429 (“Too Many Requests”) messages, 76
AAD (Azure Active Directory)
acceptability, psychological, 45
accepting risk, PCI DSS, 218
access
accounts, break-glass accounts, 298
Active Directory Authentication Library (ADAL), 131
AD (Active Directory)
ADAL (Active Directory Authentication Library), 131
adding audit logs with Azure Policy, 189
Addiscott, Richard, threat modeling, 89
ADO SHA (Azure DevOps Self-Hosted Agents), 456
Agile development, characteristics of, 23
Agile SDL (Security Development Lifecycle)
Alexander, Christopher, design patterns, 51
allLogs, 175
allowed communications, VNets, 448
analysis phase, threat modeling, 82
analyzing
API (Application Programming Interface)
Application Programming Interface (API)
Application Security Groups (ASG), 447
applications
AppServiceAppLogs, 173
AppServiceAuditLogs, 173
AppServiceConsoleLogs, 173
AppServiceHTTPLogs, 173
AppServicePlatformLogs, 174
Arm TrustZone, 363
ASG (Application Security Groups), 447
asset management, 204
assigning
assume-breach, 29
assumptions, mitigations, 113
ATT&CK, 231
attack surfaces
attacks. See also threat modeling
auditing
allLogs, 175
AppServiceAppLogs, 173
AppServiceAuditLogs, 173
AppServiceConsoleLogs, 173
AppServiceHTTPLogs, 173
AppServicePlatformLogs, 174
Azure Monitor
Azure Policy, adding audit logs, 189
Azure Sentinel, 186
category groups, 175
crypto-shredding, 186
data plane, 404
intentional security monitoring/auditing, 190
logging for auditing, defined, 172
SQL Server and database security, 395
automation
Azure
App Services, 47
App Services Web App Containers, 377
ASB, 202
Blueprints, 167
confidential containers, 380
Container Apps, 378
cryptographic services (overview), 329
Dedicated Hosts, 41
dedicated hosts, 27
Disk Encryption, 336
Function Containers, 377
Initiatives, 210
FIPS 140 and managed HSM, 224
Policy, 209
rules of engagement, 275
secure design, 32
Sentinel, 186
storage, redundancy levels, 47
Storage, Azure Monitor, 174
Storage Keys, 107
VM
Well-Architected Framework, 53
Azure Application Proxy, 451
Azure DevOps Self-Hosted Agents (ADO SHA), 456
Azure Firewall Premium SKU, 450
Azure Key Vault, 66–69, 76, 288
break-glass accounts, 298
“bring your own key” strategy, 301
certificates, 288
compound identities, 299
contributor permissions, 297
customer-managed keys, 306
elliptic-curve keys, 301
encrypting operations, 290
FIPS 140 and managed HSM, 224
honey keys, 303
HSM
Microsoft Defender, 306
permission models
RSA, 301
secrets, 288
secure keys, 312
templates, 300
verifying operations, 290
wrapping operations, 290
Azure Monitor
Azure Policy, adding audit logs, 189
Azure SQL Managed Instance, 395
CAE (Continuous Access Elevation), 131
CAPEC (Common Attack Pattern Enumeration and Classification), 231
Carielli, Sandy, threat modeling, 89
Carmack, John, static analysis tools, 14
certificates, keys, 288
Chambers, John T., hacks, 172
CI/CD (Continuous Integration/Continuous Deployment)
CIS (Center for Internet Security), benchmarks, 80–81, 226–227
classification, data discovery, 409
clients
cloud computing
clusters
code security
attackers
hashes in coding, 341
insecure coding, 237
revocation checking, 266
verifying data, 242
code verifiers, 135
Coles, Matthew J., threat modeling, 81
column encryption, 408
Common Attack Pattern Enumeration and Classification (CAPEC), 231
Common Vulnerabilities and Exposures (CVE), 230
Common Weakness Enumeration (CWE), 231
communications (allowed), VNets, 448
compensating controls, 286
components
compound identities, 299
compromises
confidential computing
connection strings, SQL, 402
consent
Content-Security-Policy (CSP), 260
Continuous Access Elevation (CAE), 131
