes you to the actual query which produces the dashboard; the queries are written in a language called Kusto (KQL). You can learn more about Kusto on Pluralsight.

You can grab the JSON file which @ExchangeGoddess kindly shared from my GitHub repo, and then within Dashboards inside the Azure portal simply use the upload capability to upload the JSON file and bingo, you'll have a nice new dashboard where you can learn about your resources and learn more from the existing Kusto queries within it.

Big thanks to @ExchangeGoddess for sharing this, enjoy!



ExpertsLiveEU 2019 – first time attendee

The ExpertsLiveEU 2019 conference in Prague, Czech Republic, has just finished and I am back in the hotel writing this blog post; I wanted to write this before I travel back home to Scotland.

You can read about the 3 day conference at ExpertsLive EU.

The conference had about 400 attendees from around 30 countries; the content was fantastic, as were all of the speakers. There were a lot of very smart people there and the caliber of speakers was very high indeed.

I learned a lot from most of the sessions and now have a list of things I either need to start learning or areas which I need to learn more about and do a deeper dive into.

The speakers referred to being T-shaped.

I believe I am pretty well versed in a number of areas of Azure, with a breadth of topics I know a decent amount about; I plan to choose a couple of areas next year to dive deeper into.

I love coming to conferences as you spend the day learning and asking questions, and then you socialize afterwards or during, and that's the real value for me. Making connections and networking are my favorite part, and you learn so much more in the longer term as well.

Being able to speak to product owners and product managers at Microsoft has given me the most value. I speak to these people, make a connection, get their contact details and can then ask questions any time.

With Ignite 2 weeks ago and now this conference, I've learned the value in attending, meeting strangers, asking them about what they do, and so on; it's been an absolute blast. I'm also getting less shy, which can only be a good thing.

I will definitely be back at Ignite and at ExpertsLiveEU next year all going well.



Azure Web App Staging Slots

With this year's Azure Advent Calendar I made some site improvements and also upgraded the site from .NET 2.2 to 3.0. The code built and ran locally just fine, I pushed it to production and boom! Site's down, not good for a number of reasons.

The takeaway from this is that I knew better. I tried to push some changes which in hindsight could easily have broken the site, and because it ran locally I thought it was all good; the site has no tests as it's content only.

By upgrading the site and attempting to add in Azure App Configuration I ran into some NuGet package issues which I thought I had resolved.

Get to the point of the blog post already Gregor!

Azure App Service has a feature called deployment slots for Web Apps, and with it we can have the following: –

  • Two copies of the site running at the same time (one production, one staging)
  • Deploy new features to staging and then test (however you test)
  • If all is good, swap the slots so that the new version is now the production version and the old production version is swapped into the staging slot; if anything is borked then swap back and you're back to good.
  • Two things to check before relying on this: slots need a Standard tier plan or higher, and any app setting or connection string marked as a deployment slot setting stays with its slot during a swap, so a staging-only connection string will not follow the code into production.

That's the short version of what deployment slots are used for. I encourage you to take a look at them; I now have this set up for the Azure Advent Calendar and won't be so careless next time.


Microsoft Ignite 2019 – My Review

I have just returned from Microsoft Ignite 2019 which was held in Orlando Florida, here is my take on the experience of attending the event.

I was staying at the Best Western Orlando Convention Centre hotel, which was pretty handy for the event and meant I could walk to the venue each day (I'd recommend staying close by if you're planning to attend next year).

Friday
I started by arriving on the Friday (which was great); I managed to get used to the location, find my way around where I was staying and figure out where everything was, which I would also recommend. I managed to meet up with other people who were attending and we went out for food and drinks that night, which meant chatting with a group from Germany who were mostly MVPs, a great start to my time in Florida.

Saturday
I did more of the same on Saturday and spent a good deal of the day around the Hyatt Regency hotel, which is a great area to hang out as this is where a number of the Microsoft speakers were staying. We had drinks and food at the hotel bar and again I spent a good deal of time meeting attendees from all around the globe.

Sunday
Sunday allows you to attend a pre-day, which is a day of learning the day before the conference starts; this is normally $500 but you get it free as an MVP. This was awesome as I managed to meet a good number of Azure MVPs from around the world and chat to them during the day.

Monday to Friday was spent going to some sessions, hanging out in the Hub and at the Microsoft booths, where I asked a lot of questions of product team members (which is invaluable).

Thursday night we got to go to Universal Studios and Islands of Adventure from 7:30pm until midnight for the Ignite celebration; the parks are open for attendees only, there is free food and drink and all of the rides are free, which was incredible.

Overall the experience of attending Ignite was just wow; the size of the venue, the number of attendees and the number of sessions were hard to comprehend. I will be going next year without a doubt and highly recommend it to anyone. The networking opportunities are endless, meeting both Microsoft staff and people I know from Twitter etc.

Tips for next year: –

  • Arrive early and acclimatise
  • Don't overdo it; there is a lot of walking and the fear of missing out will always be there.
  • The parties at night are amazing so pace yourself throughout each day.
  • If you're an MVP, try and be there on the Sunday.
  • Attend sessions if you have questions; otherwise watch them at the Hub or when you get home.
  • Be prepared for not a lot of sleep; you can sleep when you get home.
  • Enjoy the Microsoft Store and the endless freebies from the vendors.
  • Attend – honestly it's off the charts good fun and the opportunities to learn and meet people are endless.

If you can't afford to attend or don't fancy travelling to Florida then try to attend an Ignite Tour venue near you (they have already begun and more are coming soon).



Microsoft Security Code Analysis for Azure DevOps – Part 3 BinSkim

Microsoft has recently released a new set of security tooling for Azure DevOps called Microsoft Security Code Analysis.

The Microsoft Security Code Analysis Extension is a collection of tasks for the Azure DevOps Services platform. These tasks automatically download and run secure development tools in the build pipeline.

In this post I’ll cover BinSkim and how to use it.


BinSkim
BinSkim is a lightweight Portable Executable (PE) scanner that validates compiler/linker settings and other security-relevant binary characteristics, for example whether a binary was linked with ASLR, DEP/NX and Control Flow Guard enabled. The build task provides a command line wrapper around the BinSkim.exe application. BinSkim is an open source tool.
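To make "validates compiler/linker settings" concrete, here is an added example of my own (it is not BinSkim's code, and BinSkim checks far more than this, including PDB-level settings): it reads the DllCharacteristics word from a PE image's optional header and reports whether ASLR, high-entropy 64-bit addressing, DEP/NX and Control Flow Guard are set, the same linker settings that BinSkim's mitigation rules look at. The flag values are the IMAGE_DLLCHARACTERISTICS_* constants from winnt.h; the check names, build_minimal_pe and the header-only test image are this example's own constructions so it runs offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from winnt.h
HIGH_ENTROPY_VA = 0x0020   # 64-bit image can use the full high-entropy address space
DYNAMIC_BASE = 0x0040      # image may be relocated (ASLR)
NX_COMPAT = 0x0100         # image is DEP/NX compatible
GUARD_CF = 0x4000          # image was built with Control Flow Guard

# Mitigation name -> flag, in report order (names are this example's, not BinSkim rule IDs)
CHECKS = {
    "ASLR": DYNAMIC_BASE,
    "HighEntropyVA": HIGH_ENTROPY_VA,
    "DEP": NX_COMPAT,
    "CFG": GUARD_CF,
}

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_optional_header(pe: bytes):
    """Return (magic, DllCharacteristics) from a PE image's optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header
    return magic, struct.unpack_from("<H", pe, opt + 70)[0]


def analyze(pe: bytes) -> dict:
    """Map each mitigation to True/False. HighEntropyVA only applies to 64-bit
    images, so it is omitted from the report for PE32."""
    magic, flags = parse_optional_header(pe)
    result = {name: bool(flags & bit) for name, bit in CHECKS.items()}
    if magic == PE32_MAGIC:
        del result["HighEntropyVA"]
    return result


def missing_mitigations(pe: bytes) -> list:
    """Names of the mitigations a BinSkim-style scan would flag as not enabled."""
    return [name for name, on in analyze(pe).items() if not on]


def build_minimal_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed input: DOS header, PE signature, COFF header and an optional header
    carrying the given DllCharacteristics. Enough for the parser above; not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x014C,             # Machine: x64 / i386
                       0, 0, 0, 0,                                 # sections, timestamp, symbols
                       opt_size, 0x0022)                           # SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 3)                             # Subsystem: Windows CUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_minimal_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF)
    legacy = build_minimal_pe(NX_COMPAT)                           # DEP only, as older linkers emit
    for label, image in (("hardened", hardened), ("legacy", legacy)):
        print(label, analyze(image), "missing:", missing_mitigations(image))
```

Point parse_optional_header at the bytes of a real .exe or .dll to see the same flags BinSkim would report on; a Release binary built by a current MSVC toolchain should come back with nothing missing, and a binary linked with /DYNAMICBASE:NO is exactly the kind of artifact the build task exists to catch before it ships.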

Setup:

  1. Open your team project from your Azure DevOps Account.
  2. Navigate to the Build tab under Build and Release
  3. Select the Build Definition into which you wish to add the BinSkim build task.
    New – Click New and follow the steps detailed to create a new Build Definition.
    Edit – Select the Build Definition. On the subsequent page, click Edit to begin editing the Build Definition.
  4. Click + to navigate to the Add Tasks pane.
  5. Find the BinSkim build task either from the list or using the search box and then click Add.
  6. The BinSkim build task should now be a part of the Build Definition. Add it after the publishing steps for your build artifacts.

Customizing the BinSkim Build Task:

  1. Click the BinSkim task to see the different options available within.
  2. Set the build configuration to Debug to produce *.pdb debug files. They are used by BinSkim to map issues found in the output binary back to source code. If you ship Release builds, scan those instead (a Release configuration can still emit PDBs); otherwise the linker settings BinSkim validates are the Debug build's rather than the ones you actually release.
  3. Choose Type = Basic & Function = Analyze to avoid researching and creating your own command line.
  4. Target – One or more specifiers to a file, directory, or filter pattern that resolves to one or more binaries to analyze.
    • Multiple targets should be separated by a semicolon (;).
    • Can be a single file or contain wildcards.
    • Directories should always end with \*
    • Examples:
      • *.dll;*.exe
      • $(BUILD_STAGINGDIRECTORY)\*
      • $(BUILD_STAGINGDIRECTORY)\*.dll;$(BUILD_STAGINGDIRECTORY)\*.exe;
    • For Command Line input (when you supply the arguments yourself instead of Type = Basic):
      • Make sure the first argument to BinSkim.exe is the verb analyze, using full paths or paths relative to the source directory.
      • Multiple targets should be separated by a space.
      • You can omit the /o or /output file parameter; it will be added for you or replaced.
      • Standard command line configurations:
        • analyze $(Build.StagingDirectory)\* --recurse --verbose
        • analyze *.dll *.exe --recurse --verbose
      • Note that the trailing \* is very important when specifying a directory or directories for the target.

    For more details on BinSkim, whether command line arguments, rules by ID or exit codes, visit the BinSkim User Guide.



Microsoft Security Code Analysis for Azure DevOps – Part 2 Credential Scanner

Microsoft has recently released a new set of security tooling for Azure DevOps called Microsoft Security Code Analysis.

The Microsoft Security Code Analysis Extension is a collection of tasks for the Azure DevOps Services platform. These tasks automatically download and run secure development tools in the build pipeline.

In this post I’ll show you how to get the new extension and how to go about using it.

Credential Scanner (aka CredScan) is a tool developed and maintained by Microsoft to identify credential leaks, such as those in source code and configuration files. Some of the commonly found types of credentials are default passwords, SQL connection strings and certificates with private keys.
The CredScan build task is included in the Microsoft Security Code Analysis Extension. This post has the steps needed to configure and run the build task as part of your build definition.

Let's start by adding CredScan to a build for an existing project; I'll use the AzureAdventCalendar project which I already have set up within my Azure DevOps organization at https://dev.azure.com.

Setup:

  1. Open your team project from your Azure DevOps Account.
  2. Navigate to the Build tab under Build and Release
  3. Select the Build Definition into which you wish to add the CredScan build task.
    New – Click New and follow the steps detailed to create a new Build Definition.
    Edit – Select the Build Definition. On the subsequent page, click Edit to begin editing the Build Definition.
  4. Click + to navigate to the Add Tasks pane.
  5. Find the CredScan build task either from the list or using the search box and then click Add.
  6. The Run CredScan build task should now be a part of the Build Definition.


Customizing the CredScan Build Task:

Available options include: –

  • Output Format – TSV/ CSV/ SARIF/ PREfast
  • Tool Version (Recommended: Latest)
  • Scan Folder – The folder in your repository to scan
  • Searchers File Type – Options to locate the searchers file used for scanning.
  • Suppressions File – A JSON file can be used for suppressing issues in the output log (more details in the Resources section).
  • (New) Verbose Output – self-explanatory
  • Batch Size – The number of concurrent threads used to run Credential Scanners in parallel. Defaults to 20 (Value must be in the range of 1 to 2147483647).
  • (New) Match Timeout – The amount of time to spend attempting a searcher match before abandoning the check.
  • (New) File Scan Read Buffer Size – Buffer size while reading content in bytes. (Defaults to 524288)
  • (New) Maximum File Scan Read Bytes – Maximum number of bytes to read from a given file during content analysis. (Defaults to 104857600)
  • Run this task (under Control Options) – Specifies when the task should run. Choose “Custom conditions” to specify more complex conditions.

*Version – Build task version within Azure DevOps. Not frequently used.


Resources

Local suppressions scenarios and examples

Two of the most common suppression scenarios are detailed below: –

1. Suppress all occurrences of a given secret within the specified path

The hash key of the secret from the CredScan output file is required, as shown in the sample below:

{
  "tool": "Credential Scanner",
  "suppressions": [
    {
      "hash": "CLgYxl2FcQE8XZgha9/UbKLTkJkUh3Vakkxh2CAdhtY=",
      "_justification": "Secret used by MSDN sample, it is fake."
    }
  ]
}

Warning: The hash key is generated by a portion of the matching value or file content. Any source code revision could change the hash key and disable the suppression rule.

2. Suppress all secrets in a specified file (or suppress the secrets file itself)
The file expression can be a file name or any postfix portion of the full file path/name. Wildcards are not supported.

Example
File to be suppressed: [InputPath]\src\JS\lib\angular.js
Valid suppression rules:
  [InputPath]\src\JS\lib\angular.js — suppress the file in the specified path
  \src\JS\lib\angular.js
  \JS\lib\angular.js
  \lib\angular.js
  angular.js — suppress any file with the same name

{
  "tool": "Credential Scanner",
  "suppressions": [
    {
      "file": "\\files\\AdditionalSearcher.xml",
      "_justification": "Additional CredScan searcher specific to my team"
    },
    {
      "file": "\\files\\unittest.pfx",
      "_justification": "Legitimate UT certificate file with private key"
    }
  ]
}

Warning: All future secrets added to the file will also get suppressed automatically.


Secrets management guidelines
While detecting hard-coded secrets in a timely manner and mitigating the risks is helpful, it is even better to prevent secrets from getting checked in altogether. In this regard, Microsoft has released CredScan Code Analyzer as part of the Microsoft DevLabs extension for Visual Studio. While in early preview, it gives developers an inline experience for detecting potential secrets in their code, so they can fix those issues in real time. For more information, please refer to Microsoft's blog on Managing Secrets Securely in the Cloud.


Extending search capabilities
CredScan relies on a set of content searchers, commonly defined in the buildsearchers.xml file. The file contains an array of XML-serialized objects, each representing a ContentSearcher. The program is distributed with a set of well-tested searchers, but it also allows you to implement your own custom searchers.

A content searcher is defined as follows:

  • Name – The descriptive searcher name to be used in CredScan output file. It is recommended to use camel case naming convention for searcher names.
  • RuleId – The stable opaque id of the searcher.
    • CredScan default searchers are assigned with RuleIds like CSCAN0010, CSCAN0020, CSCAN0030, etc. The last digit is reserved for potential searcher regex group merging or division.
    • RuleId for customized searchers should have its own namespace in the format of: CSCAN-{Namespace}0010, CSCAN-{Namespace}0020, CSCAN-{Namespace}0030, etc.
    • The fully qualified searcher name is the combination of the RuleId and the searcher name, e.g. CSCAN0010.KeyStoreFiles, CSCAN0020.Base64EncodedCertificate, etc.
  • ResourceMatchPattern – Regex of file extensions to check against searcher
  • ContentSearchPatterns – Array of strings containing Regex statements to match. If no search patterns are defined, all files matching the resource match pattern will be returned.
  • ContentSearchFilters – Array of strings containing Regex statements to filter searcher specific false positives.
  • MatchDetails – A descriptive message and/or mitigation instructions to be added for each match of the searcher.
  • Recommendation – Provides the suggestions field content for a match using PREfast report format.
  • Severity – An integer to reflect the severity of the issue (Highest = 1).
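To show how the searcher fields above and the two suppression rule kinds from the Resources section fit together, here is an added example of my own (not CredScan's code, and not the shipped buildsearchers.xml): two constructed searchers expressed with the Name, RuleId, ResourceMatchPattern, ContentSearchPatterns, ContentSearchFilters and Severity fields, run over a handful of constructed files, with file-postfix and hash suppressions applied the way the post describes them. The secret hash is the one assumption here: CredScan's hash scheme is opaque, so this example stands in a base64 SHA-256 of the matched value, which is enough to show why any edit to the secret invalidates a hash suppression.

```python
import base64
import hashlib
import re

# Constructed searchers using the fields the post lists. They imitate how CredScan
# searchers behave; they are not the ones shipped in buildsearchers.xml.
SEARCHERS = [
    {
        "Name": "PasswordAssignment",
        "RuleId": "CSCAN-Demo0010",            # custom-namespace RuleId form from the post
        "ResourceMatchPattern": r"\.(config|json|xml|ps1|cs|js)$",
        "ContentSearchPatterns": [r"""(?i)password\s*=\s*["']?([^;"'\s]+)"""],
        # Pipeline/template placeholders are not secrets: lines matching a filter are skipped.
        "ContentSearchFilters": [r"""(?i)password\s*=\s*["']?(\$\(|\{\{|%)"""],
        "Severity": 1,
    },
    {
        "Name": "PfxCertificateFile",
        "RuleId": "CSCAN-Demo0020",
        "ResourceMatchPattern": r"\.pfx$",
        "ContentSearchPatterns": [],           # no patterns: every matching file is reported
        "ContentSearchFilters": [],
        "Severity": 1,
    },
]


def secret_hash(value: str) -> str:
    # ASSUMPTION: CredScan's hash is opaque; SHA-256 of the matched value stands in for it.
    return base64.b64encode(hashlib.sha256(value.encode("utf-8")).digest()).decode("ascii")


def _finding(rule, path, line, value, severity):
    return {"rule": rule, "file": path, "line": line, "hash": secret_hash(value), "severity": severity}


def scan_file(path: str, content: str, searchers=SEARCHERS) -> list:
    """Run every searcher whose ResourceMatchPattern matches the path over the content."""
    findings = []
    for s in searchers:
        if not re.search(s["ResourceMatchPattern"], path, re.IGNORECASE):
            continue
        rule = f'{s["RuleId"]}.{s["Name"]}'    # fully qualified searcher name
        if not s["ContentSearchPatterns"]:
            findings.append(_finding(rule, path, 0, content, s["Severity"]))
            continue
        for lineno, line in enumerate(content.splitlines(), start=1):
            if any(re.search(f, line) for f in s["ContentSearchFilters"]):
                continue                       # known false-positive shape
            for pat in s["ContentSearchPatterns"]:
                m = re.search(pat, line)
                if m:
                    value = m.group(1) if m.lastindex else m.group(0)
                    findings.append(_finding(rule, path, lineno, value, s["Severity"]))
    return findings


def is_suppressed(finding: dict, suppressions: dict) -> bool:
    """The two rule kinds from the post: by secret hash, or by any postfix of the full
    file path (no wildcards), compared case-insensitively with Windows separators."""
    path = finding["file"].replace("/", "\\").lower()
    for rule in suppressions.get("suppressions", []):
        if rule.get("hash") == finding["hash"]:
            return True
        expr = rule.get("file")
        if expr and path.endswith(expr.replace("/", "\\").lower()):
            return True
    return False


def scan(files: dict, searchers=SEARCHERS, suppressions=None) -> list:
    """files maps full path -> text content. Returns every finding, flagged suppressed or not."""
    suppressions = suppressions or {"tool": "Credential Scanner", "suppressions": []}
    results = []
    for path, content in files.items():
        for f in scan_file(path, content, searchers):
            f["suppressed"] = is_suppressed(f, suppressions)
            results.append(f)
    return results


INPUT_PATH = r"C:\agent\_work\1\s"            # constructed agent checkout path
SAMPLE_FILES = {                               # constructed, not real project content
    INPUT_PATH + r"\src\Web\appsettings.json":
        '{ "ConnectionStrings": { "Db": "Server=db;User Id=app;Password=Hunter2!;" } }',
    INPUT_PATH + r"\build\deploy.ps1": "Password=$(DbPassword)  # pipeline variable, filtered",
    INPUT_PATH + r"\src\JS\lib\angular.js": 'var password = "notReallyASecret";',
    INPUT_PATH + r"\files\unittest.pfx": "<binary pfx bytes>",
}
SUPPRESSIONS = {
    "tool": "Credential Scanner",
    "suppressions": [
        {"file": r"\lib\angular.js", "_justification": "Vendored library, not our secret"},
        {"file": r"\files\unittest.pfx", "_justification": "Legitimate UT certificate file with private key"},
    ],
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, suppressions=SUPPRESSIONS):
        state = "SUPPRESSED" if f["suppressed"] else "FINDING   "
        print(f"{state} {f['rule']} {f['file']}:{f['line']} {f['hash']}")
```

Run as-is it reports the connection-string password in appsettings.json as the only live finding: the placeholder in deploy.ps1 is dropped by the ContentSearchFilters, the vendored angular.js is silenced by the \lib\angular.js postfix rule (which, as the post warns, will also silence any real secret someone later adds to that file), and the .pfx is reported purely on its extension and then suppressed by name. Swap the file rules for a hash rule built from secret_hash("Hunter2!") to see the other behaviour the post describes: it silences that exact value wherever it appears, and stops matching the moment the value is edited.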

Join me in part 3 where I cover BinSkim.



Microsoft Security Code Analysis for Azure DevOps – Part 1

Microsoft has recently released a new set of security tooling for Azure DevOps called Microsoft Security Code Analysis.

The Microsoft Security Code Analysis Extension is a collection of tasks for the Azure DevOps Services platform. These tasks automatically download and run secure development tools in the build pipeline.

In this post I'll show you what the tools cover; in part 2 I'll show you them in action in Azure DevOps.


Credential Scanner
Passwords and other secrets stored in source code are currently a big problem. Credential Scanner is a static analysis tool that detects credentials, secrets, certificates, and other sensitive content in your source code and your build output.

More Information


BinSkim
BinSkim is a lightweight Portable Executable (PE) scanner that validates compiler/linker settings and other security-relevant binary characteristics. The build task provides a command line wrapper around the BinSkim.exe application. BinSkim is an open source tool.

More Information (BinSkim on GitHub)


TSLint
TSLint is an extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors and build systems and can be customized with your own lint rules, configurations, and formatters. TSLint is an open source tool.

More Information on Github


Roslyn Analyzers
Microsoft’s compiler-integrated static analysis tool for analyzing managed code (C# and VB).

More Information (Roslyn Analyzers on docs.microsoft.com)


Microsoft Security Risk Detection
Security Risk Detection is Microsoft’s unique cloud-based fuzz testing service for identifying exploitable security bugs in software.

More Information (MSRD on docs.microsoft.com)


Anti-Malware Scanner
The Anti-Malware Scanner build task is now included in the Microsoft Security Code Analysis Extension. It must be run on a build agent which has Windows Defender already installed.

More Information


Analysis and Post-Processing of Results

The Microsoft Security Code Analysis extension has three build tasks to help you process and analyze the results found by the security tools tasks.

  • The Publish Security Analysis Logs build task preserves log files from the build for investigation and follow-up.
  • The Security Report build task collects all issues reported by all tools and adds them to a single summary report file.
  • The Post-Analysis build task allows you to inject build breaks and fail the build should an analysis tool report security issues in the code that was scanned.

Publish Security Analysis Logs
The Publish Security Analysis Logs build task preserves the log files of the security tools run during the build. They can be published to the Azure DevOps Server artifacts (as a zip file), or copied to an accessible file share from your private build agent.

More Information


Security Report
The Security Report build task parses the log files created by the security tools run during the build and creates a summary report file with all issues found by the analysis tools.
The task can be configured to report findings for specific tools or for all tools, and you can also choose what level of issues (errors or errors and warnings) should be reported.

More Information


Post-Analysis (Build Break)
The Post-Analysis build task enables you to inject a build break and fail the build in case one or more analysis tools report findings or issues in the code.
Individual build tasks succeed, by design, as long as the tool completes successfully, whether there are findings or not. This is so that the build can run to completion, allowing all tools to run. The consequence is that without this task a pipeline full of scanners will happily go green with unresolved findings, so add it if you want the scan results to actually gate a release.
To fail the build based on security issues found by one of the tools run in the build, add and configure this build task.
The task can be configured to break the build for issues found by specific tools or for all tools, and also based on the severity of issues found (errors, or errors and warnings).

More Information