Securing PaaS deployments

This article provides information that helps you:

  • Understand the security advantages of hosting applications in the cloud
  • Evaluate the security advantages of platform as a service (PaaS) versus other cloud service models
  • Change your security focus from a network-centric to an identity-centric perimeter security approach
  • Implement general PaaS security best practices recommendations

Developing secure applications on Azure is a general guide to the security questions and controls you should consider at each phase of the software development lifecycle when developing applications for the cloud.

Cloud security advantages

There are security advantages to being in the cloud. In an on-premises environment, organizations likely have unmet responsibilities and limited resources available to invest in security, which creates an environment where attackers are able to exploit vulnerabilities at all layers.

Figure: Security advantages in the cloud era

Organizations are able to improve their threat detection and response times by using a provider's cloud-based security capabilities and cloud intelligence. By shifting responsibilities to the cloud provider, organizations can get more security coverage, which enables them to reallocate security resources and budget to other business priorities.

Division of responsibility

It's important to understand the division of responsibility between you and Microsoft. On-premises, you own the whole stack, but as you move to the cloud some responsibilities transfer to Microsoft. The following responsibility matrix shows the areas of the stack in a SaaS, PaaS, and IaaS deployment that you are responsible for and that Microsoft is responsible for.

Figure: Areas of responsibility

For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, your on-premises resources, and the cloud components you control (which vary by service type).

Responsibilities that are always retained by you, regardless of the type of deployment, are:

  • Data
  • Endpoints
  • Accounts
  • Access management

Security advantages of a PaaS cloud service model

Using the same responsibility matrix, let's look at the security advantages of an Azure PaaS deployment versus on-premises.

Figure: Security advantages of PaaS

Starting at the bottom of the stack, the physical infrastructure, Microsoft mitigates common risks and responsibilities. Because the Microsoft cloud is continually monitored by Microsoft, it is hard to attack. It doesn't make sense for an attacker to pursue the Microsoft cloud as a target. Unless the attacker has lots of money and resources, the attacker is likely to move on to another target.

In the middle of the stack, there is no difference between a PaaS deployment and on-premises. At the application layer and the account and access management layer, you have similar risks. In the Next steps section of this article, we guide you to best practices for eliminating or minimizing these risks.

At the top of the stack, data governance and rights management, you take on one risk that can be mitigated by key management. (Key management is covered in the best practices below.) While key management is an additional responsibility, there are areas in a PaaS deployment that you no longer have to manage, so you can shift resources to key management.

The Azure platform also provides you strong DDoS protection by using various network-based technologies. However, all types of network-based DDoS protection methods have their limits on a per-link and per-datacenter basis. To help avoid the impact of large DDoS attacks, you can take advantage of Azure's core cloud capability of enabling you to quickly and automatically scale out to defend against DDoS attacks. We go into more detail on how you can do this in the recommended practices articles.

Modernizing the defender's mindset

With PaaS deployments comes a shift in your overall approach to security. You shift from needing to control everything yourself to sharing responsibility with Microsoft.

Another significant difference between PaaS and traditional on-premises deployments is a new view of what defines the primary security perimeter. Historically, the primary on-premises security perimeter was your network, and most on-premises security designs use the network as their primary security pivot. For PaaS deployments, you are better served by considering identity to be the primary security perimeter.

Adopt a policy of identity as the primary security perimeter

One of the five essential characteristics of cloud computing is broad network access, which makes network-centric thinking less relevant. The goal of much of cloud computing is to allow users to access resources regardless of location. For most users, their location is going to be somewhere on the Internet.

The following figure shows how the security perimeter has evolved from a network perimeter to an identity perimeter. Security becomes less about defending your network and more about defending your data, as well as managing the security of your apps and users. The key difference is that you want to push security closer to what's important to your company.

Figure: Identity as the new security perimeter

Initially, Azure PaaS services (for example, web roles and Azure SQL) provided little or no traditional network perimeter defenses. It was understood that the element's purpose was to be exposed to the Internet (web role) and that authentication provides the new perimeter (for example, BLOB or Azure SQL).

Modern security practices assume that the adversary has breached the network perimeter. Therefore, modern defense practices have moved to identity. Organizations must establish an identity-based security perimeter with strong authentication and authorization hygiene (best practices).

Principles and patterns for the network perimeter have been available for decades. In contrast, the industry has relatively less experience with using identity as the primary security perimeter. With that said, we have accumulated enough experience to provide some general recommendations that are proven in the field and apply to almost all PaaS services.

The following are best practices for managing the identity perimeter.

Best practice: Secure your keys and credentials to secure your PaaS deployment.
Detail: Losing keys and credentials is a common problem. You can use a centralized solution where keys and secrets are stored in hardware security modules (HSMs). Azure Key Vault safeguards your keys and secrets by encrypting authentication keys, storage account keys, data encryption keys, .pfx files, and passwords using keys that are protected by HSMs.

Best practice: Don't put credentials and other secrets in source code or GitHub.
Detail: The only thing worse than losing your keys and credentials is having an unauthorized party gain access to them. Attackers can take advantage of bot technologies to find keys and secrets stored in code repositories such as GitHub. Do not put keys and secrets in these public code repositories.
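A lightweight pre-commit check that flags the kinds of secrets this best practice warns about (storage account keys, private keys, hard-coded passwords, SAS tokens) before they reach a repository. This is an added example, not Microsoft's credential scanner; the detection rules, the `# allow-secret` marker and every value in the sample file are constructed for the illustration.

```python
import re

# Detection rules for the secret types the page names. Constructed for this
# example; tune them for your own code base.
SECRET_PATTERNS = {
    # Azure storage connection strings carry the account key as base64 after "AccountKey="
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{60,}={0,2})"),
    # PEM private-key header (the key material the page says belongs in Key Vault)
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # password-like assignment with a quoted literal of 8+ characters
    "hardcoded_password": re.compile(r"""(?i)(password|passwd|pwd)\s*[:=]\s*["']([^"']{8,})["']"""),
    # shared access signature embedded in a URL
    "sas_token": re.compile(r"[?&]sig=[A-Za-z0-9%+/=]{20,}"),
}

# A reviewer can mark deliberate placeholder values so the scan stays quiet on them
# (hypothetical convention for this example).
ALLOW_MARKER = "# allow-secret"


def mask(text: str) -> str:
    """Keep only the first four characters so the report itself does not leak the secret."""
    return text[:4] + "..." if len(text) > 4 else "..."


def scan_lines(lines):
    """Return (line number, rule name, masked match) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, mask(match.group(0))))
    return findings


def scan_file(path: str):
    """Wrapper for running the check against a real file from a pre-commit hook."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


# Constructed sample source file: the key, password and signature are made up.
FAKE_KEY = "A" * 86 + "=="
SAMPLE_SOURCE = [
    "import os",
    "",
    "# right: the secret arrives through the environment, populated from Key Vault at deploy time",
    'STORAGE_CONN = os.environ.get("STORAGE_CONNECTION_STRING")',
    "",
    "# wrong: connection string pasted into source",
    'STORAGE_CONN_DEV = "DefaultEndpointsProtocol=https;AccountName=contosodev;AccountKey='
    + FAKE_KEY + ';EndpointSuffix=core.windows.net"',
    'DB_PASSWORD = "Winter2019!Contoso"  # wrong: hard-coded password',
    'TEST_PWD = "not-a-real-secret"  # allow-secret',
    'BLOB_URL = "https://contosodev.blob.core.windows.net/c?sv=2019-02-02&sig=' + "B" * 40 + '%3D"',
]

if __name__ == "__main__":
    # Reports lines 7, 8 and 10 of SAMPLE_SOURCE and stays quiet on the allow-listed line 9.
    for lineno, rule, snippet in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule} ({snippet})")
```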

Best practice: Protect your VM management interfaces on hybrid PaaS and IaaS services by using a management interface that enables you to remotely manage these VMs directly.
Detail: Remote management protocols such as SSH, RDP, and PowerShell remoting can be used. In general, we recommend that you do not enable direct remote access to VMs from the internet.

If possible, use alternate approaches like using virtual private networks in an Azure virtual network. If alternative approaches are not available, ensure that you use complex passphrases and two-factor authentication (such as Azure Multi-Factor Authentication).

Best practice: Use strong authentication and authorization platforms.
Detail: Use federated identities in Azure AD instead of custom user stores. When you use federated identities, you take advantage of a platform-based approach and you delegate the management of authorized identities to your partners. A federated identity approach is especially important when employees are terminated and that information needs to be reflected through multiple identity and authorization systems.

Use platform-supplied authentication and authorization mechanisms instead of custom code. The reason is that developing custom authentication code can be error prone. Most of your developers are not security experts and are unlikely to be aware of the subtleties and the latest developments in authentication and authorization. Commercial code (for example, from Microsoft) is often extensively security reviewed.

Use two-factor authentication. Two-factor authentication is the current standard for authentication and authorization because it avoids the security weaknesses inherent in username and password types of authentication. Access to both the Azure management (portal/remote PowerShell) interfaces and customer-facing services should be designed and configured to use Azure Multi-Factor Authentication.

Use standard authentication protocols, such as OAuth2 and Kerberos. These protocols have been extensively peer reviewed and are likely implemented as part of your platform libraries for authentication and authorization.

Use threat modeling during application design

The Microsoft Security Development Lifecycle specifies that teams should engage in a process called threat modeling during the design phase. To help facilitate this process, Microsoft has created the SDL Threat Modeling Tool. Modeling the application design and enumerating STRIDE threats across all trust boundaries can catch design errors early on.

The following table lists the STRIDE threats and gives some example mitigations that use Azure features. These mitigations won't work in every situation.

Threat                  Security property   Potential Azure platform mitigations
Spoofing                Authentication      Require HTTPS connections.
Tampering               Integrity           Validate SSL certificates.
Repudiation             Non-repudiation     Enable Azure monitoring and diagnostics.
Information disclosure  Confidentiality     Encrypt sensitive data at rest by using service certificates.
Denial of service       Availability        Monitor performance metrics for potential denial-of-service conditions. Implement connection filters.
Elevation of privilege  Authorization       Use Privileged Identity Management.

Develop on Azure App Service

Azure App Service is a PaaS offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premises. App Service includes the web and mobile capabilities that were previously delivered separately as Azure Websites and Azure Mobile Services. It also includes new capabilities for automating business processes and hosting cloud APIs. As a single integrated service, App Service brings a rich set of capabilities to web, mobile, and integration scenarios.

The following are best practices for using App Service.

Best practice: Authenticate through Azure Active Directory.
Detail: App Service provides an OAuth 2.0 service for your identity provider. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, and mobile phones. Azure AD uses OAuth 2.0 to enable you to authorize access to mobile and web applications.

Best practice: Restrict access based on the need-to-know and least-privilege security principles.
Detail: Restricting access is imperative for organizations that want to enforce security policies for data access. You can use RBAC to assign permissions to users, groups, and applications at a certain scope. To learn more about granting users access to applications, see Get started with access management.

Best practice: Protect your keys.
Detail: Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use. With Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) by using keys that are protected by hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. See Azure Key Vault to learn more. You can also use Key Vault to manage your TLS certificates with auto-renewal.

Best practice: Restrict incoming source IP addresses.
Detail: App Service Environment has a virtual network integration feature that helps you restrict incoming source IP addresses through network security groups. Virtual networks enable you to place Azure resources in a non-internet-routable network that you control access to. To learn more, see Integrate your app with an Azure virtual network.

Best practice: Monitor the security state of your App Service environments.
Detail: Use Azure Security Center to monitor your App Service environments. When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls.

Note

Monitoring App Service is in preview and available only on the Standard tier of Security Center.

Install a web application firewall

Web applications are increasingly targets of malicious attacks that exploit commonly known vulnerabilities. Common among these exploits are SQL injection and cross-site scripting attacks, to name a few. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives application administrators better assurance against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location instead of securing each individual web application. Existing application gateways can easily be converted to a web application firewall enabled application gateway.

Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is based on rules from the Open Web Application Security Project (OWASP) core rule sets 3.0 or 2.2.9.

Monitor the performance of your applications

Monitoring is the act of collecting and analyzing data to determine the performance, health, and availability of your application. An effective monitoring strategy helps you understand the detailed operation of the components of your application. It helps you increase your uptime by notifying you of critical issues so that you can resolve them before they become problems. It also helps you detect anomalies that might be security related.

Use Azure Application Insights to monitor availability, performance, and usage of your application, whether it's hosted in the cloud or on-premises. By using Application Insights, you can quickly identify and diagnose errors in your application without waiting for a user to report them. With the information that you collect, you can make informed choices on your application's maintenance and improvements.

Application Insights has extensive tools for interacting with the data that it collects. Application Insights stores its data in a common repository. It can take advantage of shared functionality such as alerts, dashboards, and deep analysis with the Kusto query language.

Perform security penetration testing

Validating security defenses is as important as testing any other functionality. Make penetration testing a standard part of your build and deployment process. Schedule regular security tests and vulnerability scanning on deployed applications, and monitor for open ports, endpoints, and attacks.

Fuzz testing is a method for finding program failures (code errors) by supplying malformed input data to program interfaces (entry points) that parse and consume this data. Microsoft Security Risk Detection is a cloud-based tool that you can use to look for bugs and other security vulnerabilities in your software before you deploy it to Azure. The tool is designed to catch vulnerabilities before you deploy software, so you don't have to patch a bug, deal with crashes, or respond to an attack after the software is released.
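To make the fuzz-testing idea concrete, here is an added example (not part of the original article and not Microsoft Security Risk Detection) that mutates a valid input and feeds each variant to a small parser: a rejection the parser reports itself is the handled outcome, any other exception is the kind of code error fuzzing exists to find. The record format, the seed input and the bounds-check defect planted in `parse_records` are all constructed for the illustration; `parse_records_fixed` is the hardened form.

```python
import struct


class ParseError(Exception):
    """Raised when the parser recognises malformed input: the expected, handled outcome."""


def parse_records(data: bytes):
    """Constructed format: magic b"PZ", 1-byte record count, then `count` records of
    [1-byte tag][2-byte big-endian length][payload]. Planted defect for the demo:
    the count and length fields are trusted and never checked against len(data)."""
    if len(data) < 3 or data[:2] != b"PZ":
        raise ParseError("bad header")
    count, pos, records = data[2], 3, []
    for _ in range(count):
        tag = data[pos]                                      # IndexError once pos runs past the input
        length = struct.unpack_from(">H", data, pos + 1)[0]  # struct.error on a truncated header
        records.append((tag, data[pos + 3:pos + 3 + length]))
        pos += 3 + length
    return records


def parse_records_fixed(data: bytes):
    """Same format, with every offset checked before it is used."""
    if len(data) < 3 or data[:2] != b"PZ":
        raise ParseError("bad header")
    count, pos, records = data[2], 3, []
    for _ in range(count):
        if pos + 3 > len(data):
            raise ParseError("truncated record header")
        length = struct.unpack_from(">H", data, pos + 1)[0]
        end = pos + 3 + length
        if end > len(data):
            raise ParseError("record length exceeds input")
        records.append((data[pos], data[pos + 3:end]))
        pos = end
    if pos != len(data):
        raise ParseError("trailing bytes after last record")
    return records


def mutate(seed: bytes):
    """Deterministic mutations of a valid input: truncations, byte overwrites, insertions."""
    for i in range(1, len(seed)):
        yield seed[:i]
    for i in range(len(seed)):
        for value in (0x00, 0x7F, 0xFF):
            yield seed[:i] + bytes([value]) + seed[i + 1:]
    for i in range(len(seed) + 1):
        yield seed[:i] + b"\xff\xff" + seed[i:]


def fuzz(parser, seed: bytes):
    """Run every mutation through the parser and collect the inputs that crash it.
    ParseError is the handled rejection; anything else is a program failure."""
    failures = []
    for case in mutate(seed):
        try:
            parser(case)
        except ParseError:
            continue
        except Exception as exc:
            failures.append((case, type(exc).__name__))
    return failures


# Constructed valid seed: two records, (tag 1, b"abc") and (tag 2, b"x").
SEED = (b"PZ" + bytes([2]) + bytes([1]) + struct.pack(">H", 3) + b"abc"
        + bytes([2]) + struct.pack(">H", 1) + b"x")
```

Running `fuzz(parse_records, SEED)` returns a non-empty list of crashing inputs (IndexError and struct.error), while `fuzz(parse_records_fixed, SEED)` returns an empty list because every malformed variant is rejected with a ParseError.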

Next steps

In this article, we focused on the security advantages of an Azure PaaS deployment and security best practices for cloud applications. Next, learn recommended practices for securing your PaaS web and mobile solutions using specific Azure services. We'll start with Azure App Service, Azure SQL Database and Azure SQL Data Warehouse, and Azure Storage. As articles on recommended practices for other Azure services become available, links will be provided in the following list:

See Developing secure applications on Azure for security questions and controls you should consider at each phase of the software development lifecycle when developing applications for the cloud.

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.

The following resources are available to provide more general information about Azure security and related Microsoft services: