

AZ-400 - Develop a Security and Compliance Plan | JavaInUse


1. Pipeline Variables and Secrets

Managing sensitive data in CI/CD pipelines is a critical security concern. Azure DevOps provides several mechanisms for handling secrets safely in build and release pipelines.

Variable Types

Pipeline Variables

Variables in Azure Pipelines can be defined at multiple scopes: Pipeline-level (inline in YAML or in the UI), Stage-level, Job-level, and Step-level. Variables can be marked as secret, which masks their values in logs and prevents them from being exposed in plain text. Secret variables are not made available to builds of pull requests from forked repositories by default, which protects against PR-based secret exfiltration.

Variable Groups

Variable Groups Overview

Variable groups store related variables that can be shared across multiple pipelines. They support: Standard variables (key-value pairs managed in Azure DevOps), Azure Key Vault linked variables (secrets retrieved from Key Vault at pipeline runtime), and pipeline permissions (control which pipelines can access the group). Variable groups can be scoped to specific stages in multi-stage YAML pipelines.
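The following multi-stage pipeline is an added example, not code from the original page, showing the scopes just described together: a pipeline-level variable, a shared variable group, stage- and job-level variables, a secret variable that is explicitly mapped into a script's environment (a secret is never exposed to scripts automatically), and a second variable group that is scoped to the Deploy stage only. The group names `shared-settings` and `prod-settings`, the secret `apiToken`, the variable `prodEndpoint`, and the URL are assumed.

```yaml
# Added example (not from the original page). Names of groups, secrets and the
# endpoint are assumed. Secrets cannot be declared in YAML; they are marked
# secret in the pipeline UI, in a variable group, or linked from Key Vault.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:                            # pipeline-level scope
  - name: buildConfiguration
    value: Release
  - group: shared-settings            # variable group shared across pipelines

stages:
  - stage: Build
    variables:                        # stage-level scope
      - name: stageName
        value: build
    jobs:
      - job: Compile
        variables:                    # job-level scope
          - name: jobName
            value: compile
        steps:
          - script: echo "Building $(buildConfiguration) in $(stageName)/$(jobName)"
            displayName: Show non-secret variables

          # A secret variable must be mapped through 'env' to reach a script;
          # its value is masked as *** in the log. In a fork PR build the
          # secret is withheld and the $(apiToken) macro stays unexpanded, so
          # the step fails closed instead of sending a bogus token.
          - script: |
              case "$API_TOKEN" in
                ''|'$''('*) echo "apiToken not available (e.g. fork PR build); skipping call"; exit 1 ;;
              esac
              curl -fsS -H "Authorization: Bearer $API_TOKEN" https://api.example.invalid/health
            displayName: Call API with secret token
            env:
              API_TOKEN: $(apiToken)  # 'apiToken' is a secret variable set in the UI or a group

  - stage: Deploy
    dependsOn: Build
    variables:
      - group: prod-settings          # scoped to this stage; Build cannot read it
    jobs:
      - job: Release
        steps:
          - script: echo "Deploying to $(prodEndpoint)"   # 'prodEndpoint' comes from prod-settings
            displayName: Use stage-scoped group variable
```

The `case` pattern splits the literal `$(` with an empty string so the pipeline's own macro expansion does not rewrite the comparison; without that, the check would compare the token to itself. Stage-scoping the `prod-settings` group is the YAML equivalent of restricting which jobs can ever see production values, and the group's pipeline permissions still decide which pipelines may reference it at all.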

2. Azure Key Vault Integration

Key Vault in Pipelines

Azure Key Vault stores secrets, certificates, and encryption keys securely. Integration with Azure Pipelines is achieved through: Variable groups linked to Key Vault (secrets are fetched at runtime and mapped to pipeline variables), or the AzureKeyVault task (downloads secrets within a pipeline job). The service principal used by the pipeline must have Get and List permissions on the Key Vault secrets.

Key Vault Best Practices

Use separate Key Vaults for different environments (dev, staging, production). Enable soft delete and purge protection to prevent accidental secret loss. Enable diagnostic logging to audit secret access. Use Key Vault access policies or Azure RBAC to control who and what can access secrets. Rotate secrets regularly and use Key Vault secret versioning.
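The pipeline below is an added example, not from the original page, and covers both the integration and the best-practice points above: the first stage creates a vault with purge protection, a soft-delete retention window, Azure RBAC authorization, diagnostic logging to Log Analytics, and a least-privilege role assignment (secrets read only) for the pipeline's own identity; the second stage fetches only the secrets it needs with the `AzureKeyVault@2` task. The service connection `sc-prod`, vault and resource group names, the workspace `law-myapp`, the region, and the secret names are assumed; `addSpnToEnvironment` exposes the connection's app id as `$servicePrincipalId` in the script.

```yaml
# Added example (not from the original page). Connection, vault, workspace
# and secret names are assumed; adjust to your subscription.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  - name: vaultName
    value: kv-myapp-prod
  - name: resourceGroup
    value: rg-myapp-prod

stages:
  - stage: ProvisionVault
    jobs:
      - job: Harden
        steps:
          - task: AzureCLI@2
            displayName: Create a hardened Key Vault
            inputs:
              azureSubscription: sc-prod
              scriptType: bash
              scriptLocation: inlineScript
              addSpnToEnvironment: true           # sets $servicePrincipalId for the script
              inlineScript: |
                set -euo pipefail
                # Soft delete is always on for new vaults; set the retention window and
                # purge protection so a deleted secret cannot be permanently removed early.
                # (create fails if the vault exists; use 'az keyvault update' then)
                az keyvault create --name "$(vaultName)" --resource-group "$(resourceGroup)" \
                  --location westeurope --retention-days 90 \
                  --enable-purge-protection true --enable-rbac-authorization true
                VAULT_ID=$(az keyvault show --name "$(vaultName)" --query id -o tsv)

                # Audit every secret access into a Log Analytics workspace.
                WS_ID=$(az monitor log-analytics workspace show --resource-group "$(resourceGroup)" \
                  --workspace-name law-myapp --query id -o tsv)
                az monitor diagnostic-settings create --name kv-audit --resource "$VAULT_ID" \
                  --workspace "$WS_ID" --logs '[{"category":"AuditEvent","enabled":true}]'

                # Least privilege: the pipeline identity may only read secrets (get/list),
                # not manage the vault or its access control.
                SP_OBJECT_ID=$(az ad sp show --id "$servicePrincipalId" --query id -o tsv)
                az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
                  --assignee-principal-type ServicePrincipal \
                  --role "Key Vault Secrets User" --scope "$VAULT_ID"

  - stage: Deploy
    dependsOn: ProvisionVault
    jobs:
      - job: UseSecrets
        steps:
          # Fetch only the secrets this job needs. Each becomes a secret
          # pipeline variable (masked in logs) for the remainder of the job.
          - task: AzureKeyVault@2
            displayName: Fetch secrets from Key Vault
            inputs:
              azureSubscription: sc-prod
              KeyVaultName: $(vaultName)
              SecretsFilter: 'db-connection-string,api-signing-key'
              RunAsPreJob: false

          - script: |
              # Fetched secrets are pipeline variables, so they still need an env mapping.
              # Print a digest to prove the value arrived without echoing the secret.
              printf '%s' "$DB_CONN" | sha256sum
            displayName: Use a fetched secret
            env:
              DB_CONN: $(db-connection-string)
```

Separate vaults per environment follow naturally from this layout: a `kv-myapp-dev` pipeline would use a different service connection and a different role assignment, so a compromised dev identity has no path to production secrets. Leaving `SecretsFilter` at `*` pulls every secret in the vault into the job, which widens what a malicious build step could read.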

3. OWASP and Security Scanning

OWASP Dependency Check

OWASP in DevOps

The OWASP Top 10 lists the most critical web application security risks. In a DevOps pipeline, security scanning should be integrated at multiple stages: Static Application Security Testing (SAST) during build to find code vulnerabilities, Software Composition Analysis (SCA) to identify vulnerable third-party dependencies, and Dynamic Application Security Testing (DAST) against a running application in staging environments.

OWASP Dependency Check

OWASP Dependency-Check is an SCA tool that identifies known vulnerabilities in project dependencies by checking them against the National Vulnerability Database (NVD). It can be integrated into Azure Pipelines to fail builds when critical vulnerabilities are found. WhiteSource Bolt (now Mend) is another popular SCA tool available as an Azure DevOps extension.
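As an added example that is not part of the original page, the pipeline below runs the OWASP Dependency-Check command-line scanner as the SCA step of a build, caches the NVD data between runs, fails the build when any dependency carries a vulnerability with CVSS 7 or higher, and publishes the report even when the gate fails. The scanner version, the release download URL pattern, and the `nvdApiKey` secret variable are assumed.

```yaml
# Added example (not from the original page). The pinned version and the
# release URL pattern are assumptions; verify the download against the
# checksum published with the release before trusting it in production.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  - name: dcVersion
    value: '9.2.0'                    # assumed; pin the version you have validated
  - name: dcReportDir
    value: $(Build.ArtifactStagingDirectory)/dependency-check

steps:
  - task: Cache@2
    displayName: Cache NVD data between runs
    inputs:
      key: 'dependency-check | "$(Agent.OS)"'
      path: $(Pipeline.Workspace)/dc-data

  - script: |
      set -euo pipefail
      curl -fsSL -o dc.zip \
        "https://github.com/jeremylong/DependencyCheck/releases/download/v$(dcVersion)/dependency-check-$(dcVersion)-release.zip"
      unzip -q dc.zip
    displayName: Download Dependency-Check

  - script: |
      set -euo pipefail
      mkdir -p "$(dcReportDir)"
      # --failOnCVSS makes the scanner exit non-zero when a finding meets the
      # threshold, which fails this step and therefore the build.
      ./dependency-check/bin/dependency-check.sh \
        --project "$(Build.Repository.Name)" \
        --scan "$(Build.SourcesDirectory)" \
        --data "$(Pipeline.Workspace)/dc-data" \
        --format HTML --format JSON \
        --out "$(dcReportDir)" \
        --failOnCVSS 7 \
        --nvdApiKey "$NVD_API_KEY"
    displayName: Run SCA scan (fail on CVSS >= 7)
    env:
      NVD_API_KEY: $(nvdApiKey)       # secret variable; avoids NVD rate limiting

  - task: PublishBuildArtifacts@1
    displayName: Publish scan report
    condition: always()               # keep the report when the gate fails
    inputs:
      PathtoPublish: $(dcReportDir)
      ArtifactName: dependency-check-report
```

This is the SCA stage of the SAST/SCA/DAST split described above; a SAST scanner would run on the same sources before packaging, and DAST would run in a later stage against the deployed staging instance. The JSON report is the artifact to feed into a vulnerability tracking system, while the HTML report is for reviewers.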

4. Service Connections

Service Connections Security

Service connections authenticate Azure Pipelines to external services (Azure subscriptions, Docker registries, Kubernetes clusters, GitHub, etc.). Security best practices: use Workload Identity Federation (recommended) or service principals with minimum required permissions. Restrict service connection access to specific pipelines using pipeline permissions. Enable approval checks on service connections used for production deployments. Avoid sharing service connections across unrelated projects.

5. Secure Files

Secure Files Library

Secure files in Azure DevOps store files that are needed during pipeline execution but should not be committed to source control. Examples include: signing certificates, provisioning profiles, SSH keys, and license files. Secure files are encrypted at rest and can only be consumed by authorized pipelines using the DownloadSecureFile task. Access is controlled through pipeline permissions on each secure file.
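The deployment job below is an added example, not from the original page, and illustrates both the service connection guidance and the secure files mechanism: it downloads a code-signing certificate from the Secure Files library, verifies its SHA-256 fingerprint against an expected value before using it, and deploys through a Workload Identity Federation service connection into an environment that carries the production approval check. The connection `sc-prod-wif`, the secure file `codesign.crt`, the variable `expectedCertFingerprint`, the app name, and the artifact name are assumed.

```yaml
# Added example (not from the original page). Connection, environment, file
# and app names are assumed. Approvals are configured on the 'production'
# environment and on the service connection in the UI, not in YAML.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

stages:
  - stage: Deploy
    jobs:
      - deployment: DeployWeb
        environment: production            # approval checks gate this job
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: drop

                # The secure file is decrypted onto the agent for this job only
                # and is removed when the job ends; its path is exposed as
                # $(codesign.secureFilePath) via the step's 'name'.
                - task: DownloadSecureFile@1
                  name: codesign
                  displayName: Download code-signing certificate
                  inputs:
                    secureFile: codesign.crt

                - script: |
                    set -euo pipefail
                    # Integrity check: the certificate fingerprint must match the
                    # (non-secret) value recorded in the pipeline variable.
                    actual=$(openssl x509 -in "$(codesign.secureFilePath)" -noout -fingerprint -sha256 | cut -d= -f2)
                    if [ "$actual" != "$(expectedCertFingerprint)" ]; then
                      echo "certificate fingerprint mismatch: $actual"
                      exit 1
                    fi
                  displayName: Verify certificate fingerprint

                # WIF service connection: no stored client secret, a short-lived
                # token is exchanged per run. Restrict the connection to this
                # pipeline with its pipeline permissions.
                - task: AzureWebApp@1
                  displayName: Deploy via WIF service connection
                  inputs:
                    azureSubscription: sc-prod-wif
                    appType: webAppLinux
                    appName: myapp-web
                    package: $(Pipeline.Workspace)/drop/*.zip
```

The fingerprint check catches the case where someone with library access replaces the secure file with a different certificate; because the expected fingerprint is a plain pipeline variable rather than a secret, it is visible in logs and easy to audit. A private key paired with the certificate would be a second secure file, with its passphrase held as a secret variable and passed to tools through `env`.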

6. GitHub Code Scanning

GitHub Advanced Security

GitHub Code Scanning uses CodeQL (a semantic code analysis engine) to find security vulnerabilities and coding errors. It runs as a GitHub Actions workflow on push and PR events. CodeQL supports multiple languages including C/C++, C#, Java, JavaScript, Python, Go, and Ruby. Scan results appear as annotations on PRs and in the Security tab.

GitHub Advanced Security for Azure DevOps

GitHub Advanced Security for Azure DevOps (GHAzDO) brings GitHub's security features to Azure Repos. It includes: Secret scanning (detects committed secrets like API keys and passwords), Dependency scanning (identifies vulnerable dependencies), and Code scanning (CodeQL-based SAST). Results are displayed in the Advanced Security tab of Azure DevOps repositories.
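As an added example that is not part of the original page, the Azure Pipelines snippet below wires the GHAzDO tasks into a build: CodeQL is initialized before the compile step so it can observe the build, dependency scanning runs against the restored packages, and the analyze task uploads results to the repository's Advanced Security tab. The `AdvancedSecurity-*` task names are those published for GHAzDO and require Advanced Security to be enabled on the repository; the C# language value and project glob are assumed.

```yaml
# Added example (not from the original page). Requires GHAzDO enabled on the
# repo. Language and project glob are assumed for a .NET project.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: AdvancedSecurity-Codeql-Init@1
    displayName: Initialize CodeQL (SAST)
    inputs:
      languages: csharp
      querysuite: security-extended

  # CodeQL traces the compiler, so the build must run between Init and Analyze.
  - task: DotNetCoreCLI@2
    displayName: Build (observed by CodeQL)
    inputs:
      command: build
      projects: '**/*.csproj'

  - task: AdvancedSecurity-Dependency-Scanning@1
    displayName: Dependency scanning (SCA)

  - task: AdvancedSecurity-Codeql-Analyze@1
    displayName: Analyze and upload findings (Advanced Security tab)
```

Secret scanning is not a pipeline task: it runs on the repository itself (including push protection when enabled), which is why only the code and dependency scanners appear in the YAML.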

Exam Tip: Know how to secure pipeline secrets (secret variables, variable groups, Key Vault). Understand service connection types and security (especially Workload Identity Federation). Know the difference between SAST, SCA, and DAST. Remember that secure files are for sensitive files not in source control. GitHub Advanced Security for Azure DevOps (GHAzDO) brings code scanning, secret scanning, and dependency scanning to Azure Repos.
