How to Secure Applications Using Security as Code
Follow along as Chuck Losh, Solutions Architect, uses Azure App Service, Visual Studio Code, GitHub, and PHP to run an experiment on how to secure applications using security as code from Trend Micro Cloud One™ – Application Security.
Well, with cloud services in Microsoft Azure it's definitely a brand new frontier to explore which presents new security challenges. For instance, how can I protect my modern web applications when I start utilizing PaaS services such as Azure App Service? It's secure, right? That's why I am paying for the hosted service, right? Well, yes and no. Microsoft secures the infrastructure, but we still need to secure our apps. Using PaaS services produces new challenges for security. For example, we cannot access the underlying infrastructure (Virtual Machines). So, we cannot install a traditional security agent based deployment on a Azure Virtual Machine. What is a DevOps engineer to do?
There are two objectives of this article. The first is how to provision a test application from GitHub with a combination of Visual Studio Code, Azure Extensions, and the hosted Azure App Service. The second is how to secure that application with a new technology such as Security as Code with a product called Trend Micro Cloud One Application Security. This will allow us to protect the application at its source inside the Azure App Service.
Let's start with an application to build. Here is a simple PHP "Hello world" application from the official Microsoft GitHub repo for sample code to try out. GitHub link referenced below for this article. https://github.com/Azure-Samples/php-docs-hello-world
echo "Hello World!";
Seems, simple enough, right? So, how do we protect this guy? Well, first let's get it up and running in an Azure App Service plan. You are going to need to have PHP and Git installed on your Microsoft Windows system if you don't have them installed.
You can install these open source tools using Chocolatey package manager. This is my go to method on a Microsoft Windows machine. Here is the link to Chocolatey for reference, https://chocolatey.org/. Installation output shown while I was installing php is provided below as an example. The packages are installed with the choco command also referenced below as a guide, and you will need to do that in an elevated Microsoft Powershell Terminal Window.
choco install <package name>
After you have your tools, here is the command to clone the example Microsoft Azure-Samples repo for a test PHP application. This is free from Microsoft and available to the public to test and experiment.
git clone https://github.com/Azure-Samples/php-docs-hello-world
Next, you are going to want to download and install Microsoft Visual Studio Code. This is free and available to download here https://code.visualstudio.com/ . Once you have downloaded and installed it, go ahead and do a File Open command. You are going to want to open the location of the cloned repo. If you have done everything correctly so far, your IDE environment should look pretty similar. Kudos to you!
Now you are going to want to add an extension to your IDE to work with Azure App Service, so that you can publish your test PHP web app to Azure. The extensions bar is on the left highlighted in the picture below, and you can easily search for official Microsoft Azure Extensions in the Marketplace. The one we are going to use is the Azure App Service. Go ahead and click the green install button. Follow the instructions provided to get signed into Azure App Service in your Azure Subscription. Note, this is a "preview" new extension.
Next, we are going to continue to follow the instructions to deploy our first test PHP application into your Azure App Service by following the instructions and hitting the blue deployment arrow. (Note: the instruction says Node.js but the blue deployment will work fine for our test php application).
Next, you will be naming your test web app a globally unique name and selecting your source code and destination subscription.
Once you select the name and development environment from the prompts ie (PHP 7.3, Linux environment, free app service plan F1), the app will start building and publishing right out of your IDE to Microsoft Azure (shown below in the IDE console). Pretty cool!
In a couple minutes, you should see your app fully deployed in your IDE. All associated files from the repo that you cloned should now show up as published under the App Service Plan area. Your app is now live on Microsoft Azure!
Now, let's go ahead and visit our newly deployed test application! Go ahead and point your browser to the AppServicePlan name you chose. For example, mine was https://phptestappazure.azurewebsites.net.
Okay, so now we accomplished a deployment into Azure App Service. Step 1 completed!
How do we safeguard our newly deployed PHP web app using security as code? By using Trend Micro Application Security! The documentation is provided below on the solution from Trend Micro.
This solution works as security as code. This means we will be injecting a security library into our code which will be injected into our App Services Plan.
First, in VS Code you will need to create a /bin directory and place the Trend Micro .so or PHP security library extension in your source code. This is shown below.
You now want to go ahead and commit that to your Azure Web App by saving and committing the file and re-deploying using that blue deployment arrow again.
The next thing you want to do is SSH your app service plan using Kudu. You can see how to do that in the screenshot below.
You have access to your Azure app deployed via console inside the app service plan.
You will need to adjust your hosted php.ini file in the Azure App Service plan to use the new security library extension added. To do that you are going to want to make a settings.ini file in your home directory as shown below. You will put the following information as shown below. This adds the .so to the app services plan master php.ini file and also gives the information to register the security library to the Trend Micro Cloud One Application Security console.
echo "extension=/home/site/wwwroot/bin/trend_app_protect-x86_64-Linux-gnu-4.1.5-20180731.so" >> setting.ini
echo "zend_extension=/home/site/wwwroot/bin/trend_app_protect-x86_64-Linux-gnu-4.1.5-20180731.so" >> setting.ini
echo trend_app_protect.key = your key from trend micro >> setting.ini
echo trend_app_protect.secret = your secret from trend micro >> setting.ini
Once you have done that, you should be able to restart your app service plan in the Azure portal for initial security configuration. Your new app for all subsequent deployments and changes you make in Microsoft Visual Studio code will utilize the injected security libraries to protect your application in real-time!
You can check that the security libraries are actively protecting your app by checking the log on the Azure App Service plan shown below after restart. You can see that the security libaries are connected to the Cloud One Application Security Console.
That's it! Your app is now protected and registered with Trend Micro Cloud One Application Security. This solution can protect your app in real-time and give real-time feedback if your app is under attack and the feedback can be used to help your developers integrate secure code while being protected. Example of the application monitoring screen shown below.
Pretty cool! I would highly recommend contacting and trialing out Cloud One Application Security if you're interested. Happy test deploying! Hope this article was informative!
Articles used for Reference in my research:
Trend Micro Application Security:
Configure PHP apps with Microsoft Azure App Service
Microsoft GitHub for php hello world sample test app