# Security — Daily DevOps & .NET

> Practical security practices: secure coding, dependency management, secrets handling, authentication, authorization, compliance, and DevSecOps integration.

Source: https://daily-devops.net/tags/security/

Generated: 2026-06-12

## About this topic

- [Topic landing page](https://daily-devops.net/tags/security/): Practical security practices: secure coding, dependency management, secrets handling, authentication, authorization, compliance, and DevSecOps integration.
- [Back to all topics](https://daily-devops.net/tags/)
- [Site index](https://daily-devops.net/llms.txt)

## Articles tagged "Security" (25)

- [.claudeignore Doesn't Exist. Here's What Does.](https://daily-devops.net/posts/claudeignore-dotnet/): .claudeignore is a hallucination. Claude invented it, the internet spread it, and now Claude keeps recommending it. Here is what actually works in .NET.
- [Your Privacy Docs Are Fiction: Let's Fix That with .NET CLI Tools](https://daily-devops.net/posts/privacy-audit-automation-dotnet-cli/): Quarterly audits can't catch PII added last Tuesday. Build .NET CLI tools that make compliance a build-time fact, not a spreadsheet fantasy.
- [Security Tests That Prove Themselves](https://daily-devops.net/posts/cli-security-testing-audit/): Build xUnit and WebApplicationFactory security tests that emit timestamped evidence tied to commit hashes. Retire the SharePoint screenshot folder.
- [Security Cosplay: Your Password-Only Admin Panel Isn't Fooling Anyone](https://daily-devops.net/posts/multi-factor-authentication-azure-ad-b2c/): Password-only admin authentication is security cosplay. How Azure AD B2C conditional MFA creates actual protection for privileged operations.
- [Certified, Filed, Forgotten: The Compliance Trainwreck](https://daily-devops.net/posts/compliance-verification-dotnet-cli/): Consultants paid. Docs filed. Then compliance becomes a Word doc ritual until an audit exposes the drift. CLI tools fix what checklists never could.
- [Who Ran That Migration? Audit Trails for .NET CLI Tools](https://daily-devops.net/posts/audit-trail-dotnet-cli-tools/): dotnet ef database update prints Success and forgets. Add structured logging, user identity, and correlation IDs so privileged CLI runs leave evidence.
- ["We Store Secrets in appsettings.json": A Horror Story in Five Acts](https://daily-devops.net/posts/managed-identity-rbac-azure-resources/): That ClientSecret has been in your Git history since 2019. Here's how Azure Managed Identity eliminates credentials from your .NET apps entirely.
- [247 Strangers Have Root Access to Your Production](https://daily-devops.net/posts/supply-chain-security-github-dependabot/): npm install pulls 247 strangers past your vendor approval gate. Wire up Dependabot, dependency review, and SBOMs to satisfy ISO 27001 A.15 properly.
- [Stop Deploying Garbage to Production](https://daily-devops.net/posts/continuous-deployment-security-gates/): Failing tests as warnings, secrets in Git, no approvals. Build GitHub Actions gates that enforce ISO 27001 A.14.2 and A.18.2 before production.
- [Your Azure SQL Backups Won't Save You (Here's Why)](https://daily-devops.net/posts/backup-recovery-azure-sql-database/): Azure SQL's seven-day default retention is a compliance time bomb. Configure long-term backup, geo-replication, and tested restores in Bicep.
- [Your Stack Traces Are Love Letters to Attackers](https://daily-devops.net/posts/error-handling-security-information-disclosure/): That helpful stack trace in your API response is a roadmap for attackers. Learn secure error handling that logs everything but reveals nothing.
- [Your Logout Button Is Lying: ASP.NET Session Security Done Right](https://daily-devops.net/posts/session-management-aspnet-authentication/): Most ASP.NET session configs pass code review but fail security audits. Learn what actually matters for cookie authentication and JWT tokens.
