Index

Numbers

  • 429 (“Too Many Requests”) messages, 76

A

  • AAD (Azure Active Directory)

    • AAD Data Plane RBAC, 416419

    • identity management, 203

  • ABAC (Attribute-Based Access Control), 168170

  • acceptability, psychological, 45

  • accepting risk, PCI DSS, 218

  • access

  • accounts, break-glass accounts, 298

  • ACI (Azure Container Instances), 377378

  • ACR (Azure Container Registry), 385386

  • action groups, 185186

  • Active Directory Authentication Library (ADAL), 131

  • AD (Active Directory)

  • ADAL (Active Directory Authentication Library), 131

  • adding audit logs with Azure Policy, 189

  • Addiscott, Richard, threat modeling, 89

  • administration, just-in-time, 5658

  • ADO SHA (Azure DevOps Self-Hosted Agents), 456

  • Agile development, characteristics of, 23

  • Agile SDL (Security Development Lifecycle)

    • attack surface analysis, 10

    • banned functionality, avoiding, 1213

    • bug bars, defining, 710

    • CVSS, 7

    • DTD bomb attacks, 13

    • dynamic analysis tools, 1617

    • flow analysis, 17

      • control-flow analysis, 1718

      • data-flow analysis, 18

    • incident response plans, 18

    • overview, 2021

    • penetration testing (pentests), 19

    • security training, 6

    • static analysis tools, 1316, 17

    • tasks by sprint, 2021

    • technical security debt, 19

    • threat modeling, 10

    • toolchains, defining, 11

  • agility, cryptographic, 312313

  • AKS (Azure Kubernetes Services), 107, 378380, 457

  • alerts, 197199, 303

  • Alexander, Christopher, design patterns, 51

  • all input is evil, 238239

  • allLogs, 175

  • allowed communications, VNets, 448

  • Always Encrypted, 422426, 429433

  • AMD, SEV-SNP, 362363

  • analysis phase, threat modeling, 82

  • analyzing

    • attack surfaces, 10

    • dynamic analysis tools, 1617

    • flow analysis, 17

      • control-flow analysis, 1718

      • data-flow analysis, 18

    • SCA tools, CI/CD, 436

    • static analysis tools, 1316, 17

    • use analysis tools, 271273

  • API (Application Programming Interface)

    • fuzz testing, 280283

    • Management Gateways, 451

    • REST API security, 282283

  • App Services, 47, 377

  • Application Programming Interface (API)

