Welcome to DevJev.nl: Your Guide to Azure, Cloud Security, and DevOps Mastery

This is the 2nd post in the category Azure DevOps Fundamentals of the blog post series on working with Azure DevOps In this post the I will show how to create a new Project in Azure DevOps.

Since it much more fun to do research and play with technology in collaboration with others, Wesley Camargo will be covering some of the topics on he’s blog , while other topics are covered by my here. Naturally the all related posts will be referenced between the two blogs.

With this post am kicking off a blog post series on working with Azure DevOps . The subjects covered by this series are organized into three categories:

• Azure DevOps Fundamentals
• Azure DevOps Advanced
• Azure DevOps Expert

Starting with the basic of basics of Azure DevOps Fundamentals :

How to create an Organization in Azure DevOps?

Since it much more fun to do research and play with technology in collaboration with others, Wesley Camargo will be covering some of the topics on he’s blog , while other topics are covered by my here. Naturally the all related posts will be referenced between the two blogs.

A new post and a new addition to the naming convention series . With this post I want to share my approach to naming Azure Management groups .

What are Management groups and theirs limits

If you are wondering about reasons for this approach to naming please have a look at the Naming convention background chapter of the The perfect azure naming convention . With that out of the way lets dig in.

In my previous post I went trough my experiences with using the basic Winget commands. And mentioned that anyone who needs more control over the installation options will quickly note that when Winget uses the default installation options when installing packages. In this post I would like to share with you how I managed to solve this and get the control I need during the installation process.

Winget Advanced installation, the override command

The winget install documentation shows that an --override option is available, with an input “A string that will be passed directly to the installer”. Simply said it should allow to override the default installation options with custom ones, similar to the way a regular installer GUI allows to the user to change settings during the installation process. A.k.a. a custom installation and exactly what I need!

During my summer holiday I had a one day break from sunny weather so I decided to use the family tablet to fiddle with some PowerShell. As expected only the standard software was installed on the tablet. I could either start installing everything I need manually or use this opportunity dig a bit into winget . I hope you will enjoy both the basics and the advanced configuration experience shared via this post.

With this post I want to share my approach to Git branch naming. This is the 4th and final post in the naming convention series .

When working in large teams, managing branches can quickly become a hassle. Comparing branches to figure out their feature set, is a time consuming and error prone activity. This should be avoided as it significantly increases the chance of releasing wrong or even broken functionality.
The most ideal solution here would be to use a backlog tool (for example Azure Boards with Azure Repos or with Github) where the branches can be directly linked to backlog items and visa versa. And dotting it i’s by implementing a proper branch naming convention.
However teams that do not have these tools available to them would need to rely on just the naming convention to help organizing and ordering branches.

With this post I want to share my approach to naming Azure DevOps variable groups. This post is the 3rd in the naming convention series .

The naming convention

In my experience there are a lot of different way’s Azure DevOps projects are organized. Also in contrary to the Azure resource naming variable groups are renamable and don’t possess an ability to hold additional metadata like tagging. This changes the approach to naming to focus much more on meaningful and descriptive naming within the context of the Azure DevOps project. Therefore a truly holistic naming of variable groups is challenging to achieve. But abiding the The 10 commandments for Azure naming conventions should still be feasible.

This post is the 2nd in the naming convention series . With this post I want to share my approach to naming Azure resources. Why a naming convention is important is already covered by my previous post . However I do believe that some background is required to understand this approach. So, lets dig in.

There are many Azure related naming conventions guides but this one is mine! For every 10 engineers and architects asked you will get 10 different replies on such a topic as naming conventions. With this blog post I would like to kick-off a small series of blog posts sharing my view points about Azure related naming conventions. In this post starting with why a proper naming convention is important and the 10 commandments I generally follow when working on a naming convention.

Back when all the Cloud and SaaS offerings where a brand new concept most IT administrators ended up choosing the domain name of a tenant. This choice would be then reflected in the SharePoint Online url and the only way to change it was to create brand new tenant. Either due to the somewhat poor choice from the IT administrators, due to mergers, rebranding or acquisitions some organization ended up with lets say less desirable domain name for their SharePoint URL.
Responding to clients with a “no it is not possible to change that” always bothered me back then. So when I learned that this option is now available (in preview) I immediately decided to try it. Via this post I want to share what I learned testing this option.

Like with the two previous posts Hacking Azure DevOps and I am in your pipeline reading all your secrets! I want to continue to raise awareness and understanding about pipeline security in Azure DevOps. In the previous post I have explained how secure / marked as secret variables are handled during pipeline runtime.
In this post I want to show how an Azure Resource Manager service connection configuration is handled during pipeline runtime. And which sensitive information is exposed through this service connection.
Like I mentioned in the previous posts, without proper security configuration for pipelines this information could be abused by attackers.

Introduction

With this blog post I want to raise awareness and understanding on how secure / marked as secret variables are handled during pipeline runtime in Azure DevOps and how these can be potentially exfiltrated. If proper security configuration is not in place this could potentially be abused by attackers.

Lets move ahead to create different types of variables and try to retrieve their values. By doing so at the end of this blog post it will be clear why it’s not very sensible to give all project team members full access to pipelines. And why in some cases it’s better to set-up private build agents.

Introduction

While this case is not a particularly new one and has been posted by Matt Cooper on devblogs.microsoft.com back in August 2020. I still feel that in relation to the possible data spillage it has not received sufficient exposure and the correct amount of awareness I would have expected. I actually stumbled upon this case by accident when playing with the Azure DevOps Library variables API.

So in this post I want to showcase how a possible attacker can use a compromised developers environment to gain access to almost all the data present in an Azure DevOps Organization. While access of the developers environment in question is limited to just a single Azure DevOps Project.