- [Container Registry & Image Security in AKS Deployments](https://daily-devops.net/posts/container-registry-image-security-aks/): ACR security is foundational. Learn practical hardening: image scanning, signing, RBAC, private endpoints, and policy enforcement for AKS clusters.
- [Your TLS Config is Probably Wrong: Five Audit Failures I Keep Finding](https://daily-devops.net/posts/encryption-transit-azure-frontdoor/): That TLS 1.0 you kept for backward compatibility? Auditors flag it every time. Here is how Azure Front Door enforces encryption that actually passes.
- [Trust Is Not a Control: ISO 27001 Compliance via GitHub](https://daily-devops.net/posts/change-control-github-branch-protection/): "We trust our developers" fails audits. GitHub branch protection makes ISO 27001 change control technically enforceable, not just documented.
- [NuGet Packages: The Suppliers You Forgot to Audit](https://daily-devops.net/posts/dependency-management-nuget-security/): dotnet add package invites unvetted suppliers into production. Enforce Central Package Management, signature checks, and vulnerability scans.
- [Your Azure SQL Is Public Right Now. ISO 27017 Demands You Fix It](https://daily-devops.net/posts/network-isolation-azure-vnet/): Azure defaults expose your database to the internet. ISO 27017 CLD 13.1.4 calls that a compliance failure. VNets and Private Endpoints fix it.
- [Your Incident Response Plan Is a Lie. Here's How to Fix It.](https://daily-devops.net/posts/incident-response-github-actions/): ISO 27001 demands effective incident response. GitHub Actions transforms your dusty Word doc into automated workflows that actually work at 3 AM.
- [Your Encryption Is Broken — .NET Data Protection Done Right](https://daily-devops.net/posts/cryptography-dotnet-data-protection/): XOR operations and hardcoded keys fail audits. Learn how .NET Data Protection API with Azure Key Vault delivers real cryptographic compliance.
- [Your appsettings.json Is a Compliance Violation](https://daily-devops.net/posts/secrets-management-azure-keyvault/): That connection string in your config file violates ISO 27017. Azure Key Vault is not optional—it is the compliance minimum you have been ignoring.
- [Audit Logging That Survives Your Next Security Incident](https://daily-devops.net/posts/audit-logging-azure-app-insights/): Most audit logs fail when incidents happen. Structured logging with Application Insights creates trails auditors accept and engineers actually use.
- [Your [Authorize] Attribute Is Compliance Theater](https://daily-devops.net/posts/access-control-aspnet-core/): Your [Authorize] attributes fool developers but not auditors. ISO 27001 A.9 demands actual authorization — not role strings scattered across your codebase.
- [Why ISO Standards Actually Matter for .NET Developers](https://daily-devops.net/posts/iso-standards-intro-dotnet-developers/): ISO/IEC 27001, 27017, and 27701 aren't compliance theater anymore—they're engineering requirements in cloud-native .NET that affect every code decision.
- [ISO/IEC 27001, 27017 & 27701 for .NET Developers — The Complete Series](https://daily-devops.net/posts/iso-standards/): Nearly 30 articles map ISO/IEC 27001, 27017, and 27701 to concrete .NET and Azure: secrets, access control, GDPR erasure, and supply chain security.
- [Pod Identity & Access Control in AKS: What Actually Breaks](https://daily-devops.net/posts/pod-identity-access-control-aks/): Workload Identity Federation changed how AKS handles authentication. Credential leaks, RBAC failures, identity drift: what breaks and how to fix it.

## Optional

- [Full site index for LLMs](https://daily-devops.net/llms.txt)
- [Full content of all articles](https://daily-devops.net/llms-full.txt)
- [RSS for this tag](https://daily-devops.net/tags/security/feed.rss)
- [Atom for this tag](https://daily-devops.net/tags/security/feed.atom)
- [JSON Feed for this tag](https://daily-devops.net/tags/security/feed.json)