  • Application Security Groups (ASG), 447

  • applications

    • AppServiceAppLogs, 173

    • ASG, 447

    • authentication, 159161

    • Azure Application Proxy, 451

    • Azure Container Apps, 378

    • DAST, 1617

    • hosting, 133

    • OAuth2

    • permissions, 138

    • roles, 6264

    • shared app service plans, 455

  • AppServiceAppLogs, 173

  • AppServiceAuditLogs, 173

  • AppServiceConsoleLogs, 173

  • AppServiceHTTPLogs, 173

  • AppServiceIPSecAuditLogs, 173174

  • AppServicePlatformLogs, 174

  • Arm TrustZone, 363

  • ASB (Azure Security Benchmark), 202, 227228

  • ASG (Application Security Groups), 447

  • assessing risk, bug bars, 710

  • asset management, 204

  • assigning

    • Azure Policies, 211212

    • roles

      • best practices, 167168

      • Blueprints, 167

      • denying assignments, 167

      • managing assignments, 164165

      • to groups, 5859

  • assume-breach, 29

  • assumptions, mitigations, 113

  • ATT&CK, 231

  • attack surfaces

    • analysis, 10

    • reduction, 3233

  • attacks. See also threat modeling

    • brute-force attacks, 350351

    • DoS attacks, 7577, 391

    • DTD bomb attacks, 13

    • elevation of privileges attacks, 391

    • honeypots, 171

    • reconnaissance attacks, 171

    • repudiation attacks, 391

    • spoofing attacks, 391

    • supply chain attacks, 436

    • tampering attacks, 391

  • attestation, remote, 360, 364366, 431

  • Attribute-Based Access Control (ABAC), 168170

  • audit logs, 175, 186188

  • auditing

    • allLogs, 175

    • AppServiceAppLogs, 173

    • AppServiceAuditLogs, 173

    • AppServiceConsoleLogs, 173

    • AppServiceHTTPLogs, 173

    • AppServiceIPSecAuditLogs, 173174

    • AppServicePlatformLogs, 174

    • audit logs, 175, 186188

    • Azure Key Vault, 301303

    • Azure Monitor

      • Azure Storage, 174, 187188

      • diagnostic settings, 172175

      • Event Hub, 174

      • Log Analytics workspaces, 174, 176

      • Log Analytics workspaces, action groups, 185186

      • Log Analytics workspaces, KQL queries, 176180

      • Log Analytics workspaces, protecting audit logs, 186188

      • Log Analytics workspaces, raising alerts, 181185

      • Partner Solution, 174

    • Azure Policy, adding audit logs, 189

    • Azure Sentinel, 186

    • category groups, 175

    • CMK, 186187

    • control (management) plane, 399400

    • Cosmos DB Security, 414, 419420

    • costs, 189190

    • crypto-shredding, 186

    • data plane, 404

    • intentional security monitoring/auditing, 190

    • KQL queries, 176180

    • logging for auditing, defined, 172

    • SQL Server and database security, 395

    • threat modeling events, 190199

  • authentication (authN), 123124, 150151, 154

    • access without authentication, 151159

    • ADAL, 131

    • applications, 159161

    • control (management) plane, 396398

    • Cosmos DB Security, 411412

    • data plane, 402403, 414415

    • defined, 124

    • failures, 264266

    • importance to developers, 155

    • keys, 338

    • MFA, 152153

    • MSAL, 130132

    • passwordless authentication, 152

    • personal solutions, creating, 155156

    • SAML, 129

    • SAS tokens, 158

    • security patterns, 5355

      • Azure AD, 5455

      • centralized identity providers, 5455

    • server authentication, 154

    • SMS-based authentication, 151152

    • SQL Server, 395

    • SSO authentication, 156157

    • threat modeling, 107

    • zero trust, 28

    • ZKPP, 151

  • authorization (AuthZ), 123124, 161162, 395, 403404

  • automation

    • container development/deployment, 384

    • deployments, governance, 206

    • threat identification, 113115

    • threat modeling, 91

  • availability patterns, 7475

  • Azure

    • AD, 5455

    • AKS, 107, 378380

    • App Services, 47

    • App Services Web App Containers, 377

    • ASB, 202

    • Blueprints, 167

    • confidential containers, 380

    • Confidential ledger, 368370

    • Container Apps, 378

    • container services, 375376

    • cryptographic services (overview), 329

    • Customer Lockbox, 2526, 46

    • Dedicated Hosts, 41

    • dedicated hosts, 27

    • Disk Encryption, 336

    • Function Cointainers, 377

    • Initiatives, 210

    • IPv4 addresses, 445446

    • Key Vault, 6669, 76

      • FIPS 140 and managed HSM, 224

    • PaaS, TLS, 345346

    • Policy, 209

      • assigning policies, 211212

      • effects, 210

      • effects, enforcing by environment, 210211

      • policy as code, 212

    • Portal, compliance state, governance, 208209

    • RBAC, 6162, 291299

    • rules of engagement, 275

    • secure design, 32

    • Security Benchmark, 80, 81

    • security patterns, 5152

    • Sentinel, 186

      • alerts for custom events, 197199

    • Shared Responsibility Model, 2425

    • Storage, cryptography, 331335

    • storage, redundancy levels, 47

    • Storage, Azure Monitor, 174

      • protecting audit logs, 187188

    • Storage Keys, 107

    • VM

    • Well-Architected Framework, 53

  • Azure Active Directory (AAD), AAD Data Plane RBAC, 416419

  • Azure Application Proxy, 451

  • Azure Container Instances (ACI), 377378

  • Azure Container Registry (ACR), 385386

  • Azure DevOps Self-Hosted Agents (ADO SHA), 456

  • Azure Firewall, 449450

  • Azure Firewall Premium SKU, 450

  • Azure Key Vault, 6669, 76, 288

    • access control, 288290, 301

    • auditing, 301303

    • backups, 306307

    • break-glass accounts, 298

    • “bring your own key” strategy, 301

    • certificates, 288

    • compound identities, 299

    • contributor permissions, 297

    • customer-managed keys, 306

    • elliptic-curve keys, 301

    • encrypting operations, 290

    • FIPS 140 and managed HSM, 224

    • get operations, 291299

    • honey keys, 303

    • HSM

    • keys, 288, 301

    • logging, 301303

    • Microsoft Defender, 306

    • network isolation, 304305

    • permission models

      • selecting, 295

      • switching, 292

    • Premium edition, 299301

    • RBAC, 291299

    • restoring key versions, 307308

    • rotating keys, 339341

    • RSA, 301

    • secrets, 288

    • secure keys, 312

    • Standard edition, 299300

    • templates, 300

    • verifying operations, 290

    • wrapping operations, 290

  • Azure Kubernetes Services (AKS), 378380, 457

  • Azure Monitor

  • Azure Policy, adding audit logs, 189

  • Azure Security Baseline, 411, 421422

  • Azure Security Benchmark (ASB), 227228

  • Azure SQL Database, 394395

  • Azure SQL Ledger, 409410

  • Azure SQL Managed Instance, 395

  • Azure WAF (Web Application Firewalls), 450451

B

  • backlogging, mitigations, 119122

  • backups

    • Azure Key Vault assets, 306307

    • governance, 205

  • bad data (known), rejecting, 253255

  • banned functionality

    • avoiding, 1213

    • examples of, 12

  • benchmarks

  • binaries, signing, 268269

  • Blueprints, 167

  • bomb attacks, DTD, 13

  • bounty programs, Hyper-V, 4041

  • break-glass accounts, 298

  • breaking keys/passwords, cost of, 350351

  • Britt, Jim, Azure Policy, 189

  • broken access control, 257

  • brute-force attacks, 350351

  • bug bars, defining, 710

  • BYOK (Bring Your Own Key), 7374

C

  • C programming language, 270271

  • C++ programming language, secure coding, 270271

  • CAE (Continuous Access Elevation), 131

  • CAIRIS, threat modeling, 9394

  • CAPEC (Common Attack Pattern Enumeration and Classification), 231

  • Carielli, Sandy, threat modeling, 89

  • Carmack, John, static analysis tools, 14

  • Center of Internet Security (CIS), benchmarks, 8081

  • centralized identity providers, authentication, 5455

  • certificates, keys, 288

  • Chambers, John T., hacks, 172

  • channels, secure, 6970

  • CI/CD (Continuous Integration/Continuous Deployment)

    • defined, 435

    • deployment agents, 440441

    • developers, specialized security, 436437

    • main branch (trunk) security, 438439

    • PR approvals, 437

    • PROD deployments, 439440

    • SCA tools, 436

    • secrets and service connections, 438

    • separation of duties, 437438

    • source control systems, 436

    • supply chain attacks, 436

    • tools (overview), 435436

    • trunk (main branch) security, 438439

  • CIDR, IPv4 addresses, 445446

  • ciphersuites, 286, 343344, 345, 346349, 356

  • CIS (Center of Internet Security), benchmarks, 8081, 226227

  • classification, data discovery, 409

  • clients

    • confidential clients, 135

    • credential flows, 135

    • cryptography, 331

    • data encryption, 7173

    • OAuth2, 134, 137

      • confidential clients, 137138

      • public clients, 137

  • cloud computing

  • clusters

  • CMK (Customer-Managed Keys), 186187, 204, 330

  • CNAME (Canonical Names), 459460

  • code security

    • all input is evil, 238239

    • attackers

    • C programming language, 270271

    • C++ programming language, 270271

    • fuzz testing, 274, 275276

      • API, 280283

      • Azure rules of engagement, 275

      • generating random data, 276277

      • manipulating data by format, 280

      • mutating existing data, 277280

    • hashes in coding, 341

    • insecure coding, 237

    • reviewing, 273274

    • revocation checking, 266

    • threat modeling, 239242

    • use analysis tools, 271273

    • verifying data, 242

      • determining correctness, 243253

      • encoding data, 256

      • rejecting known bad data, 253255

    • vulnerabilities, 256257

      • authentication failures, 264266

      • broken access control, 257

      • checking signatures, 268

      • cryptography failures, 257258

      • data integrity failures, 266269

      • debugging security headers, 264

      • identification failures, 264266

      • injection, 258

      • inline scripts/styles, 260263

      • insecure design, 259

      • logging failures, 269

      • misconfigured security, 259260

      • monitoring failures, 269

      • signing binaries, 268269

      • software failures, 266269

      • SSRF, 269270

      • vulnerable/outdated components, 264

  • code verifiers, 135

  • Coles, Matthew J., threat modeling, 81

  • column encryption, 408

  • comment fields, validating, 249250

  • Common Attack Pattern Enumeration and Classification (CAPEC), 231

  • common vulnerabilities, 256257

    • authentication failures, 264266

    • binaries, signing, 268269

    • broken access control, 257

    • cryptography failures, 257258

    • data integrity failures, 266269

    • debugging security headers, 264

    • identification failures, 264266

    • injection, 258

    • inline scripts/styles, 260263

    • insecure design, 259

    • logging failures, 269

    • misconfigured security, 259260

    • monitoring failures, 269

    • signatures, checking, 268

    • software failures, 266269

    • SSRF, 269270

    • vulnerable/outdated components, 264

  • Common Vulnerabilities and Exposures (CVE), 230

  • Common Vulnerability Scoring System (CVSS), 7, 230

  • Common Weakness Enumeration (CWE), 231

  • communications (allowed), VNets, 448

  • compensating controls, 286

  • complete mediation, 3334

  • complexity, containers, 381382

  • compliance, 232233

  • compliance state, reviewing, 208209

  • components

    • leveraging existing components, 4243

    • vulnerable/outdated, 264

  • compound identities, 299

  • compromises

    • developers, 34

    • reasons for, 171172

    • sources of, 34

  • confidential clients, 135, 137138, 359

  • confidential computing

  • confidential containers, 370371, 380

  • Confidential ledger, 368370

  • connection strings, SQL, 402

  • consent

  • containers, 375, 388

    • ACI, 377378

    • ACR, 385386

    • AKS, 378380

    • Azure App Services Web App Containers, 377

    • Azure confidential containers, 380

    • Azure Container Apps, 378

    • Azure container services, 375376

    • Azure Function Containers, 377

    • clusters, 386

    • complexity, 381382

  • confidential containers, 370371, 380

  • Content-Security-Policy (CSP), 260

  • Continuous Access Elevation (CAE), 131

  • Continuous Integration/Continuous Deployment (CI/CD)

