Secure your Web App in Azure at DDD14

I had the great pleasure of giving an updated version of my “Secure your Web App in Azure” talk at Developer Developer Developer 14 in Reading on 12 October 2019.

A video of the whole talk is available below.

I touch on a whole range of Azure technologies, but mostly I introduce and expand on a simple framework to think about and manage your exposure.

Example of exposure and mitigation

(Columns: External Actors | Internal Actors)
PREVENT
  • Secure your code – see Troy Hunt’s courses as a starting point.
  • Lock down your servers
  • Use Firewalls and Intrusion Detection/Prevention Systems
  • Encrypt everything in transit
  • Protect your passwords/secrets
  • Process for granting and removing access
  • Use Azure AD for all access, including SQL
  • Audit who has access on a regular basis and remove unnecessary access
DETECT
  • Log and alert on any unusual application activity
    • 403s and 404s
    • Failed logins
    • High CPU/memory, increased load
    • etc.
  • Use Advanced Threat Protection
  • Log and alert on all access to the backend by internal users
  • Log and alert on unusual access patterns by application users
  • Consider DLP tools
MITIGATE
  • Encrypt sensitive data at the application layer
  • Have ways of locking out certain users or IP addresses
  • For very sensitive systems, consider multi-layered architectures to contain breaches
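The DETECT items above ask for logging and alerting on unusual application activity such as bursts of 403s and 404s and failed logins, and the MITIGATE items ask for a way to lock out particular users or IP addresses. The following is an added example, not code from the talk or its slides: a small Python detector that reads constructed web-app access log lines, tallies 404s, 403s and failed logins per client, and returns which clients to alert on and which to lock out. The log line format, the login path, the thresholds and the sample log are all assumptions made for this example.

```python
"""
Added example (not from the talk or its slides): scan access log lines for the
kinds of "unusual application activity" named in the DETECT list (bursts of
403/404 responses and failed logins per client) and decide which clients to
alert on and which to lock out. Log format, thresholds and sample lines are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed log format, loosely modelled on a W3C-style access log:
# timestamp client_ip method path status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class ClientStats:
    requests: int = 0
    not_found: int = 0      # 404s: probing for paths that do not exist
    forbidden: int = 0      # 403s: probing for protected resources
    failed_logins: int = 0  # POSTs to the login endpoint that did not succeed
    paths: set = field(default_factory=set)


@dataclass
class Finding:
    ip: str
    reasons: list
    lock_out: bool


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def collect_stats(lines, login_path="/account/login"):
    """Aggregate per-client counters over an iterable of log lines."""
    stats = defaultdict(ClientStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, but worth its own alert in practice
        s = stats[rec["ip"]]
        s.requests += 1
        s.paths.add(rec["path"])
        status = int(rec["status"])
        if status == 404:
            s.not_found += 1
        elif status == 403:
            s.forbidden += 1
        # Assumption for this example: a POST to the login path that does not
        # end in a redirect (302) is a failed login.
        if rec["method"] == "POST" and rec["path"] == login_path and status != 302:
            s.failed_logins += 1
    return stats


def evaluate(stats, max_failed_logins=5, max_404=10, max_403=5):
    """Turn counters into findings; thresholds are illustrative, not tuned."""
    findings = []
    for ip, s in stats.items():
        reasons = []
        if s.failed_logins >= max_failed_logins:
            reasons.append(f"{s.failed_logins} failed logins")
        if s.not_found >= max_404:
            reasons.append(f"{s.not_found} 404s across {len(s.paths)} paths")
        if s.forbidden >= max_403:
            reasons.append(f"{s.forbidden} 403s")
        if reasons:
            # Lock out only on credential guessing; 403/404 bursts are alerted on.
            findings.append(Finding(ip, reasons, s.failed_logins >= max_failed_logins))
    return sorted(findings, key=lambda f: f.ip)


def analyse(log_text):
    return evaluate(collect_stats(log_text.splitlines()))


# Constructed sample: one normal user, one password-guessing client, one path scanner.
SAMPLE_LOG = """\
2019-10-12T10:00:01Z 192.0.2.5 GET / 200
2019-10-12T10:00:02Z 192.0.2.5 GET /account/login 200
2019-10-12T10:00:05Z 192.0.2.5 POST /account/login 302
2019-10-12T10:00:06Z 192.0.2.5 GET /dashboard 200
""" + "".join(
    f"2019-10-12T10:01:{i:02d}Z 203.0.113.10 POST /account/login 401\n" for i in range(6)
) + "".join(
    f"2019-10-12T10:02:{i:02d}Z 198.51.100.7 GET /archive/{i}.html 404\n" for i in range(12)
)

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{'LOCK OUT' if f.lock_out else 'ALERT':8} {f.ip}: {'; '.join(f.reasons)}")
```

In an Azure Web App the same counters would normally come from Application Insights or diagnostic logs rather than a text file, and the lock-out decision would feed an IP restriction or a sign-in block rather than a print statement; the point of the example is the shape of the rule, which separates the "alert" cases (path scanning) from the "act" case (credential guessing).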

Video of the whole talk

Slides

View the slides on Slide Share:

Secure your Azure Web App 2019 from Frans Lytzen

… or download from GitHub