Introduction
In mid-2021, during a recording of the Azure Security Podcast, Azure security expert and author Yuri Diogenes asked Michael if he planned to write an update to his book, The Security Development Lifecycle. Without hesitation, Michael responded, “No!”
But that wasn’t the end of the matter.
The question Yuri asked planted a seed. Over the next few weeks, the three of us—Michael, Heinrich, and Simone—assembled a plan to write this book. Between us, we have worked with hundreds of customers to help them deploy business-critical solutions on Azure with confidence. This book is the culmination of that real-world experience.
The reason we wrote this book was not only to help you understand how to design and develop secure solutions running on Azure but to offer you pragmatic advice. The Venn diagram shown in Figure I-1 reflects how we see this book.
FIGURE I-1 The Intersection of this book’s areas of coverage.
We do not cover some areas within Azure; otherwise, this book would be quite a tome. Most notably, we do not cover topics such as the following:
Privileged access workstations (PAWs) A PAW is a workstation designed for administrative tasks only. It does not have access to email, general web browsing, and other productivity tasks. PAWs are used by elevated accounts to perform actions in high-risk environments, such as production, account administration, and more. You can learn more about PAWs here: https://azsec.tech/irb.
Conditional access and multifactor authentication (MFA) These are often handled by an identity team, and the infrastructure should already be in place. With that said, conditional access and MFA are critical to securing an Azure-based solution. Learn more here: https://azsec.tech/59d.
Privacy This is a book on security. Although security and privacy do overlap, security is mainly about fortifying a system and its data against unauthorized use, while privacy is about handling personal data. You can have security without privacy, but you cannot have privacy without security.
We’ve kept things relatively brief by including lots of links to outside information rather than covering some topics in depth in this book.
Organization of this book
This book is not designed to be read from cover to cover. You can do that, of course, but we have tried to make the chapters as independent as possible so they can be read individually. With that said, there are cross-references between chapters, and you might sometimes need to read a section of a different chapter to get the big picture.
The book also covers multiple ways to achieve a task, such as the following:
Using the Azure Portal (although it’s not common to use the Azure Portal in production systems because deploying in the real world usually uses a pipeline to push resources)
Using the Azure command-line Interface (CLI)
Using PowerShell code
Using more complete code examples in different languages such as C#, Python, JavaScript, and more
Tip
We have uploaded code samples and snippets to our GitHub repository at https://github.com/AzureDevSecurityBook/, so please make a point of visiting regularly.
Who should read this book
Just who is this book for? It’s for anyone deploying solutions on Azure—whether they’re architects, developers, or testers—who might not know a great deal about security but who want to make sure their design and code are as secure as possible. We cover a lot of ground in the book, but we also cover many complex topics in depth.
One final point: if you use the NIST Cybersecurity Framework (NIST CSF), then you’re familiar with its core components: identify, protect, detect, respond, and recover. The material in this book focuses primarily on the protect component and some aspects of the detect component. Rolling out industry-grade solutions on Azure requires your organization to cover the other four components of the NIST CSF. You can read more about the NIST CSF in Chapter 8, “Compliance and risk programs,” and on the NIST website, at https://azsec.tech/81t.
Thanks for reading!
Conventions and features in this book
This book presents information using conventions designed to make the information readable and easy to follow:
Boxed elements with labels such as “Note” provide additional information
Text that you type (apart from code blocks) appears in bold
A plus sign (+) between two key names means that you must press those keys at the same time. For example, “Press Alt+Tab” means that you hold down the Alt key while you press the Tab key
A vertical bar between two or more menu items (e.g. File | Close), means that you should select the first menu or menu item, then the next, and so on
System requirements
Examples and scenarios in the book require access to a Microsoft Azure subscription and a computer that can connect to Azure. You can learn more about a trial subscription at this site:
azure.microsoft.com/en-us/free
GitHub Repo
The book's GitHub repository includes sample code and code snippets, and the authors will update this over time. The repo is github.com/AzureDevSecurityBook/.
The download content will also be available on the book's product page: MicrosoftPressStore.com/SecureAzureSolutions/downloads
Errata, updates, & book support
We’ve made every effort to ensure the accuracy of this book and its companion content. You can access updates to this book—in the form of a list of submitted errata and their related corrections—at:
MicrosoftPressStore.com/SecureAzureSolutions/errata
If you discover an error that is not already listed, please submit it to us at the same page.
For additional book support and information, please visit MicrosoftPressStore.com/Support.
Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to support.microsoft.com.
Stay in touch
Let’s keep the conversation going! We’re on Twitter: twitter.com/MicrosoftPress