    • defined, 435

    • deployment agents, 440441

    • developers, specialized security, 436437

    • main branch (trunk) security, 438439

    • PR approvals, 437

    • PROD deployments, 439440

    • SCA tools, 436

    • secrets and service connections, 438

    • separation of duties, 437438

    • source control systems, 436

    • supply chain attacks, 436

    • tools (overview), 435436

    • trunk (main branch) security, 438439

  • contributor permissions, 297

  • control (management) plane, 392, 393

  • control-flow analysis, 1718

  • correctness (verifying data), determining, 243

    • error handling, 253

    • Greek question mark, 251252

    • HTML, 251

    • names, security decisions based on, 253

    • namespace std, 245246

    • real-world experience, 243245

    • validating

      • comment fields, 249250

      • date and time, 247

      • high-level validation tools, 252

      • open spots, 248249

      • vaccination center ID, 246

      • vaccination type, 248

  • Cosmos DB Security, 411412

    • Always Encrypted, 431433

    • auditing, 414

    • authentication, 412413

    • authorization, 413

    • Azure Security Baseline, 422

    • cryptography, 414, 421

    • data plane

    • data plane authentication, 414415

    • Microsoft Defender for Cosmos DB, 421422

    • network isolation, 414

  • CredScan, 313314

  • Cross-Site Scripting (XSS), 30, 258

  • crypto shredding, 407

  • cryptography, 391

  • crypto-shredding, 186

  • CSP (Content-Security-Policy), 260

  • custom events

  • custom role definitions, 165166

  • Customer Lockbox, 2526, 46

  • Customer-Managed Keys (CMK), 186187, 204, 330

  • CVE (Coimmon Vulnerabilities and Exposures), 230

  • CVSS (Common Vulnerability Scoring System), 7, 230

  • CWE (Common Weakness Enumeration), 231

  • Cybersecurity Framework, NIST, 220221

D

  • dashboard, Threats Manager Studio, 118119

  • DAST (Dynamic Application Security Testing), 1617

  • data at rest, cryptography, 406407

  • data discovery/classification, 409

  • data encryption

    • Azure Disk Encryption, 336

    • client-side data encryption, 7173

    • data in transit, 341343

    • E@H, 336337

    • Microsoft Data Encryption SDK, 324329

    • SSE, 335336

  • Data Encryption SDK (MS), 324329

  • Data Flow Diagrams (DFD), threat modeling, 8285

  • data in transit, encryption, 29, 341343

  • data integrity failures, 266269

  • data plane, 392, 393

  • data protection

  • data recovery, governance, 205

  • data verification, 242

    • determining correctness, 243

      • error handling, 253

      • Greek question mark, 251252

      • high-level validation tools, 252

      • HTML, 251

      • namespace std, 245246

      • real-world experience, 243245

      • security decisions based on names, 253

      • validating comment fields, 249250

      • validating date and time, 247

      • validating open spots, 248249

      • validating vaccination center ID, 246

      • validating vaccination type, 248

    • encoding data, 256

    • rejecting known bad data, determining correctness, 253255

  • database security

    • Always Encrypted, 429433

    • auditing, Cosmos DB Security, 419420

    • Azure Security Baseline, 411

    • Azure SQL Database, 394395

    • Azure SQL Ledger, 409410

    • Azure SQL Managed Instance, 395

    • control (management) plane, 392, 393

    • Cosmos DB Security, 411412

    • crypto shredding, 407

    • cryptographic controls, 393

    • data at rest, cryptography, 406407

    • data discovery/classification, 409

    • data plane, 392, 393

    • dynamic data masking, 408

    • encryption, Always Encrypted, 422426

    • golden rules, 394

    • immutable storage, 410411

    • importance of, 391

    • managed identities, 407408

    • Microsoft Defender for Cosmos DB, 421422

    • NIN, 426429

    • remote attestation, 431

    • secure enclaves, 431

    • security services, 393394

    • SQL Injection, 433434

    • SQL Server, 394, 395

      • auditing, 395

      • authentication, 395

      • authorization, 395

      • cryptography, 395396

      • network isolation, 396

    • SQL Server family (overview), 394

    • SQL Server IaaS Agent, 411

    • SSN, 426429

    • supported products, 392

    • TDE, 406407

    • techniques (overview), 392

  • data-flow analysis, 18

  • date and time validation, data verification, 247

  • DCsv3 VM (Virtual Machines), 363364

  • debt, technical security, 19

  • debugging

  • dedicated hosts, 27, 41

  • Dedicated HSM, Azure Key Vault, 309

  • dedicated PaaS instances, 456

  • Defender, Microsoft, Azure Key Vault, 306

  • Defender for Cloud (DFC), Microsoft, 207, 208

  • Defender for Containers, Microsoft, 386

  • Defender for Cosmos DB, Microsoft, 421422

  • Defender for SQL, Microsoft, 410411

  • defense in depth, 3437

  • defining

    • bug bars, 710

    • firewall rules, 59

    • mitigations, 110112

    • private endpoints, 60

    • roles, custom definitions, 165166

    • toolchains, 11

  • DEK, 329, 338

  • delegated permissions, 138

  • delimiters, cryptographic agility, 323

  • Demilitarized Zones (DMZ), 3435

  • Denial-of-Service (DOS) attacks, 7577, 391

  • denying role assignments, 167

  • deployments

    • agents, 440441

    • CI/CD

      • defined, 435

      • deployment agents, 440441

      • developers, specialized security, 436437

      • main branch (trunk) security, 438439

      • PR approvals, 437

      • PROD deployments, 439440

      • SCA tools, 436

      • secrets and service connections, 438

      • separation of duties, 437438

      • source control systems, 436

      • supply chain attacks, 436

      • tools (overview), 435436

      • trunk (main branch) security, 438439

    • PROD, 439440

  • design patterns, 51. See also security patterns

  • design security

    • access rights, 2829

    • AD Access Reviews, 42

    • AD PIM, 46

    • assume-breach, 29

    • attack surface reduction, 3233

    • Azure security design principles, 32

    • cloud computing, 2324, 2829

    • complete mediation, 3334

    • Customer Lockbox, 2526

    • Dedicated Hosts, 41

    • dedicated hosts, 27

    • defense in depth, 3437

    • DevOps, 2324

    • DMZ, 3435

    • economy of mechanisms, 3738

    • encrypting data in transit, 29

    • fail-safe defaults, 3840

    • FAIR, 3132

    • firewalls, 27

    • IaaS, 2427

    • insecure design, 259

    • least common mechanism, 4041

    • leveraging existing components, 4243

    • micro-segmenting networks, 29

    • monitoring, 29

    • open design, 4345

    • open source, 4445

    • PaaS, 2427

    • PAW, 42

    • PIM, 28

    • policy-based authorization, 28

    • principle of least privilege, 28, 4142

    • prioritizing mitigations, 48

    • psychological acceptability, 45

    • residual risk, 37

    • SaaS, 2427

    • scanning, 29

    • separation of duties, 4546

    • Shared Responsibility Model, 2425

    • shifting left, 31

    • single point of failure, 4647

    • SQLMap, 30

    • thoughts on, 3132

    • WAF, 30

    • weakest link, 4748

    • zero trust, 2731

  • determining correctness, verifying data, 243

    • error handling, 253

    • Greek question mark, 251252

    • HTML, 251

    • names, security decisions based on, 253

    • namespace std, 245246

    • real-world experience, 243245

    • validating

      • comment fields, 249250

      • date and time, 247

      • high-level validation tools, 252

      • open spots, 248249

      • vaccination center ID, 246

      • vaccination type, 248

  • deterministic encryption, 73

  • DEV environments, 448

  • developers

    • authentication, importance of, 155