Continuous Integration/Continuous Deployment (CI/CD)
contributor permissions, 297
correctness (verifying data), determining, 243
crypto shredding, 407
cryptography, 391
Azure Disk Encryption, 336
Azure Key Vault, 288
break-glass accounts, 298
“bring your own key” strategy, 301
certificates, 288
compound identities, 299
contributor permissions, 297
customer-managed keys, 306
Dedicated HSM, 309
elliptic-curve keys, 301
encrypting operations, 290
honey keys, 303
Microsoft Defender, 306
Payment HSM, 309
RSA, 301
secrets, 288
secure keys, 312
selecting permission models, 295
switching permission models, 292
templates, 300
verifying operations, 290
wrapping operations, 290
Azure services (overview), 329
client-side cryptography, 331
compensating controls, 286
DEK, 329
delimiters, 323
ECDSA, 353
hashes in coding, 341
KEK, 329
keys
Office (MS) documents, 317
RSA, 353
SSL, 342
unsecured SSH, 357
crypto-shredding, 186
CSP (Content-Security-Policy), 260
custom events
CVE (Common Vulnerabilities and Exposures), 230
CWE (Common Weakness Enumeration), 231
data discovery/classification, 409
data encryption
data protection
data recovery, governance, 205
data verification, 242
database security
Azure Security Baseline, 411
Azure SQL Managed Instance, 395
crypto shredding, 407
cryptographic controls, 393
data discovery/classification, 409
dynamic data masking, 408
golden rules, 394
importance of, 391
remote attestation, 431
secure enclaves, 431
SQL Server family (overview), 394
SQL Server IaaS Agent, 411
supported products, 392
techniques (overview), 392
data-flow analysis, 18
date and time validation, data verification, 247
debt, technical security, 19
debugging
Dedicated HSM, Azure Key Vault, 309
dedicated PaaS instances, 456
Defender, Microsoft, Azure Key Vault, 306
Defender for Containers, Microsoft, 386
defining
delegated permissions, 138
delimiters, cryptographic agility, 323
denying role assignments, 167
deployments
design patterns, 51. See also security patterns
design security
AD Access Reviews, 42
AD PIM, 46
assume-breach, 29
Azure security design principles, 32
Dedicated Hosts, 41
dedicated hosts, 27
encrypting data in transit, 29
firewalls, 27
insecure design, 259
micro-segmenting networks, 29
monitoring, 29
PAW, 42
PIM, 28
policy-based authorization, 28
prioritizing mitigations, 48
psychological acceptability, 45
residual risk, 37
scanning, 29
shifting left, 31
SQLMap, 30
WAF, 30
determining correctness, verifying data, 243
deterministic encryption, 73
DEV environments, 448
developers
development, logging for, 172
device code flows, 136
DEVINT environments, 448
DevOps
disclosure attacks, information, 391
discovery/classification, data, 409
Disk Encryption, Azure, 336
documentation
DTD bomb attacks, 13
dynamic data masking, 408
ECDSA (Elliptic Curve Digital Signature Algorithm), 353
education (security), governance, 206
elevation of privileges attacks, 391
elliptic-curve keys, 301
enclaves, secure, 431
encoding data, verifying data, 256
encryption
endpoints, 205
Entra, 130
EPAC (Enterprise Policy as Code), 212
error handling, determining correctness by verifying data, 253
Event Hub, Azure Monitor, 174
events
Fahmy, Sonia, firewalls, 27
Fair Institute, 32
FedRAMP (Federal Risk and Authorization Management Program), 218–219, 221
FIPS 140 (Federal Information Processing Standard 140), 221–222
firewalls, 27
flexibility, threat modeling, 91
flows
formatting data, manipulating by format, 280
Forrester and Gartner, threat modeling, 89
fragmentation, containers, 383
frameworks, Azure Well-Architected Framework, 53
Frantzen, Michael, firewalls, 27
Function Containers, Azure, 377
Gamma, Erich, design patterns, 51
gate tools, quality, 20
