Agentless code scanning for GitHub and Azure DevOps (preview)
đ Start free preview âśď¸ Watch a video on agentless code scanning Most security teams want to shift left. But for many developers, "shift left" sounds like "shift pain". Coordination. YAML edits with extra pipeline steps. Build slowdowns. More friction while they're trying to go fast. đŞ Pipeline friction YAML edits with extra steps âąď¸ Build slowdowns More friction, less speed 𧊠Complex coordination Too many moving parts That's the tension we wanted to solve. With agentless code scanning in Defender for Cloud, you get broad visibility into code and infrastructure risks across GitHub and Azure DevOps - without touching your CI/CD pipelines or installing anything. ⨠Just connect your environment. We handle the rest. Already in preview, here's what's new Agentless code scanning was released in November 2024, and we're expanding the preview with capabilities to make it more actionable, customizable, and scalable: â GitHub & Azure DevOps Connect your GitHub org and scan every repository automatically đŻ Scoping controls Choose exactly which orgs, projects, and repos to scan đ Scanner selection Enable code scanning, IaC scanning, or both 𧰠UI and REST API Manage at scale, programmatically or in-portal or Cloud portal đ Available for free during the preview under Defender CSPM How agentless code scanning works Agentless code scanning runs entirely outside your pipelines. Once a connector has been created, Defender for Cloud automatically discovers your repositories, pulls the latest code, scans for security issues, and publishes findings as security recommendations - every day. Here's the flow: 1 Discover Repositories in GitHub or Azure DevOps are discovered using a built-in connector. 2 Retrieve The latest commit from the default branch is pulled immediately, then re-scanned daily. 3 Analyze Built-in scanners run in our environment: Code Scanning â looks for insecure patterns, bad crypto, and unsafe functions (e.g., `pickle.loads`, `eval()`) using Bandit and ESLint. Infrastructure as Code (IaC) â detects misconfigurations in Terraform, Bicep, ARM templates, CloudFormation, Kubernetes manifests, Dockerfiles, and more using Checkov and Template Analyzer. 4 Publish Findings appear as Security recommendations in Defender for Cloud, with full context: file path, line number, rule ID, and guidance to fix. Get started in under a minute 1 In Defender for Cloud, go to Environment settings â DevOps Security 2 Add a connector: Azure DevOps â requires Azure Security Admin and ADO Project Collection Admin GitHub â requires Azure Security Admin and GitHub Org Owner to install the Microsoft Security DevOps app 3 Choose your scanning scope and scanners 4 Click Save â and we'll run the first scan immediately s than a minute No pipeline configuration. No agent installed. No developer effort. Do I still need in-pipeline scanning? Short answer: yes - if you want depth and speed in the development workflow. Agentless scanning gives you fast, wide coverage. But Defender for Cloud also supports in-pipeline scanning using Microsoft Security DevOps (MSDO) command line application for Azure DevOps or GitHub Action. Each method has its own strengths. Here's how to think about when to use which - and why many teams choose both: When to use... âď¸ Agentless Scanning đď¸ In-Pipeline Scanning Visibility Quickly assess all repos at org-level Scans and enforce every PR and commit Setup Requires only a connector Requires pipeline (YAML) edits Dev experience No impact on build time Inline feedback inside PRs and builds Granularity Repo-level control with code and IaC scanners Fine-tuned control per tool or branch Depth Default branch scans, no build context Full build artifact, container, and dependency scanning đĄ Best practice: start broad with agentless. Go deeper with in-pipeline scans where "break the build" makes sense. Already using GitHub Advanced Security (GHAS)? GitHub Advanced Security (GHAS) includes built-in scanning for secrets, CodeQL, and open-source dependencies - directly in GitHub and Azure DevOps. You don't need to choose. Defender for Cloud complements GHAS by: Surfaces GHAS findings inside Defender for Cloud's Security recommendations Adds broader context across code, infrastructure, and identity Requires no extra setup - findings flow in through the connector You get centralized visibility, even if your teams are split across tools. One console. Full picture. Core scenarios you can tackle today đĄď¸ Catch IaC misconfigurations early Scan for critical misconfigurations in Terraform, ARM, Bicep, Dockerfiles, and Kubernetes manifests. Flag issues like public storage access or open network rules before they're deployed. đŻ Bring code risk into context All findings appear in the same portal you use for VM and container security. No more jumping between tools - triage issues by risk, drill into the affected repository and file, and route them to the right owner. đ Focus on what matters Customize which scanners run and where. Continuously scan production repositories. Skip forks. Run scoped PoCs. Keep pace as repositories grow - new ones are auto-discovered. What you'll see - and where All detected security issues show up as security recommendations in the recommendations and DevOps Security blades in Defender for Cloud. Every recommendation includes: â Affected repository, branch, file path, and line number đ ď¸ The scanner that found it đĄ Clear guidance to fix What's next We're not stopping here. These are already in development: đ Secret scanning Identify leaked credentials alongside code and IaC findings đŚ Dependency scanning Open-source dependency scanning (SCA) đż Multi-branch support Scan protected and non-default branches Follow updates in our Tech Community and release notes. Try it now - and help us shape what comes next Connect GitHub or Azure DevOps to Defender for Cloud (free during preview) and enable agentless code scanning View your discovered DevOps resources in the Inventory or DevOps Security blades Enable scanning and review recommendations Microsoft Defender for Cloud â Recommendations Shift left without slowing down. Start scanning smarter with agentless code scanning today. Helpful resources to learn more Learn more in the Defender for Cloud in the Field episode on agentless code scanning Overview of Microsoft Defender for Cloud DevOps security Agentless code scanning - configuration, capabilities, and limitations Set up in-pipeline scanning in: Azure DevOps GitHub action Other CI/CD pipeline tools (Jenkins, BitBucket Pipelines, Google Cloud Build, Bamboo, CircleCI, and more)Integrating Security into DevOps Workflows with Microsoft Defender CSPM