    • CI/CD, 436437

    • compromises, 34

    • fuzz testing, 274

    • governance, 201

    • specialized security, 436437

    • zero trust, 2731

  • development, logging for, 172

  • device code flows, 136

  • DEVINT environments, 448

  • DevOps

    • ADO SHA, 456

    • deployment agents, 440441

    • governance, 205

    • identity, 438

    • intentional security monitoring/auditing, 190

    • main branch (trunk) security, 438439

    • PROD deployments, 439440

    • secure design, 2324

    • service connections, 438

    • trunk (main branch) security, 438439

  • DFC (Defender for Cloud), Microsoft, 207, 208

  • DFD (Data Flow Diagrams), threat modeling, 8285

  • disclosure attacks, information, 391

  • discovery/classification, data, 409

  • Disk Encryption, Azure, 336

  • DMZ (Demilitarized Zones), 3435

  • DNS (Domain Name Systems), 454455

  • Docker, containers, 373374

  • documentation

    • governance, 206

    • Office (MS) documents, defined, 317

  • Domain Name Systems (DNS), 454455

  • domain security, 309311

  • DoS (Denial-of-Service) attacks, 7577, 391

  • DTD bomb attacks, 13

  • duties, separation of, 4546, 437438

  • dynamic analysis tools, 1617

  • dynamic data masking, 408

E

  • E@H (Encryption at Host), 336337

  • ECDSA (Elliptic Curve Digital Signature Algorithm), 353

  • economy of mechanisms, 3738

  • education (security), governance, 206

  • egress/ingress controls, 449, 457

  • elevation of privileges attacks, 391

  • elliptic-curve keys, 301

  • enclaves, secure, 431

  • encoding data, verifying data, 256

  • encryption

  • Encryption at Host (E@H), 336337

  • endpoints, 205

  • Entra, 130

  • EPAC (Enterprise Policy as Code), 212

  • error handling, determining correctness by verifying data, 253

  • Event Hub, Azure Monitor, 174

  • events

  • existing data, mutating, 277280

F

  • Fahmy, Sonia, firewalls, 27

  • fail-safe defaults, 3840

  • failure, single point of failure, 4647

  • FAIR, 3132

  • Fair Institute, 32

  • FedRAMP (Federal Risk and Authorization Management Program), 218219, 221

  • FIPS 140 (Federal Information Processing Standard 140), 221222

    • Azure Key Vault and managed HSM, 224

    • SHA-2 in .NET, 222223

  • firewalls, 27

    • Azure Firewall, 449450

    • Azure Firewall Premium SKU, 450

    • rules, defining, 59

    • WAF, 30

  • flexibility, threat modeling, 91

  • flows

    • analysis, 17

      • control-flow analysis, 1718

      • data-flow analysis, 18

    • OAuth2, 127, 134

      • authorization code flows, 134135

      • client credential flows, 135

      • device code flows, 136

      • implicit flows, 136

      • OBO flows, 135

      • ROPC flows, 136

      • supported applications, 136137

  • formatting data, manipulating by format, 280

  • Forrester and Gartner, threat modeling, 89

  • fragmentation, containers, 383

  • frameworks, Azure Well-Architected Framework, 53

  • Frantzen, Michael, firewalls, 27

  • Function Cointainers, Azure, 377

  • functionality, banned, 1213

  • fuzz testing, 274, 275276

    • API, 280283

    • Azure rules of engagement, 275

    • generating random data, 276277

    • manipulating data by format, 280

    • mutating existing data, 277280

G

  • Gamma, Erich, design patterns, 51

  • gate tools, quality, 20

  • GDPR (General Data Protection Regulation), 216217

  • Geo-Redundant Storage (GRS), 47

  • Geo-Zone-Redundant Storage (GZRS), 47

  • get operations, 291299

  • GitHub

    • Azure Policy, 189

    • deployment agents, 441

    • main branch (trunk) security, 438439

    • PROD deployments, 439440

    • public repos, 441

    • service principal secrets, 438

    • trunk (main branch) security, 438439

  • golden rules, 394

  • governance

    • ASB, 202

    • asset management, 204

    • automating deployments, 206

    • Azure Initiatives, 210

    • Azure Policy, 209

      • assigning policies, 211212

      • effects, 210

      • effects, enforcing by environment, 210211

      • policy as code, 212

    • Azure Portal, 208209

    • backups, 205

    • compliance state, reviewing, 208209

    • data protection, 203204

    • data recovery, 205

    • developers, 201

    • DevOps, 205

    • documentation, 206

    • endpoint security, 205

    • enforcement, 206

    • identity management, 203

    • incident response plans, 204

    • logging, 204

    • Microsoft DFC, 207, 208

    • network security, 202

    • posture management, 204205

    • privileged access, 203

    • RBAC, 206, 210211

    • Secure Score, 207208

    • security education, 206

    • strategies, 205

    • vulnerability management, 204205

  • grant flows. See flows

  • Greek question mark, determining correctness by verifying data, 251252

  • grouping actions, Log Analytics workspaces, 185186

  • groups, role assignments, 5859

  • GRS (Geo-Redundant Storage), 47

  • GUID, version numbers, 324

  • guidance, threat modeling, 91

  • GZRS (Geo-Zone-Redundant Storage), 47

H

  • hacks, reasons for, 171172

  • hardware root of trust, 359

  • hashes in coding, 341

  • Health Information Trust (HITRUST), 216

  • Health Insurance Portability and Accountability Act (HIPPA), 215216

  • Helm, Richard, design patterns, 51

  • HIPPA (Health Insurance Portability and Accountability Act), 215216

  • HITRUST (Health Information Trust), 216

  • honey keys, 303

  • HoneyPi, 171

  • honeypots, 171

  • hosting, applications, 133

  • hosts

  • HSM (Hierarchical Storage Management)

  • HTML (Hypertext Markup Language), determining correctness, verifying data, 251

  • HTTP (Hypertext Transfer Protocol), AppServiceHTTPLogs, 173

  • hubs, 447

  • Hyper-V, bounty programs, 4041

I

  • IaaS (Infrastructure as a Service), 2427

    • containers, 376

    • SQL Server IaaS Agent, 411

    • TLS, 350

  • IaC (Infrastructure as Code), 443

  • ID tokens, 138

  • identification failures, 264266

  • identifying threats, 108109, 113115

  • identity, 123124

  • images, containers, 385

  • immaturity, containers, 383

  • immutable storage, 410411

  • implicit flows, 136

  • incident response plans, 18, 204

  • incremental consent, 140

  • information

    • disclosure attacks, 391

    • sensitive information, management patterns, 69

  • Infrastructure as a Service (IaaS)

    • containers, 376

    • SQL Server IaaS Agent, 411

    • TLS, 350

  • Infrastructure as Code (IaC), 443

  • ingress/egress controls, 449, 457

  • Initiatives, Azure, 210

  • injection, 258

  • inline scripts/styles, 260263

  • input, all input is evil, 238239

  • insecure coding, 237

  • insecure design, 259

  • integration

    • CI/CD

      • defined, 435

      • deployment agents, 440441

      • developers, specialized security, 436437

      • main branch (trunk) security, 438439

      • PR approvals, 437

      • PROD deployments, 439440

      • SCA tools, 436

      • secrets and service connections, 438

      • separation of duties, 437438

      • source control systems, 436

      • supply chain attacks, 436

      • tools (overview), 435436

      • trunk (main branch) security, 438439

    • threat modeling, 91

  • Intel

  • intentional security monitoring/auditing, 190

  • interception, likelihood of, 7071

  • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)

  • Internet

    • CIS Benchmarks, 8081

    • isolating networks, 5960

  • Internet Protocol version 6 (IPv6), 445

  • Investment (ROI), Return on, threat modeling, 88

  • IPv4 (Internet Protocol version 4), 445

  • IPv6 (Internet Protocol version 6), 445

  • ISO/IEC (International Organization for Standardization/International Electrotechnical Commission)

