Secure your Web App in Azure at DDD14

by Frans Lytzen | 16/10/2019

I had the great pleasure of giving an updated version of my "Secure your Web App in Azure" talk talk at Developer Developer Developer 14 in Reading on 12 October 2019.

A video of the whole talk is available below.

I touch on a whole range of Azure technologies, but mostly I introduce and expand on a simple framework to think about and manage your exposure.

Example of exposure and mitigation

	External Actors	Internal Actors
PREVENT	Secure your code – see Troy Hunt’s courses as a starting point. Lock down your servers Use Firewalls and Intrusion Detection/Prevention Systems Encrypt everything in transit	Protect your passwords/secrets Process for granting and removing access Use Azure AD for all access, including SQL Audit who has access on a regular basis and remove unnecessary access
DETECT	Log and alert on any unusual application activity 403s and 404s Failed logins High CPU/memory, increased load Etc Use Advanced Threat Protection	Log and alert on all access to the backend by internal users Log and alert on unusual access patterns by application users Consider DLP tools
MITIGATE	Encrypt sensitive data at the application layer Have ways of locking out certain users or IP addresses For very sensitive systems, consider multi-layered architectures to contain breaches