429 (“Too Many Requests”) messages, 76

AAD (Azure Active Directory)

• AAD Data Plane RBAC, 416–419

• identity management, 203

ABAC (Attribute-Based Access Control), 168–170

acceptability, psychological, 45

accepting risk, PCI DSS, 218

access

• ABAC, 168–170

• AD Access Reviews, 42

• Azure Key Vault, 288–290, 301

• broken access control, 257

• CAE, 131

• Entra, 130

• managing, modern identity, 125

• PAM tool, 56–57

• PAW, 42

• privileged access, 203

• RBAC, 61–62, 206, 210–211, 291–299

• rights, limiting duration of, 28–29

• SAS tokens, 158

• tokens, 138

• without authentication, 151–159

accounts, break-glass accounts, 298

ACI (Azure Container Instances), 377–378

ACR (Azure Container Registry), 385–386

action groups, 185–186

Active Directory Authentication Library (ADAL), 131

AD (Active Directory)

• AAD, identity management, 203

• Access Reviews, 42

• ADAL, 131

• PIM, 46, 168

• roles, 162–164

• scopes, 162

• SecOps, 125

ADAL (Active Directory Authentication Library), 131

adding audit logs with Azure Policy, 189

Addiscott, Richard, threat modeling, 89

administration, just-in-time, 56–58

ADO SHA (Azure DevOps Self-Hosted Agents), 456

Agile development, characteristics of, 23

Agile SDL (Security Development Lifecycle)

• attack surface analysis, 10

• banned functionality, avoiding, 12–13

• bug bars, defining, 7–10

• CVSS, 7

• DTD bomb attacks, 13

• dynamic analysis tools, 16–17

• flow analysis, 17

  • control-flow analysis, 17–18

  • data-flow analysis, 18

• incident response plans, 18

• overview, 20–21

• penetration testing (pentests), 19

• security training, 6

• static analysis tools, 13–16, 17

• tasks by sprint, 20–21

• technical security debt, 19

• threat modeling, 10

• toolchains, defining, 11

agility, cryptographic, 312–313

• CredScan, 313–314

• delimiters, 323

• implementing, 315–323

• metadata, 316–317

• nonclass factory cryptographic algorithms, 317–320

• Office (MS) documents, 317

• process of, 314–315

• real-world experience, 322–323

• summary, 323–324

• TLS, 343

• version numbers, 320–322

AKS (Azure Kubernetes Services), 107, 378–380, 457

alerts, 197–199, 303

Alexander, Christopher, design patterns, 51

all input is evil, 238–239

allLogs, 175

allowed communications, VNets, 448

Always Encrypted, 422–426, 429–433

AMD, SEV-SNP, 362–363

analysis phase, threat modeling, 82

analyzing

• attack surfaces, 10

• dynamic analysis tools, 16–17

• flow analysis, 17

  • control-flow analysis, 17–18

  • data-flow analysis, 18

• SCA tools, CI/CD, 436

• static analysis tools, 13–16, 17

• use analysis tools, 271–273

API (Application Programming Interface)

• fuzz testing, 280–283

• Management Gateways, 451

• REST API security, 282–283

App Services, 47, 377

Application Programming Interface (API)