  • isolating

J

  • Johnson, Ralph, design patterns, 51

  • just-in-time administration, 5658

  • JWT (JSON Web Tokens), 142146

K

  • K8s (Kubernetes), 373375

  • Kamara, Seny, firewalls, 27

  • KEK (Key Encryption Keys), 329, 338

  • Kerckhoff’s Principle, 44

  • Kerschbaum, Florian, firewalls, 27

  • Key Vault, Azure, 6669, 76, 288

    • access control, 288290, 301

    • auditing, 301303

    • backups, 306307

    • break-glass accounts, 298

    • “bring your own key” strategy, 301

    • certificates, 288

    • compound identities, 299

    • contributor permissions, 297

    • customer-managed keys, 306

    • elliptic-curve keys, 301

    • encrypting operations, 290

    • FIPS 140 and managed HSM, 224

    • get operations, 291299

    • honey keys, 303

    • HSM

    • keys, 288, 301

    • logging, 301303

    • Microsoft Defender, 306

    • network isolation, 304305

    • permission models

      • selecting, 295

      • switching, 292

    • Premium edition, 299301

    • RBAC, 291299

    • restoring key versions, 307308

    • rotating keys, 339341

    • RSA, 301

    • secrets, 288

    • secure keys, 312

    • Standard edition, 299300

    • templates, 300

    • verifying operations, 290

    • wrapping operations, 290

  • keys

    • agreements, 344

    • authentication keys, 338

    • Azure Key Vault. See separate entry

    • Azure Storage Keys, 107

    • breaking, cost of, 350351

    • “bring your own key” strategy, 301

    • BYOK, 7374

    • certificates, 288

    • CMK, 186187, 204, 330

    • cryptography, defined, 287

    • customer-managed keys, 306

    • DEK, 329, 338

    • elliptic-curve keys, 301

    • exchanges, 344

    • honey keys, 303

    • Intel SGX, 364

    • Intel TME-MK, 363364

    • KEK, 329, 338

    • PKCE, 135

    • PMK, SSE, 329330

    • restoring key versions, 307308

    • rotating, 337341

    • secrets, 288

    • secure keys, 287, 312, 360

    • signing keys, 338

    • storage account keys, misuse of, 158159

  • known bad data, rejecting, 253255

  • KQL (Kusto Query Language) queries, 176180

  • Kubernetes

  • Kuriel, Maor, Kubernetes (AKS), 107

  • Kusto Query Language (KQL) queries, 176180

L

  • landing zones, 447

  • launches, trusted, 360, 366367

  • least common mechanism, 4041

  • least privilege, principle of, 28, 4142

  • LeBlanc, David, Writing Secure Code, 6

  • leveraging existing components, 4243

  • likelihood of interception, 7071

  • limiting access rights, 2829

  • links, private, 454455

  • Linux VM (Virtual Machines), TLS, 350351

  • Litchfield, David, determining correctness, 243

  • Local Redundant Storage (LRS), 47

  • Log Analytics workspaces, Azure Monitor, 176

  • logging

    • allLogs, 175

    • AppServiceAppLogs, 173

    • AppServiceAuditLogs, 173

    • AppServiceConsoleLogs, 173

    • AppServiceHTTPLogs, 173

    • AppServiceIPSecAuditLogs, 173174

    • AppServicePlatformLogs, 174

    • audit logs, 175, 186188

    • for auditing, defined, 172

    • Azure Key Vault, 301303

    • Azure Monitor

      • Azure Storage, 174, 187188

      • diagnostic settings, 172175

      • Event Hub, 174

      • Log Analytics workspaces, 174, 176

      • Log Analytics workspaces, action groups, 185186

      • Log Analytics workspaces, KQL queries, 176180

      • Log Analytics workspaces, protecting audit logs, 186188

      • Log Analytics workspaces, raising alerts, 181185

      • Partner Solution, 174

    • Azure Policy, adding audit logs, 189

    • Azure Sentinel, 186

    • category groups, 175

    • CMK, 186187

    • costs, 189190

    • crypto-shredding, 186

    • defined, 172

    • for development, defined, 172

    • failures, 269

    • governance, 204

    • intentional security monitoring/auditing, 190

    • KQL queries, 176180

    • monitoring, defined, 172

    • threat detection, 204

    • threat modeling events, 190199

  • login credentials, storage, SQL Server, 398

  • LRS (Local Redundant Storage), 47

M

  • main branch (trunk) security, 438439

  • malware, TEE code, 362

  • Managed HSM

  • managed identities, 6466, 403, 407408

  • Managed OpenShift, 381

  • management (control) plane, 392, 393

  • managing

    • access, modern identity, 125

    • assets, 204

    • identities, 6466

    • PIM, 28, 168

    • posture, 204205

    • resource management private links, 401402

    • risk, threat modeling, 101

    • role assignments, 164165

    • secrets management patterns, 64

    • secure key management, 360

    • sensitive information, 69

    • Threats Manager Studio, 99101

    • VNets, 456

    • vulnerabilities, 204205

  • manipulating data by format, 280

  • masking dynamic data, 408

  • mechanisms

    • economy of mechanisms, 3738

    • least common mechanism, 4041

  • mediation, complete, 3334

  • memory

    • Intel TME-MK, 363364

    • isolation/encryption, 360

  • metadata, cryptographic, 316317

  • MFA (Multifactor Authentication), 152153

  • micro-segmenting networks, 29

  • microservices, Key Vault, 6869

  • Microsoft

    • Data Encryption SDK, 324329

    • Defender, Azure Key Vault, 306

    • Defender for Containers, 386

    • Defender for Cosmos DB, 421422

    • Defender for SQL, 410411

    • DfrC, 207, 208

    • Entra, 130

    • MSAL, 130132

    • Office (MS) documents, defined, 317

    • SDL

      • attack surface analysis, 10

      • banned functionality, avoiding, 1213

      • bug bars, defining, 710

      • components, 56

      • CVSS, 7

      • defined, 4

      • DTD bomb attacks, 13

      • dynamic analysis tools, 1617

      • features, 5

      • flow analysis, 1718

      • goals, 4

      • incident response plans, 18

      • overview, 2021

      • penetration testing (pentests), 19

      • requirements, 4, 56

      • security training, 6

      • static analysis tools, 1316, 17

      • tasks, 56

      • tasks by sprint, 2021

      • technical security debt, 19

      • threat modeling, 10

      • toolchains, defining, 11

    • Threat Modeling Tool, 9495

  • misconfigured security, 259260

  • mitigation

    • assumptions, 113

    • backlogging, 119122

    • creating, 111

    • defining, 110112

    • mitigation identification phase, threat modeling, 82

    • Mitigations Kanbnan, 122

    • prioritizing, 48

    • threat modeling, 91

  • MITRE, 229230

  • modeling threats, 10, 32, 79. See also attacks

    • analysis phase, 82

    • authentication, 107

    • automation, 91

    • benchmarks

      • Azure Security Benchmark, 80, 81

      • CIS Benchmarks, 8081

    • CAIRIS, 9394

    • compliance, 233234

    • defined, 8081

    • development vs. security, 9091

    • DFD, 8285

    • events, 190199

    • example of, 101102

    • factors of, 9293

    • flexibility, 91

    • guidance, 91

    • identifying threats, 108109

      • automation, 113115

      • severity of threats, 110

    • integration, 91

    • Microsoft Threat Modeling Tool, 9495

    • mitigation, 91

      • assumptions, 113

      • backlogging, 119122

      • defining, 110112

      • mitigation identification phase, 82

    • OWASP Threat Dragon, 9697

    • phases of, 8184

    • pytm, 9798

    • risk management, 101

    • roadmaps, 115118

    • ROI, 88

    • searching for better processes, 8889

    • secure coding, 239242

    • security champions, 8889

    • STRIDE threat-classification, 8586

    • Threagile, 9293, 9899

    • threat identification phase, 82

    • Threat Modeling Manifesto, 80

    • Threats Manager Studio, 99101

    • tools (overview), 9192

    • trouble with, 8688

    • validation phase, 82

  • modern identity, access management, 125

  • monitoring

    • allLogs, 175

    • AppServiceAppLogs, 173

    • AppServiceAuditLogs, 173

    • AppServiceConsoleLogs, 173

    • AppServiceHTTPLogs, 173

    • AppServiceIPSecAuditLogs, 173174

    • AppServicePlatformLogs, 174

    • audit logs, 175, 186188

    • Azure Monitor

      • Azure Storage, 174, 187188

      • diagnostic settings, 172175

      • Event Hub, 174

      • Log Analytics workspaces, 174, 176

      • Log Analytics workspaces, action groups, 185186

      • Log Analytics workspaces, KQL queries, 176180

      • Log Analytics workspaces, protecting audit logs, 186188

      • Log Analytics workspaces, raising alerts, 181185

      • Partner Solution, 174

    • Azure Policy, adding audit logs, 189

    • Azure Sentinel, 186

    • category groups, 175

    • CMK, 186187

    • costs, 189190

    • crypto-shredding, 186

    • defined, 172

    • failures, 269

    • intentional security monitoring/auditing, 190

    • KQL queries, 176180

    • secure design, 29

    • threat modeling events, 190199

  • MSAL (Microsoft Authentication Library), 130132

  • Mueller III, Robert S., hacks, 172

  • Multifactor Authentication (MFA), 152153

  • mutating existing data, 277280

N

  • names, security decisions based on, 253

  • namespace std, 245246

  • National Identity Numbers (NIN), 426429

  • National Institute of Standards and Technology (NIST)

  • National Vulnerability Database (NVD), 230

  • .NET code, TLS, common mistakes, 354

  • .NET SHA-2 and FIPS 140, 222223

  • Network Security Groups (NSG), 446447

  • networks

    • ADO SHA, 456

    • agents, 456458

    • AKS, 457

    • Azure networking primer, 443445

    • cluster network policies, 457458

    • control (management) plane isolation, 401402, 414

    • data plane isolation, 405406

    • firewalls, Azure Firewall, 449450

    • isolation, 5960, 396

    • micro-segmenting networks, 29

    • private networking, PaaS, 451452

    • security, governance, 202

    • segmenting

    • VNets, 443445

      • ADO SHA, 456

      • agents, 456458

      • AKS, 457

      • allowed communications, 448

      • API Management Gateways, 451

      • ASG, 447

      • Azure Application Proxy, 451

      • Azure Firewall, 449450

      • Azure Firewall Premium SKU, 450

      • Azure WAF, 450451

      • cluster network policies, 457458

      • CNAME, 459460

      • dedicated PaaS instances, 456

      • DEV environments, 448

      • DEVINT environments, 448

      • DNS, 454455

      • hubs, 447

      • ingress/egress controls, 449, 457

      • IPv4, 445446

      • IPv6, 445

      • landing zones, 447

      • managing, 456

      • NONPROD environments, 448

      • NSG, 446447

      • NVA, 449

      • PaaS and private networking, 451452

      • private endpoints, 454455, 457

      • private shared PaaS, 452455

      • PROD environments, 448

      • SANDBOX environments, 448

      • segmenting, 447448

      • shared app service plans, 455

      • spokes, 447

  • NIN (National Identity Numbers), 426429

  • NIST (National Institute of Standards and Technology)

