Even if software security isn’t your full-time job, people are going to expect you, as a developer, to know what is going on. The good news is there are amazing security innovations happening right now, like using machine learning to analyze security threats with Azure Sentinel and Semmle’s semantic understanding engine to defend against cybersecurity vulnerabilities in open source code on GitHub. But we will touch more on this later!
At a more basic level, when you use Microsoft Azure or Office 365, you have the ability to add automated defenses against common threats like Distributed Denial of Service (DDoS) attacks and investigate suspicious activity in your enterprise infrastructure. These defenses include:
- Azure DDoS Protection: Available in both Basic (free) and Standard versions, DDoS protection will mitigate some of the most common malicious threats against your websites and services. While Basic DDoS Protection gives you active traffic monitoring and automatic attack mitigations, Standard additionally provides mitigation against:
  - Volumetric attacks, including UDP floods, amplification floods, and other spoofed-packet floods.
  - Protocol attacks, including SYN flood attacks, reflection attacks, and other protocol attacks.
  - Resource layer attacks, including HTTP protocol violations, SQL injection, cross-site scripting, and other layer-7 attacks.
If you need a refresher on what DDoS attacks are, Anupam Vij and Scott Hanselman created a great video explaining why it is critical for every business running in Azure to use these services to enhance their security profile.
- Azure Advanced Threat Protection: ATP is an enterprise solution that protects your on-premises Active Directory and/or users synced to your Azure Active Directory. It is a cloud-based service that monitors and profiles user behavior, identifies suspicious activity, and investigates alerts and user actions.
- Microsoft Cloud App Security: MCAS is an add-on for Office 365 that alerts you to suspicious activity on your Office 365 subscription, Azure, and other cloud apps.
- Azure Security Center: ASC helps you protect your Azure infrastructure, Windows VMs, and Linux VMs. As we move into a world with more devices and sensors being managed over Azure, we are fortunate to have a special version of ASC known as Azure Security Center for IoT, which helps you make sure your edge computing infrastructure, cameras, and other IoT devices are not compromised.
- Microsoft Security Code Analysis: MSCA plugs into your Azure DevOps continuous integration and delivery (CI/CD) pipeline. If you aren’t already doing continuous integration as part of your development routine, then MSCA is the tool that will get you to start. On every automated build, Security Code Analysis will perform the following checks for you:
  - An anti-malware scanner will run Windows Defender against your app.
  - BinSkim will validate compiler settings, linker settings, and other security-relevant characteristics of binary files.
  - A credential scanner will make sure you are not exposing any passwords or secrets.
  - Microsoft Security Risk Detection (MSRD) will perform fuzz testing, identifying exploitable security bugs in your software.
  - If you are using a Microsoft-managed language, Roslyn-based Analyzers will perform a static analysis of your managed C# and Visual Basic code.
  - If you are using TypeScript, TSLint will perform static analysis on your code.
When we look to the future of code and app security, we all hope for even greater automation beyond what these tools and services provide today. This is where machine learning comes in. Azure Sentinel is an AI-based solution that connects to your resources and intelligently looks for new threats and suspicious activity. It uses data connectors to integrate with Azure AD, Azure Security Center, Azure Advanced Threat Protection, and Microsoft Cloud App Security. If you happen to have resources on AWS, you can even use Azure Sentinel to analyze your AWS CloudTrail data. Impressed?
Another jaw-dropping use of machine learning is happening with GitHub’s acquisition of Semmle, which has a semantic-understanding engine for open source code. If you work on GitHub, you may occasionally have qualms about finding the perfect code to solve your problem but being uncertain of its provenance. Semmle provides a declarative query language to search for insecure code patterns. More ambitiously, Semmle is cataloging open source queries for common vulnerabilities, which can then be run against any open source code you are consuming in your own code base. This is the first step in making all the open source code on GitHub fully reliable, removing a major barrier that has been hampering the spread of open source software. It has the potential to change the future of the open source movement.
If you would like to learn more about these security topics, Microsoft Learn has several courses available to help you become an expert on software and cloud security:
- Learn how to secure resources using policy, role-based access control and other Azure services.
- Learn how to work with subscriptions, users, and groups by configuring Microsoft Azure Active Directory for workloads.
- Learn how to configure security policies and manage security alerts with the tools and services in Azure.
- Learn how to secure your Azure apps and associated data with encryption, certificates, and policy.
- Learn how to configure, protect, and isolate your networks in Azure.
- Learn how to protect and harden your virtual machines in Azure.
In addition to all of these great resources, the RSA Conference will be held in San Francisco from February 24-28, giving you an opportunity for an up-to-date deep dive into the world of software security!
Updated Feb 14, 2020
Version 7.0
livelovegeek
Microsoft
Microsoft Developer Community Blog