Security

GitHub Actions and Azure - Using Environments with GitHub Actions

2021-05-07

Once you have a working GitHub Actions workflow, the next challenge is safely deploying across dev, staging, and production with the right secrets in the right places. This episode deep-dives into GitHub Actions Environments: how to scope secrets per environment to enforce the principle of least privilege, configure required reviewers and wait timers as production gates, and assign service principals with minimal Azure RBAC permissions. A live demo deploys the cloudwithchris.com Hugo site to Azure Storage, making every concept concrete.

Azure role-based access control (RBAC) at the data plane level

2021-04-21 · 7 min

The principle of least privilege is a commonly used phrase within the technology industry. The idea is that we assign only the permissions a user needs to get the job done, rather than anything broader or more privileged. This reduces the blast radius if an account is compromised. The principle applies to Azure resources at the management plane, but in some cases it can also extend to the data plane of those resources. We'll be exploring these further in this blog post.
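The two posts above (environment-scoped secrets with production gates, and data-plane rather than management-plane RBAC) come together in a deployment workflow. The following is an added example, not the cloudwithchris.com workflow or anything from the episodes themselves. It assumes two GitHub environments named staging and production, each holding its own AZURE_CREDENTIALS (the JSON emitted by az ad sp create-for-rbac --sdk-auth for a service principal dedicated to that environment) and STORAGE_ACCOUNT secret, and a Hugo site at the repository root. The service principal behind each environment is assumed to hold only the data-plane role Storage Blob Data Contributor on its own storage account, not Contributor on the resource group, which is what lets the upload step authenticate with --auth-mode login instead of a storage account key.

```yaml
# Added example, not the cloudwithchris.com workflow. Assumed names: the
# GitHub environments "staging" and "production", the environment secrets
# AZURE_CREDENTIALS and STORAGE_ACCOUNT, and a Hugo site at the repo root.
name: Deploy Hugo site to Azure Storage

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for the workflow's own GITHUB_TOKEN: building and
# deploying only needs to read the repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true          # Hugo themes are commonly git submodules
      - uses: peaceiris/actions-hugo@v2
        with:
          hugo-version: 'latest'
          extended: true
      - run: hugo --minify
      # Hand the built site to the deploy job; the build job never sees
      # any Azure credential.
      - uses: actions/upload-artifact@v3
        with:
          name: site
          path: public

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # One job definition, two environments: pull requests deploy to
    # staging, pushes to main deploy to production. Every secrets.*
    # reference below resolves from the selected environment only, so the
    # staging service principal can never be used against production.
    # Required reviewers and the wait timer are configured on the
    # "production" environment in repository settings, not in this file;
    # the job pauses at this point until those gates are satisfied.
    environment:
      name: ${{ github.event_name == 'push' && 'production' || 'staging' }}
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: site
          path: public
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      # --auth-mode login authenticates to the blob data plane with the
      # service principal's Azure AD token rather than a storage account key.
      # The SP therefore needs only "Storage Blob Data Contributor" scoped to
      # this storage account (a data-plane role); a management-plane role
      # such as Contributor, which can read the account keys, is not required.
      - run: |
          az storage blob upload-batch \
            --account-name "${{ secrets.STORAGE_ACCOUNT }}" \
            --destination '$web' \
            --source public \
            --auth-mode login \
            --overwrite true
```

A quick check that the role really is the minimum: temporarily remove the data-plane assignment and the upload step fails with an authorization error even though the service principal can still log in, which confirms the management-plane identity alone grants nothing on the blobs. Pull requests from forks do not receive environment secrets, so the staging path above only runs for branches within the repository.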

Discussing the Cloud with Chris GitHub Architecture and GitHub setup

Karl Cooke (irishtechie.com) interviews Chris Reddington about the full architecture and GitHub workflow powering CloudWithChris.com. The session covers Azure Storage static website hosting, Azure CDN with a custom rules engine for enforcing HTTPS and security headers (CSP, HSTS, Permissions Policy), Hugo as the static site generator, multi-environment GitHub Actions pipelines (preview, staging, production), GitHub Codespaces for in-browser editing, and practical security hardening using securityheaders.com and Mozilla Observatory.

V016 - Weekly Technology Vlog #16

2021-04-19

Weekly Vlog #16 covers significant IoT Edge updates — including nested device hierarchies now GA and zero-touch provisioning blueprints — plus the GA of Azure API Management support for availability zones and a new open-source API portal. GitHub highlights include a detailed guide to implementing least-privilege secrets in GitHub Actions using environments and branch protection rules, and the GitHub CLI's new support for managing Actions workflows from the terminal. Chris recaps two Global Azure talks on Hugo static sites and GitHub Actions, shares a SecurityHeaders.com deep-dive using Azure CDN rules, and previews Azure RBAC data-plane content and an upcoming Azure Spring Cloud session.

Optimise your site - Addressing recommendations from securityheaders.com

2021-04-14 · 8 min

In my blog post earlier this week, I mentioned that I recently spoke at the Northern Azure User Group. The other speaker for the evening was Scott Hanselman, who talked about his journey moving a 17 year old .NET app into Azure (he has written this up on his blog). Along the way, he called out some of the tools that he used. One was a tool called securityheaders.com. As any engaged listener does, I took note of the tools that he used, and added them to my cloudwithchris.com backlog during the talk. When I later investigated the initial rating of the site, I received a score of an F - which appears to be the lowest possible score that you can receive! Given that I only allow HTTPS traffic to my site, I was surprised by this - so I began looking into the recommendations further.

33 - External Config and Claim Check Pattern - Easier Management and Externalising Payloads

2021-04-02

Chris and Peter cover two cloud design patterns in depth. The External Configuration Store pattern addresses one of the most critical security concerns in cloud development: keeping secrets and connection strings out of source code. They explore Azure Key Vault and Azure App Configuration as canonical implementations, discuss deployment slot behaviour, and highlight the risks of committing credentials to version control. The Claim Check pattern tackles a different challenge — what happens when your message payload exceeds the size limits of your messaging infrastructure (Azure Service Bus, Azure Queue Storage)? By externalising the payload to a data store and passing only a correlation ID on the queue, you gain scalability and flexibility at the cost of added latency. Azure Event Grid's automatic claim check generation is also demonstrated. Security is a thread running through both patterns: compromised config stores and poisoned messages both demand an operational response plan.

V013 - Weekly Technology Vlog #13 (Lots of Azure, DevOps & GitHub) Blogs, Quick-fire Azure Updates

2021-03-28

Weekly Vlog #13 covers an action-packed Azure week: enterprise landing zones with modular designs, zonal disaster recovery via Azure Site Recovery, Security Center compliance enhancements, and Mark Russinovich's standout Ignite session on Azure innovation. The GitHub roundup highlights the GitHub Actions capture-the-flag security writeup and a multi-stage exploit chain from the GitHub Security Lab — essential reading for any DevSecOps practitioner. Cloud with Chris updates include the channel's most-viewed video to date on Git internals, a Fuse.js-powered site search, series navigation, and a packed April talk schedule featuring the Northern Azure User Group (alongside Scott Hanselman) and Global Azure Bootcamp.

V012 - Weekly Technology Vlog #12 (Busy week, and quite a few blog posts to cover!)

2021-03-22

Three months and 350+ subscribers in, with content shipping every day of the past week: a GitHub Codespaces Cloud Drop, the final GPG commit-signing instalment covering YubiKey hardware key storage, a Welsh Azure User Group lightning talk on GitHub Actions, and a Terraform Cloud deep-dive on Azure state management. Azure news centres on Microsoft's commitment to bring Availability Zones to every region by end of 2021, new forecasted cost alerts for Azure Budgets, and the Start Small & Expand landing zone guidance from Sarah Lean and Thomas Maurer. GitHub updates include Dependabot gaining private registry support, CodeQL scanning for Solarigate traces, and a detailed post-mortem on the recent GitHub.com security incident.

Using GPG Keys to sign Git Commits - Part 4

2021-03-17 · 5 min

Part 4 - the final part (at least for now, until I find somewhere else that we can expand on this)! This part will focus on moving the keys that we recently generated onto our YubiKey device. I own a YubiKey NEO, so I'll be using that.

V011 - Weekly Technology Vlog #11

2021-03-15

Vlog #11 debuts a refreshed brand and on-screen layout, then covers a busy week: the third instalment of Chris's GPG commit-signing series (linking keys to Git and GitHub), the Cache Aside cloud design pattern episode, and a preview of the upcoming YubiKey-focused Part 4. Azure news centres on the preview of Trusted Launch VMs (defending against bootkits and rootkits), Azure Defender for Storage's new malware-upload detection, and Narya, the ML system Microsoft uses to predict and proactively mitigate infrastructure failures at scale. On the security operations side, GitHub and Azure DevOps announce automated token revocation for leaked PATs found on public GitHub repositories.