  • nodes, AKS, 387

  • nonclass factory cryptographic algorithms, 317320

  • NONPROD environments, 448

  • NSG (Network Security Groups), 446447

  • NVA (Network Virtual Appliances), 449

  • NVD (National Vulnerability Database), 230

O

  • OAuth2, 125129, 146150

    • applications, registration, 129

    • authorization servers, 134

    • clients, 134, 137

      • confidential clients, 137138

      • public clients, 137

    • consent, 139140

    • debugging, 132133

    • flows, 127, 134

      • authorization code flows, 134135

      • client credential flows, 135

      • device code flows, 136

      • implicit flows, 136

      • OBO flows, 135

      • ROPC flows, 136

      • supported applications, 136137

    • permissions, 138140

      • application permissions, 138

      • delegated permissions, 138

    • resource owners, 127, 134

    • resource servers, 134

    • roles, 134

    • scopes, 141

    • tokens

    • users vs. clients, 131

  • OBO (On-Behalf-Of) flows, 135

  • Office (MS) documents, defined, 317

  • On-Behalf-Of (OBO) flows, 135

  • open design, 4345

  • open source, 4445

  • Open Web Application Security Project (OWASP), 229

  • OpenID Connect, 125129, 132133

  • OpenShift, Managed, 381

  • outdated components, 264

  • OWASP (Open Web Application Security Project), 229

    • static analysis tools, 16

    • Threat Dragon, 9697

    • XSS, 30

  • owners, resource, 127, 134

P

  • PaaS (Platform as a Service), 2427

    • dedicated PaaS instances, 456

    • private networking, 451452

    • private shared PaaS, 452455

    • TLS, 345346

  • PAM (Privileged Access Management) tool, 5657

  • Partner Solution, Azure Monitor, 174

  • passwordless authentication, 152

  • passwords

  • patterns

    • availability patterns, 7475

    • design patterns, 51

    • security patterns

      • application roles, 6264

      • authentication patterns, 5355

      • authorization patterns, 56

      • availability patterns, 7475

      • Azure, 5152

      • Azure AD PIM, 57

      • Azure Well-Architected Framework, 53

      • BYOK, 7374

      • client-side data encryption, 7173

      • DoS attacks, 7577

      • isolating identity perimeters, 6061

      • isolating networks, 5960

      • just-in-time administration, 5658

      • Key Vault, 6669, 76

      • likelihood of interception, 7071

      • list of, 52

      • managed identities, 6466

      • PAM tool, 5657

      • RBAC, 6162

      • role assignments, 5859

      • secrets management patterns, 64

      • secure channels, 6970

      • sensitive information management patterns, 69

  • Patterns and Practices Initiative, 4243

  • PAW (Privileged Access Workstations), 42

  • Payment Card Industry Data Security Standard (PCI DSS), 217218

  • Payment HSM, 309

  • PCI DSS (Payment Card Industry Data Security Standard), 217218

  • penetration testing (pentests), 19

  • Perfect Forward Secrecy (PFS), 344345

  • perimeter defenses, firewalls, 27

  • permissions

    • contributor permissions, 297

    • control plane permissions, 161

    • data plane permissions, 161

    • OAuth2, 138140

      • application permissions, 138

      • delegated permissions, 138

    • permission models

      • selecting, 295

      • switching, 292

  • PFS (Perfect Forward Secrecy), 344345

  • PIM (Privileged Identity Management), 28, 168

  • PKCE (Proof of Key for Code Exchange), 135

  • planning, incident response plans, 18

  • Platform as a Service (PaaS), 2427

    • dedicated PaaS instances, 456

    • private networking, 451452

    • private shared PaaS, 452455

    • TLS, 345346

  • PMK (Platform-Managed Keys), SSE, 329330

  • pods, containers, 387388

  • Policy, Azure, 209

    • assigning policies, 211212

    • audit logs, adding, 189

    • effects, 210211

    • policy as code, 212

  • policy-based authorization, 28

  • Ponemon Institute, 27, 31

  • Portal, Azure, compliance state governance, 208209

  • posture management, 204205

  • PR (Pull Requests), approvals, 437

  • primary keys, data plane authorization, 415416

  • principle of least privilege, 28, 4142

  • prioritizing mitigations, 48

  • private endpoints, 60, 454455, 457

  • private links, 454455

  • private networking, PaaS, 451452

  • private shared PaaS, 452455

  • privileged access, 203

  • Privileged Access Management (PAM) tool, 5657

  • Privileged Access Workstations (PAW), 42

  • Privileged Identity Management (PIM), 28, 168

  • privileges

    • elevation of privileges attacks, 391

    • principle of least privilege, 28

  • processors, confidential computing, 361

  • PROD

  • Proof of Key for Code Exchange (PKCE), 135

  • psychological acceptability, 45

  • public clients, 137

  • public repos, GitHub, 441

  • Pull Requests (PR), approvals, 437

  • pytm, threat modeling, 9798

Q

  • quality gate tools, 20

  • quality versus security, 45

  • queries, KQL, 176180

  • question mark (Greek), determining correctness by verifying data, 251252

R

  • random data, fuzz testing, 276277

  • RBAC (Role-Based Access Control), 6162, 163164, 206, 210211, 291299, 416419

  • Reagan, U.S. President Ronald, verifying data, 242

  • reconnaissance attacks, 171

  • recovery, governance, 205

  • reducing attack surfaces, 3233

  • redundancy levels, Azure storage, 47

  • Reed, Brian, threat modeling, 89

  • refresh tokens, 138

  • registration, OAuth2 applications, 129

  • rejecting known bad data, 253255

  • remote attestation, 360, 364366, 431

  • repudiation attacks, 391

  • requests, SSRF, 269270

  • residual risk, 37

  • resource management private links, 401402

  • Resource Owner Password Credentials (ROPC) flows, 136

  • resource owners, 127, 134

  • resource servers, 134

  • resource tokens, data plane authorization, Cosmos DB Security, 416

  • rest, data at, 406407

  • REST API security, 282283

  • restoring, key versions, 307308

  • Return on Investment (ROI), threat modeling, 88

  • reviewing compliance state, governance, 208209

  • revocation checking, 266

  • Richer, Justin, OAuth2, 129

  • risk

  • RiskLens, 32

  • roadmaps, 115118

  • ROI (Return on Investment), threat modeling, 88

  • Role-Based Access Control (RBAC), 6162, 163164, 206, 210211, 291299, 416419

  • roles

    • AD roles, 162164

    • applications, 6264

    • assigning

      • best practices, 167168

      • Blueprints, 167

      • denying assignments, 167

      • managing assignments, 164165

    • Blueprints, 167

    • custom definitions, 165166

    • group assignments, 5859

    • OAuth2, 134

  • root of trust, hardware, 359

  • ROPC (Resource Owner Password Credentials) flows, 136

  • rotating keys, 337341

  • routing

  • RSA algorithm, 301, 353

  • rules

    • Azure rules of engagement, 275

    • firewalls, defining, 59

S

  • SaaS (Software as a Service), 2427

  • SAFECode, threat modeling, 89

  • Saltzer, Jerome

    • Azure security design principles, 32

    • complete mediation, 3334

    • economy of mechanisms, 3738

    • fail-safe defaults, 3840

    • leveraging existing components, 4243

    • open design, 4344

    • psychological acceptability, 45

  • SAML (Security Assertion Markup Language), 129

  • SANDBOX environments, 448

  • Sanso, Antonio, OAuth2, 129

  • SAS (Shared Access Signature) tokens, 158

  • saving KQL queries, 180

  • SCA (Software Component Analysis) tools, CI/CD, 436

  • scanning, secure design, 29

  • Schoenfeld, Brook S. E., threat modeling, 81

  • Schroeder, Michael

    • Azure security design principles, 32

    • complete mediation, 3334

    • economy of mechanisms, 3738

    • fail-safe defaults, 3840

    • leveraging existing components, 4243

    • open design, 4344

    • psychological acceptability, 45

  • Schultz, Eugene, firewalls, 27

  • scopes

  • scoring vulnerabilities (CVSS), 7

  • scripting

    • inline scripts/styles, 260263

    • XSS, 30

  • SDL (Security Development Lifestyle)