• fuzz testing, 280–283

• REST API security, 282–283

Application Security Groups (ASG), 447

applications

• AppServiceAppLogs, 173

• ASG, 447

• authentication, 159–161

• Azure Application Proxy, 451

• Azure Container Apps, 378

• DAST, 16–17

• hosting, 133

• OAuth2

  • flows, 136–137

  • registration, 129

• permissions, 138

• roles, 62–64

• shared app service plans, 455

AppServiceAppLogs, 173

AppServiceAuditLogs, 173

AppServiceConsoleLogs, 173

AppServiceHTTPLogs, 173

AppServiceIPSecAuditLogs, 173–174

AppServicePlatformLogs, 174

Arm TrustZone, 363

ASB (Azure Security Benchmark), 202, 227–228

ASG (Application Security Groups), 447

assessing risk, bug bars, 7–10

asset management, 204

assigning

• Azure Policies, 211–212

• roles

  • best practices, 167–168

  • Blueprints, 167

  • denying assignments, 167

  • managing assignments, 164–165

  • to groups, 58–59

assume-breach, 29

assumptions, mitigations, 113

ATT&CK, 231

attack surfaces

• analysis, 10

• reduction, 32–33

attacks. See also threat modeling

• brute-force attacks, 350–351

• DoS attacks, 75–77, 391

• DTD bomb attacks, 13

• elevation of privileges attacks, 391

• honeypots, 171

• reconnaissance attacks, 171

• repudiation attacks, 391

• spoofing attacks, 391

• supply chain attacks, 436

• tampering attacks, 391

attestation, remote, 360, 364–366, 431

Attribute-Based Access Control (ABAC), 168–170

audit logs, 175, 186–188

auditing

• allLogs, 175

• AppServiceAppLogs, 173

• AppServiceAuditLogs, 173

• AppServiceConsoleLogs, 173

• AppServiceHTTPLogs, 173

• AppServiceIPSecAuditLogs, 173–174

• AppServicePlatformLogs, 174

• audit logs, 175, 186–188

• Azure Key Vault, 301–303

• Azure Monitor

  • Azure Storage, 174, 187–188

  • diagnostic settings, 172–175

  • Event Hub, 174

  • Log Analytics workspaces, 174, 176

  • Log Analytics workspaces, action groups, 185–186

  • Log Analytics workspaces, KQL queries, 176–180

  • Log Analytics workspaces, protecting audit logs, 186–188

  • Log Analytics workspaces, raising alerts, 181–185

  • Partner Solution, 174

• Azure Policy, adding audit logs, 189

• Azure Sentinel, 186

• category groups, 175

• CMK, 186–187

• control (management) plane, 399–400

• Cosmos DB Security, 414, 419–420

• costs, 189–190

• crypto-shredding, 186

• data plane, 404

• intentional security monitoring/auditing, 190

• KQL queries, 176–180

• logging for auditing, defined, 172

• SQL Server and database security, 395

• threat modeling events, 190–199

authentication (authN), 123–124, 150–151, 154

• access without authentication, 151–159

• ADAL, 131

• applications, 159–161

• control (management) plane, 396–398

• Cosmos DB Security, 411–412

• data plane, 402–403, 414–415

• defined, 124

• failures, 264–266

• importance to developers, 155

• keys, 338

• MFA, 152–153

• MSAL, 130–132

  • ADAL, 131

  • CAE, 131

  • debugging tools, 132–133

• passwordless authentication, 152

• personal solutions, creating, 155–156

• SAML, 129

• SAS tokens, 158

• security patterns, 53–55

  • Azure AD, 54–55

  • centralized identity providers, 54–55

• server authentication, 154

• SMS-based authentication, 151–152

• SQL Server, 395

• SSO authentication, 156–157

• threat modeling, 107

• zero trust, 28

• ZKPP, 151

authorization (AuthZ), 123–124, 161–162, 395, 403–404

• code flows, 134–135

• control (management) plane, 398–399

• Cosmos DB Security, 413, 415–418

• defined, 124

• FedRAMP, 218–219, 221

• policy-based authorization, 28

• security patterns, 53–55

• servers, OAuth2, 134

automation

• container development/deployment, 384

• deployments, governance, 206

• threat identification, 113–115

• threat modeling, 91

availability patterns, 74–75

Azure

• AD, 54–55

  • Access Reviews, 42

  • ADAL, 131

  • PIM, 46, 57, 168

  • roles, 162–168

  • scopes, 162

  • SecOps, 125

• AKS, 107, 378–380

• App Services, 47

• App Services Web App Containers, 377

• ASB, 202

• Blueprints, 167

• confidential containers, 380

• Confidential ledger, 368–370

• Container Apps, 378

• container services, 375–376

• cryptographic services (overview), 329

• Customer Lockbox, 25–26, 46

• Dedicated Hosts, 41

• dedicated hosts, 27

• Disk Encryption, 336

• Function Cointainers, 377

• Initiatives, 210

• IPv4 addresses, 445–446

• Key Vault, 66–69, 76

  • FIPS 140 and managed HSM, 224

• PaaS, TLS, 345–346

• Policy, 209

  • assigning policies, 211–212

  • effects, 210

  • effects, enforcing by environment, 210–211

  • policy as code, 212

• Portal, compliance state, governance, 208–209

• RBAC, 61–62, 291–299

• rules of engagement, 275

• secure design, 32

• Security Benchmark, 80, 81

• security patterns, 51–52

• Sentinel, 186

  • alerts for custom events, 197–199

• Shared Responsibility Model, 24–25

• Storage, cryptography, 331–335

• storage, redundancy levels, 47

• Storage, Azure Monitor, 174

  • protecting audit logs, 187–188

• Storage Keys, 107

• VM

  • cryptography, 335–337

  • Intel SGX, 361–362, 363–364

  • Intel SGX, keys, 364

  • SEV-SNP, 362–363

  • trusted launches, 366–367

• Well-Architected Framework, 53

Azure Active Directory (AAD), AAD Data Plane RBAC, 416–419

Azure Application Proxy, 451

Azure Container Instances (ACI), 377–378

Azure Container Registry (ACR), 385–386

Azure DevOps Self-Hosted Agents (ADO SHA), 456

Azure Firewall, 449–450

Azure Firewall Premium SKU, 450

Azure Key Vault, 66–69, 76, 288

• access control, 288–290, 301

• auditing, 301–303

• backups, 306–307

• break-glass accounts, 298

• “bring your own key” strategy, 301

• certificates, 288

• compound identities, 299

• contributor permissions, 297

• customer-managed keys, 306

• elliptic-curve keys, 301

• encrypting operations, 290

• FIPS 140 and managed HSM, 224

• get operations, 291–299

• honey keys, 303

• HSM

  • Dedicated HSM, 309

  • Managed HSM, 308–311

  • Payment HSM, 309

• keys, 288, 301

• logging, 301–303

• Microsoft Defender, 306

• network isolation, 304–305

• permission models

  • selecting, 295

  • switching, 292

• Premium edition, 299–301

• RBAC, 291–299

• restoring key versions, 307–308

• rotating keys, 339–341

• RSA, 301

• secrets, 288

• secure keys, 312

• Standard edition, 299–300

• templates, 300

• verifying operations, 290

• wrapping operations, 290

Azure Kubernetes Services (AKS), 378–380, 457

Azure Monitor

• Azure Storage, 174, 187–188

• diagnostic settings, 172–175

• Event Hub, 174

• Log Analytics workspaces, 174, 176

  • action groups, 185–186

  • KQL queries, 176–180

  • protecting audit logs, 186–188

  • raising alerts, 181–185

• Partner Solution, 174

Azure Policy, adding audit logs, 189

Azure Security Baseline, 411, 421–422

Azure Security Benchmark (ASB), 227–228

Azure SQL Database, 394–395

Azure SQL Ledger, 409–410

Azure SQL Managed Instance, 395

Azure WAF (Web Application Firewalls), 450–451

backlogging, mitigations, 119–122

backups

• Azure Key Vault assets, 306–307

• governance, 205

bad data (known), rejecting, 253–255

banned functionality

• avoiding, 12–13

• examples of, 12

benchmarks

• ASB, 202, 227–228

• Azure Security Benchmark, 80, 81

• CIS Benchmarks, 80–81, 226–227

binaries, signing, 268–269

Blueprints, 167

bomb attacks, DTD, 13

bounty programs, Hyper-V, 40–41

break-glass accounts, 298

breaking keys/passwords, cost of, 350–351

Britt, Jim, Azure Policy, 189

broken access control, 257

brute-force attacks, 350–351

bug bars, defining, 7–10

BYOK (Bring Your Own Key), 73–74

C programming language, 270–271

C++ programming language, secure coding, 270–271

CAE (Continuous Access Elevation), 131

CAIRIS, threat modeling, 93–94

CAPEC (Common Attack Pattern Enumeration and Classification), 231

Carielli, Sandy, threat modeling, 89

Carmack, John, static analysis tools, 14

Center of Internet Security (CIS), benchmarks, 80–81

centralized identity providers, authentication, 54–55

certificates, keys, 288

Chambers, John T., hacks, 172

channels, secure, 69–70

CI/CD (Continuous Integration/Continuous Deployment)