Geo-Redundant Storage (GRS), 47
Geo-Zone-Redundant Storage (GZRS), 47
GitHub
golden rules, 394
governance
ASB, 202
asset management, 204
automating deployments, 206
Azure Initiatives, 210
Azure Policy, 209
backups, 205
data recovery, 205
developers, 201
DevOps, 205
documentation, 206
endpoint security, 205
enforcement, 206
identity management, 203
incident response plans, 204
logging, 204
network security, 202
privileged access, 203
security education, 206
strategies, 205
grant flows. See flows
Greek question mark, determining correctness by verifying data, 251–252
GRS (Geo-Redundant Storage), 47
GUID, version numbers, 324
guidance, threat modeling, 91
GZRS (Geo-Zone-Redundant Storage), 47
hardware root of trust, 359
hashes in coding, 341
Health Information Trust (HITRUST), 216
Health Insurance Portability and Accountability Act (HIPAA), 215–216
Helm, Richard, design patterns, 51
HIPAA (Health Insurance Portability and Accountability Act), 215–216
HITRUST (Health Information Trust), 216
honey keys, 303
HoneyPi, 171
honeypots, 171
hosting, applications, 133
hosts
HSM (Hierarchical Storage Management)
HTML (Hypertext Markup Language), determining correctness, verifying data, 251
HTTP (Hypertext Transfer Protocol), AppServiceHTTPLogs, 173
hubs, 447
IaC (Infrastructure as Code), 443
ID tokens, 138
compound identities, 299
defined, 124
DevOps, 438
Entra, 130
managing
modern identity, access management, 125
providers, 134
images, containers, 385
immaturity, containers, 383
implicit flows, 136
incremental consent, 140
information
Infrastructure as a Service (IaaS)
Infrastructure as Code (IaC), 443
Initiatives, Azure, 210
injection, 258
insecure coding, 237
insecure design, 259
integration
Intel
intentional security monitoring/auditing, 190
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
Internet
Internet Protocol version 6 (IPv6), 445
Investment (ROI), Return on, threat modeling, 88
IPv4 (Internet Protocol version 4), 445
IPv6 (Internet Protocol version 6), 445
ISO/IEC (International Organization for Standardization/International Electrotechnical Commission)
isolating
Kamara, Seny, firewalls, 27
Kerckhoffs’ Principle, 44
Kerschbaum, Florian, firewalls, 27
Key Vault, Azure, 66–69, 76, 288
break-glass accounts, 298
“bring your own key” strategy, 301
certificates, 288
compound identities, 299
contributor permissions, 297
customer-managed keys, 306
elliptic-curve keys, 301
encrypting operations, 290
FIPS 140 and managed HSM, 224
honey keys, 303
HSM
Microsoft Defender, 306
permission models
RSA, 301
secrets, 288
secure keys, 312
templates, 300
verifying operations, 290
wrapping operations, 290
keys
agreements, 344
authentication keys, 338
Azure Key Vault. See separate entry
Azure Storage Keys, 107
“bring your own key” strategy, 301
certificates, 288
cryptography, defined, 287
customer-managed keys, 306
elliptic-curve keys, 301
exchanges, 344
honey keys, 303
Intel SGX, 364
PKCE, 135
secrets, 288
signing keys, 338
Kubernetes
Kuriel, Maor, Kubernetes (AKS), 107
landing zones, 447
LeBlanc, David, Writing Secure Code, 6
Litchfield, David, determining correctness, 243
Local Redundant Storage (LRS), 47
Log Analytics workspaces, Azure Monitor, 176
logging
allLogs, 175
AppServiceAppLogs, 173
AppServiceAuditLogs, 173
AppServiceConsoleLogs, 173
AppServiceHTTPLogs, 173
AppServicePlatformLogs, 174
for auditing, defined, 172
Azure Monitor
Azure Policy, adding audit logs, 189
Azure Sentinel, 186
category groups, 175
crypto-shredding, 186
defined, 172
for development, defined, 172
failures, 269
governance, 204
intentional security monitoring/auditing, 190
monitoring, defined, 172
threat detection, 204
login credentials, storage, SQL Server, 398
