Multi Cloud Solutions

Security aspects in code

There are different aspects which must be considered in source code for a better code quality and security. Some of them from the past time that we didn’t upload our source code in GitHub or other code repositories like:

Data injection
Database connection string

Some other aspects belong to nowadays that we upload code to repositories and using cloud:

Database connection string
Client Credentials such as Client Secrets
Access Keys to external APIs
Certificates
Encryption Keys

And of course there’s solution for each of the issues.

In the following link I’ll explain how we can solve the above issues via Azure Key Vault.

Azure Key Valut

Code Quality, KnowHow

Fluent Interface

In software engineering, a fluent interface is a method for designing object oriented APIs based extensively on method chaining with the goal of making the readability of the source code close to that of ordinary written prose, essentially creating a domain-specific language within the interface [Wiki].

For example for Stablishing a connection to a database and fetch orders data in a table with common developmment.

var connection = new SqlConnection(connectionString);

SqlCommand command = connection.CreateCommand();
command.CommandType = CommandType.Text;
command.CommandText = "SELECT * FROM Orders WHERE OrderId = @OrderId ";

SqlParameter parameter = command.CreateParameter();
parameter.DbType = DbType.Int32;
parameter.ParameterName = "@OrderId ";
parameter.Value = inputOrderId;

var adapter = new SqlDataAdapter();
adapter.SelectCommand = command;

var table = new DataTable();

connection.Open();
adapter.Fill(table);
connection.Close();
connection.Dispose();
command.Dispose();

var orders = new List<Order>();
foreach (DataRow row in table.Rows)
{
    var order = new Order
    {
        OrderId = (int)row["OrderId"],
        OrderedByName = (string)row["OrderedByName"],
        DeliveryAddress = (string)row["DeliveryAddress"]
    };

    orders.Add(order);
}

But of course it can be shorter with using of Fluen Interface

List<Order> Orders= new SqlQuery(connectionString)
    .SetCommandText("SELECT * FROM Orders WHERE OrderId = @OrderId")
    .AddParameter("@OrderId", OrderId, DbType.Int32)
    .GetDataTable()
    .GetList<Order>();

Follow on Instagram

Azure Cloud, Industry

Glossary

Data Protection

GDPR	General Data Protection Regulation

Azure Cloud

Resource	Word	Description
	API	Application Programming Interface
	API Management	Application Programming Interface Management
	API Gateway



	Azure Data Factory, Pipeline, Activity
	Azure Databricks
	Storage Account
	Container and Blob Storage
	Event Grid, Event Source, Event Handler

	Service Bus, Topic, Message Queue
Subscription Resource	RBAC	Role-Based Access Control. For specifiying the permissions and privilages on a user for a group at different levels. – Subscription Level – Resource level.
Virtual Network	VNET	Virtual Network
Virtual Network	Site-to-Site
Virtual Network	Point-to-Site
Virtual Network	ExpressRoute
	Azure Service Bus Relay Connection	It must be installed
–	Serverless Computing	The logics which doesn’t need resources, as long as they are executed.
Serverless Computing	Logic App
Serverless Computing	Azure Function	For developing Microservices
	Azure Service Fabric (ASF)	For developing Microservices
	Azure Kubernetes Service (AKS)	For developing Microservices

	RDP Connection
	IAM	Identity Access Management
	SSL	A Protocol for remote desktop.
	RDP	Remote Desktop Protocol
	ARM	Azure Resource Manager
Active Directory	SSPR	Self-Service Password Reset
Active Directory	Azure Active Directory (AAD)	For centralized identity management purposes.
Active Directory	MFA	Multi Factor Authentication
Key/Vault	MSI	Managed Service Identity

Authentications

OAuth 2.0	For Token-based API communication.
SAML 2.0	Srcurity Assertion Markup Language. Standard for exchanging authentication and authorization data between security domains for App Authentication (Single Sign in).
OpenID Connect	OpenID Connect is a simple identity layer on top of the OAuth2 protocol. It extends OAuth2
SAS	Shared Access Signature -> in this type of security we have the primary and secondary keys and connection strings.

Kubernetes

Ingress	Enabling Traffic: Opening the cluster to receive external client traffic. Traffic Routing: Define traffic routes to backend services. Traffic Reliability: Ensuring reliable, secure communication
Pod	The smallest deployable unit, which will be comprised of one or more containers.
Pause container	Establishes a network namespace which all containers in the pod will share. It’s the first container to be created when the pod is created, the last container to be removed when a pod is removed and simply executes a small program which does nothing until a signal is called instructing it to terminate. Network is Linux base. Plural Sight Training
Inter pod communication
Virtual ethernet bridge	Pods communicate to eachother because their virtual network namespace is attached to a virtual ethernet bridge in the host nodes network namespace. The bridge works at layer two of the OSI networking model.
Container Networking Interface (CNI)
Service Object	It can be defined in YAML.

The azure resources with SAS:

Service Bus
Storage Account

DevOps, KnowHow

DevOps Built-in Access Levels, Security Groups and AAD Groups

Scenario:

in large organizations it’s so important that not all the colleagues who are working together on a project to be able to release/ deploy the product in production environment.

There must be always a check list to get ready for deploying in production. Nowadays this check list is called continuous integration/deploy (CI/CD).

The check list before deploy the product on production environment

Therefore the project team try to grant permission according to the responsibilities and tasks or each colleagues to team. On of the tools which we can use to develop a project with the agile method is Azure DevOps.

There is also possible to assign built-in Access Level and Security Group to each member of team as explained in follows.

The users/ members in Azure DevOps always have an assigned DevOps Group and Access Level.

DevOps Built-in Access Level

Access Level defines the Azure DevOps Features that a user or group can use.

Access Levels	Description
Basic	Basic supports full access to all Azure DevOps Board features
Stakeholders	Provides partial support for viewing and modifying work items but not using all features.
Visual Studio Subscriber	Free access to a limited set of features.

DevOps built-in security Groups

Security Groups define what users of groups can do with each Azure DevOps features.

Azure DevOps has mainly two different level of built-in groups [Microsoft Doc]:

Collection-Level
Project-Level

The Team Administrator is the person who can grant permissions to specific features.

Note

Your Text Here

Project-Level Security Groups

Each project contains the following built-in groups:

Build Administrator
Contributor
Project Administrators
Project Valid Users
Readers

<ProjectName> Team

DevOps Security Groups	Description [Microsoft Doc]
Project readers	Permission to view project information, the code base, work items, and other artifacts but not modify them.
Project Contributors	Permission to contribute fully to the project code base and work item tracking. They cannot manage or administrator resources.
Project Administrators	Permission to administer all aspects of teams and project. Although they cannot create team projects.

Combination Matrix of the Access Level and Security Group in Project-Level

DevOps Security Groups	Access Levels	Description
Project Readers	Stakeholder	–
Project Readers	Basic	–
Project Readers	Visual Studio subscriber	–
Project Contributors	Stakeholder	Managers or users who don’t actively contribute to the code base but want to check project status or provide direction, feedback, feature ideas, and business alignment to a team.
Project Contributors	Basic	Full-time workers who contribute to the code base or manage project.
Project Contributors	Visual Studio subscriber	Code base contribution
Project Administrators	Stakeholder	The users, who are tasked to managing project resources. If them also need to contribute to the code base, then the Basic Access Level must be assigned to them.
Project Administrators	Basic	Managing project resources + Code base contribution
Project Administrators	Visual Studio subscriber	Code base contribution

Combination Matrix of the Access Level and Security Group in Collection-Level

DevOps Security Groups	Access Levels	Description
Project Collection Administrators	Stakeholders	The users, who are tasked with managing organization or collection resources and if they need to be contributed to the code base then they must be assigned to Basic Access Level.
Project Collection Administrators	Basic	–
Project Collection Administrators	Visual Studio Subscriber	–

Azure DevOps Levels

DevOps can be configured at different levels:

Organization/Collection
Project
Object

The focus of this document is Project-Level and object-Level.

Object-Level Groups

Managing the permission on Git branches.

Using Azure ADD Group in Azure DevOps

For managing the users the Azure DevOps can be connected to Azure AD. The AAD Groups can be used in Azure DevOps as well. But the Active directory Group hierarchy is not usable in Azure DevOps. It means the sub groups will not inherit the access level and permission group of their parent group.

Each AAD parent and sub group must be added separately to Azure DevOps and an Access Level and a Permission Group must be assigned to each one separately them.

The users which are assigned to the same AAD Group will have the same Access Level and Permission Group, which has been assigned to this AAD group in Azure DevOps.

Note

Your Text Here

The Advantage is: