learn-pr/wwl-sci/design-solutions-secure-applications/includes/1-introduction-application-security.md
1 addition & 1 deletion
@@ -22,6 +22,6 @@ As a cybersecurity architect, you design security strategies that protect applic
22
22
23
23
Your role isn't to write secure code yourself, but to define the standards, select the technologies, and design the architectures that make secure development the default path for your organization. This means you need to understand how security controls map to each phase of the application lifecycle, from initial requirements through production operations.
24
24
25
-
This module covers both foundational practices, like the Microsoft Security Development Lifecycle (SDL) and the Microsoft Cloud Security Benchmark (MCSB) DevOps Security controls, and specific Azure technologies that protect applications at runtime. You evaluate how to assess existing application portfolios, model threats against business-critical systems, and design solutions that use workload identities, API management, and web application firewalls to reduce risk.
25
+
This module covers both foundational practices, like the Microsoft Security Development Lifecycle (SDL) and the Microsoft Cloud Security Benchmark v2 (MCSBv2) DevOps Security controls, and specific Azure technologies that protect applications at runtime. You evaluate how to assess existing application portfolios, model threats against business-critical systems, and design solutions that use workload identities, API management, and web application firewalls to reduce risk.
26
26
27
27
Each unit builds on the previous one, starting with the standards and frameworks that guide secure development, then moving through evaluation techniques, and finishing with specific technology solutions you recommend as part of your architecture.
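Review bot: the rename to "Microsoft Cloud Security Benchmark v2 (MCSBv2)" on the added line pins this module's text to one benchmark version, so the abbreviation must stay in lockstep with the unit-2 heading and control descriptions that also spell it out; since the expanded form is now introduced here, later units could use just `MCSBv2` rather than re-expanding it each time.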
learn-pr/wwl-sci/design-solutions-secure-applications/includes/2-design-implement-standards-secure-application-development.md
28 additions & 24 deletions
@@ -1,12 +1,22 @@
1
1
As a cybersecurity architect, one of your most impactful responsibilities is defining the standards and practices that development teams follow to build secure software. Without clear standards, security becomes inconsistent across projects, vulnerabilities accumulate as technical debt, and remediation costs increase dramatically when issues are discovered late in the development process.
2
2
3
-
This unit covers two complementary frameworks: the Microsoft Security Development Lifecycle (SDL), which provides 10 key security practices for integrating security into development, and the Microsoft Cloud Security Benchmark (MCSB) DevOps Security controls, which provide specific technical guidance for securing the development pipeline.
3
+
This unit covers two complementary frameworks: the Microsoft Security Development Lifecycle (SDL), which provides 10 key security practices for integrating security into development, and the Microsoft Cloud Security Benchmark v2 (MCSBv2) DevOps Security controls, which provide specific technical guidance for securing the development pipeline.
4
4
5
5
## Microsoft Security Development Lifecycle (SDL) practices
6
6
7
+
Security risks and the need to mitigate them can occur at any point in the development lifecycle.
8
+
9
+
:::image type="content" source="../media/development-lifecycle.png" alt-text="Diagram that shows the steps in the development lifecycle." border="true" lightbox="../media/development-lifecycle.png":::
10
+
11
+
-**Design:** ensure that the architecture doesn't allow attackers to easily gain unauthorized access to the workload, its data, or other business assets.
12
+
-**Code:** ensure that writing and reuse of code doesn't allow attackers to take control of the application to perform unauthorized actions. Developers should also work in a secure environment that prevents attackers from altering code without their knowledge.
13
+
-**Build and deploy:** ensure that the CI/CD processes don't allow unauthorized users to alter the code and allow attackers to compromise it.
14
+
-**Run:** ensure that the environment running the code follows security best practices across people, process, and technology, including security baseline configurations and operational controls.
15
+
-**Zero Trust architecture and governance:** all stages should follow Zero Trust principles: assume breach, explicitly verify trust, and grant the least privilege required for each user, service identity, and application component.
16
+
7
17
The Microsoft SDL is a set of practices and tools that help organizations build more secure software. It has evolved over 20 years at Microsoft and continues to adapt as the threat landscape changes. The SDL integrates security into each stage of the development process, following a continuous improvement model rather than a one-time assessment.
8
18
9
-
Security risks can occur at any point in the development lifecycle. During design, insecure architecture can give attackers easy access. During coding, vulnerabilities can allow unauthorized control of applications. During build and deployment, compromised continuous integration and continuous delivery (CI/CD) processes can alter code. During runtime, misconfigured environments expose workloads. The SDL addresses all of these stages through 10 key practices.
19
+
These are the 10 key security practices of the SDL that help you integrate security into each stage of your overall development process.
10
20
11
21
### The 10 SDL practices
12
22
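Review bot: the new `:::image:::` block and the Design/Code/Build and deploy/Run bullets are inserted directly under the "## Microsoft Security Development Lifecycle (SDL) practices" heading, before the unchanged paragraph that first explains what the Microsoft SDL is, so the reader meets the lifecycle stages before the SDL has been defined; the deleted paragraph ("Security risks can occur at any point in the development lifecycle. During design, ...") covered the same stages and sat after that SDL introduction, which is the better position for the image and bullets. Two smaller points in the same added lines: the "Zero Trust architecture and governance" bullet is a cross-cutting principle rather than a lifecycle stage and would read better as a closing sentence after the list, and the replacement sentence "These are the 10 key security practices of the SDL ..." now sits immediately above the "### The 10 SDL practices" heading, so the sentence and the heading say the same thing twice.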
@@ -23,37 +33,31 @@ Security risks can occur at any point in the development lifecycle. During desig
23
33
24
34
As an architect, your role is to determine which of these practices are mandatory for your organization, define how they're enforced, and establish the governance structure that sustains them over time.
25
35
26
-
## MCSB DevOps Security controls
27
-
28
-
The Microsoft Cloud Security Benchmark (MCSB) DevOps Security family provides seven specific controls that map to the SDL practices and offer detailed implementation guidance for Azure and GitHub environments.
29
-
30
-
### DS-1: Conduct threat modeling
31
-
32
-
Implement STRIDE-based threat modeling as a mandatory design-phase activity. Create data flow diagrams (DFDs) that map system components, data flows, trust boundaries, and external dependencies. For each component and data flow, systematically evaluate threats across all six STRIDE categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Use the Microsoft Threat Modeling Tool for consistency and integrate threat model outputs into Azure DevOps work items with clear ownership and acceptance criteria.
33
-
34
-
### DS-2: Secure the software supply chain
35
-
36
-
Implement dependency scanning and management that covers both direct and transitive dependencies. Generate SBOM documents in industry-standard formats (SPDX, CycloneDX). Use tools like GitHub Advanced Security with Dependabot for automated vulnerability detection and pull request-based remediation. Configure Azure Artifacts with signature verification and dependency pinning to prevent confusion attacks and unauthorized package substitution. Extend visibility to deployed environments using Microsoft Defender for Cloud DevOps Security for code-to-cloud traceability.
37
-
38
-
### DS-3: Secure the DevOps infrastructure
36
+
## MCSBv2 DevOps Security controls
39
37
40
-
Centralize secrets management using Azure Key Vault. Configure pipelines to retrieve secrets dynamically at runtime through managed identities or workload identity federation, eliminating hardcoded credentials. Enforce just-in-time access with approval gates for production deployments. Harden self-hosted build agents with network isolation. Integrate infrastructure-as-code (IaC) security scanning to prevent deployment of misconfigured resources.
38
+
The Microsoft Cloud Security Benchmark v2 (MCSBv2) DevOps Security family provides seven specific controls that map to the SDL practices and offer detailed implementation guidance for Azure and GitHub environments.
- DS-4: Integrate static application security testing into DevOps pipeline
44
+
- DS-5: Integrate dynamic application security testing into DevOps pipeline
45
+
- DS-6: Enforce security of workload throughout DevOps lifecycle
46
+
- DS-7: Enable logging and monitoring in DevOps
43
47
44
-
Deploy multiple specialized SAST scanners because no single tool detects all vulnerability classes. Use GitHub CodeQL for semantic code analysis that identifies complex vulnerabilities like SQL injection through multiple function calls. Configure secret scanning with push protection to block credential exposure at commit time. Establish severity-based quality gates that prevent merge of critical findings. The Microsoft Security DevOps Extension can orchestrate scanners including Bandit, BinSkim, Checkov, ESLint, Template Analyzer, Terrascan, and Trivy through a single pipeline task.
48
+
**DS-1: Conduct threat modeling:** Implement STRIDE-based threat modeling as a mandatory design-phase activity. Create data flow diagrams (DFDs) that map system components, data flows, trust boundaries, and external dependencies. For each component and data flow, systematically evaluate threats across all six STRIDE categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Use the Microsoft Threat Modeling Tool for consistency and integrate threat model outputs into Azure DevOps work items with clear ownership and acceptance criteria.
**DS-2: Ensure software supply chain security:** Implement dependency scanning and management that covers both direct and transitive dependencies. Generate SBOM documents in industry-standard formats (SPDX, CycloneDX). Use tools like GitHub Advanced Security with Dependabot for automated vulnerability detection and pull request-based remediation. Configure Azure Artifacts with signature verification and dependency pinning to prevent confusion attacks and unauthorized package substitution. Extend visibility to deployed environments using Microsoft Defender for Cloud DevOps Security for code-to-cloud traceability.
47
51
48
-
Complement SAST with runtime testing in pre-production staging environments that mirror production architecture. Focus on high-risk attack surfaces: API authentication bypasses, authorization failures, session management vulnerabilities, and business logic flaws. For containerized workloads, implement continuous runtime monitoring with Microsoft Defender for Containers, combining pre-deployment image scanning with post-deployment behavioral analysis.
52
+
**DS-3: Secure DevOps infrastructure:** Centralize secrets management using Azure Key Vault. Configure pipelines to retrieve secrets dynamically at runtime through managed identities or workload identity federation, eliminating hardcoded credentials. Enforce just-in-time access with approval gates for production deployments. Harden self-hosted build agents with network isolation. Integrate infrastructure-as-code (IaC) security scanning to prevent deployment of misconfigured resources.
49
53
50
-
### DS-6: Secure the workload lifecycle
54
+
**DS-4: Integrate static application security testing into DevOps pipeline:** Deploy multiple specialized SAST scanners because no single tool detects all vulnerability classes. Use GitHub CodeQL for semantic code analysis that identifies complex vulnerabilities like SQL injection through multiple function calls. Configure secret scanning with push protection to block credential exposure at commit time. Establish severity-based quality gates that prevent merge of critical findings. The Microsoft Security DevOps Extension can orchestrate scanners including Bandit, BinSkim, Checkov, ESLint, Template Analyzer, Terrascan, and Trivy through a single pipeline task.
51
55
52
-
Treat container and VM images as critical artifacts requiring immutable infrastructure practices. Use minimal base images with multi-stage builds. Integrate automated vulnerability scanning with quarantine policies that prevent deployment of images with critical CVEs. Enforce cryptographic signing and verification to prevent image substitution attacks. Use Azure Container Registry with Microsoft Defender for Containers for integrated scanning and content trust.
56
+
**DS-5: Integrate dynamic application security testing into DevOps pipeline:** Complement SAST with runtime testing in pre-production staging environments that mirror production architecture. Focus on high-risk attack surfaces: API authentication bypasses, authorization failures, session management vulnerabilities, and business logic flaws. For containerized workloads, implement continuous runtime monitoring with Microsoft Defender for Containers, combining predeployment image scanning with post-deployment behavioral analysis.
53
57
54
-
### DS-7: Implement DevOps logging and monitoring
58
+
**DS-6: Enforce security of workload throughout DevOps lifecycle:** Treat container and VM images as critical artifacts requiring immutable infrastructure practices. Use minimal base images with multi-stage builds. Integrate automated vulnerability scanning with quarantine policies that prevent deployment of images with critical CVEs. Enforce cryptographic signing and verification to prevent image substitution attacks. Use Azure Container Registry with Microsoft Defender for Containers for integrated scanning and content trust.
55
59
56
-
Capture all security-relevant DevOps activities: authentication events, code commits, pipeline modifications, deployment executions, secret access, and permission changes. Forward audit logs in real-time to Microsoft Sentinel for long-term forensic analysis and correlation with security events from other systems. Implement behavioral analytics to detect suspicious patterns such as after-hours pipeline modifications, unusual secret access, and privilege escalations.
60
+
**DS-7: Enable logging and monitoring in DevOps:**Capture all security-relevant DevOps activities: authentication events, code commits, pipeline modifications, deployment executions, secret access, and permission changes. Forward audit logs in real-time to Microsoft Sentinel for long-term forensic analysis and correlation with security events from other systems. Implement behavioral analytics to detect suspicious patterns such as after-hours pipeline modifications, unusual secret access, and privilege escalations.
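Review bot: missing space in the added DS-7 line: `**DS-7: Enable logging and monitoring in DevOps:**Capture all security-relevant` needs a space before `Capture`, otherwise the bold label runs into the sentence when rendered. In the added DS-5 line, `pre-deployment` becomes `predeployment` while `post-deployment` in the same sentence keeps its hyphen; pick one form for both. Finally, replacing the `### DS-n` headings with bold run-in labels removes the per-control anchors, so any existing links to those headings from other units or the module index will break, and the new bulleted overview list cannot link to each control without them; either keep the H3 headings or drop the overview list so each control name is not listed twice.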
learn-pr/wwl-sci/design-solutions-secure-applications/includes/2a-design-full-lifecycle-strategy-application-security.md
2 additions & 2 deletions
@@ -20,7 +20,7 @@ During the design phase, convert security requirements into technical specificat
20
20
21
21
**Select approved frameworks and supply chain components.** Your design should mandate the use of trusted frameworks and libraries. Maintain a list of approved and prohibited dependencies and enforce it through guardrails in the development pipeline. Automate dependency scanning to verify that all components meet security requirements.
22
22
23
-
**Define security design patterns.** Identify patterns that support segmentation, strong authorization, and uniform application security. Patterns like the Quarantine pattern help verify and block software that could introduce vulnerabilities. For more guidance, refer to the Azure Well-Architected architecture design patterns that support security.
23
+
**Define security design patterns.** Identify patterns that support segmentation, strong authorization, and uniform application security. Patterns like the Quarantine pattern help verify and block software that could introduce vulnerabilities. For more information, see the Azure Well-Architected architecture design patterns that support security.
24
24
25
25
**Perform threat modeling.** Conduct initial threat modeling during the design phase to confirm that design choices align with security requirements and to expose gaps that require mitigation. For workloads handling highly sensitive data, consider engaging specialized security experts. Threat modeling isn't a one-time activity but a continuous process that evolves with the software.
26
26
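Review bot: "For more information, see the Azure Well-Architected architecture design patterns that support security" follows the Learn cross-reference convention, but the added line carries no link, so the reader still cannot reach the patterns; add the link target, and the same applies to the Quarantine pattern named in the preceding sentence.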
@@ -62,7 +62,7 @@ Security posture degrades over time if not actively maintained. This phase ensur
62
62
63
63
-**Patch management.** Keep software, libraries, and infrastructure components current with security updates.
64
64
-**Continuous improvement.** Regularly assess and refine the security of the development process through code reviews, feedback, and lessons learned from incidents and evolving threats.
65
-
-**Decommission unused assets.** Remove legacy assets that are no longer needed. Every unused component is additional attack surface.
65
+
-**Decommission unused assets.** Remove legacy assets that are no longer needed. Every unused component is another attack surface.
66
66
-**Incident integration.** When issues are found in production, feed them back into the development process to prevent recurrence.
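Review bot: "Every unused component is another attack surface" reads as if each component were a separate surface; attack surface is normally treated as one thing that a component adds to, so "adds to the attack surface" (or the original "is additional attack surface") is the more accurate wording. The surrounding bullets (Patch management, Continuous improvement, Incident integration) are correctly left unchanged.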