LRS (Local Redundant Storage), 47
malware, TEE code, 362
Managed HSM
Managed OpenShift, 381
managing
manipulating data by format, 280
masking dynamic data, 408
mechanisms
memory
micro-segmenting networks, 29
Microsoft
Defender, Azure Key Vault, 306
Defender for Containers, 386
Entra, 130
Office (MS) documents, defined, 317
SDL
mitigation
modern identity, access management, 125
monitoring
allLogs, 175
AppServiceAppLogs, 173
AppServiceAuditLogs, 173
AppServiceConsoleLogs, 173
AppServiceHTTPLogs, 173
AppServicePlatformLogs, 174
Azure Monitor
Azure Policy, adding audit logs, 189
Azure Sentinel, 186
category groups, 175
crypto-shredding, 186
defined, 172
failures, 269
intentional security monitoring/auditing, 190
secure design, 29
Mueller III, Robert S., hacks, 172
names, security decisions based on, 253
National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD), 230
.NET code, TLS, common mistakes, 354
networks
ADO SHA, 456
AKS, 457
micro-segmenting networks, 29
security, governance, 202
segmenting
ADO SHA, 456
AKS, 457
allowed communications, 448
API Management Gateways, 451
ASG, 447
Azure Application Proxy, 451
Azure Firewall Premium SKU, 450
dedicated PaaS instances, 456
DEV environments, 448
DEVINT environments, 448
hubs, 447
landing zones, 447
managing, 456
NONPROD environments, 448
NVA, 449
PROD environments, 448
SANDBOX environments, 448
shared app service plans, 455
spokes, 447
NIST (National Institute of Standards and Technology)
nodes, AKS, 387
NONPROD environments, 448
NVA (Network Virtual Appliances), 449
NVD (National Vulnerability Database), 230
OBO (On-Behalf-Of) flows, 135
Office (MS) documents, defined, 317
On-Behalf-Of (OBO) flows, 135
Open Web Application Security Project (OWASP), 229
OpenShift, Managed, 381
outdated components, 264
OWASP (Open Web Application Security Project), 229
Partner Solution, Azure Monitor, 174
passwordless authentication, 152
passwords
patterns
PAW (Privileged Access Workstations), 42
Payment Card Industry Data Security Standard (PCI DSS), 217–218
Payment HSM, 309
PCI DSS (Payment Card Industry Data Security Standard), 217–218
penetration testing (pentests), 19
perimeter defenses, firewalls, 27
permissions
PKCE (Proof Key for Code Exchange), 135
planning, incident response plans, 18
Policy, Azure, 209
policy-based authorization, 28
PR (Pull Requests), approvals, 437
prioritizing mitigations, 48
privileged access, 203
Privileged Access Workstations (PAW), 42
privileges
processors, confidential computing, 361
PROD
Proof Key for Code Exchange (PKCE), 135
psychological acceptability, 45
public clients, 137
public repos, GitHub, 441
Pull Requests (PR), approvals, 437
RBAC (Role-Based Access Control), 61–62, 163–164, 206, 210–211, 291–299, 416–419
Reagan, U.S. President Ronald, verifying data, 242
reconnaissance attacks, 171
recovery, governance, 205
redundancy levels, Azure storage, 47
Reed, Brian, threat modeling, 89
refresh tokens, 138
registration, OAuth2 applications, 129
repudiation attacks, 391
residual risk, 37
Resource Owner Password Credentials (ROPC) flows, 136
resource servers, 134
resource tokens, data plane authorization, Cosmos DB Security, 416
Return on Investment (ROI), threat modeling, 88
revocation checking, 266
risk
RiskLens, 32
ROI (Return on Investment), threat modeling, 88
Role-Based Access Control (RBAC), 61–62, 163–164, 206, 210–211, 291–299, 416–419
roles
root of trust, hardware, 359
ROPC (Resource Owner Password Credentials) flows, 136
routing
rules
SAFECode, threat modeling, 89
Saltzer, Jerome
SAML (Security Assertion Markup Language), 129
SANDBOX environments, 448
SAS (Shared Access Signature) tokens, 158
saving KQL queries, 180