    • attack surface analysis, 10

    • banned functionality, avoiding, 1213

    • bug bars, defining, 710

    • components, 56

    • CVSS, 7

    • defined, 4

    • DTD bomb attacks, 13

    • dynamic analysis tools, 1617

    • features, 5

    • flow analysis, 17

      • control-flow analysis, 1718

      • data-flow analysis, 18

    • goals, 4

    • incident response plans, 18

    • overview, 2021

    • penetration testing (pentests), 19

    • requirements, 4, 56

    • security training, 6

    • static analysis tools, 1316, 17

    • tasks, 56

    • tasks by sprint, 2021

    • technical security debt, 19

    • threat modeling, 10

    • toolchains, defining, 11

  • SecOps (Security Ops), 125

  • secrets, keys, cryptography, 288

  • secrets and service connections, CI/CD, 438

  • secrets management patterns, 64

  • secure channels, 6970

  • secure coding

    • all input is evil, 238239

    • attackers

    • C programming language, 270271

    • C++ programming language, 270271

    • fuzz testing, 274, 275276

      • API, 280283

      • Azure rules of engagement, 275

      • generating random data, 276277

      • manipulating data by format, 280

      • mutating existing data, 277280

    • hashes in coding, 341

    • insecure coding, 237

    • reviewing, 273274

    • revocation checking, 266

    • threat modeling, 239242

    • use analysis tools, 271273

    • verifying data, 242

      • determining correctness, 243253

      • encoding data, 256

      • rejecting known bad data, 253255

    • vulnerabilities, 256257

      • authentication failures, 264266

      • broken access control, 257

      • checking signatures, 268

      • cryptography failures, 257258

      • data integrity failures, 266269

      • debugging security headers, 264

      • identification failures, 264266

      • injection, 258

      • inline scripts/styles, 260263

      • insecure design, 259

      • logging failures, 269

      • misconfigured security, 259260

      • monitoring failures, 269

      • signing binaries, 268269

      • software failures, 266269

      • SSRF, 269270

      • vulnerable/outdated components, 264

  • secure design

    • access rights, 2829

    • AD Access Reviews, 42

    • AD PIM, 46

    • assume-breach, 29

    • attack surface reduction, 3233

    • Azure security design principles, 32

    • cloud computing, 2324, 2829

    • complete mediation, 3334

    • Customer Lockbox, 2526

    • Dedicated Hosts, 41

    • dedicated hosts, 27

    • defense in depth, 3437

    • DevOps, 2324

    • DMZ, 3435

    • economy of mechanisms, 3738

    • encrypting data in transit, 29

    • fail-safe defaults, 3840

    • FAIR, 3132

    • firewalls, 27

    • IaaS, 2427

    • least common mechanism, 4041

    • leveraging existing components, 4243

    • micro-segmenting networks, 29

    • monitoring, 29

    • open design, 4345

    • open source, 4445

    • PaaS, 2427

    • PAW, 42

    • PIM, 28

    • policy-based authorization, 28

    • principle of least privilege, 28, 4142

    • prioritizing mitigations, 48

    • psychological acceptability, 45

    • residual risk, 37

    • SaaS, 2427

    • scanning, 29

    • separation of duties, 4546

    • Shared Responsibility Model, 2425

    • shifting left, 31

    • single point of failure, 4647

    • SQLMap, 30

    • thoughts on, 3132

    • WAF, 30

    • weakest link, 4748

    • zero trust, 2731

  • secure enclaves, 431

  • Secure Encrypted Visualization-Secure Nested Paging (SEV-SNP), AMD, 362363

  • secure keys, 287, 312, 360

  • Secure Score, 207208

  • Secure Sockets Layer (SSL), 342

  • security

    • champions, 21, 8889

    • quality versus, 45

    • technical security debt, 19

    • training, SDL, 6

  • Security Assertion Markup Language (SAML), 129

  • Security Baseline, Azure, 411

  • Security Benchmark, 80, 81

  • security champions, 21, 8889

  • security controls, types of, 36

  • security domains, 309311

  • security headers, debugging, 264

  • security misconfigurations, 259260

  • security patterns. See also design patterns

    • application roles, 6264

    • authentication patterns, 5355

      • Azure AD, 5455

      • centralized identity providers, 5455

    • authorization patterns, 56

    • availability patterns, 7475

    • Azure, 5152

    • Azure AD PIM, 57

    • Azure Well-Architected Framework, 53

    • BYOK, 7374

    • client-side data encryption, 7173

    • DoS attacks, 7577

    • isolating

      • identity perimeters, 6061

      • networks, 5960

    • just-in-time administration, 5658

    • Key Vault, 6669, 76

    • likelihood of interception, 7071

    • list of, 52

    • managed identities, 6466

    • PAM tool, 5657

    • RBAC, 6162

    • role assignments, 5859

    • secrets management patterns, 64

    • secure channels, 6970

    • sensitive information management patterns, 69

  • segmenting networks, 29, 447448

  • selecting permission models, 295

  • sensitive information, management patterns, 69

  • Sentinel, Azure, 186, 197199

  • separation of duties, 4546, 437438

  • servers

    • authentication, 154

    • authorization servers, OAuth2, 134

    • encryption

    • resource servers, 134

    • SQL Server

      • IaaS Agent, 411

      • SQL Server Always Encrypted, 73, 368

    • SSE, 335336

  • Server-Side Encryption (SSE), 335336

  • Server-Side Request Forgery (SSRF), 269270

  • service plans, shared app, 455

  • services

    • AKS, 107

    • App Services, 47

    • Azure container services, 375376

    • container service security

    • DoS attacks, security patterns, 7577

    • IaaS, 2427

    • microservices, Key Vault, 6869

    • PaaS, 2427, 345346

    • principal secrets, GitHub, 438

    • SaaS, 2427

    • secrets and service connections, CI/CD, 438

  • severity of threats, identifying, 110

  • SEV-SNP (Secure Encrypted Visualization-Secure Nested Paging), AMD, 362363

  • SGX (Software Guard Extensions), Intel, 361362, 363364

  • SHA-2, FIPS 140 and SHA-2 in .NET, 222223

  • Shared Access Signature (SAS) tokens, 158

  • shared app service plans, 455

  • Shared Responsibility Model, 2425

  • shifting left, 31

  • Shostack, Adam, threat modeling, 81

  • signatures, checking, 268

  • signing binaries, 268269

  • signing keys, 338

  • single point of failure, 4647

  • Single Sign-On (SSO) authentication, 156157

  • SMS-based authentication, 151152

  • SOC (System and Organization Controls), 224225

  • Social Security Numbers (SSN), 426429

  • software

  • Software Guard Extensions (SGX), Intel, 361362

  • source control systems, 436

  • specialized security, 436437

  • specifying, severity of threats, 110

  • spokes, 447

  • spoofing attacks, 391

  • SQL (Structured Query Language)

