I had the great pleasure of giving an updated version of my “Secure your Web App in Azure” talk talk at Developer Developer Developer 14 in Reading on 12 October 2019.
A video of the whole talk is available below.
I touch on a whole range of Azure technologies, but mostly I introduce and expand on a simple framework to think about and manage your exposure.
Example of exposure and mitigation
| ||External Actors ||Internal Actors |
|PREVENT || |
- Secure your code – see Troy Hunt’s courses as a starting point.
- Lock down your servers
- Use Firewalls and Intrusion Detection/Prevention Systems
- Encrypt everything in transit
- Protect your passwords/secrets
- Process for granting and removing access
- Use Azure AD for all access, including SQL
- Audit who has access on a regular basis and remove unnecessary access
|DETECT || |
- Log and alert on any unusual application activity
- 403s and 404s
- Failed logins
- High CPU/memory, increased load
- Use Advanced Threat Protection
- Log and alert on all access to the backend by internal users
- Log and alert on unusual access patterns by application users
- Consider DLP tools
|MITIGATE || |
- Encrypt sensitive data at the application layer
- Have ways of locking out certain users or IP addresses
- For very sensitive systems, consider multi-layered architectures to contain breaches
Video of the whole talk
View the slides on Slide Share:
… or download from GitHub