This article is a continuation of Microsoft Defender PoC Series which provides you guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud, please read How to Effectively Perform an Microsoft Defender for Cloud PoC article.
There are two DevOps platforms currently covered by Defender for DevOps- GitHub and Azure DevOps. This article will go into detail about Azure DevOps Services.
If you'd like to also learn about the GitHub connector with Microsoft Defender for DevOps, then check out this article here.
Microsoft Defender for DevOps with Azure DevOps provides security teams with visibility into the security posture of their Azure DevOps environments, while also giving developers and DevOps teams a simplified remediation experience for pre-production vulnerabilities and misconfigurations.
Teams can gather comprehensive code to cloud contextual insights within Defender for Cloud. Security admins can also help developers prioritize critical code fixes with Pull Request annotations.
To start a POC (proof of concept) for Microsoft Defender for DevOps, you need to have the correct setup in Azure DevOps and in Microsoft Defender for Cloud.
Create an Azure DevOps Trial subscription in the same tenant as your Azure subscription where you use Microsoft Defender for Cloud. See here.
Then create an organization in Azure DevOps.
Next, you need to have the necessary permissions:
If you don’t want to wait this time, or your PoC schedule can’t afford this time, an alternative to create a pipeline is by using a Hosted Build Agent, which you can do by following these steps.
For beginning the preparation of the POC, you will need to first create the Azure DevOps connector in Microsoft Defender for Cloud. Follow the guidance for enabling the Azure DevOps connector in Microsoft Defender for Cloud to authorize the connection.
Note: You will need to have an Azure subscription and Azure DevOps organization in the same tenant to enable the Azure DevOps connector in Microsoft Defender for Cloud. Follow the guidance here to create a new organization in Azure DevOps. See the troubleshooting guide here.
Then, switch over to Azure DevOps, by going to https://dev.azure.com/ .
You will need to enable two extensions in Azure DevOps- the Microsoft Security DevOps extension to run the security scans, and the SARIF SAST Scans Tab extension to view the results of the Security DevOps extension in simplified manner in a new tab in the Azure DevOps build results.
Next in the Azure DevOps organization, you should create a new Azure DevOps project.
Then, you’ll be installing a new empty Git repository in that ADO project, which should include some sample code that you want to test.
The two Microsoft Defender for DevOps extensions in Azure DevOps.
You can run security scans via the Security DevOps extension on the Azure pipeline builds. For this reason, you need to configure a pipeline using YAML code. You can follow the guidance to create a new pipeline and to include the required YAML code to the Microsoft Security DevOps task and the dotnet dependencies here. This includes the yaml code with the necessary tasks for the build to run with the security scans.
Note: In the yaml file, if you would like to break the build from succeeding if any security scanning tool in the Security DevOps extension has found issues in the Build, then include the necessary category and break: true to the Security DevOps task in the yaml file. Here is an example of a configuration that will break the build if a secret is detected by Microsoft Security DevOps.
trigger: - main pool: vmImage: windows-latest steps: - task: MicrosoftSecurityDevOps@1 displayName: 'Security DevOps' inputs: break: true
Note: There are dotnet dependencies when using the Microsoft Security DevOps task if using a self-hosted agent to be included in the yaml (see the docs here or the Github lab 14). The dotnet dependencies are not required if using the default Azure DevOps agents of windows-latest or ubuntu-latest.
In order to validate the implementation was successful for Azure DevOps, developers can run the Azure Pipelines with the Microsoft Security DevOps extension as above, and see the security scan results during the Azure pipeline build runs. Your security team can manage secrets, code scanning findings and infrastructure as code findings found in Azure DevOps directly from Microsoft Defender for Cloud. The other validation in Azure DevOps for developers involves seeing secrets at the pull request stage as pull request annotations, before they’re merged into the main branch, usually the main/master repository.
For DevOps teams, it’s useful for them to be able to see the security scan results, such as secrets, during the Azure pipeline build runs, as they are used to interacting in Azure DevOps. To validate this, go to the Pipelines in Azure DevOps.
Select your pipeline that you enabled with the Security DevOps extension, and click Run pipeline.
After a few minutes, you will see if your run has succeeded or failed.
Click on the pipeline run, and see the Summary of the run. Notice the Errors tab and the Warnings tab, which include security issues found in the repo.
Beside Summary, go to the Scans tab, which appears due to the SARIF SANS Scans Tab extension you enabled. This scans tab will show the security scan findings per scanning tools.
This is one view of the security scans that your developers can see from Azure DevOps.
However, Defender for DevOps crucially allows customers to manage the secrets, code scanning finding results and infrastructure as code findings found in Azure DevOps directly from Microsoft Defender for Cloud. This means that your security team can view these ADO security issues across the Azure DevOps organizations, projects and repos from one centralised location of Microsoft Defender for Cloud. To see the credentials in Microsoft Defender for Cloud, go to the portal.azure.com and to Microsoft Defender for Cloud.
Go to Recommendations.
Under Remediate vulnerabilities, select the recommendation Code repositories should have secret scanning findings resolved.
See the secrets found under Findings.
Select the secret to get more information about it, including the Build URL and the Repo URL in Azure DevOps.
The other task you can do is to see pull request annotations which contain the secrets and Infrastructure As Code security issues found in the Azure DevOps repos.
See here to enable ADO pull request annotations in MDC and in ADO
Select Configure at the top.
In the new screen, turn on pull request annotations.
Now pull request annotations are enabled for all branches in that repository.
See the process for validating pull request annotations in Azure DevOps for secrets here.
See the pull request annotations then in Azure DevOps, by going under Repos, in Pull Requests.
Click on the pull request to see the high severity pull request annotations showing Secret Access Keys discovered.
Now, the developers can take action on these secrets (by removing them from the repository, and having them in a key vault such as Azure Key Vault). The guidance for this can be found here and in the recommendation in Microsoft Defender for Cloud.
In Microsoft Defender for Cloud, you can view workbooks which are essentially reports specific to Defender for Cloud. To see these, go to Microsoft Defender for Cloud, and from the left-hand navigation blade, under the General section, select Workbooks.
From here, under the Defender for Cloud section, you can select the workbook DevOps Security Workbook, specifically focused on allowing you to focus on Defender for DevOps, to see an overview of security findings from Azure DevOps. There are several tabs that you click through. See more information about this workbook here.
By the end of this article, you should have been able to understand the value proposition of Microsoft Defender for DevOps and now have the knowledge of how to run a PoC for it on Azure DevOps.
Thanks to the following teammates for reviewing this article:
Charles Oxyer, Microsoft Defender for DevOps Product Manager
Yuri Diogenes, Principal Microsoft Defender for Cloud Product Manager
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.