Introduction
This article is a continuation of the Microsoft Defender PoC Series, which provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more comprehensive approach where you need to validate Microsoft Defender for Cloud as a whole, please read the article How to Effectively Perform a Microsoft Defender for Cloud PoC.
Importance of DevSecOps
There are two Source Code Management platforms currently supported by Defender for DevOps: GitHub Enterprise Cloud and Azure DevOps Services. This article covers GitHub Enterprise Cloud in detail.
Microsoft Defender for DevOps with GitHub allows security teams to determine how secure the GitHub environments are, while also empowering developers and DevOps teams to protect these environments.
With Defender for DevOps, security administrators get full visibility, in a single view, of the DevOps inventory and the security posture of pre-production application code, which includes findings from code, secret, and open-source dependency vulnerability scans via GitHub Advanced Security.
Microsoft Defender for DevOps, using GitHub Advanced Security, finds vulnerable third-party dependencies through Dependabot, code security issues through CodeQL code scanning, and leaked credentials through secret scanning, and presents the results back to Microsoft Defender for Cloud on one centralised platform.
Developers or DevOps teams can enable scanning of Infrastructure as Code (IaC) templates and container images to minimise cloud misconfigurations reaching production environments, allowing security administrators to focus on critical evolving threats. Several other capabilities are based on the Microsoft Security DevOps (MSDO) extension. Using this extension, you can run a collection of static analysis tools that scan code for security issues in GitHub as part of GitHub Actions workflows.
Teams can gather comprehensive code-to-cloud contextual insights within Defender for Cloud. Security admins can help developers prioritise critical code fixes with pull request annotations and assign developer ownership by triggering custom workflows that feed directly into the tools developers use and love.
Planning & Pre-Requisites
To start a POC (proof of concept) for Microsoft Defender for DevOps, you need to have the correct setup in GitHub and in Microsoft Defender for Cloud.
The necessary requirements and permissions:
- A GitHub account. To create a new account, go here. If you would like to use a trial GitHub account for this POC, go to https://github.com/join.
- To have all the features associated with Defender for DevOps, you need to enable GitHub Advanced Security. You can get GitHub Advanced Security via GitHub Enterprise. See more about these licenses and about their billing.
GitHub Advanced Security requirements (see here)
- A 30-day trial of GitHub Enterprise Cloud (here) is necessary to get GitHub Advanced Security, which enables all Defender for DevOps scans.
Note: Alternatively, for a POC, all GitHub Advanced Security functionality is available on public repositories.
- An Azure subscription
- Defender for Cloud permissions (see here; Defender for DevOps specific):
  - Azure account with permissions to sign in to the Azure portal
  - Contributor role on the relevant Azure subscription
  - Security Administrator role on the relevant subscription
- GitHub permissions:
  - Organisation Administrator in GitHub
Preparation
Create the GitHub Connector in Microsoft Defender for Cloud
To begin preparing the POC, first create the GitHub connector in Microsoft Defender for Cloud. Follow the guidance for enabling the GitHub connector in Microsoft Defender for Cloud to create and authorise the connection.
When creating the connector, in step 3, confirm that all the GitHub Advanced Security features are enabled: secret scanning, code scanning with CodeQL, and open-source dependency scanning with Dependabot.
After you authorise Defender for DevOps, click Install under Install Defender for DevOps, select the organisation you want to protect, and then select the repositories you want to protect.
Then, from the left navigation bar in GitHub, under Security, go to Code security and analysis. From here, enable Dependabot and Secret scanning (if they weren't already enabled on the repository).
Once you have enabled this functionality, go back to Defender for Cloud, click Review and create on the GitHub connector, and finalise the connector creation.
Your GitHub connector will then appear under Environment settings within a few moments.
Enable the GitHub Advanced Security Functionality of CodeQL
With the connector created, you should next enable CodeQL (a feature of GitHub Advanced Security), which performs code scanning to find security issues in your code.
To do this, go to the repository you want to enable CodeQL on, and on the top navigation bar, select Security, and then click Code scanning from the left navigation bar.
From here, you are taken to the GitHub Settings page, where you can set up CodeQL analysis using either the Default or Advanced setup, depending on your code.
Once you have done this, CodeQL, Dependabot and Secret scanning are all enabled on the repository.
Implementation and Validation
To validate the implementation for GitHub, there are two personas that need to be involved: the developer and the security admin.
The Developer Implementation in GitHub
The developer can see the GitHub Advanced Security results from the Security tab in the repository.
Next, the developer also needs to enable MSDO (the Microsoft Security DevOps extension) by using GitHub Actions.
MSDO bundles several tools, such as ESLint, which scans JavaScript code; Bandit, which scans Python code; Terrascan, which scans Infrastructure as Code (IaC) such as Terraform (among others); Template Analyzer, which scans ARM and Bicep files; and AntiMalware scanning on Windows agents using Windows Defender (not open source, and requires Windows Defender to be enabled on the Windows agent to run).
The guidance to enable MSDO scanning with GitHub Actions is found here.
Next, the developer should also enable pull request annotations, which is where security findings are surfaced to developers so that they can remediate them. This process can prevent and fix potential security vulnerabilities and misconfigurations before they reach production. GitHub Advanced Security annotates only the vulnerabilities within the changed lines of the pull request, rather than all vulnerabilities detected across the entire file. The guidance to enable pull request annotations in GitHub is found here.
Developers see pull request annotations in GitHub, and security operators see any unresolved findings in Microsoft Defender for Cloud.
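As an added example (not taken from the original article or from Microsoft's documentation), this GitHub Actions workflow runs MSDO on every push and pull request and publishes its SARIF output to the repository's Security tab. It assumes the public microsoft/security-devops-action and github/codeql-action/upload-sarif actions; the workflow name, job name and the main branch name are assumptions.

```yaml
# Added example: run the Microsoft Security DevOps (MSDO) action on pushes and
# pull requests and publish the results to the repository's Security tab.
# Workflow name, job name and branch name are assumptions; adjust for your repo.
name: MSDO scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

# upload-sarif needs permission to write code scanning alerts.
permissions:
  contents: read
  security-events: write

jobs:
  msdo:
    # windows-latest is used so that the AntiMalware tool (Windows Defender) can run;
    # the open-source MSDO tools also run on ubuntu-latest.
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      # MSDO is a .NET tool; provide the runtimes it expects.
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: |
            5.0.x
            6.0.x

      # Runs the bundled analysers (Bandit, ESLint, Terrascan, Template Analyzer,
      # AntiMalware, ...) and writes one combined SARIF file.
      - name: Run Microsoft Security DevOps
        uses: microsoft/security-devops-action@latest
        id: msdo

      # Publishing the SARIF makes the findings appear under Security > Code scanning,
      # where the developer reviews them and where Defender for DevOps picks them up.
      - name: Upload results to Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Commit the file under .github/workflows/ in the repository; the next push or pull request triggers the scan.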
The Security Admin in Microsoft Defender for Cloud
As stated above, Defender for DevOps allows security operators to manage the security scan results from GitHub directly in Microsoft Defender for Cloud. This means that your security team can manage findings across GitHub organisations, projects, and repositories from one centralised location. Several recommendations give security admins visibility into security scan results from GitHub Advanced Security and MSDO.
These recommendations are found under the Remediate vulnerabilities control on the Recommendations page in Microsoft Defender for Cloud.
Under Remediate vulnerabilities, select the recommendation Code repositories should have secret scanning findings resolved.
If you select a finding (such as an Amazon S3 Client Secret Access Key), you get more information about it, including the HTML URL, the Location URL, and the Repo URL in GitHub.
Prevention
Now the security operator can ensure that all these findings are managed by the developers or DevOps teams.
The security operator can also proactively hunt for threats in the GitHub environments by enabling the Defender CSPM plan, which provides additional contextual information about the GitHub environments through the Security Graph functionality. The guidance for creating these queries to get additional GitHub context is here.
Any potential attack paths that an attacker could take to gain access to critical environments are also tracked, as described here.
The developers should act on the findings (whether secrets, code scanning findings, open-source dependency scanning findings or IaC scanning findings). The guidance for how to remediate secrets can be found here, as well as in the recommendation in Microsoft Defender for Cloud.
Workbook
In Microsoft Defender for Cloud, you can view workbooks which are reports specific to Defender for Cloud. To see these, go to Microsoft Defender for Cloud, and from the left-hand navigation blade, under the General section, select Workbooks.
From here, under the Defender for Cloud section, select the DevOps Security Workbook, which is specifically focused on Defender for DevOps, to see an overview of security findings from GitHub. There are several tabs to click through. See more information about this workbook here.
Further Resources
- MDC Ninja Training: Become a Microsoft Defender for Cloud Ninja (microsoft.com); module 9 covers Defender for DevOps
- MDC Lab for Defender for DevOps with GitHub
- The latest episode of Defender for Cloud in the Field features DfD: https://www.youtube.com/watch?v=wYCOyFUMRPk
- DfD Interactive Guide: Unify DevOps security management with Microsoft Defender for Cloud (cloudguides.com)
- DfD Ignite On-Demand session: https://ignite.microsoft.com/en-US/sessions/418befd8-a7ee-4f46-a6a8-8b522b120135?source=sessions
Blogs
- Pre-Deployment Protection for Infrastructure as Code - Microsoft Community Hub
- DevOps Security Workbook - Microsoft Community Hub
- Compliance for Exposed Secrets Discovered by Defender for DevOps - Microsoft Community Hub
- Automate Defender for DevOps Recommendation Remediation - Microsoft Community Hub
- Automate SecOps to Developer Communication with Defender for DevOps - Microsoft Community Hub
- Integrate security into your developer workflow with GitHub Advanced Security for Azure DevOps - Azure DevOps Blog (microsoft.com)
- Download (free) a special Appendix about Defender for DevOps from the latest Microsoft Defender for Cloud book published by Microsoft Press
Defender for DevOps documentation
- Microsoft Defender for DevOps - the benefits and features | Microsoft Learn
- Quickstart: Connect your GitHub repositories to Microsoft Defender for Cloud | Microsoft Learn
- Quickstart: Connect your Azure DevOps repositories to Microsoft Defender for Cloud | Microsoft Learn
- Configure the Microsoft Security DevOps GitHub action | Microsoft Learn
- Configure the Microsoft Security DevOps Azure DevOps extension | Microsoft Learn
- Discover misconfigurations in Infrastructure as Code - Defender for Cloud | Microsoft Learn
- Detect exposed secrets in code - Defender for Cloud | Microsoft Learn
- Tutorial Enable pull request annotations in GitHub or in Azure DevOps | Microsoft Learn
Automations
- Automate SecOps to Developer Communication with Defender for DevOps: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/automate-secops-to-developer-communication-with-defender-for/ba-p/3637669
Conclusion
By the end of this article, you should understand the value proposition of Microsoft Defender for DevOps and know how to run a PoC for it on GitHub.
Thanks to the following teammates for reviewing this article:
Charles Oxyer, Microsoft Defender for DevOps Product Manager
David Trigano, Senior Microsoft Defender for DevOps Product Manager
Yuri Diogenes, Principal Microsoft Defender for Cloud Product Manager
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be among the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.