Skip to main content

Secure DevOps environments for Zero Trust

This document summarizes best practices for securing developer and DevOps platform environments to implement Zero Trust principles (verify explicitly, use least privilege access, assume breach), based on the following Microsoft Learn articles:

Secure the developer environment

Developer environments can serve as entry points for attackers to infiltrate systems.

Best practices for least privilege

To prevent attackers from gaining administrator access through compromised developer environments, apply the following least privilege principles:

  • Implement least privilege and just-in-time (JIT) access for DevOps: Ensure team members maintain only minimal access to environments for the shortest required time.
  • Don't use personal access tokens (PATs) for source code access: Use SSH keys or HTTPS (with identity federation) for accessing SaaS-based DevOps tools and code repositories. Avoid using PATs.
  • Standardize on GitHub Enterprise Managed User (EMU) accounts: Control user accounts through your corporate Identity Provider (IdP) and synchronize GitHub usernames and emails with corporate identities.
  • Connect to the organization identity store: Ensure connections to SaaS environments (HTTPS, PAT, SSH) are tied to the organization identity store. Enforce access control via SSO.
  • Use an SSH certificate authority (CA): Use signed SSH certificates to allow members to securely access Git resources.
  • Use a Git credential manager: Leverage identity support in tools like Visual Studio and use a Git credential manager to harden access to your code.

Best practices for branch security

Implement branching strategies and controls to prevent unauthorized access or modification of the code repository.

  • Protect branches with code reviews: Require validations, reviews, and approvals for changes to protected branches.
  • Control approval authorizations: Have Git repository administrators control approval authorities and enforce workflows such as requiring approval reviews or status checks before merging pull requests.

Best practices for trusting tools, extensions, and integrations

IDE extensions and integration tools enhance productivity but can also expand the attack surface.

  • Integrate tools only from trusted marketplaces and publishers: Verify the trustworthiness of publishers when adopting new tools or extensions.
  • Control extension use: Understand the permissions required by extensions (e.g., file read access, cloud connections) and limit the attack surface.
  • Track extensions on developer machines: Limit VS Code extensions to those from verified publishers and regularly check installed extensions (e.g., using code --list-extensions --show-versions).

Secure the DevOps platform environment

DevOps platforms, responsible for pipelines and production deployments, are also targets for attackers.

How bad actors target pipelines

Attackers attempt to compromise pipelines by exploiting vulnerabilities such as:

  • Extracting runtime variables and argument injection.
  • Retrieving service principals or credentials from pipelines.
  • Misusing misconfigured Personal Access Tokens (PATs).
  • Exploiting vulnerabilities or misconfigurations in integrated tools (e.g., test frameworks, SAST/DAST tools) that have access to code.

Best practices for secret and certificate management

Effective secret management is essential to prevent catastrophic breaches.

  • Secure storage for secrets and certificates: Store secrets in secure storage like Azure Key Vault, not in code or team environments.
  • Configure Azure to trust GitHub's OIDC: Use OpenID Connect (OIDC) to allow GitHub Actions workflows to access Azure resources without storing long-lived secrets.

More best practices for DevOps environment security

  • Equip every DevOps platform environment with audit trails: Enable and review audit logs to track who accessed what and what changes occurred across all DevOps platform environments.
  • Secure the software supply chain: Remove unnecessary libraries and open-source components to reduce the attack surface.
  • Automate Infrastructure-as-Code (IaC) template scans: Automate scanning of IaC templates to detect misconfigurations and compliance violations.
  • Automate approval workflows: Implement checks (gates) to confirm security, business value, and quality before pushing code to production.
  • Allow only verified DevOps tool integrations: Enforce least privilege by allowing only verified integrations and setting appropriate read/write permissions.