Teaching Cyber Blog

Steps to protect your Azure App Service

Pragmatic cyber security tips to help secure your internet facing Azure App Service.

App Service is a platform as a service (PaaS) offering from Microsoft Azure. This checklist assumes you already have an inventory of your App Service apps: you know what you have, what each app does, and how important each one is to you or your organisation.

1. Enable encryption in transit (HTTPS) so that your App Service encrypts the communication between clients, users and your application.

2. Restrict access to your App Service by configuring IP restrictions or by implementing Azure Virtual Network service endpoints. IP restrictions let you define which IP addresses, or which virtual networks, are permitted to reach your app.

3. Use authentication and authorization mechanisms to control access to your app. Azure Active Directory provides identity and access management.

4. Do not store sensitive information, including database connection strings or API access keys, in any code or configuration files. Use Azure Key Vault for secure storage and retrieval of secrets and sensitive config information.

5. Where appropriate, use Azure Web Application Firewall. A WAF helps protect your application from common web vulnerabilities and attacks, and can be configured in line with OWASP rule sets. Custom WAF rules can also be added.

6. Keep your App Service up to date with the latest security patches and updates. This applies to all software, including the code and dependencies you produce yourself.

7. Enable diagnostics and monitoring. Azure Monitor provides monitoring capabilities, including Log Analytics and Application Insights. These detective controls can surface suspicious activity and potential security breaches.

8. Follow secure coding practices to minimize the chances of introducing vulnerabilities into your application. OWASP is a great first place to reference.

9. Conduct regular security vulnerability scanning and where necessary penetration testing on your App Service to identify vulnerabilities and address them quickly.

10. Keep up to date on security, perform regular training and education.
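As an added example (not code from the blog), the script below audits items 1, 2 and 4 of this list against configuration exported with the Azure CLI. It assumes the JSON shapes returned by `az webapp show` and `az webapp config appsettings list`; the sample site and settings embedded below are constructed for illustration.

```python
import re

# App settings whose value starts like this are Key Vault references, not inline secrets.
KV_REF = re.compile(r"^@Microsoft\.KeyVault\(", re.IGNORECASE)
# Setting names that usually carry a credential when stored inline (heuristic).
SECRET_HINT = re.compile(r"(key|secret|password|pwd|connection|token)", re.IGNORECASE)


def audit_app_service(site: dict, app_settings: list) -> list:
    """Return checklist findings for one app (empty list means no issues found)."""
    findings = []
    cfg = site.get("siteConfig") or {}
    # Item 1: encryption in transit.
    if not site.get("httpsOnly"):
        findings.append("1: httpsOnly is disabled; HTTP requests are not redirected to HTTPS")
    if cfg.get("minTlsVersion") not in ("1.2", "1.3"):
        findings.append(f"1: minTlsVersion is {cfg.get('minTlsVersion')!r}; require at least 1.2")
    # Item 2: access restrictions. If only the default "Allow Any" rule exists,
    # the app is reachable from the whole internet.
    rules = cfg.get("ipSecurityRestrictions") or []
    explicit = [r for r in rules if r.get("ipAddress") != "Any" or r.get("vnetSubnetResourceId")]
    if not explicit:
        findings.append("2: no IP or virtual-network access restriction rules; app is open to all sources")
    for r in explicit:
        addr = r.get("ipAddress") or ""
        if r.get("action") == "Allow" and addr.endswith("/0"):
            findings.append(f"2: rule {r.get('name')!r} allows {addr}, which is every address")
    # Item 4: secrets belong in Key Vault, referenced from app settings, not inline.
    for s in app_settings:
        name, value = s.get("name", ""), s.get("value") or ""
        if SECRET_HINT.search(name) and not KV_REF.match(value):
            findings.append(f"4: app setting {name!r} holds an inline value; use a Key Vault reference")
    return findings


# Constructed sample: a freshly created app that has not been hardened yet.
SAMPLE_SITE = {
    "name": "contoso-web",
    "httpsOnly": False,
    "siteConfig": {
        "minTlsVersion": "1.0",
        "ipSecurityRestrictions": [
            {"ipAddress": "Any", "action": "Allow", "priority": 2147483647, "name": "Allow all"}
        ],
    },
}
SAMPLE_SETTINGS = [
    {"name": "DB_CONNECTION_STRING", "value": "Server=tcp:db.example;Password=NotARealValue", "slotSetting": False},
    {"name": "API_KEY", "value": "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/api-key/)", "slotSetting": False},
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1", "slotSetting": False},
]

if __name__ == "__main__":
    for finding in audit_app_service(SAMPLE_SITE, SAMPLE_SETTINGS):
        print(finding)
```

Run it against real exports by loading the two JSON files with `json.load` and passing them to `audit_app_service`.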