SCA (Software Component Analysis) tools, CI/CD, 436
scanning, secure design, 29
Schoenfeld, Brook S. E., threat modeling, 81
Schroeder, Michael
Schultz, Eugene, firewalls, 27
scopes
scoring vulnerabilities (CVSS), 7
scripting
SDL (Security Development Lifecycle)
SecOps (Security Ops), 125
secrets, keys, cryptography, 288
secrets and service connections, CI/CD, 438
secrets management patterns, 64
secure coding
attackers
hashes in coding, 341
insecure coding, 237
revocation checking, 266
verifying data, 242
secure design
AD Access Reviews, 42
AD PIM, 46
assume-breach, 29
Azure security design principles, 32
Dedicated Hosts, 41
dedicated hosts, 27
encrypting data in transit, 29
firewalls, 27
micro-segmenting networks, 29
monitoring, 29
PAW, 42
PIM, 28
policy-based authorization, 28
prioritizing mitigations, 48
psychological acceptability, 45
residual risk, 37
scanning, 29
shifting left, 31
SQLMap, 30
WAF, 30
secure enclaves, 431
Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), AMD, 362–363
Secure Sockets Layer (SSL), 342
security
Security Assertion Markup Language (SAML), 129
Security Baseline, Azure, 411
security controls, types of, 36
security headers, debugging, 264
security patterns. See also design patterns
selecting permission models, 295
sensitive information, management patterns, 69
servers
service plans, shared app, 455
services
severity of threats, identifying, 110
SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging), AMD, 362–363
Shared Access Signature (SAS) tokens, 158
shared app service plans, 455
shifting left, 31
Shostack, Adam, threat modeling, 81
signatures, checking, 268
signing keys, 338
software
source control systems, 436
specifying, severity of threats, 110
spokes, 447
spoofing attacks, 391
SQL (Structured Query Language)
SQL Managed Instance, Azure, 395
SQL Server
SQLi (SQL injection), 258
SQLMap, 30
SSH (Secure Shell), unsecured, 357
SSL (Secure Sockets Layer), 342
storage
Storage Keys, 107
Structured Query Language. See SQL
supply chain attacks, 436
switching, permission models, 292
tampering attacks, 391
Tarandach, Izar
technical security debt, 19
templates, Azure Key Vault, 300
testing
threat modeling, 10, 32, 79. See also threats (separate entry)
threats
time and date validation, data verification, 247
TLS (Transport Layer Security), 342
tokens
“Too Many Requests” messages, 76
toolchains, defining, 11
training, security, 6
Transport Layer Security (TLS), 342
trust
TrustZone, Arm, 363
validation
determining correctness, verifying data
validation phase, threat modeling, 82
variances, PCI DSS, 218
VBS (Virtualization-Based Security), 368
verifying data, 242
code verifiers, 135
determining correctness, 243
encoding data, 256
operations, Azure Key Vault, 290
version numbers
Virtual Machine Scale Set (VMSS) agents, 440
ADO SHA, 456
AKS, 457
allowed communications, 448
API Management Gateways, 451
ASG, 447
Azure Application Proxy, 451
Azure Firewall Premium SKU, 450
DEV environments, 448
DEVINT environments, 448
hubs, 447
landing zones, 447
managing, 456
NONPROD environments, 448
NVA, 449
PaaS
PROD environments, 448
SANDBOX environments, 448
shared app service plans, 455
spokes, 447
Virtualization-Based Security (VBS), 368
Vlissides, John, design patterns, 51
VM (Virtual Machines)
VMSS (Virtual Machine Scale Set) agents, 440
ADO SHA, 456
AKS, 457
allowed communications, 448
API Management Gateways, 451
ASG, 447
Azure Application Proxy, 451
Azure Firewall Premium SKU, 450
DEV environments, 448
DEVINT environments, 448
hubs, 447
landing zones, 447
managing, 456
NONPROD environments, 448
NVA, 449
PaaS
PROD environments, 448
SANDBOX environments, 448
shared app service plans, 455
spokes, 447