• defined, 435

• deployment agents, 440–441

• developers, specialized security, 436–437

• main branch (trunk) security, 438–439

• PR approvals, 437

• PROD deployments, 439–440

• SCA tools, 436

• secrets and service connections, 438

• separation of duties, 437–438

• source control systems, 436

• supply chain attacks, 436

• tools (overview), 435–436

• trunk (main branch) security, 438–439

CIDR, IPv4 addresses, 445–446

ciphersuites, 286, 343–344, 345, 346–349, 356

CIS (Center of Internet Security), benchmarks, 80–81, 226–227

classification, data discovery, 409

clients

• confidential clients, 135

• credential flows, 135

• cryptography, 331

• data encryption, 71–73

• OAuth2, 134, 137

  • confidential clients, 137–138

  • public clients, 137

cloud computing

• Microsoft DFC, 207, 208

• secure design, 23–24, 28–29

clusters

• containers, 386

• network policies, 457–458

CMK (Customer-Managed Keys), 186–187, 204, 330

CNAME (Canonical Names), 459–460

code security

• all input is evil, 238–239

• attackers

  • identity of, 240–241

  • what attackers control, 241–242

• C programming language, 270–271

• C++ programming language, 270–271

• fuzz testing, 274, 275–276

  • API, 280–283

  • Azure rules of engagement, 275

  • generating random data, 276–277

  • manipulating data by format, 280

  • mutating existing data, 277–280

• hashes in coding, 341

• insecure coding, 237

• reviewing, 273–274

• revocation checking, 266

• threat modeling, 239–242

• use analysis tools, 271–273

• verifying data, 242

  • determining correctness, 243–253

  • encoding data, 256

  • rejecting known bad data, 253–255

• vulnerabilities, 256–257

  • authentication failures, 264–266

  • broken access control, 257

  • checking signatures, 268

  • cryptography failures, 257–258

  • data integrity failures, 266–269

  • debugging security headers, 264

  • identification failures, 264–266

  • injection, 258

  • inline scripts/styles, 260–263

  • insecure design, 259

  • logging failures, 269

  • misconfigured security, 259–260

  • monitoring failures, 269

  • signing binaries, 268–269

  • software failures, 266–269

  • SSRF, 269–270

  • vulnerable/outdated components, 264

code verifiers, 135

Coles, Matthew J., threat modeling, 81

column encryption, 408

comment fields, validating, 249–250

Common Attack Pattern Enumeration and Classification (CAPEC), 231

common vulnerabilities, 256–257

• authentication failures, 264–266

• binaries, signing, 268–269

• broken access control, 257

• cryptography failures, 257–258

• data integrity failures, 266–269

• debugging security headers, 264

• identification failures, 264–266

• injection, 258

• inline scripts/styles, 260–263

• insecure design, 259

• logging failures, 269

• misconfigured security, 259–260

• monitoring failures, 269

• signatures, checking, 268

• software failures, 266–269

• SSRF, 269–270

• vulnerable/outdated components, 264

Common Vulnerabilities and Exposures (CVE), 230

Common Vulnerability Scoring System (CVSS), 7, 230

Common Weakness Enumeration (CWE), 231

communications (allowed), VNets, 448

compensating controls, 286

complete mediation, 33–34

complexity, containers, 381–382

compliance, 232–233

• ASB, 227–228

• ATT&CK, 231

• CAPEC, 231

• CIS benchmarks, 226–227

• CVE, 230

• CWE, 231

• defined, 213–215

• FedRAMP, 218–219, 221

• FIPS 140, 221–222

  • Azure Key Vault and managed HSM, 224

  • SHA-2 in .NET, 222–223

• GDPR, 216–217

• HIPPA, 215–216

• HITRUST, 216

• ISO/IEC 27001, 225–226

• ISO/IEC 27034, 226

• MITRE, 229–230

• NIST Cybersecurity Framework, 220–221

• NIST SP 800–53, 219–220, 221

• NVD, 230

• OWASP, 229

• PCI DSS, 217–218

• SOC, 224–225

• threat modeling, 233–234

compliance state, reviewing, 208–209

components

• leveraging existing components, 42–43

• vulnerable/outdated, 264

compound identities, 299

compromises

• developers, 3–4

• reasons for, 171–172

• sources of, 3–4

confidential clients, 135, 137–138, 359

confidential computing

• adopting, 360

• Arm TrustZone, 363

• Confidential containers, 370–371

• Confidential ledger, 368–370

• DCsv3 VM, 363–364

• defined, 359–360

• Intel SGX, 361–362, 363–364

• Intel TME-MK, 363–364

• memory isolation/encryption, 360

• processors, 361

• remote attestation, 360, 364–366

• resources, 360

• secure key management, 360

• SEV-SNP, 362–363

• TEE code, 361–362

• trusted launches, 360, 366–367

• VBS, 368

confidential containers, 370–371, 380

Confidential ledger, 368–370

connection strings, SQL, 402

consent

• incremental consent, 140

• OAuth2, 139–140

containers, 375, 388

• ACI, 377–378

• ACR, 385–386

• AKS, 378–380

• Azure App Services Web App Containers, 377

• Azure confidential containers, 380

• Azure Container Apps, 378

• Azure container services, 375–376

• Azure Function Containers, 377

• clusters, 386

• complexity, 381–382

confidential containers, 370–371, 380

• defined, 373–374

• Docker, 373–374

• fragmentation, 383

• IaaS, 376

• images, 385

• immaturity, 383

• K8s, 373–375

• Managed OpenShift, 381

• Microsoft Defender for Containers, 386

• pods, 387–388

• problems with, 381–383

• resources, 375

• service security

  • deployments, 384–385

  • development, 384–385

  • overview, 383–384

Content-Security-Policy (CSP), 260

Continuous Access Elevation (CAE), 131

Continuous Integration/Continuous Deployment (CI/CD)

• defined, 435

• deployment agents, 440–441

• developers, specialized security, 436–437

• main branch (trunk) security, 438–439

• PR approvals, 437

• PROD deployments, 439–440

• SCA tools, 436

• secrets and service connections, 438

• separation of duties, 437–438

• source control systems, 436

• supply chain attacks, 436

• tools (overview), 435–436

• trunk (main branch) security, 438–439

contributor permissions, 297

control (management) plane, 392, 393

• auditing, 399–400, 414

• authentication, 396–398, 412–413

• authorization, 398–399, 413

• cryptography, 400–401

• network isolation, 401–402, 414

• permissions, 161

control-flow analysis, 17–18

correctness (verifying data), determining, 243

• error handling, 253

• Greek question mark, 251–252

• HTML, 251

• names, security decisions based on, 253

• namespace std, 245–246

• real-world experience, 243–245

• validating

  • comment fields, 249–250

  • date and time, 247

  • high-level validation tools, 252

  • open spots, 248–249

  • vaccination center ID, 246

  • vaccination type, 248

Cosmos DB Security, 411–412

• Always Encrypted, 431–433

• auditing, 414

• authentication, 412–413

• authorization, 413

• Azure Security Baseline, 422

• cryptography, 414, 421

• data plane

  • auditing, 419–420

  • cryptography, 420

  • network isolation, 420–421

• data plane authentication, 414–415

• Microsoft Defender for Cosmos DB, 421–422

• network isolation, 414

CredScan, 313–314

Cross-Site Scripting (XSS), 30, 258

crypto shredding, 407

cryptography, 391

• agility, 312–313

  • CredScan, 313–314

  • delimiters, 323

  • implementing, 315–323

  • metadata, 316–317

  • nonclass factory cryptographic algorithms, 317–320

  • Office (MS) documents, 317

  • process of, 314–315

  • real-world experience, 322–323

  • summary, 323–324

  • TLS, 343

  • version numbers, 320–322

• Azure Disk Encryption, 336

• Azure Key Vault, 288

  • access control, 288–290, 301

  • auditing, 301–303

  • backups, 306–307

  • break-glass accounts, 298

  • “bring your own key” strategy, 301

  • certificates, 288

  • compound identities, 299

  • contributor permissions, 297

  • customer-managed keys, 306

  • Dedicated HSM, 309

  • elliptic-curve keys, 301

  • encrypting operations, 290

  • get operations, 291–299

  • honey keys, 303

  • logging, 301–303

  • Managed HSM, 308–311

  • Microsoft Defender, 306

  • network isolation, 304–305

  • Payment HSM, 309

  • Premium edition, 299–301

  • RBAC, 291–299

  • restoring key versions, 307–308

  • RSA, 301

  • secrets, 288

  • secure keys, 312

  • selecting permission models, 295

  • Standard edition, 299–300

  • switching permission models, 292

  • templates, 300

  • verifying operations, 290

  • wrapping operations, 290

• Azure services (overview), 329

• Azure Storage, 331–335

• Azure VM, 335–337

• ciphersuites, 286, 343–344, 345, 346–349, 356

• client-side cryptography, 331

• compensating controls, 286

• complexity, 286–287

• control (management) plane, 400–401

• Cosmos DB Security, 414, 421

• CredScan, 313–314

• data at rest, 406–407

• data in transit, 341–343

• data plane, 405, 420

• database security, 393, 395–396

• defined, 285–286

• DEK, 329

• delimiters, 323

• E@H, 336–337

• ECDSA, 353

• failures, 257–258

• hashes in coding, 341

• KEK, 329

• keys

  • agreements, 344

  • certificates, 288

  • defined, 287

  • exchanges, 344

  • secrets, 288

  • security, 287

• metadata, 316–317

• Microsoft Data Encryption SDK, 324–329

• nonclass factory cryptographic algorithms, 317–320

• Office (MS) documents, 317

• PFS, 344–345

• rotating keys, 337–341

• RSA, 353

• SQL Server and database security, 395–396

• SSE, 335–336

  • CMK, 330

  • PMK, 329–330

• SSL, 342

• TLS, 342, 345

  • .NET code, common mistakes, 354

  • cryptographic agility, 343

  • debugging, 354–356

  • IaaS, 350

  • Linux VM, 350–351

  • PaaS, 345–346

  • testing, 354

  • versions of, 342–343

  • Windows VM, 352–353

• unsecured SSH, 357

• version numbers, 320–322

crypto-shredding, 186

CSP (Content-Security-Policy), 260

custom events

• alerts, 197–199

• threat modeling, 193–197

custom role definitions, 165–166

Customer Lockbox, 25–26, 46

Customer-Managed Keys (CMK), 186–187, 204, 330

CVE (Coimmon Vulnerabilities and Exposures), 230

CVSS (Common Vulnerability Scoring System), 7, 230

CWE (Common Weakness Enumeration), 231

Cybersecurity Framework, NIST, 220–221

dashboard, Threats Manager Studio, 118–119

DAST (Dynamic Application Security Testing), 16–17

data at rest, cryptography, 406–407

data discovery/classification, 409

data encryption

• Azure Disk Encryption, 336

• client-side data encryption, 71–73

• data in transit, 341–343

• E@H, 336–337

• Microsoft Data Encryption SDK, 324–329

• SSE, 335–336

Data Encryption SDK (MS), 324–329

Data Flow Diagrams (DFD), threat modeling, 82–85

data in transit, encryption, 29, 341–343

data integrity failures, 266–269

data plane, 392, 393

• auditing, 404, 419–420

• authentication, 402–403, 414

• authorization, 403–404, 415–418

• cryptography, 405, 420

• network isolation, 405–406, 420–421

• permissions, 161

data protection

• GDPR, 216–217

• governance, 203–204

data recovery, governance, 205

data verification, 242

• determining correctness, 243

  • error handling, 253

  • Greek question mark, 251–252

  • high-level validation tools, 252

  • HTML, 251

  • namespace std, 245–246

  • real-world experience, 243–245

  • security decisions based on names, 253

  • validating comment fields, 249–250

  • validating date and time, 247

  • validating open spots, 248–249

  • validating vaccination center ID, 246

  • validating vaccination type, 248

• encoding data, 256

• rejecting known bad data, determining correctness, 253–255

database security

• Always Encrypted, 429–433

• auditing, Cosmos DB Security, 419–420

• Azure Security Baseline, 411

• Azure SQL Database, 394–395

• Azure SQL Ledger, 409–410

• Azure SQL Managed Instance, 395

• control (management) plane, 392, 393

  • auditing, 399–400

  • authentication, 396–398

  • authorization, 398–399

  • cryptography, 400–401

  • network isolation, 401–402

• Cosmos DB Security, 411–412

  • auditing, 414

  • authentication, 412–413, 414–415

  • authorization, 413, 415–418

  • Azure Security Baseline, 422

  • cryptography, 414, 421

  • data plane authentication, 414–415

  • Microsoft Defender for Cosmos DB, 421–422

  • network isolation, 414, 420–421

• crypto shredding, 407

• cryptographic controls, 393

• data at rest, cryptography, 406–407

• data discovery/classification, 409

• data plane, 392, 393

  • auditing, 404

  • authentication, 402–403

  • authorization, 403–404

  • cryptography, 405, 421

  • network isolation, 405–406

• dynamic data masking, 408

• encryption, Always Encrypted, 422–426

• golden rules, 394

• immutable storage, 410–411

• importance of, 391

• managed identities, 407–408

• Microsoft Defender for Cosmos DB, 421–422

• NIN, 426–429

• remote attestation, 431

• secure enclaves, 431

• security services, 393–394

• SQL Injection, 433–434

• SQL Server, 394, 395

  • auditing, 395

  • authentication, 395

  • authorization, 395

  • cryptography, 395–396

  • network isolation, 396

• SQL Server family (overview), 394

• SQL Server IaaS Agent, 411

• SSN, 426–429

• supported products, 392

• TDE, 406–407

• techniques (overview), 392

data-flow analysis, 18

date and time validation, data verification, 247

DCsv3 VM (Virtual Machines), 363–364

debt, technical security, 19

debugging

• OAuth2, 132–133

• OpenID Connect, 132–133

• security headers, 264

• TLS, 354–356

dedicated hosts, 27, 41

Dedicated HSM, Azure Key Vault, 309

dedicated PaaS instances, 456

Defender, Microsoft, Azure Key Vault, 306

Defender for Cloud (DFC), Microsoft, 207, 208

Defender for Containers, Microsoft, 386

Defender for Cosmos DB, Microsoft, 421–422

Defender for SQL, Microsoft, 410–411

defense in depth, 34–37

defining

• bug bars, 7–10

• firewall rules, 59

• mitigations, 110–112

• private endpoints, 60

• roles, custom definitions, 165–166

• toolchains, 11

DEK, 329, 338

delegated permissions, 138

delimiters, cryptographic agility, 323

Demilitarized Zones (DMZ), 34–35

Denial-of-Service (DOS) attacks, 75–77, 391

denying role assignments, 167

deployments

• agents, 440–441

• CI/CD

  • defined, 435

  • deployment agents, 440–441

  • developers, specialized security, 436–437

  • main branch (trunk) security, 438–439

  • PR approvals, 437

  • PROD deployments, 439–440

  • SCA tools, 436

  • secrets and service connections, 438

  • separation of duties, 437–438

  • source control systems, 436

  • supply chain attacks, 436

  • tools (overview), 435–436

  • trunk (main branch) security, 438–439

• PROD, 439–440

design patterns, 51. See also security patterns

design security

• access rights, 28–29

• AD Access Reviews, 42

• AD PIM, 46

• assume-breach, 29

• attack surface reduction, 32–33

• Azure security design principles, 32

• cloud computing, 23–24, 28–29

• complete mediation, 33–34

• Customer Lockbox, 25–26

• Dedicated Hosts, 41

• dedicated hosts, 27

• defense in depth, 34–37

• DevOps, 23–24

• DMZ, 34–35

• economy of mechanisms, 37–38

• encrypting data in transit, 29

• fail-safe defaults, 38–40

• FAIR, 31–32

• firewalls, 27

• IaaS, 24–27

• insecure design, 259

• least common mechanism, 40–41

• leveraging existing components, 42–43

• micro-segmenting networks, 29

• monitoring, 29

• open design, 43–45

• open source, 44–45

• PaaS, 24–27

• PAW, 42

• PIM, 28

• policy-based authorization, 28

