Companies at the forefront of digital transformation have seen DevOps provide software engineers and operations teams with a faster and more efficient way to develop code. Unfortunately, while DevOps practices have enabled faster, more efficient development cycles, they’ve also uncovered a new bottleneck—security. Many organizations have opted to push security to the end of application development and management, but this can be very costly. NIST estimated that the cost of fixing a security defect in production can be up to 60 times more expensive than during the development cycle. Conversely, digital leaders recognize the importance of shifting security left and tackling vulnerabilities as soon as they arise. These leaders are integrating security into delivery pipelines, leveraging modern platform capabilities and fostering collaboration between the development and security teams in the latest evolution of the DevOps methodology, DevSecOps. Embracing DevSecOps is a software delivery advantage! By uncovering vulnerabilities earlier, your team can save time remediating issues and achieving compliance, while also minimizing the associated costs.
So how can your organization begin its DevSecOps adoption journey?
It starts with incorporating security into the early stages of the development lifecycle (shift left) along with providing end-to-end observability to facilitate collaboration between the development and security teams. At last year’s Ignite, we discussed ways to shift left by adding security scans to container images created as part of a Continuous Integration (CI) workflow. This helps developers scan for common vulnerabilities in their container images before pushing to a container registry. Securing container images is one great way of shifting security left, but organizations also need to give their security teams visibility into delivery pipelines and registry scans.
At Microsoft Build 2021, we are excited to announce the public preview of Azure Security Center (ASC) integration with GitHub Actions. The new capabilities are our first steps towards building shared tooling and experience by extending the reporting from container scans into Azure Security Center—providing security teams better insight and understanding as to the source of vulnerable container images and the workflows and repositories they come from.
With this tighter integration we are allowing DevSecOps teams to run vulnerability scans, resolve findings, and visualize the security posture of workflows within their CI/CD pipeline.
CI/CD vulnerability scanning of container images helps shift security left by offering increased visibility and control and by providing CI/CD scan assessments to Azure Security Center (ASC). Now, your security teams can access a holistic, 360-degree view across CI/CD pipelines and runtime resources through CI/CD scan assessments in ASC. DevSecOps teams will now receive greater, shared insight into development practices and potentially vulnerable code, containers, and infrastructure.
Going forward, any workflow that pushes a container image without a scan action present will alert the user with an ASC recommendation. Each ASC recommendation details the affected resources along with a proposed remediation path and steps to help each path achieve a “healthy” state. Below are details on how to enable the new capabilities across GitHub and Azure to get you started with your DevSecOps journey.
You can easily onboard this feature by navigating to Settings -> Integrations in Azure Security Center.
After clicking on Configure CI/CD integration, select the Microsoft Managed Application Insights account pertaining to your region of choice.
To enable CI/CD scanning in GitHub, start by adding the connection string and authentication token to your workflow so that CI/CD scan results are published back to your Microsoft Managed Application Insights account.
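The following GitHub Actions workflow is an added example, not part of the original post, illustrating the "scan before push" pattern described above: the image is built, scanned with the publicly available Azure/container-scan action (the post itself does not name an action), and pushed to the registry only if the scan step succeeds. The connection string and authentication token from Settings -> Integrations are supplied through repository secrets; the secret names, the registry host, the image name, and the docker-login secrets are all assumptions for this example.

```yaml
name: build-scan-push

on:
  push:
    branches: [ main ]

env:
  # Hypothetical registry and image name; replace with your own values.
  REGISTRY: myregistry.azurecr.io
  IMAGE: sample-web
  TAG: ${{ github.sha }}

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Build the image locally (nothing is pushed yet)
        run: docker build -t "$REGISTRY/$IMAGE:$TAG" .

      # The scan runs before the push, so an image with findings above the
      # threshold never reaches the registry. The two env values are the
      # connection string and authentication token obtained from the ASC
      # integration page; the secret names used here are assumed.
      - name: Scan the image and publish results to Azure Security Center
        uses: Azure/container-scan@v0
        env:
          AZ_APPINSIGHTS_CONNECTION_STRING: ${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}
          AZ_SUBSCRIPTION_TOKEN: ${{ secrets.AZ_SUBSCRIPTION_TOKEN }}
        with:
          image-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
          severity-threshold: HIGH   # fail the job on HIGH or CRITICAL findings

      # Registry credentials are also assumed secret names.
      - name: Log in to the container registry
        uses: azure/docker-login@v1
        with:
          login-server: ${{ env.REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      # GitHub Actions skips the remaining steps when an earlier step fails,
      # so this push only happens for images that passed the scan.
      - name: Push the scanned image
        run: docker push "$REGISTRY/$IMAGE:$TAG"
```

Because the scan step sits between build and push, a workflow laid out this way is also the shape the ASC recommendation described later in this post looks for: an image push with a scan action present in the same workflow.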
Now it’s time to harvest insights into container image vulnerabilities. After you’ve enabled CI/CD scanning for images built and published from GitHub workflows, ASC shows any vulnerabilities found in those images. Of course, it’s important to form a holistic picture of your data, and you can use these CI/CD scan results together with registry scan results to trace the lifecycle of an image from CI/CD to registry.
It’s important to think of this expanded scanning capability as the conduit to foster collaboration among your developer and SecOps teams. CI/CD vulnerability scanning gives much needed visibility into container images and the GitHub workflows that are pushing these images. You can also help developers scan their container images for common vulnerabilities—eliminating issues before deploying to a container registry, a containerized web app, or a Kubernetes cluster.
This feature is currently in Public Preview, so please use non-production workflows while trying it. The feature is available only in Public Cloud. You will need to use the feature flag shown in this URL to access the feature in the Azure Portal (https://ms.portal.azure.com/?feature.cicd=true#blade/Microsoft_Azure_Security/SecurityMenuBlade/5/0/). This feature flag will be removed in a few days.
To learn more about container security, check out the documentation and visit the GitHub and Azure page to find the full list of GitHub and Azure integrations. Don’t forget to check out the "6 tips for integrating security into your DevOps practices" whitepaper to explore even more ways to kickstart your DevSecOps journey.
For any questions regarding the public preview, please send an email to email@example.com.