
Getting Started With Microsoft Defender for DevOps – Comprehensive Guide


Updated – 29/08/2023 – The current mechanism of running secret scanning (CredScan) is being deprecated in September 2023. Instead, you can see secret scanning results generated by GitHub Advanced Security for Azure DevOps (GHAzDO). This enables you to receive detections across all branches, git history, and secret leak protection via push protection to your repositories.

One could contend that a significant aspect of cybersecurity involves addressing code bugs, including those that are presently known and unknown. Such bugs may signify vulnerabilities, thereby raising the potential for malicious actors to exploit them and compromise applications operating within your system.

In this article, we will show you how to get started with Microsoft Defender for DevOps to help you get better visibility of security across the different phases of the software development lifecycle.

Introduction

Microsoft Defender for Cloud offers several key value propositions for organizations looking to secure their cloud workloads:

1) Cloud Security Posture Management (CSPM) – CSPM offers visibility throughout multi-cloud and hybrid environments, from development to runtime, and offers alerts and suggestions to security teams on vital vulnerabilities and misconfigurations that may result in security issues. Furthermore, CSPM comes equipped with in-built workflows to enhance the security posture and facilitate remediation at scale.

2) Cloud Workload Protection Platform (CWPP) – Cloud Workload Protection examines workloads utilizing sophisticated analytics and threat intelligence to help minimize the risk of attack and promptly address emerging threats.

3) DevOps security management – Offers a set of capabilities that allow developers to develop code more securely, offers guidance on best security practices for your source code repositories, and examines templates employed for deploying code in your Azure environment.

4) Cloud-Native Application Protection Platform (CNAPP) – CNAPP seamlessly combines security and compliance capabilities into a single platform to provide end-to-end cloud security for full-stack workloads across Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure Cloud Services.

With its advanced machine learning and behavioral analytics capabilities, Microsoft Defender for Cloud can detect and remediate threats quickly and accurately, minimizing the risk of data breaches and other security incidents. Whether you’re a small business or a large enterprise, Microsoft Defender for Cloud is an essential tool for securing your cloud workloads and protecting your critical data.

Microsoft Defender for Cloud (CNAPP)

These pillars of capabilities together play a key role in helping you determine, improve, and maintain the overall security posture of your Azure environment. They also help you implement good cyber hygiene for your Azure resources.

Microsoft Defender for DevOps Overview

Defender for DevOps is quite new: it was released to the public at Microsoft Ignite in October 2022 and is still in preview at the time of this writing.

Microsoft Defender for DevOps is an extension of Microsoft Defender for Cloud. It enhances the capabilities of Defender for Cloud by enabling organizations to prioritize security early in the development process and offering centralized security management. Rather than being a standalone feature, Microsoft Defender for DevOps consists of a collection of capabilities bundled together in a single plan. These capabilities are designed to assist in shifting security left and integrating security into the software development lifecycle.

The concept of code security is well-established, and there are established security tools like GitHub Advanced Security (GHAS) that aid in identifying vulnerabilities, secrets, and other security flaws within your source code management systems. If you are already utilizing security tools such as GHAS, you may wonder why we need Defender for DevOps. Is security not already ingrained within the development lifecycle when employing tools like GHAS?

Well, GHAS, as a security tool, primarily caters to developers, while Defender for DevOps aims to bridge the gap between security teams and developers. Security teams often bear the responsibility of identifying vulnerabilities within production environments. The distinctive advantage of Defender for DevOps lies in its ability to seamlessly integrate with GHAS, granting security teams visibility into security vulnerabilities, secrets, and misconfigurations within source code management systems through the Defender for Cloud dashboard.

To enable this visibility, onboarding your source code management systems onto Defender for Cloud and installing the Microsoft Security DevOps application to your repositories are essential steps. It is through the Microsoft Security DevOps application that Defender for DevOps effectively detects secrets, vulnerabilities, and misconfigurations within your code. Consequently, to fully leverage the capabilities offered by Defender for DevOps, you must take the following actions:

  • Onboard your source code management systems.
  • Install the Microsoft Security DevOps application to your repositories.

During its public preview phase, Defender for DevOps currently provides support for two source code management systems: GitHub and Azure DevOps. As time progresses, we can anticipate that Microsoft might expand its offerings by incorporating additional capabilities and extending support to other source code management systems, such as GitLab.

The initial set of capabilities offered by Microsoft Defender for Cloud focuses on cloud security posture management (CSPM) for your source code management systems, delivering unified visibility into your DevOps posture.

Prerequisites

To follow this article, you need to have the following:

1) Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.

2) Azure DevOps subscription in the same tenant as your Azure subscription where you use Microsoft Defender for Cloud. If you don’t have an Azure DevOps subscription, you can create a free one here. Then you need to create an Azure DevOps organization.

3) For GitHub repositories, make sure to follow the guidance to set up GitHub Advanced Security for your organization.

4) Defender for DevOps doesn’t yet support all Azure regions. The currently supported regions are Australia East, Central US, and West Europe.

5) The maximum number of GitHub repositories that can be onboarded to Microsoft Defender for Cloud is 2,000. If you try to connect more than 2,000 GitHub repositories, only the first 2,000 repositories, sorted alphabetically, will be onboarded.

6) Required permissions: You need an Azure account with permission to sign into the Azure portal, the Contributor role on the relevant Azure subscription, the Organization Administrator role in GitHub, and the Security Admin role in Defender for Cloud.

7) Source code management systems: Azure DevOps and GitHub. The supported GitHub plans are GitHub Free, Pro, Team, and GitHub Enterprise Cloud.

8) Pricing: While in public preview, Defender for DevOps is available for free before it becomes GA, after which point it is a paid plan and you are charged according to its pricing model.

9) To assess your repositories, you need to onboard your source-code management systems to Defender for Cloud (more on this in the next section).

Assuming you have all the prerequisites in place, take the following steps:

Onboarding Source Code Management Systems

To integrate your Azure DevOps and GitHub repositories with Defender for Cloud, you can easily complete the onboarding process by following the step-by-step instructions provided below.

This onboarding process results in the creation of a security connector, which serves as a storage for the configuration preferences you have chosen during the onboarding. By utilizing the security connector, Defender for Cloud establishes a connection with your source code management systems, enabling it to offer you a unified view of your DevOps posture across all your repositories.

Onboarding GitHub Repositories

To add your GitHub repositories to Defender for Cloud, follow these steps using a user who possesses the Contributor role on the Azure subscription and the Security Admin role in Defender for Cloud:

1. Sign in to the Azure portal.

2. Navigate to the Microsoft Defender for Cloud dashboard.

3. Select Environment settings.

4. Select + Add environment and then click GitHub as shown in the figure below.

Add environment | GitHub

5. Enter the name of the security connector, like GitHubMDCConnector.

6. Next, select the Azure subscription and resource group in which the security connector is created.

7. Select the Azure region and then click Next: Select plans >.

Note: Defender for DevOps only supports Australia East, Central US, and West Europe during the preview.

GitHub Connector details

8. Under the Select Plans page, security posture management is enabled by default and can’t be disabled. The Defender for DevOps plan, which protects your DevOps environments and source code with advanced defenses for your GitHub resources, is also enabled by default; you can disable it here if you don’t want it.

Select Plans | DevOps

9. Click on Next: Authorize connection >.

10. On the Authorize connection page, select Authorize, and then in the pop-up that appears, click Authorize Microsoft Security DevOps. Once the connection has been authorized, a green check mark is displayed with Authorized.

11. Next, select Install to install the Defender for DevOps app on your repositories. If you want to install the app on your existing repositories as well as any GitHub repositories that you create going forward, select All repositories as shown in the figure below. Alternatively, you can choose Only selected repositories and then select the desired repositories from the dropdown list.

// Read more about Defender for DevOps GitHub Application permissions update.

Next, click on Install. Once the app has been installed, a green check mark is displayed with Installed.

Install the Defender for DevOps app on GitHub repositories

12. Last, select Next: Review and Create >, and then click Create.

Please note that if you select All repositories, it may take up to 4 hours for your GitHub repositories to appear in the Environment settings.

Microsoft Defender for Cloud | Environment settings

Once you have successfully integrated your repositories into Defender for Cloud, you can incorporate security measures into your pipelines and deployments using the Microsoft Security DevOps application that you installed while completing the onboarding procedure (more on this in the next section).

Next, let’s see how to onboard Azure DevOps repositories to Defender for Cloud.

Onboarding Azure DevOps Repositories

The onboarding process for your Azure DevOps repositories follows a similar approach to the onboarding process for GitHub. However, there is one key distinction: you must have OAuth enabled for third-party application access in your Azure DevOps organization settings.

Azure DevOps | Third-party application access via OAuth

Once you have confirmed that third-party application access is enabled via OAuth, you will require a user with a Contributor role on the Azure subscription where the security connector is established, as well as the Security Admin role in Defender for Cloud.

1. Sign in to the Azure portal.

2. Navigate to the Microsoft Defender for Cloud dashboard.

3. Select Environment settings.

4. Select + Add environment and then click on Azure DevOps as shown in the figure below.

Add environment | Azure DevOps

5. Enter the name of the security connector, like the ADOConnector.

6. Next, select the Azure subscription and resource group in which the security connector is created.

7. Select the Azure region and then click Next: Select plans >.

Azure DevOps Connector details

8. Under the Select Plans page, security posture management is enabled by default and can’t be disabled. The Defender for DevOps plan, which protects your DevOps environments and source code with advanced defenses for your Azure DevOps resources, is also enabled by default; you can disable it here if you don’t want it.

9. Click on Next: Authorize connection >.

10. On the Authorize connection page, select Authorize, and then in the pop-up that appears, make sure to read the list of required permissions, and then click Accept as shown in the figure below.

Microsoft Security DevOps permissions

Microsoft Security DevOps requires the following permissions:

✓ Identity (read)
✓ Work items (read and write)
✓ Build (read and execute)
✓ Code (read and write)
✓ PR threads
✓ Agent Pools (read)
✓ Packaging (read)
✓ Extensions (read)
✓ Entitlements (read)
✓ Release (read)
✓ Security Files (read)
✓ Task Groups (read)
✓ Variable Groups (read)
✓ Service Endpoints (read)
✓ Project and team (read)
✓ Graph (read)
✓ MemberEntitlement Management (read)
✓ Notifications (diagnostics)
✓ Audit Read Log
✓ Audit Manage Streams
✓ Service Hooks (read and write)

11. Next, from the dropdown list, select the Azure DevOps organizations to onboard.

12. If you want to discover your existing ADO projects as well as any projects that you create going forward, select Auto discovery of projects. Alternatively, you can choose Selected Projects and then select the desired projects from the dropdown list.

Azure DevOps connector account

13. Last, select Next: Review and Create >, and then click Create.

Once you have successfully integrated your repositories into Defender for Cloud, you can incorporate security measures into your pipelines and deployments using the Microsoft Security DevOps application that you installed while completing the onboarding procedure (more on this in the next section).

Microsoft Security DevOps application

Defender for DevOps offers an application known as Microsoft Security DevOps, which allows you to install, set up, and execute the most up-to-date versions of static analysis tools. With Microsoft Security DevOps, you can seamlessly integrate static analysis tools into the software development lifecycle, and shift security left.

By utilizing the open-source tools listed on this page, Microsoft Security DevOps performs static code analysis, commonly referred to as static application security testing (SAST). If you are utilizing GHAS (GitHub Advanced Security), these open-source tools are provided in addition to the tools already utilized by GHAS.

When configuring Microsoft Security DevOps for Azure DevOps, you have the option to include a credential scanner, widely known as CredScan, alongside the open-source tools listed on this page. Developed and maintained by Microsoft, the credential scanner for Azure DevOps aims to prevent the exposure of credentials such as passwords and SQL connection strings in source code and configuration files.

// Please check the following page to learn more about the supported file types for credential scanning in Defender for DevOps.

On the other hand, when configuring Microsoft Security DevOps for GitHub Actions, the credential scanner available for use is provided by GHAS. Check the official documentation to learn more about GitHub Advanced Security (GHAS).

Now let’s see how to configure the Microsoft Security DevOps application for GitHub Actions and Azure DevOps.

Microsoft Security DevOps for GitHub

To configure the Microsoft Security DevOps application for GitHub Actions, perform the following actions:

1. Sign in to GitHub.

2. Then navigate to the repository where you want to configure GitHub Actions.

3. Select Actions, and then look for the Simple workflow and click Configure.

Get started with GitHub Actions

5. Then enter a name for the workflow (like ‘mdcdevops.yml’).

6. In the Edit new file, insert the following code. This code will scan your IaC templates for misconfiguration, as well as discover any vulnerabilities. Notice in the code below the section that starts with: categories: ‘IaC’

name: MDC DevOps Sec IaC Scan

on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [ main ]

  pull_request:
    branches: [ main ]

  # Allows the workflow to be started manually from the Actions tab
  workflow_dispatch:

# Least-privilege token for the job: upload-sarif needs security-events: write
# to publish results to the Security tab (actions: read is required on private repos)
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  security:
    runs-on: windows-latest
    continue-on-error: false
    strategy:
      fail-fast: true

    steps:
    - uses: actions/checkout@v3

    # The Microsoft Security DevOps CLI is a .NET tool, so the runtimes must be present
    - uses: actions/setup-dotnet@v3
      with:
        dotnet-version: |
          5.0.x
          6.0.x

    # Run only the IaC category; other categories can be added as a comma-separated list
    - name: Run Microsoft Security DevOps
      uses: microsoft/security-devops-action@preview
      continue-on-error: false
      id: msdo
      with:
        categories: 'IaC'

    # Publish the SARIF file produced by the step above so the findings appear
    # under Security > Code scanning alerts
    - name: Upload alerts to Security tab
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: ${{ steps.msdo.outputs.sarifFile }}

7. Last, select Commit Changes and then click Commit Changes. These actions ensure that you can scan for vulnerabilities, as well as for IaC in GitHub with the help of the Microsoft Security DevOps application.

GitHub Commit Changes

Once the workflow has been executed, the scan results become visible on GitHub under Security > Code scanning alerts > Tool. Previously, these scan results were exclusively visible on GitHub. However, the introduction of Microsoft’s Defender for DevOps has expanded the visibility of these scan results.

By following the onboarding process of your GitHub repositories to Defender for DevOps as described in the previous steps, the scan results are now accessible on both the Defender for Cloud dashboard and GitHub.

Microsoft Defender for Cloud | DevOps Security dashboard

It is important to keep in mind the shared security responsibility model for addressing code vulnerabilities. With Defender for DevOps, security teams gain the same level of visibility in Defender for Cloud as developers have in GitHub. This allows both teams to collaborate effectively in rectifying any vulnerabilities discovered within your source code management systems.

Besides setting up Microsoft Security DevOps for GitHub, you have the option to configure it for Azure DevOps as well (more on this in the next section).

Microsoft Security DevOps for Azure DevOps

To configure Microsoft Security DevOps for your Azure DevOps, perform the following actions by using admin privileges to the Azure DevOps organization:

1. Sign in to the Azure DevOps portal.

2. In the upper right corner, select Manage Extensions.

Azure DevOps Manage Extensions

3. Select Browse Marketplace, using the search bar, find Microsoft Security DevOps, and then select it.

4. Select Get it free as shown in the figure below.

Microsoft Security DevOps

5. Then using the dropdown list, choose the Azure DevOps organization on which you want to install the Microsoft Security DevOps application, and click Install.

Select an Azure DevOps organization

6. Last, select Proceed to Organization.

Once you have installed the Microsoft Security DevOps Azure DevOps extension, you can proceed to configure your pipelines and incorporate Defender for DevOps tools to safeguard your CI/CD builds and deployments. To configure the pipelines in Azure DevOps, follow these steps:

1. Sign in to the Azure DevOps portal.

2. Click the project you want to configure your pipelines for.

3. Select Pipelines, and then click on New Pipeline.

Azure DevOps New Pipeline

4. Select Azure Repos Git and then click the repository you want.

5. Out of the available options, select the Starter pipeline, and then copy and paste the following code. Notice in the code below the task MicrosoftSecurityDevOps@1 section that starts with inputs: categories: IaC,secrets.

The Microsoft Security DevOps application for Azure DevOps can discover misconfigurations in IaC templates, as well as detect credentials and secrets (like passwords or connection strings).

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger: none
pool:
  vmImage: 'windows-latest'
steps:
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 3.1.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 5.0.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 6.0.x
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    categories: IaC,secrets

6. To commit the pipeline, select Save and run. The pipeline will run for a few minutes and save the results.

Azure DevOps Commit Pipeline

As a side note, you can install the SARIF SAST Scans Tab extension on your Azure DevOps organization in order to ensure that the generated analysis results will be displayed automatically under the Scans tab as shown in the figure below.

Azure DevOps Scans tab results

As you can see, both secrets and IaC are categories for which you can configure the Microsoft Security DevOps application. Please check the Microsoft Security DevOps action page to learn more about the available categories that you can use in the Microsoft Security DevOps application.
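Both the GitHub workflow above (which hands the msdo sarifFile output to upload-sarif) and the SARIF SAST Scans Tab extension in Azure DevOps consume SARIF 2.1.0 files. The following Python is an added example, not code from the page or from Microsoft, showing how a pipeline step could summarize such a file per tool and severity and decide whether to fail the build; the embedded SARIF document, tool names and rule IDs are constructed placeholders, not real scanner output.

```python
"""Summarize and gate on a SARIF 2.1.0 file such as the one MSDO emits.

Added example, not code from the page or from Microsoft. The field paths
follow the SARIF 2.1.0 schema; the embedded document, tool names and rule
IDs are constructed placeholders, not real scanner output.
"""
import json
from collections import Counter


def _result(rule, level, text, uri, line):
    """Build one constructed SARIF result object with a single location."""
    return {
        "ruleId": rule, "level": level, "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line}}}],
    }


# Constructed sample: two runs, i.e. two tools, as a multi-category scan produces.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "ExampleIaCScanner"}},
         "results": [
             _result("EXAMPLE-IAC-001", "error",
                     "Storage account allows public blob access",
                     "infra/main.bicep", 12),
             _result("EXAMPLE-IAC-002", "warning",
                     "Diagnostic logging not enabled",
                     "infra/main.bicep", 40)]},
        {"tool": {"driver": {"name": "ExampleSecretScanner"}},
         "results": [
             _result("EXAMPLE-SECRET-001", "error",
                     "SQL connection string found",
                     "src/appsettings.json", 3)]},
    ],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into (tool, rule, level, file, line) tuples."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            # Per the SARIF spec a result with no explicit level is a warning.
            level = res.get("level", "warning")
            uri, line = "<no location>", 0
            locs = res.get("locations", [])
            if locs:  # report the first location only
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine", line)
            findings.append((tool, res.get("ruleId", "unknown"), level, uri, line))
    return findings


def summarize(findings):
    """Count findings per (tool, level) for a one-glance pipeline log line."""
    return Counter((tool, level) for tool, _, level, _, _ in findings)


def gate(findings, fail_levels=("error",), fail_tools=()):
    """Return True when the build should be failed.

    fail_levels: SARIF levels that block the build (default: only "error").
    fail_tools:  tools whose findings block at any level; a secret scanner's
                 "warning" is still a leaked credential, so list it here.
    """
    blocked = set(fail_tools)
    return any(level in fail_levels or tool in blocked
               for tool, _, level, _, _ in findings)


if __name__ == "__main__":
    import sys
    # Pass the SARIF path from the pipeline (e.g. the msdo sarifFile output);
    # with no argument the constructed sample is used.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_findings(src)
    for (tool, level), count in sorted(summarize(found).items()):
        print(f"{tool:<22} {level:<8} {count}")
    sys.exit(1 if gate(found, fail_tools={"ExampleSecretScanner"}) else 0)
```

A non-zero exit from this step fails the job in either CI system, so the gate runs before anything is deployed; the upload to the Security tab or Scans tab still happens from the SARIF file itself.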

// See Also: How To Backup Azure DevOps Git Repositories.

Cloud Security Explorer for DevOps

Have you ever wondered what happens when a new zero-day vulnerability is detected in your source code management systems or Infrastructure as Code (IaC) templates?

Zero-day vulnerabilities, by definition, are unknown until they are deployed in production. This is where Cloud Security Explorer in Microsoft Defender for Cloud can provide assistance.

Once you have successfully onboarded your repositories to Defender for DevOps, you can gain valuable insights into the repositories you have onboarded to Defender for Cloud. These insights can be accessed in various areas of Defender for Cloud, such as the Cloud Security Explorer.

The Cloud Security Explorer allows you to translate the knowledge you have of your environment into graph-based queries that you can run to determine what resources in your environment are exploitable and their business impact.

Defender for DevOps integration with Cloud Security Explorer

Once you have onboarded your repositories to Defender for Cloud, you can utilize the Cloud Security Explorer, as shown in the figure above, to write graph-based queries. This enables you to evaluate the contextual risk associated with potential exploitations, such as repositories being accessible via the Internet, and assess their corresponding business impact.

DevOps Security Workbook

Workbooks offer a versatile and adaptable platform for analyzing data and generating visually appealing reports.

In Microsoft Defender for Cloud (MDC), the new DevOps Security workbook delivers an integrated interactive experience that allows you to swiftly gain visibility and insights into your DevOps security status. This workbook works seamlessly with the latest MDC service, Defender for DevOps. By utilizing the DevOps Security workbook, you can establish a personalized foundation to visualize the condition of your DevOps setup for the connectors you have configured.

The DevOps Security workbook enables you to investigate potential credential exposure, encompassing various types of credentials and repository locations. Additionally, you can apply the same approach to assess your code, dependencies, and hardening measures.

To use the DevOps Security Workbook you must have a connector provisioned in your MDC environment to your source code management system as described earlier in this article.

Next, navigate to Defender for Cloud, click on Workbooks, then click on DevOps Security (Preview) to launch the Workbook.

From here, the DevOps Security Workbook allows you to focus on Defender for DevOps, to see an overview of security findings from both Azure DevOps and GitHub. The Posture tab consolidates the view of the security posture of your DevOps repositories.

Microsoft Defender for Cloud | DevOps Security Workbook

There are several tabs such as Secret, Code, and Infrastructure as Code that you can click through. Check the following article to learn more about the DevOps Security Workbook.

That’s it, there you have it!

Summary

In this article, we showed you how to use Microsoft Defender for DevOps to get better visibility of security across the different phases of the software development lifecycle.

Detecting secrets and misconfigurations is important because it allows you to discover vulnerabilities early on in the development lifecycle and remediate them before these vulnerabilities get deployed into production.

Defender for DevOps addresses the intersection of DevOps with the current threat landscape. It provides end-to-end security including visibility into code and code management systems and security capabilities that help prevent, detect, and respond to current threats. By shifting cloud security left, the risk is addressed earlier across every stage of the cloud application lifecycle—development, build, and operations.

To learn more about important changes to Defender for DevOps you can check the upcoming changes page.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.