From 99e82b213581ef352a1c4108fd9794552db47a61 Mon Sep 17 00:00:00 2001 From: Jose Moreno Date: Wed, 20 Dec 2023 13:23:18 +0100 Subject: [PATCH] Added service field --- checklists/appsvc_security_checklist.en.json | 29 +++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/checklists/appsvc_security_checklist.en.json b/checklists/appsvc_security_checklist.en.json index fb93fa09e..7b3f4ef89 100644 --- a/checklists/appsvc_security_checklist.en.json +++ b/checklists/appsvc_security_checklist.en.json @@ -6,6 +6,7 @@ "text": "Use Key Vault to store secrets", "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", "waf": "Security", + "service": "App Services", "guid": "834ac932-223e-4ce8-8b12-3071a5416415", "id": "A01.01", "severity": "High", @@ -17,6 +18,7 @@ "text": "Use Managed Identity to connect to Key Vault", "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", "waf": "Security", + "service": "App Services", "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", "id": "A01.02", "severity": "High", @@ -28,6 +30,7 @@ "text": "Use Key Vault to store TLS certificate.", "description": "Store the App Service TLS certificate in Key Vault.", "waf": "Security", + "service": "App Services", "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", "id": "A01.03", "severity": "High", @@ -39,6 +42,7 @@ "text": "Isolate systems that process sensitive information", "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", "waf": "Security", + "service": "App Services", "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", "id": "A01.04", "severity": "Medium", @@ -50,6 +54,7 @@ "text": "Do not store sensitive data on local disk", "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", "waf": "Security", + "service": "App Services", "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", "id": "A01.05", "severity": "Medium", @@ -61,6 +66,7 @@ "text": "Use an established Identity Provider for authentication", "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", "waf": "Security", + "service": "App Services", "guid": "919ca0b2-c121-459e-814b-933df574eccc", "id": "A02.01", "severity": "Medium", @@ -72,6 +78,7 @@ "text": "Deploy from a trusted environment", "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.", "waf": "Security", + "service": "App Services", "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", "id": "A02.02", "severity": "High", @@ -83,6 +90,7 @@ "text": "Disable basic authentication", "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.", "waf": "Security", + "service": "App Services", "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", "id": "A02.03", "severity": "High", @@ -94,6 +102,7 @@ "text": "Use Managed Identity to connect to resources", "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", "waf": "Security", + "service": "App Services", "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", "id": "A02.04", "severity": "High", @@ -105,6 +114,7 @@ "text": "Pull containers using a Managed Identity", "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", "waf": "Security", + "service": "App Services", "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", "id": "A02.05", "severity": "High", @@ -116,6 +126,7 @@ "text": "Send App Service runtime logs to Log Analytics", "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", "waf": "Security", + "service": "App Services", "guid": "47768314-c115-4775-a2ea-55b46ad48408", "id": "A03.01", "severity": "Medium", @@ -127,6 +138,7 @@ "text": "Send App Service activity logs to Log Analytics", "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.", "waf": "Security", + "service": "App Services", "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", "id": "A03.02", "severity": "Medium", @@ -138,6 +150,7 @@ "text": "Outbound network access should be controlled", "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.", "waf": "Security", + "service": "App Services", "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", "id": "A04.01", "severity": "Medium", @@ -149,6 +162,7 @@ "text": "Ensure a stable IP for outbound communications towards internet addresses", "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. (Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", "waf": "Security", + "service": "App Services", "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", "id": "A04.02", "severity": "Low", @@ -160,6 +174,7 @@ "text": "Inbound network access should be controlled", "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.", "waf": "Security", + "service": "App Services", "guid": "0725769e-e669-41a4-a34a-c932223ece80", "id": "A04.03", "severity": "High", @@ -171,6 +186,7 @@ "text": "Use a WAF in front of App Service", "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", "waf": "Security", + "service": "App Services", "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", "id": "A04.04", "severity": "High", @@ -182,6 +198,7 @@ "text": "Avoid for WAF to be bypassed", "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", "waf": "Security", + "service": "App Services", "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", "id": "A04.05", "severity": "High", @@ -193,6 +210,7 @@ "text": "Set minimum TLS policy to 1.2", "description": "Set minimum TLS policy to 1.2 in App Service configuration.", "waf": "Security", + "service": "App Services", "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", "id": "A04.06", "severity": "Medium", @@ -205,6 +223,7 @@ "text": "Use HTTPS only", "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", "waf": "Security", + "service": "App Services", "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", "id": "A04.07", "severity": "High", @@ -217,6 +236,7 @@ "text": "Wildcards must not be used for CORS", "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.", "waf": "Security", + "service": "App Services", "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", "id": "A04.08", "severity": "High", @@ -228,6 +248,7 @@ "text": "Turn off remote debugging", "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.", "waf": "Security", + "service": "App Services", "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", "id": "A04.09", "severity": "High", @@ -240,6 +261,7 @@ "text": "Enable Defender for Cloud - Defender for App Service", "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", "waf": "Security", + "service": "App Services", "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", "id": "A04.10", "severity": "Medium", @@ -251,6 +273,7 @@ "text": "Enable DDOS Protection Standard on the WAF VNet", "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", "waf": "Security", + "service": "App Services", "guid": "223ece80-b123-4071-a541-6415833ea3ad", "id": "A04.11", "severity": "Medium", @@ -262,6 +285,7 @@ "text": "Pull containers over a Virtual Network", "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", "waf": "Security", + "service": "App Services", "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", "id": "A04.12", "severity": "Medium", @@ -273,6 +297,7 @@ "text": "Conduct a penetration test", "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", "waf": "Security", + "service": "App Services", "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", "id": "A05.01", "severity": "Medium", @@ -284,6 +309,7 @@ "text": "Deploy validated code", "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", "waf": "Security", + "service": "App Services", "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", "id": "A06.01", "severity": "Medium", @@ -295,6 +321,7 @@ "text": "Use up-to-date platforms, languages, protocols and frameworks", "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", "waf": "Security", + "service": "App Services", "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", "id": "A06.02", "severity": "High", @@ -388,4 +415,4 @@ "state": "Preview", "timestamp": "October 20, 2023" } -} \ No newline at end of file +}