• principle of least privilege, 28, 41–42

• prioritizing mitigations, 48

• psychological acceptability, 45

• residual risk, 37

• SaaS, 24–27

• scanning, 29

• separation of duties, 45–46

• Shared Responsibility Model, 24–25

• shifting left, 31

• single point of failure, 46–47

• SQLMap, 30

• thoughts on, 31–32

• WAF, 30

• weakest link, 47–48

• zero trust, 27–31

determining correctness, verifying data, 243

• error handling, 253

• Greek question mark, 251–252

• HTML, 251

• names, security decisions based on, 253

• namespace std, 245–246

• real-world experience, 243–245

• validating

  • comment fields, 249–250

  • date and time, 247

  • high-level validation tools, 252

  • open spots, 248–249

  • vaccination center ID, 246

  • vaccination type, 248

deterministic encryption, 73

DEV environments, 448

developers

• authentication, importance of, 155

• CI/CD, 436–437

• compromises, 3–4

• fuzz testing, 274

• governance, 201

• specialized security, 436–437

• zero trust, 27–31

development, logging for, 172

device code flows, 136

DEVINT environments, 448

DevOps

• ADO SHA, 456

• deployment agents, 440–441

• governance, 205

• identity, 438

• intentional security monitoring/auditing, 190

• main branch (trunk) security, 438–439

• PROD deployments, 439–440

• secure design, 23–24

• service connections, 438

• trunk (main branch) security, 438–439

DFC (Defender for Cloud), Microsoft, 207, 208

DFD (Data Flow Diagrams), threat modeling, 82–85

disclosure attacks, information, 391

discovery/classification, data, 409

Disk Encryption, Azure, 336

DMZ (Demilitarized Zones), 34–35

DNS (Domain Name Systems), 454–455

• CNAME, 459–460

• dangling DNS, 459–460

Docker, containers, 373–374

documentation

• governance, 206

• Office (MS) documents, defined, 317

Domain Name Systems (DNS), 454–455

• CNAME, 459–460

• dangling DNS, 459–460

domain security, 309–311

DoS (Denial-of-Service) attacks, 75–77, 391

DTD bomb attacks, 13

duties, separation of, 45–46, 437–438

dynamic analysis tools, 16–17

dynamic data masking, 408

E@H (Encryption at Host), 336–337

ECDSA (Elliptic Curve Digital Signature Algorithm), 353

economy of mechanisms, 37–38

education (security), governance, 206

egress/ingress controls, 449, 457

elevation of privileges attacks, 391

elliptic-curve keys, 301

enclaves, secure, 431

encoding data, verifying data, 256

encryption

• Always Encrypted, 422–426, 429–433

• client-side data encryption, 71–73

• column encryption, 408

• data encryption

  • Azure Disk Encryption, 336

  • data in transit, 29, 341–343

  • E@H, 336–337

  • Microsoft Data Encryption SDK, 324–329

  • SSE, 335–336

• database security, Always Encrypted, 422–426

• deterministic encryption, 73

• E@H, 336–337

• Intel TME-MK, 363–364

• KEK, 329, 338

• memory, 360

• operations, Azure Key Vault, 290–299

• SQL Server Always Encrypted, 73

• SSE

  • CMK, 330

  • PMK, 329–330

• TDE, 406–407

Encryption at Host (E@H), 336–337

endpoints, 205

• defining, 60

• private endpoints, 454–455, 457

Entra, 130

EPAC (Enterprise Policy as Code), 212

error handling, determining correctness by verifying data, 253

Event Hub, Azure Monitor, 174

events

• custom events, 193–199

• threat modeling, m 190–199

existing data, mutating, 277–280

Fahmy, Sonia, firewalls, 27

fail-safe defaults, 38–40

failure, single point of failure, 46–47

FAIR, 31–32

Fair Institute, 32

FedRAMP (Federal Risk and Authorization Management Program), 218–219, 221

FIPS 140 (Federal Information Processing Standard 140), 221–222

• Azure Key Vault and managed HSM, 224

• SHA-2 in .NET, 222–223

firewalls, 27

• Azure Firewall, 449–450

• Azure Firewall Premium SKU, 450

• rules, defining, 59

• WAF, 30

flexibility, threat modeling, 91

flows

• analysis, 17

  • control-flow analysis, 17–18

  • data-flow analysis, 18

• OAuth2, 127, 134

  • authorization code flows, 134–135

  • client credential flows, 135

  • device code flows, 136

  • implicit flows, 136

  • OBO flows, 135

  • ROPC flows, 136

  • supported applications, 136–137

formatting data, manipulating by format, 280

Forrester and Gartner, threat modeling, 89

fragmentation, containers, 383

frameworks, Azure Well-Architected Framework, 53

Frantzen, Michael, firewalls, 27

Function Cointainers, Azure, 377

functionality, banned, 12–13

fuzz testing, 274, 275–276

• API, 280–283

• Azure rules of engagement, 275

• generating random data, 276–277

• manipulating data by format, 280

• mutating existing data, 277–280

Gamma, Erich, design patterns, 51

gate tools, quality, 20

GDPR (General Data Protection Regulation), 216–217

Geo-Redundant Storage (GRS), 47

Geo-Zone-Redundant Storage (GZRS), 47

get operations, 291–299

GitHub

• Azure Policy, 189

• deployment agents, 441

• main branch (trunk) security, 438–439

• PROD deployments, 439–440

• public repos, 441

• service principal secrets, 438

• trunk (main branch) security, 438–439

golden rules, 394

governance

• ASB, 202

• asset management, 204

• automating deployments, 206

• Azure Initiatives, 210

• Azure Policy, 209

  • assigning policies, 211–212

  • effects, 210

  • effects, enforcing by environment, 210–211

  • policy as code, 212

• Azure Portal, 208–209

• backups, 205

• compliance state, reviewing, 208–209

• data protection, 203–204

• data recovery, 205

• developers, 201

• DevOps, 205

• documentation, 206

• endpoint security, 205

• enforcement, 206

• identity management, 203

• incident response plans, 204

• logging, 204

• Microsoft DFC, 207, 208

• network security, 202

• posture management, 204–205

• privileged access, 203

• RBAC, 206, 210–211

• Secure Score, 207–208

• security education, 206

• strategies, 205

• vulnerability management, 204–205

grant flows. See flows

Greek question mark, determining correctness by verifying data, 251–252

grouping actions, Log Analytics workspaces, 185–186

groups, role assignments, 58–59

GRS (Geo-Redundant Storage), 47

GUID, version numbers, 324

guidance, threat modeling, 91

GZRS (Geo-Zone-Redundant Storage), 47

hacks, reasons for, 171–172

hardware root of trust, 359

hashes in coding, 341

Health Information Trust (HITRUST), 216

Health Insurance Portability and Accountability Act (HIPPA), 215–216

Helm, Richard, design patterns, 51

HIPPA (Health Insurance Portability and Accountability Act), 215–216

HITRUST (Health Information Trust), 216

honey keys, 303

HoneyPi, 171

honeypots, 171

hosting, applications, 133

hosts

• dedicated hosts, 27

• E@H, 336–337

HSM (Hierarchical Storage Management)

• Azure Key Vault

  • Dedicated HSM, 309

  • FIPS 140, 224

  • Managed HSM, 308–311

  • Payment HSM, 309

• security domains, 309–311

HTML (Hypertext Markup Language), determining correctness, verifying data, 251

HTTP (Hypertext Transfer Protocol), AppServiceHTTPLogs, 173

hubs, 447

Hyper-V, bounty programs, 40–41

IaaS (Infrastructure as a Service), 24–27

• containers, 376

• SQL Server IaaS Agent, 411

• TLS, 350

IaC (Infrastructure as Code), 443

ID tokens, 138

identification failures, 264–266

identifying threats, 108–109, 113–115

identity, 123–124

• of attackers, secure coding, 240–241

• centralized identity providers, authentication, 54–55

• compound identities, 299

• defined, 124

• DevOps, 438

• Entra, 130

• isolating identity perimeters, 60–61

• managing

  • governance, 203

  • identities, 64–66, 403, 407–408

• modern identity, access management, 125

• NIN, 426–429

• OAuth2, 125–129, 134, 146–150

  • application registration, 129

  • authorization servers, 134

  • clients, 134, 137–138

  • consent, 139–140

  • debugging, 132–133

  • flows, 127, 134–137

  • JWT, 142–146

  • permissions, 138–140

  • resource owners, 127

  • resource servers, 134

  • roles, 134

  • scopes, 141

  • tokens, 138

  • tokens as credentials, 128

  • users vs. clients, 131

  • validation, 143–146

• OpenID Connect, 125–129, 132–133

• PIM, 28, 168

• providers, 134

• SSN, 426–429

images, containers, 385

immaturity, containers, 383

immutable storage, 410–411

implicit flows, 136

incident response plans, 18, 204

incremental consent, 140

information

• disclosure attacks, 391

• sensitive information, management patterns, 69

Infrastructure as a Service (IaaS)

• containers, 376

• SQL Server IaaS Agent, 411

• TLS, 350

Infrastructure as Code (IaC), 443

ingress/egress controls, 449, 457

Initiatives, Azure, 210

injection, 258

inline scripts/styles, 260–263

input, all input is evil, 238–239

insecure coding, 237

insecure design, 259

integration

• CI/CD

  • defined, 435

  • deployment agents, 440–441

  • developers, specialized security, 436–437

  • main branch (trunk) security, 438–439

  • PR approvals, 437

  • PROD deployments, 439–440

  • SCA tools, 436

  • secrets and service connections, 438

  • separation of duties, 437–438

  • source control systems, 436

  • supply chain attacks, 436

  • tools (overview), 435–436

  • trunk (main branch) security, 438–439

• threat modeling, 91

Intel

• SGX, 361–362, 363–364

• TME-MK, 363–364

intentional security monitoring/auditing, 190

interception, likelihood of, 70–71

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)

• ISO/IEC 27001, 225–226

• ISO/IEC 27034, 226

Internet

• CIS Benchmarks, 80–81

• isolating networks, 59–60

Internet Protocol version 6 (IPv6), 445

Investment (ROI), Return on, threat modeling, 88

IPv4 (Internet Protocol version 4), 445

• addresses, 445–446

• concepts, 445

• routing, 446

• UDR, 446

IPv6 (Internet Protocol version 6), 445

ISO/IEC (International Organization for Standardization/International Electrotechnical Commission)

