在 Azure 上部署安全应用程序Deploy secure applications on Azure

本文介绍了在为云部署应用程序时需要考虑的安全活动和控制措施。In this article we present security activities and controls to consider when you deploy applications for the cloud. 介绍了在 Microsoft 安全开发生命周期 (SDL) 的发布和响应阶段要考虑的安全问题和概念。Security questions and concepts to consider during the release and response phases of the Microsoft Security Development Lifecycle (SDL) are covered. 目标是帮助你定义可用于部署更安全应用程序的活动和 Azure 服务。The goal is to help you define activities and Azure services that you can use to deploy a more secure application.

本文涵盖以下 SDL 阶段:The following SDL phases are covered in this article:

  • 发布Release
  • 响应Response

发布Release

发布阶段的重点是准备要公开发布的项目。The focus of the release phase is readying a project for public release. 这包括规划各种可有效执行发布后服务任务的方法,并解决以后可能会出现的安全漏洞。This includes planning ways to effectively perform post-release servicing tasks and address security vulnerabilities that might occur later.

在推出应用程序之前检查其性能Check your application's performance before you launch

在推出应用程序或将更新部署到生产环境之前,先检查该应用程序的性能。Check your application's performance before you launch it or deploy updates to production. 使用 Visual Studio 运行基于云的负载测试,以查找应用程序中的性能问题,提高部署质量,确保应用程序始终启动或可用,并且应用程序可以处理推出的流量。Run cloud-based load tests by using Visual Studio to find performance problems in your application, improve deployment quality, make sure that your application is always up or available, and that your application can handle traffic for your launch.

安装 Web 应用程序防火墙Install a web application firewall

Web 应用程序已逐渐成为利用常见已知漏洞的恶意攻击的目标。Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. 这些攻击中最常见的攻击是 SQL 注入攻击和跨站点脚本攻击。Common among these exploits are SQL injection attacks and cross-site scripting attacks. 在应用程序代码中防止这些攻击可能会很困难。Preventing these attacks in application code can be challenging. 这可能需要在应用程序拓扑的多个层进行严格的维护、修补和监视。It might require rigorous maintenance, patching, and monitoring at many layers of the application topology. 集中式 WAF 有助于简化安全管理。A centralized WAF helps make security management simpler. 相较于保护每个单独的 Web 应用程序,WAF 解决方案还可通过在中央位置修补已知漏洞来响应安全威胁。A WAF solution can also react to a security threat by patching a known vulnerability at a central location versus securing each individual web application.

Azure 应用程序网关 WAF 可对 Web 应用程序进行集中保护,避免其受到常见的攻击和漏洞的危害。The Azure Application Gateway WAF provides centralized protection of your web applications from common exploits and vulnerabilities. WAF 基于 OWASP 核心规则集 3.0 或 2.2.9 中的规则。The WAF is based on rules from the OWASP core rule sets 3.0 or 2.2.9.

创建事件响应计划Create an incident response plan

准备事件响应计划至关重要,可帮助解决随时间推移可能出现的新威胁。Preparing an incident response plan is crucial to help you address new threats that might emerge over time. 准备事件响应计划包括:确定适当的安全事项紧急联系人,并为从组织中的其他组继承的代码以及获得许可的第三方代码制定安全服务计划。Preparing an incident response plan includes identifying appropriate security emergency contacts and establishing security servicing plans for code that's inherited from other groups in the organization and for licensed third-party code.

进行最终安全评审Conduct a final security review

仔细检查已执行的所有安全活动有助于确保你的软件版本或应用程序准备就绪。Deliberately reviewing all security activities that were performed helps ensure readiness for your software release or application. 最终安全评审 (FSR) 通常包括针对需求阶段定义的质量检验关和 bug 栏检查威胁模型、工具输出和性能。The final security review (FSR) usually includes examining threat models, tools outputs, and performance against the quality gates and bug bars that were defined in the requirements phase.

认证版本和存档Certify release and archive

在发布之前对软件进行认证有助于确保安全和隐私要求得到满足。Certifying software before a release helps ensure that security and privacy requirements are met. 存档所有相关数据对于执行发布后的服务任务至关重要。Archiving all pertinent data is essential for performing post-release servicing tasks. 存档还有助于降低与持续的软件工程相关的长期成本。Archiving also helps lower the long-term costs associated with sustained software engineering.

响应Response

发布后响应阶段的重点在于开发团队是否能够对描述所出现的软件威胁和漏洞的任何报告做出适当的响应。The response post-release phase centers on the development team being able and available to respond appropriately to any reports of emerging software threats and vulnerabilities.

执行事件响应计划Execute the incident response plan

能够实施在发布阶段制定的事件响应计划对于保护客户免受出现的软件安全或隐私漏洞的影响至关重要。Being able to implement the incident response plan instituted in the release phase is essential to helping protect customers from software security or privacy vulnerabilities that emerge.

监视应用程序性能Monitor application performance

在部署应用程序后对应用程序进行持续监视可能有助于检测性能问题和安全漏洞。Ongoing monitoring of your application after it's deployed potentially helps you detect performance issues as well as security vulnerabilities. 有助于应用程序监视的 Azure 服务包括:Azure services that assist with application monitoring are:

  • Azure Application InsightsAzure Application Insights
  • Azure 安全中心Azure Security Center

Application InsightsApplication Insights

Application Insights 是多个平台上面向 Web 开发人员的可扩展应用程序性能管理 (APM) 服务。Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. 使用它可以监视实时 Web 应用程序。Use it to monitor your live web application. Application Insights 会自动检测性能异常。Application Insights automatically detects performance anomalies. 其中包含功能强大的分析工具,可帮助你诊断问题并了解用户在应用中实际执行了哪些操作。It includes powerful analytics tools to help you diagnose issues and understand what users actually do with your app. Application Insights 有助于持续提高性能与可用性。It's designed to help you continuously improve performance and usability.

Azure 安全中心Azure Security Center

Azure 安全中心有助于预防、检测和响应威胁,同时增加 Azure 资源(包括 Web 应用程序)在安全方面的可见性和可控性。Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into (and control over) the security of your Azure resources, including web applications. Azure 安全中心可帮助检测可能被忽略的威胁。Azure Security Center helps detect threats that might otherwise go unnoticed. 它可以与各种安全解决方案协同工作。It works with various security solutions.

安全中心的免费层仅为 Azure 资源提供有限的安全性。Security Center’s Free tier offers limited security for your Azure resources only. 安全中心标准层将这些功能扩展到本地资源和其他云。The Security Center Standard tier extends these capabilities to on-premises resources and other clouds. 安全中心标准层可帮助你:Security Center Standard helps you:

  • 查找并修复安全漏洞。Find and fix security vulnerabilities.
  • 应用访问控制和应用程序控制来阻止恶意活动。Apply access and application controls to block malicious activity.
  • 使用分析和智能来检测威胁。Detect threats by using analytics and intelligence.
  • 在受到攻击时快速响应。Respond quickly when under attack.

后续步骤Next steps

下面的文章中推荐了一些安全控制措施和安全活动,可帮助你设计和开发安全的应用程序。In the following articles, we recommend security controls and activities that can help you design and develop secure applications.