    • connection strings, 402

    • Microsoft Defender for SQL, 410411

  • SQL Database, Azure, 394395

  • SQL Injection, 433434

  • SQL Ledger, Azure, 409410

  • SQL Managed Instance, Azure, 395

  • SQL Server

    • database security, 394, 395

      • auditing, 395

      • authentication, 395

      • authorization, 395

      • Azure SQL Database, 394395

      • Azure SQL Managed Instance, 395

      • cryptography, 395396

      • network isolation, 396

    • IaaS Agent, 411

    • login credentials, storage, 398

  • SQL Server Always Encrypted, 73, 368

  • SQLi (SQL injection), 258

  • SQLMap, 30

  • SSE (Server-Side Encryption), 335336

  • SSH (Secure Shell), unsecured, 357

  • SSL (Secure Sockets Layer), 342

  • SSN (Social Security Numbers), 426429

  • SSO (Single Sign-On) authentication, 156157

  • SSRF (Server-Side Request Forgery), 269270

  • static analysis tools, 1316, 17

  • storage

    • Azure Storage, 174

      • cryptography, 331335

      • protecting audit logs, 187188

      • redundancy levels, 47

    • GRS, 47

    • GZRS, 47

    • HSM, Azure Key Vault

    • immutable storage, 410411

    • login credentials, SQL Server, 398

    • LRS, 47

    • ZRS, 47

  • storage account keys, misuse of, 158159

  • Storage Keys, 107

  • STRIDE threat-classification, 8586

  • Structured Query Language. See SQL

  • styles, inline, 260263

  • supply chain attacks, 436

  • switching, permission models, 292

  • System and Organization Controls (SOC), 224225

T

  • tampering attacks, 391

  • Tarandach, Izar

    • pytm, 97

    • threat modeling, 81

  • TDE (Transparent Data Encryption), 406407

  • technical security debt, 19

  • TEE code, 361362

  • templates, Azure Key Vault, 300

  • testing

    • DAST, 1617

    • fuzz testing, 274, 275276

      • API, 280283

      • Azure rules of engagement, 275

      • generating random data, 276277

      • manipulating data by format, 280

      • mutating existing data, 277280

    • penetration testing (pentests), 19

    • TLS, 354

  • Threagile, 9293, 9899

  • threat modeling, 10, 32, 79. See also threats (separate entry)

    • analysis phase, 82

    • authentication, 107

    • automation, 91

    • benchmarks

      • Azure Security Benchmark, 80, 81

      • CIS Benchmarks, 8081

    • CAIRIS, 9394

    • compliance, 233234

    • defined, 8081

    • development vs. security, 9091

    • DFD, 8285

    • events, 190199

    • example of, 101102

    • factors of, 9293

    • flexibility, 91

    • guidance, 91

    • identifying threats, 108109

      • automation, 113115

      • severity of threats, 110

    • integration, 91

    • Microsoft Threat Modeling Tool, 9495

    • mitigation, 82, 91

    • OWASP Threat Dragon, 9697

    • phases of, 8184

    • pytm, 9798

    • risk management, 101

    • roadmaps, 115118

    • ROI, 88

    • searching for better processes, 8889

    • secure coding, 239242

    • security champions, 8889

    • STRIDE threat-classification, 8586

    • Threagile, 9293, 9899

    • threat identification phase, 82

    • Threat Modeling Manifesto, 80

    • Threats Manager Studio, 99101, 115119

    • tools (overview), 9192

    • trouble with, 8688

    • validation phase, 82

  • threats

    • detection, logging, 204

    • DoS attacks, 391

    • elevation of privileges attacks, 391

    • identification, 82, 108109, 113115

    • information disclosure attacks, 391

    • monitoring. See separate threat monitoring entry

    • repudiation attacks, 391

    • spoofing attacks, 391

    • tampering attacks, 391

  • Threats Manager Studio, 99101

  • time and date validation, data verification, 247

  • TLS (Transport Layer Security), 342

  • TME-MK (Total Memory Encryption-Multi-Key), Intel, 363364

  • tokens

  • “Too Many Requests” messages, 76

  • toolchains, defining, 11

  • Total Memory Encryption-Multi-Key (TME-MK), Intel, 363364

  • training, security, 6

  • Transparent Data Encryption (TDE), 406407

  • Transport Layer Security (TLS), 342

  • trunk (main branch) security, 438439

  • trust

    • boundaries, DFD, 8485

    • hardware root of trust, 359

    • trusted launches, 360, 366367

  • TrustZone, Arm, 363

U

  • UDR (User-Defined Routing), 446

  • unsecured SSH, 357

  • use analysis tools, 271273

  • UUID, version numbers, 324

V

  • validation

    • determining correctness, verifying data

      • high-level validation tools, 252

      • security decisions based on names, 253

      • validating comment fields, 249250

      • validating date and time, 247

      • validating open spots, 248249

      • validating vaccination center ID, 246

      • validating vaccination type, 248

    • tokens, 143146

    • validation phase, threat modeling, 82

  • variances, PCI DSS, 218

  • VBS (Virtualization-Based Security), 368

  • verifying data, 242

    • code verifiers, 135

    • determining correctness, 243

      • error handling, 253

      • Greek question mark, 251252

      • high-level validation tools, 252

      • HTML, 251

      • namespace std, 245246

      • real-world experience, 243245

      • security decisions based on names, 253

      • validating comment fields, 249250

      • validating date and time, 247

      • validating open spots, 248249

      • validating vaccination center ID, 246

      • validating vaccination type, 248

    • encoding data, 256

    • operations, Azure Key Vault, 290

    • rejecting known bad data, determining correctness, 253255

  • version numbers

  • Virtual Machine Scale Set (VMSS) agents, 440

  • Virtual Nets (VNets), 443445

    • ADO SHA, 456

    • agents, 456458

    • AKS, 457

    • allowed communications, 448

    • API Management Gateways, 451

    • ASG, 447

    • Azure Application Proxy, 451

    • Azure Firewall, 449450

    • Azure Firewall Premium SKU, 450

    • Azure WAF, 450451

    • cluster network policies, 457458

    • CNAME, 459460

    • DEV environments, 448

    • DEVINT environments, 448

    • DNS, 454455

    • hubs, 447

    • ingress/egress controls, 449, 457

    • IPv4, 445

    • IPv6, 445

    • landing zones, 447

    • managing, 456

    • NONPROD environments, 448

    • NSG, 446447

    • NVA, 449

    • PaaS

      • dedicated PaaS instances, 456

      • private networking, 451452

      • private shared PaaS, 452455

    • private endpoints, 454455, 457

    • PROD environments, 448

    • SANDBOX environments, 448

    • segmenting, 447448

    • shared app service plans, 455

    • spokes, 447

  • Virtualization-Based Security (VBS), 368

  • Vlisside, John, design patterns, 51

  • VM (Virtual Machines)

  • VMSS (Virtual Machine Scale Set) agents, 440

  • VNets (Virtual Nets), 443445

    • ADO SHA, 456

    • agents, 456458

    • AKS, 457

    • allowed communications, 448

    • API Management Gateways, 451

    • ASG, 447

    • Azure Application Proxy, 451

    • Azure Firewall, 449450

    • Azure Firewall Premium SKU, 450

    • Azure WAF, 450451

    • cluster network policies, 457458

    • CNAME, 459460

    • DEV environments, 448

    • DEVINT environments, 448

    • DNS, 454455

    • hubs, 447

    • ingress/egress controls, 449, 457

    • IPv4, 445

    • IPv6, 445

    • landing zones, 447

    • managing, 456

    • NONPROD environments, 448

    • NSG, 446447

    • NVA, 449

    • PaaS

      • dedicated PaaS instances, 456

      • private networking, 451452

      • private shared PaaS, 452455

    • private endpoints, 454455, 457

    • PROD environments, 448

    • SANDBOX environments, 448

    • segmenting, 447448

    • shared app service plans, 455

    • spokes, 447

  • vulnerabilities, 256257

    • authentication failures, 264266

    • binaries, signing, 268269

    • broken access control, 257

    • components, 264

    • cryptography failures, 257258

    • CVE, 230

    • CVSS, 230

    • data integrity failures, 266269

    • debugging security headers, 264

    • identification failures, 264266

    • injection, 258

    • inline scripts/styles, 260263

    • insecure design, 259

    • logging failures, 269

    • managing, 204205

    • misconfigured security, 259260

    • monitoring failures, 269

    • NVD, 230

    • scoring (CVSS), 7

    • signatures, checking, 268

    • software failures, 266269

    • SSRF, 269270

    • vulnerable/outdated components, 264

W

  • WAF (Web Application Firewalls), 30, 450451

  • weakest link, 4748

  • Well-Architected Framework, Azure, 53

  • Wikipedia, DMZ, 34

  • Windows VM, TLS, 352353

  • Wireshark, debugging TLS, 355356

  • workstations, PAW, 42

  • wrapping operations, Azure Key Vault, 290

  • Writing Secure Code, 6

X - Y - Z

  • XSS (Cross-Site Scripting), 30, 258

  • zero trust, 2731

  • ZKPP (Zero-Knowledge Password Proof), 151

  • ZRS (Zone-Redundant Storage), 47

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.238.82.77