• ISO/IEC 27001, 225–226

• ISO/IEC 27034, 226

isolating

• identity perimeters, 60–61

• memory, 360

• networks, 59–60, 420–421

• networks

  • Azure Key Vault, 304–305

  • control (management) plane, 401–402, 414

  • data plane, 405–406

Johnson, Ralph, design patterns, 51

just-in-time administration, 56–58

JWT (JSON Web Tokens), 142–146

K8s (Kubernetes), 373–375

Kamara, Seny, firewalls, 27

KEK (Key Encryption Keys), 329, 338

Kerckhoff’s Principle, 44

Kerschbaum, Florian, firewalls, 27

Key Vault, Azure, 66–69, 76, 288

• access control, 288–290, 301

• auditing, 301–303

• backups, 306–307

• break-glass accounts, 298

• “bring your own key” strategy, 301

• certificates, 288

• compound identities, 299

• contributor permissions, 297

• customer-managed keys, 306

• elliptic-curve keys, 301

• encrypting operations, 290

• FIPS 140 and managed HSM, 224

• get operations, 291–299

• honey keys, 303

• HSM

  • Dedicated HSM, 309

  • Managed HSM, 308–311

  • Payment HSM, 309

• keys, 288, 301

• logging, 301–303

• Microsoft Defender, 306

• network isolation, 304–305

• permission models

  • selecting, 295

  • switching, 292

• Premium edition, 299–301

• RBAC, 291–299

• restoring key versions, 307–308

• rotating keys, 339–341

• RSA, 301

• secrets, 288

• secure keys, 312

• Standard edition, 299–300

• templates, 300

• verifying operations, 290

• wrapping operations, 290

keys

• agreements, 344

• authentication keys, 338

• Azure Key Vault. See separate entry

• Azure Storage Keys, 107

• breaking, cost of, 350–351

• “bring your own key” strategy, 301

• BYOK, 73–74

• certificates, 288

• CMK, 186–187, 204, 330

• cryptography, defined, 287

• customer-managed keys, 306

• DEK, 329, 338

• elliptic-curve keys, 301

• exchanges, 344

• honey keys, 303

• Intel SGX, 364

• Intel TME-MK, 363–364

• KEK, 329, 338

• PKCE, 135

• PMK, SSE, 329–330

• restoring key versions, 307–308

• rotating, 337–341

• secrets, 288

• secure keys, 287, 312, 360

• signing keys, 338

• storage account keys, misuse of, 158–159

known bad data, rejecting, 253–255

KQL (Kusto Query Language) queries, 176–180

Kubernetes

• AKS, 107, 378–380, 457

• K8s, 373–375

Kuriel, Maor, Kubernetes (AKS), 107

Kusto Query Language (KQL) queries, 176–180

landing zones, 447

launches, trusted, 360, 366–367

least common mechanism, 40–41

least privilege, principle of, 28, 41–42

LeBlanc, David, Writing Secure Code, 6

leveraging existing components, 42–43

likelihood of interception, 70–71

limiting access rights, 28–29

links, private, 454–455

Linux VM (Virtual Machines), TLS, 350–351

Litchfield, David, determining correctness, 243

Local Redundant Storage (LRS), 47

Log Analytics workspaces, Azure Monitor, 176

• action groups, 185–186

• alerts, raising, 181–185

• audit logs, protecting, 186–188

• KQL queries, 176–180

logging

• allLogs, 175

• AppServiceAppLogs, 173

• AppServiceAuditLogs, 173

• AppServiceConsoleLogs, 173

• AppServiceHTTPLogs, 173

• AppServiceIPSecAuditLogs, 173–174

• AppServicePlatformLogs, 174

• audit logs, 175, 186–188

• for auditing, defined, 172

• Azure Key Vault, 301–303

• Azure Monitor

  • Azure Storage, 174, 187–188

  • diagnostic settings, 172–175

  • Event Hub, 174

  • Log Analytics workspaces, 174, 176

  • Log Analytics workspaces, action groups, 185–186

  • Log Analytics workspaces, KQL queries, 176–180

  • Log Analytics workspaces, protecting audit logs, 186–188

  • Log Analytics workspaces, raising alerts, 181–185

  • Partner Solution, 174

• Azure Policy, adding audit logs, 189

• Azure Sentinel, 186

• category groups, 175

• CMK, 186–187

• costs, 189–190

• crypto-shredding, 186

• defined, 172

• for development, defined, 172

• failures, 269

• governance, 204

• intentional security monitoring/auditing, 190

• KQL queries, 176–180

• monitoring, defined, 172

• threat detection, 204

• threat modeling events, 190–199

login credentials, storage, SQL Server, 398

LRS (Local Redundant Storage), 47

main branch (trunk) security, 438–439

malware, TEE code, 362

Managed HSM

• Azure Key Vault, 308–311

• security domains, 309–311

managed identities, 64–66, 403, 407–408

Managed OpenShift, 381

management (control) plane, 392, 393

• auditing, 399–400, 414

• authentication, 396–398, 412–413

• authorization, 398–399, 413

• cryptography, 400–401

• network isolation, 401–402, 414

managing

• access, modern identity, 125

• assets, 204

• identities, 64–66

  • governance, 203

  • PIM, 28

• PIM, 28, 168

• posture, 204–205

• resource management private links, 401–402

• risk, threat modeling, 101

• role assignments, 164–165

• secrets management patterns, 64

• secure key management, 360

• sensitive information, 69

• Threats Manager Studio, 99–101

  • dashboard, 118–119

  • roadmaps, 115–118

• VNets, 456

• vulnerabilities, 204–205

manipulating data by format, 280

masking dynamic data, 408

mechanisms

• economy of mechanisms, 37–38

• least common mechanism, 40–41

mediation, complete, 33–34

memory

• Intel TME-MK, 363–364

• isolation/encryption, 360

metadata, cryptographic, 316–317

MFA (Multifactor Authentication), 152–153

micro-segmenting networks, 29

microservices, Key Vault, 68–69

Microsoft

• Data Encryption SDK, 324–329

• Defender, Azure Key Vault, 306

• Defender for Containers, 386

• Defender for Cosmos DB, 421–422

• Defender for SQL, 410–411

• DfrC, 207, 208

• Entra, 130

• MSAL, 130–132

  • ADAL, 131

  • CAE, 131

  • debugging tools, 132–133

• Office (MS) documents, defined, 317

• SDL

  • attack surface analysis, 10

  • banned functionality, avoiding, 12–13

  • bug bars, defining, 7–10

  • components, 5–6

  • CVSS, 7

  • defined, 4

  • DTD bomb attacks, 13

  • dynamic analysis tools, 16–17

  • features, 5

  • flow analysis, 17–18

  • goals, 4

  • incident response plans, 18

  • overview, 20–21

  • penetration testing (pentests), 19

  • requirements, 4, 5–6

  • security training, 6

  • static analysis tools, 13–16, 17

  • tasks, 5–6

  • tasks by sprint, 20–21

  • technical security debt, 19

  • threat modeling, 10

  • toolchains, defining, 11

• Threat Modeling Tool, 94–95

misconfigured security, 259–260

mitigation

• assumptions, 113

• backlogging, 119–122

• creating, 111

• defining, 110–112

• mitigation identification phase, threat modeling, 82

• Mitigations Kanbnan, 122

• prioritizing, 48

• threat modeling, 91

MITRE, 229–230

modeling threats, 10, 32, 79. See also attacks

• analysis phase, 82

• authentication, 107

• automation, 91

• benchmarks

  • Azure Security Benchmark, 80, 81

  • CIS Benchmarks, 80–81

• CAIRIS, 93–94

• compliance, 233–234

• defined, 80–81

• development vs. security, 90–91

• DFD, 82–85

• events, 190–199

• example of, 101–102

  • first meeting, 102–104

  • second meeting, 104–107

• factors of, 92–93

• flexibility, 91

• guidance, 91

• identifying threats, 108–109

  • automation, 113–115

  • severity of threats, 110

• integration, 91

• Microsoft Threat Modeling Tool, 94–95

• mitigation, 91

  • assumptions, 113

  • backlogging, 119–122

  • defining, 110–112

  • mitigation identification phase, 82

• OWASP Threat Dragon, 96–97

• phases of, 81–84

• pytm, 97–98

• risk management, 101

• roadmaps, 115–118

• ROI, 88

• searching for better processes, 88–89

• secure coding, 239–242

• security champions, 88–89

• STRIDE threat-classification, 85–86

• Threagile, 92–93, 98–99

• threat identification phase, 82

• Threat Modeling Manifesto, 80

• Threats Manager Studio, 99–101

  • dashboard, 118–119

  • roadmaps, 115–118

• tools (overview), 91–92

• trouble with, 86–88

• validation phase, 82

modern identity, access management, 125

monitoring

• allLogs, 175

• AppServiceAppLogs, 173

• AppServiceAuditLogs, 173

• AppServiceConsoleLogs, 173

• AppServiceHTTPLogs, 173

• AppServiceIPSecAuditLogs, 173–174

• AppServicePlatformLogs, 174

• audit logs, 175, 186–188

• Azure Monitor

  • Azure Storage, 174, 187–188

  • diagnostic settings, 172–175

  • Event Hub, 174

  • Log Analytics workspaces, 174, 176

  • Log Analytics workspaces, action groups, 185–186

  • Log Analytics workspaces, KQL queries, 176–180

  • Log Analytics workspaces, protecting audit logs, 186–188

  • Log Analytics workspaces, raising alerts, 181–185

  • Partner Solution, 174

• Azure Policy, adding audit logs, 189

• Azure Sentinel, 186

• category groups, 175

• CMK, 186–187

• costs, 189–190

• crypto-shredding, 186

• defined, 172

• failures, 269

• intentional security monitoring/auditing, 190

• KQL queries, 176–180

• secure design, 29

• threat modeling events, 190–199

MSAL (Microsoft Authentication Library), 130–132

• ADAL, 131

• CAE, 131

• debugging tools, 132–133

Mueller III, Robert S., hacks, 172

Multifactor Authentication (MFA), 152–153

mutating existing data, 277–280

names, security decisions based on, 253

namespace std, 245–246

National Identity Numbers (NIN), 426–429

National Institute of Standards and Technology (NIST)

