Security and Compliance

As important as it is to ensure that your application performs the functions it needs to, you also need to ensure it doesn't do things that it shouldn't. In the previous chapter, you learned about quality and testing in order to continuously measure whether your application is doing what it is supposed to do. In this chapter, you will learn how to prevent any unwanted behavior. This is the subject of security and compliance. While increasing the flow of value to your end users (by deploying faster and shortening delivery cycles), you will still want to make sure that you are delivering secure and compliant software. In this chapter, you will learn how to address these concerns in your DevOps processes.

To do this, the chapter starts by discussing the perceived trade-off between speed and security, and explains how security is not decreased, but might even be increased, when embracing DevOps. Next, a specific dimension of security is addressed: how to securely handle the secrets, such as keys and passwords, that your pipeline and application need. Following this, code scanning tools for automatically identifying possible security risks in your application code and in its dependencies are discussed. The chapter concludes by discussing how to keep your infrastructure and configuration deployments compliant, and how to detect runtime security risks and threats using Azure Policy and Security Center.

The following topics will be covered in this chapter:

  • Applying DevOps principles to security and compliance
  • Working with secrets
  • Detecting application code vulnerabilities
  • Working with dependencies
  • Ensuring infrastructure compliance
  • Monitoring and detecting runtime security risks and threats
  • Other tools you can use