Healthcare and Life Sciences Blog

Manage DevOps Security Posture & Governance through single pane of glass with Defender for DevOps

Jaswant_Singh, Microsoft
Apr 27, 2023

Defender for DevOps helps unify DevOps security visibility, strengthen cloud resource configurations, and surface insights that prioritize remediation, so that DevOps security posture can be managed across multi-pipeline environments such as GitHub and Azure DevOps:

Unified visibility into DevOps security posture: Security administrators now have full visibility into DevOps inventory and the security posture of pre-production application code, which includes findings from code, secret, and open-source dependency vulnerability scans. They can configure their DevOps resources across multi-pipeline and multicloud environments in a single view.

Discover misconfigurations in Infrastructure as Code (IaC), detect exposed secrets in code, and enable pull request annotations in GitHub and Azure DevOps:

Strengthen cloud resource configurations throughout the development lifecycle: You can enable security of Infrastructure as Code (IaC) templates and container images to minimize cloud misconfigurations reaching production environments, allowing security administrators to focus on any critical evolving threats.

Prioritize remediation of critical issues in code: Apply comprehensive code-to-cloud contextual insights within Defender for Cloud. Security admins can help developers prioritize critical code fixes with pull request annotations and assign developer ownership by triggering custom workflows that feed directly into the tools developers use and love.

Microsoft Security DevOps is a command line application that integrates static analysis tools into the development lifecycle. Microsoft Security DevOps installs, configures, and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). Microsoft Security DevOps is data-driven with portable configurations that enable deterministic execution across multiple environments.

Microsoft Security DevOps uses the following open-source tools:

| Name | Language / Target | License |
| --- | --- | --- |
| Bandit | Python | Apache License 2.0 |
| BinSkim | Binary: Windows, ELF | MIT License |
| ESLint | JavaScript | MIT License |
| CredScan | Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks, such as those in source code and configuration files; common types: default passwords, SQL connection strings, certificates with private keys | Not open source |
| Template Analyzer | ARM template, Bicep file | MIT License |
| Terrascan | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, CloudFormation | Apache License 2.0 |
| Trivy | Container images, file systems, git repositories | Apache License 2.0 |
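As an added illustration, not code from the original post or from Microsoft, the GitHub Actions workflow below runs Microsoft Security DevOps on every push and pull request to main and uploads its results to GitHub code scanning, which is what surfaces findings as pull request annotations. The action reference, the `tools` input, its lowercase tool identifiers and the `sarifFile` output are assumed from the GitHub Action documentation linked under "Some useful links"; check them against that page before use.

```yaml
# Assumed example: runs the Microsoft Security DevOps (MSDO) CLI via its
# GitHub Action and publishes the SARIF output to code scanning.
name: Microsoft Security DevOps scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  msdo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Microsoft Security DevOps
        id: msdo
        # Action name and inputs assumed from the linked documentation.
        uses: microsoft/security-devops-action@latest
        with:
          # Limit the run to the IaC and container scanners from the table
          # above; omit this input to let MSDO pick tools for the repository.
          tools: templateanalyzer,terrascan,trivy

      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          # MSDO merges every tool's findings into one SARIF file, so a
          # single upload gives the unified view described in the post.
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Findings then appear in the repository's Security tab and as annotations on the pull request that introduced them.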

Defender for DevOps capabilities:

Surface DevOps security posture insights in a single console: Give security admins full visibility into the security posture of preproduction application code and resource configurations across GitHub, Azure DevOps, and multicloud environments.

Automatically discover your DevOps inventory: View your organization’s entire DevOps inventory to automatically discover rogue codebases across GitHub and Azure DevOps.

Help secure cloud infrastructure in code: Enable security of infrastructure-as-code (IaC) templates and container images to minimize cloud misconfigurations reaching production environments.

Prioritize remediation of critical issues in code: Utilize deep threat landscape context to help developers prioritize critical code fixes with actionable feedback. Assign developer ownership by triggering custom workflows that feed directly into the tools developers use and love.


Some useful links:

Microsoft Defender for DevOps - the benefits and features | Microsoft Learn

https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action

Configure the Microsoft Security DevOps Azure DevOps extension 

Updated Apr 27, 2023
Version 2.0
Comment from srankit (Copper Contributor):

    These are very interesting features. Some organizations have both Azure DevOps and GitHub, and a single console to protect pipelines in both environments will make it easy for security teams.