Azure / azure-sdk

This is the Azure SDK parent repository and mostly contains documentation around guidelines and policies as well as the releases for the various languages supported by the Azure SDK.
http://azure.github.io/azure-sdk
MIT License

[PrivilegedOperation] attribute #5589

Open vinodkumarys opened 1 year ago

vinodkumarys commented 1 year ago

We are part of Azure Trusted Platform and Azure Security Monitoring team.

ASK: Create an attribute (PrivilegedOperation) in the Core package so that all Azure SDKs can use this attribute to mark/label privileged API methods. This will help us to find privileged method calls during static analysis of repositories using Azure SDKs. We want to use static analysis to improve audit logging for privileged calls, which will improve the overall security posture for Azure. We also believe this can be useful in other scenarios that require a list of privileged methods exposed by Azure SDKs.

We are ready to jump on a call and provide more detailed information as required.
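To make the ask concrete for the .NET case, here is an added illustration (not code from this issue, from Azure.Core, or from any shipped Azure SDK) of what such an attribute and the consuming static analysis could look like. The attribute name `Azure.Core.PrivilegedOperationAttribute`, the `Reason` property, the `Contoso.Sdk.RoleAssignmentClient` sample, and the diagnostic id `SEC0001` are all assumptions chosen for the example. The analyzer is a Roslyn `DiagnosticAnalyzer` that reports every call site whose target (or an overridden base declaration) carries the attribute, which is the kind of repository-wide "find the privileged calls" pass the request describes:

```csharp
using System;
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Operations;

// Hypothetical attribute with the shape the request asks Azure.Core to expose.
// It does not exist in Azure.Core today; the namespace and name are assumptions.
namespace Azure.Core
{
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Constructor, AllowMultiple = false)]
    public sealed class PrivilegedOperationAttribute : Attribute
    {
        public PrivilegedOperationAttribute(string reason) => Reason = reason;

        // Short statement of why the operation is privileged (e.g. "changes RBAC").
        public string Reason { get; }
    }
}

// Constructed sample SDK surface, not a real Azure client.
namespace Contoso.Sdk
{
    public class RoleAssignmentClient
    {
        [Azure.Core.PrivilegedOperation("Grants a principal a role on a scope")]
        public virtual void CreateRoleAssignment(string scope, string principalId, string roleId) { /* ... */ }

        // Read-only; intentionally unmarked so the analyzer stays quiet here.
        public void GetRoleAssignment(string scope, string id) { /* ... */ }
    }
}

// Roslyn analyzer: flags each invocation (or constructor call) of a [PrivilegedOperation] member.
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class PrivilegedCallAnalyzer : DiagnosticAnalyzer
{
    public const string AttributeFullName = "Azure.Core.PrivilegedOperationAttribute";

    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        id: "SEC0001",                                   // assumed diagnostic id
        title: "Privileged SDK operation invoked",
        messageFormat: "Call to privileged operation '{0}' ({1}); ensure it is audit-logged",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Info,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        // Operation-based (not syntax-based) so bound symbols are available at the call site.
        context.RegisterOperationAction(AnalyzeCall, OperationKind.Invocation, OperationKind.ObjectCreation);
    }

    private static void AnalyzeCall(OperationAnalysisContext context)
    {
        IMethodSymbol method = context.Operation switch
        {
            IInvocationOperation inv => inv.TargetMethod,
            IObjectCreationOperation ctor => ctor.Constructor,
            _ => null
        };
        if (method is null) return;

        AttributeData marker = FindMarker(method);
        if (marker is null) return;

        string reason = marker.ConstructorArguments.Length > 0
            ? marker.ConstructorArguments[0].Value as string ?? string.Empty
            : string.Empty;

        context.ReportDiagnostic(Diagnostic.Create(
            Rule, context.Operation.Syntax.GetLocation(), method.ToDisplayString(), reason));
    }

    // Look at the original definition (so constructed generics match) and walk the override
    // chain, so a call through a derived type still counts as privileged.
    private static AttributeData FindMarker(IMethodSymbol method)
    {
        for (IMethodSymbol m = method.OriginalDefinition; m != null; m = m.OverriddenMethod)
        {
            AttributeData hit = m.GetAttributes()
                .FirstOrDefault(a => a.AttributeClass?.ToDisplayString() == AttributeFullName);
            if (hit != null) return hit;
        }
        return null;
    }
}
```

In practice the attribute would live in the library assembly and the analyzer in a separate analyzer package referenced by consuming repositories (or run by a CI scanner over the whole codebase), rather than in one file as shown. Two caveats worth keeping in mind when evaluating the approach: an attribute-driven analyzer only sees calls the compiler binds, so reflection, `dynamic`, and delegates stored and invoked elsewhere are invisible to it; and calls made through an interface method need the attribute on the interface declaration (or an extra lookup from the implementation to its interface members) or they will be missed.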

heaths commented 1 year ago

@KrzysztofCwalina @tg-msft they'd like this for .NET initially, but we may want this for other languages as well - even some that may not support the concept of attributes, where we could perhaps publish a list of patterns to check. But in the case of .NET, attributes may be a more useful feature if we defined such an attribute in Azure.Core. This could also be useful in GitHub for CodeQL to statically analyze patterns.

KrzysztofCwalina commented 1 year ago

It would be good to understand what these analyzers would actually do, and in general, the whole E2E. Also, the cross-language question is a good one. I would be very much interested in what we would do in other languages, as the answer to this question might impact what we want to do for .NET.