• Cybersecurity Framework, 220–221

• NIST SP 800–53, 219–220, 221

National Vulnerability Database (NVD), 230

.NET code, TLS, common mistakes, 354

.NET SHA-2 and FIPS 140, 222–223

Network Security Groups (NSG), 446–447

networks

• ADO SHA, 456

• agents, 456–458

• AKS, 457

• Azure networking primer, 443–445

• cluster network policies, 457–458

• control (management) plane isolation, 401–402, 414

• data plane isolation, 405–406

• firewalls, Azure Firewall, 449–450

• isolation, 59–60, 396

  • Azure Key Vault, 304–305

  • Cosmos DB Security, 420–421

• micro-segmenting networks, 29

• private networking, PaaS, 451–452

• security, governance, 202

• segmenting

  • networks, 29

  • VNets, 447–448

• VNets, 443–445

  • ADO SHA, 456

  • agents, 456–458

  • AKS, 457

  • allowed communications, 448

  • API Management Gateways, 451

  • ASG, 447

  • Azure Application Proxy, 451

  • Azure Firewall, 449–450

  • Azure Firewall Premium SKU, 450

  • Azure WAF, 450–451

  • cluster network policies, 457–458

  • CNAME, 459–460

  • dedicated PaaS instances, 456

  • DEV environments, 448

  • DEVINT environments, 448

  • DNS, 454–455

  • hubs, 447

  • ingress/egress controls, 449, 457

  • IPv4, 445–446

  • IPv6, 445

  • landing zones, 447

  • managing, 456

  • NONPROD environments, 448

  • NSG, 446–447

  • NVA, 449

  • PaaS and private networking, 451–452

  • private endpoints, 454–455, 457

  • private shared PaaS, 452–455

  • PROD environments, 448

  • SANDBOX environments, 448

  • segmenting, 447–448

  • shared app service plans, 455

  • spokes, 447

NIN (National Identity Numbers), 426–429

NIST (National Institute of Standards and Technology)

• Cybersecurity Framework, 220–221

• NIST SP 800–53, 219–220, 221

nodes, AKS, 387

nonclass factory cryptographic algorithms, 317–320

NONPROD environments, 448

NSG (Network Security Groups), 446–447

NVA (Network Virtual Appliances), 449

NVD (National Vulnerability Database), 230

OAuth2, 125–129, 146–150

• applications, registration, 129

• authorization servers, 134

• clients, 134, 137

  • confidential clients, 137–138

  • public clients, 137

• consent, 139–140

• debugging, 132–133

• flows, 127, 134

  • authorization code flows, 134–135

  • client credential flows, 135

  • device code flows, 136

  • implicit flows, 136

  • OBO flows, 135

  • ROPC flows, 136

  • supported applications, 136–137

• permissions, 138–140

  • application permissions, 138

  • delegated permissions, 138

• resource owners, 127, 134

• resource servers, 134

• roles, 134

• scopes, 141

• tokens

  • access tokens, 138

  • as credentials, 128

  • ID tokens, 138

  • JWT, 142–146

  • validation, 143–146

• users vs. clients, 131

OBO (On-Behalf-Of) flows, 135

Office (MS) documents, defined, 317

On-Behalf-Of (OBO) flows, 135

open design, 43–45

open source, 44–45

Open Web Application Security Project (OWASP), 229

OpenID Connect, 125–129, 132–133

OpenShift, Managed, 381

outdated components, 264

OWASP (Open Web Application Security Project), 229

• static analysis tools, 16

• Threat Dragon, 96–97

• XSS, 30

owners, resource, 127, 134

PaaS (Platform as a Service), 24–27

• dedicated PaaS instances, 456

• private networking, 451–452

• private shared PaaS, 452–455

• TLS, 345–346

PAM (Privileged Access Management) tool, 56–57

Partner Solution, Azure Monitor, 174

passwordless authentication, 152

passwords

• breaking, cost of, 350–351

• ZKPP, 151

patterns

• availability patterns, 74–75

• design patterns, 51

• security patterns

  • application roles, 62–64

  • authentication patterns, 53–55

  • authorization patterns, 56

  • availability patterns, 74–75

  • Azure, 51–52

  • Azure AD PIM, 57

  • Azure Well-Architected Framework, 53

  • BYOK, 73–74

  • client-side data encryption, 71–73

  • DoS attacks, 75–77

  • isolating identity perimeters, 60–61

  • isolating networks, 59–60

  • just-in-time administration, 56–58

  • Key Vault, 66–69, 76

  • likelihood of interception, 70–71

  • list of, 52

  • managed identities, 64–66

  • PAM tool, 56–57

  • RBAC, 61–62

  • role assignments, 58–59

  • secrets management patterns, 64

  • secure channels, 69–70

  • sensitive information management patterns, 69

Patterns and Practices Initiative, 42–43

PAW (Privileged Access Workstations), 42

Payment Card Industry Data Security Standard (PCI DSS), 217–218

Payment HSM, 309

PCI DSS (Payment Card Industry Data Security Standard), 217–218

penetration testing (pentests), 19

Perfect Forward Secrecy (PFS), 344–345

perimeter defenses, firewalls, 27

permissions

• contributor permissions, 297

• control plane permissions, 161

• data plane permissions, 161

• OAuth2, 138–140

  • application permissions, 138

  • delegated permissions, 138

• permission models

  • selecting, 295

  • switching, 292

PFS (Perfect Forward Secrecy), 344–345

PIM (Privileged Identity Management), 28, 168

PKCE (Proof of Key for Code Exchange), 135

planning, incident response plans, 18

Platform as a Service (PaaS), 24–27

• dedicated PaaS instances, 456

• private networking, 451–452

• private shared PaaS, 452–455

• TLS, 345–346

PMK (Platform-Managed Keys), SSE, 329–330

pods, containers, 387–388

Policy, Azure, 209

• assigning policies, 211–212

• audit logs, adding, 189

• effects, 210–211

• policy as code, 212

policy-based authorization, 28

Ponemon Institute, 27, 31

Portal, Azure, compliance state governance, 208–209

posture management, 204–205

PR (Pull Requests), approvals, 437

primary keys, data plane authorization, 415–416

principle of least privilege, 28, 41–42

prioritizing mitigations, 48

private endpoints, 60, 454–455, 457

private links, 454–455

private networking, PaaS, 451–452

private shared PaaS, 452–455

privileged access, 203

Privileged Access Management (PAM) tool, 56–57

Privileged Access Workstations (PAW), 42

Privileged Identity Management (PIM), 28, 168

privileges

• elevation of privileges attacks, 391

• principle of least privilege, 28

processors, confidential computing, 361

PROD

• deployments, 439–440

• environments, 448

Proof of Key for Code Exchange (PKCE), 135

psychological acceptability, 45

public clients, 137

public repos, GitHub, 441

Pull Requests (PR), approvals, 437

pytm, threat modeling, 97–98

quality gate tools, 20

quality versus security, 4–5

queries, KQL, 176–180

question mark (Greek), determining correctness by verifying data, 251–252

random data, fuzz testing, 276–277

RBAC (Role-Based Access Control), 61–62, 163–164, 206, 210–211, 291–299, 416–419

Reagan, U.S. President Ronald, verifying data, 242

reconnaissance attacks, 171

recovery, governance, 205

reducing attack surfaces, 32–33

redundancy levels, Azure storage, 47

Reed, Brian, threat modeling, 89

refresh tokens, 138

registration, OAuth2 applications, 129

rejecting known bad data, 253–255

remote attestation, 360, 364–366, 431

repudiation attacks, 391

requests, SSRF, 269–270

residual risk, 37

resource management private links, 401–402

Resource Owner Password Credentials (ROPC) flows, 136

resource owners, 127, 134

resource servers, 134

resource tokens, data plane authorization, Cosmos DB Security, 416

rest, data at, 406–407

REST API security, 282–283

restoring, key versions, 307–308

Return on Investment (ROI), threat modeling, 88

reviewing compliance state, governance, 208–209

revocation checking, 266

Richer, Justin, OAuth2, 129

risk

• acceptance, PCI DSS, 218

• assessments, bug bars, defining, 7–10

• managing, threat modeling, 101

• programs/compliance, 232–233

  • ASB, 227–228

  • ATT&CK, 231

  • CAPEC, 231

  • CIS benchmarks, 226–227

  • CVE, 230

  • CWE, 231

  • defined, 213–215

  • FedRAMP, 218–219, 221

  • FIPS 140, 221–224

  • GDPR, 216–217

  • HIPPA, 215–216

  • HITRUST, 216

  • ISO/IEC 27001, 225–226

  • ISO/IEC 27034, 226

  • MITRE, 229–230

  • NIST Cybersecurity Framework, 220–221

  • NIST SP 800–53, 219–220, 221

  • NVD, 230

  • OWASP, 229

  • PCI DSS, 217–218

  • SOC, 224–225

  • threat modeling, 233–234

• residual risk, 37

RiskLens, 32

roadmaps, 115–118

ROI (Return on Investment), threat modeling, 88

Role-Based Access Control (RBAC), 61–62, 163–164, 206, 210–211, 291–299, 416–419

roles

• AD roles, 162–164

• applications, 62–64

• assigning

  • best practices, 167–168

  • Blueprints, 167

  • denying assignments, 167

  • managing assignments, 164–165

• Blueprints, 167

• custom definitions, 165–166

• group assignments, 58–59

• OAuth2, 134

root of trust, hardware, 359

ROPC (Resource Owner Password Credentials) flows, 136

rotating keys, 337–341

routing

• IPv4, 446

• UDR, 446

RSA algorithm, 301, 353

rules

• Azure rules of engagement, 275

• firewalls, defining, 59

SaaS (Software as a Service), 24–27

SAFECode, threat modeling, 89

Saltzer, Jerome

• Azure security design principles, 32

• complete mediation, 33–34

• economy of mechanisms, 37–38

• fail-safe defaults, 38–40

• leveraging existing components, 42–43

• open design, 43–44

• psychological acceptability, 45

SAML (Security Assertion Markup Language), 129

SANDBOX environments, 448

Sanso, Antonio, OAuth2, 129

SAS (Shared Access Signature) tokens, 158

saving KQL queries, 180

SCA (Software Component Analysis) tools, CI/CD, 436

scanning, secure design, 29

Schoenfeld, Brook S. E., threat modeling, 81

Schroeder, Michael

• Azure security design principles, 32

• complete mediation, 33–34

• economy of mechanisms, 37–38

• fail-safe defaults, 38–40

• leveraging existing components, 42–43

• open design, 43–44

• psychological acceptability, 45

Schultz, Eugene, firewalls, 27

scopes

• AD scopes, 162

• OAuth2, 141

scoring vulnerabilities (CVSS), 7

scripting

• inline scripts/styles, 260–263

• XSS, 30

SDL (Security Development Lifestyle)

• attack surface analysis, 10

• banned functionality, avoiding, 12–13

• bug bars, defining, 7–10

• components, 5–6

• CVSS, 7

• defined, 4

• DTD bomb attacks, 13

• dynamic analysis tools, 16–17

• features, 5

• flow analysis, 17

  • control-flow analysis, 17–18

  • data-flow analysis, 18

• goals, 4

• incident response plans, 18

• overview, 20–21

• penetration testing (pentests), 19

• requirements, 4, 5–6

• security training, 6

• static analysis tools, 13–16, 17

• tasks, 5–6

• tasks by sprint, 20–21

• technical security debt, 19

• threat modeling, 10

• toolchains, defining, 11

SecOps (Security Ops), 125

secrets, keys, cryptography, 288

secrets and service connections, CI/CD, 438

secrets management patterns, 64

secure channels, 69–70

secure coding

• all input is evil, 238–239

• attackers

  • identity of, 240–241

  • what attackers control, 241–242

• C programming language, 270–271

• C++ programming language, 270–271

• fuzz testing, 274, 275–276

  • API, 280–283

  • Azure rules of engagement, 275

  • generating random data, 276–277

  • manipulating data by format, 280

  • mutating existing data, 277–280

• hashes in coding, 341

• insecure coding, 237

• reviewing, 273–274

• revocation checking, 266

• threat modeling, 239–242

• use analysis tools, 271–273

• verifying data, 242

  • determining correctness, 243–253

  • encoding data, 256

  • rejecting known bad data, 253–255

• vulnerabilities, 256–257

  • authentication failures, 264–266

  • broken access control, 257

  • checking signatures, 268

  • cryptography failures, 257–258

  • data integrity failures, 266–269

  • debugging security headers, 264

  • identification failures, 264–266

  • injection, 258

  • inline scripts/styles, 260–263

  • insecure design, 259

  • logging failures, 269

  • misconfigured security, 259–260

  • monitoring failures, 269

  • signing binaries, 268–269

  • software failures, 266–269

  • SSRF, 269–270

  • vulnerable/outdated components, 264

secure design

• access rights, 28–29

• AD Access Reviews, 42

• AD PIM, 46

• assume-breach, 29

• attack surface reduction, 32–33

• Azure security design principles, 32

• cloud computing, 23–24, 28–29

• complete mediation, 33–34

• Customer Lockbox, 25–26

• Dedicated Hosts, 41

• dedicated hosts, 27

• defense in depth, 34–37

• DevOps, 23–24

• DMZ, 34–35

• economy of mechanisms, 37–38

• encrypting data in transit, 29

• fail-safe defaults, 38–40

• FAIR, 31–32

• firewalls, 27

• IaaS, 24–27

• least common mechanism, 40–41

• leveraging existing components, 42–43

• micro-segmenting networks, 29

• monitoring, 29

• open design, 43–45

• open source, 44–45

• PaaS, 24–27

• PAW, 42

• PIM, 28

• policy-based authorization, 28

• principle of least privilege, 28, 41–42

• prioritizing mitigations, 48

• psychological acceptability, 45

• residual risk, 37

• SaaS, 24–27

• scanning, 29

• separation of duties, 45–46

• Shared Responsibility Model, 24–25

• shifting left, 31

• single point of failure, 46–47

• SQLMap, 30

• thoughts on, 31–32

• WAF, 30

• weakest link, 47–48

• zero trust, 27–31

secure enclaves, 431

Secure Encrypted Visualization-Secure Nested Paging (SEV-SNP), AMD, 362–363

secure keys, 287, 312, 360

Secure Score, 207–208

Secure Sockets Layer (SSL), 342

security

• champions, 21, 88–89

• quality versus, 4–5

• technical security debt, 19

• training, SDL, 6

Security Assertion Markup Language (SAML), 129

Security Baseline, Azure, 411

Security Benchmark, 80, 81

security champions, 21, 88–89

security controls, types of, 36

security domains, 309–311

security headers, debugging, 264

security misconfigurations, 259–260

security patterns. See also design patterns

• application roles, 62–64

• authentication patterns, 53–55

  • Azure AD, 54–55

  • centralized identity providers, 54–55

• authorization patterns, 56

• availability patterns, 74–75

• Azure, 51–52

• Azure AD PIM, 57

• Azure Well-Architected Framework, 53

• BYOK, 73–74

• client-side data encryption, 71–73

• DoS attacks, 75–77

• isolating

  • identity perimeters, 60–61

  • networks, 59–60

• just-in-time administration, 56–58

• Key Vault, 66–69, 76

• likelihood of interception, 70–71

• list of, 52

• managed identities, 64–66

• PAM tool, 56–57

• RBAC, 61–62

• role assignments, 58–59

• secrets management patterns, 64

• secure channels, 69–70

• sensitive information management patterns, 69

segmenting networks, 29, 447–448

selecting permission models, 295

sensitive information, management patterns, 69

Sentinel, Azure, 186, 197–199

separation of duties, 45–46, 437–438

servers

• authentication, 154

• authorization servers, OAuth2, 134

• encryption

  • CMK, 330

  • PMK, 329–330

• resource servers, 134

• SQL Server

  • IaaS Agent, 411

  • SQL Server Always Encrypted, 73, 368

• SSE, 335–336

Server-Side Encryption (SSE), 335–336

Server-Side Request Forgery (SSRF), 269–270

service plans, shared app, 455

services

• AKS, 107

• App Services, 47

• Azure container services, 375–376

• container service security

  • deployments, 384–385

  • development, 384–385

  • overview, 383–384

• DoS attacks, security patterns, 75–77

• IaaS, 24–27

  • containers, 376

  • TLS, 350

• microservices, Key Vault, 68–69

• PaaS, 24–27, 345–346

• principal secrets, GitHub, 438

• SaaS, 24–27

• secrets and service connections, CI/CD, 438