Deployment and Administration

Secure Development and Operations

Secure Development and Operations
KanBo is developed following a strict Secure Development Lifecycle (SDL) aligned with OWASP ASVS Level 1, NIST, and FIPS standards.

Core SDL Practices

Peer-reviewed code for every merge request.

Isolated CI/CD environments (no developer access).

Automated CVE scanning and dependency locking.

Cryptographic protection for all refresh tokens.

No hardcoded secrets — all keys stored in Azure Key Vault or equivalent.

Biannual penetration testing and security review.

Continuous Monitoring

Microsoft Defender for Cloud Apps and Azure Sentinel integration.

Real-time anomaly detection using SIEM rules.

TLS certificate expiry alerts and automated rotation routines.

KanBo’s security posture is validated continuously — not annually.

Network and Infrastructure Hardening

Deploying KanBo inside your Azure or GCC High tenant allows you to apply the full Microsoft cloud security stack and layer additional defense-in-depth controls.

Recommended Hardening Blueprint

Identity and Access

Enforce Azure AD Conditional Access + MFA (FIDO2 / Certificate).

Implement Privileged Access Workstations (PAW) or Azure Bastion for admins.

Enable Just-in-Time (JIT) access for elevated roles.

Use Customer Lockbox (GCC High) to prevent external access.

Network Segmentation

Place all KanBo components inside a private VNet and dedicated subnets.

Restrict inbound access to corporate CIDR ranges only.

Use ExpressRoute or VPN for internal traffic.

Host Elasticsearch on a dedicated, isolated VM behind Azure Firewall.

Firewall Rules (Reference Example)

DirectionProtocolTargetSourcePurposeOutboundHTTPS 443*.graph.microsoft.comKanBo subnetMicrosoft Graph integrationOutboundHTTPS 443login.microsoftonline.comKanBo subnetAuthenticationInboundHTTPS 443Corporate WANLoad BalancerSecure user access only—RDP/SSH——Blocked – Admin via Bastion only

Automation

Use the Microsoft 365 IP Address and URL Web Service for automatic endpoint updates in your firewall or NSGs.

KanBo’s footprint is fully deterministic — only Microsoft 365 endpoints are required.

KanBo is developed following a strict Secure Development Lifecycle (SDL) aligned with OWASP ASVS Level 1, NIST, and FIPS standards.

Core SDL Practices

Peer-reviewed code for every merge request.
Isolated CI/CD environments (no developer access).
Automated CVE scanning and dependency locking.
Cryptographic protection for all refresh tokens.
No hardcoded secrets — all keys stored in Azure Key Vault or equivalent.
Biannual penetration testing and security review.

Continuous Monitoring

Microsoft Defender for Cloud Apps and Azure Sentinel integration.
Real-time anomaly detection using SIEM rules.
TLS certificate expiry alerts and automated rotation routines.

KanBo’s security posture is validated continuously — not annually.

Network and Infrastructure Hardening

Deploying KanBo inside your Azure or GCC High tenant allows you to apply the full Microsoft cloud security stack and layer additional defense-in-depth controls.

Recommended Hardening Blueprint

Identity and Access

Enforce Azure AD Conditional Access + MFA (FIDO2 / Certificate).
Implement Privileged Access Workstations (PAW) or Azure Bastion for admins.
Enable Just-in-Time (JIT) access for elevated roles.
Use Customer Lockbox (GCC High) to prevent external access.

Network Segmentation

Place all KanBo components inside a private VNet and dedicated subnets.
Restrict inbound access to corporate CIDR ranges only.
Use ExpressRoute or VPN for internal traffic.
Host Elasticsearch on a dedicated, isolated VM behind Azure Firewall.

Firewall Rules (Reference Example)

Direction	Protocol	Target	Source	Purpose
Outbound	HTTPS 443	*.graph.microsoft.com	KanBo subnet	Microsoft Graph integration
Outbound	HTTPS 443	login.microsoftonline.com	KanBo subnet	Authentication
Inbound	HTTPS 443	Corporate WAN	Load Balancer	Secure user access only
—	RDP/SSH	—	—	Blocked – Admin via Bastion only

Automation

Use the Microsoft 365 IP Address and URL Web Service for automatic endpoint updates in your firewall or NSGs.

KanBo’s footprint is fully deterministic — only Microsoft 365 endpoints are required.