This forth article in our series builds on the main overview (âStrategy to Execution: Operationalizing Microsoft Defender CSPMâ). Here, we focus on embedding security directly into DevOps workflows using Microsoft Defender for Cloudâs Cloud Security Posture Management (CSPM) capabilities. Introduction DevOps has revolutionized the way organizations build, deploy, and manage everything from applications to enterprise infrastructure, to capture the full breadth of stuff that goes into code repos, breaking down silos between development and operations teams and enabling faster software delivery, consistent and declarative infrastructure. However, increased speed often brings heightened security risks if vulnerabilities slip through the pipeline unnoticed. The antidote is to âshift security left,â weaving it throughout every stage of the software development lifecycle (SDLC). Microsoft Defender Cloud Security Posture Management (CSPM) provides the automation, continuous monitoring, and governance controls essential for implementing DevSecOps. By integrating CSPM with your CI/CD pipelines, you can detect misconfigurations and vulnerabilities early, prevent security bottlenecks, and maintain both agility and robust protection across Azure, AWS, GCP, and beyond. Below, weâll explore the importance of aligning security practices with DevOps goals, detail how Defender CSPM supports shift-left security, and provide operational steps to incorporate automated checks and remediation into your CI/CD processes. Why Security Belongs in DevOps Reducing Security Debt Late-stage vulnerability discovery can be costly, forcing teams to revisit code or configurations after theyâve been deployed. By integrating security early, potential issues are detected and remediated when fixes are fastest and least disruptive. Maintaining DevOps Agility Security, when bolted on at the end, risks slowing down release cycles. Embedding checks and automated gating within your DevOps pipeline helps maintain velocity, ensuring security standards are met without derailing rapid deployments. Aligning Security with Development Goals Effective DevOps aims to deliver high-quality, reliable software quickly. Security shouldnât be an afterthought; it should reinforce the same objectives, high-quality, secure software. With the right tools and processes, security becomes a natural part of the release process, not an obstacle. How Defender CSPM Enhances DevSecOps Shift-Left Security Defender CSPM scans for vulnerabilities and misconfigurations early in the SDLC, detecting issues in code or Infrastructure-as-Code (IaC) templates before they reach production. Code-to-Cloud Contextualization Security risks don't exist in isolation. Defender CSPM provides end-to-end visibility from code to cloud, tracing vulnerabilities from the development phase through deployment. For instance, if a developer introduces an insecure dependency, Defender CSPM can assess its impact on the cloud environment, enabling teams to address security risks in context. Infrastructure-as-Code (IaC) Security By analyzing Terraform, ARM, and other IaC templates, Defender CSPM helps prevent security misconfigurations before infrastructure is provisioned. If a Terraform script inadvertently exposes a storage bucket to the internet, Defender CSPM flags the issue and provides actionable remediation steps. Reachability Analysis (via Endor Labs Integration) Through integration with Endor Labs, Defender CSPM can perform advanced reachability analysis on vulnerabilities within code dependencies or container images. By identifying whether your application actually calls the affected functions or libraries, this approach helps security teams focus remediation efforts on genuinely exploitable vulnerabilitiesâthereby reducing noise and prioritizing the highest-impact risks. You can learn more about reachability analysis types in Endor Labsâ guide. Continuous Assessments Rather than relying on sporadic audits, Defender CSPM continuously monitors cloud resources to identify and address misconfigurations, vulnerabilities, and compliance gaps in real time. Container Image Security Defender CSPM scans container images for known vulnerabilities before deployment, alerting teams if an exploitable package is included and providing guidance for mitigation. Security as Code Security policies, governance models, and compliance requirements can be codified and enforced automatically within CI/CD pipelines, allowing teams to integrate security without disrupting delivery speed. Automated Remediation Customizable playbooks can automatically fix issuesâfrom misconfigured IAM policies to security patchesâreducing manual effort and human error. Security Gates in CI/CD Pipelines To prevent insecure deployments, Defender CSPM enforces security gates in DevOps workflows. If a high-risk vulnerability is detected during the build or deployment phase, the pipeline is halted until the issue is resolved, ensuring only secure code reaches production. Seamless Integration with DevOps Workflows Defender CSPM integrates natively into popular CI/CD solutions, enabling collaborative workflows that bring together development, security, and operations teams under a shared responsibility model. Automated Compliance Checks Defender CSPM verifies infrastructure and applications against regulatory standards (e.g., PCI-DSS, HIPAA) throughout the DevOps lifecycle. New compliance requirements (e.g., mandatory data encryption) are continuously evaluated for adherence. Continuous Visibility and Risk Prioritization Defender CSPM dynamic security posture assessment helps teams focus on high-impact risks by surfacing critical vulnerabilities with remediation guidance. Step-by-Step: Integrating Defender CSPM into DevOps Workflows Below is a practical framework combining both conceptual guidance and operational steps to help you establish DevSecOps with Defender CSPM. Step 1: Setting Up Security Gates in the CI/CD Pipeline Objective: Automate security checks at critical stages to ensure security policies are enforced before software moves to production. Define Security Policies for Development Collaborate with development and security teams to establish code-level and infrastructure-level policies (e.g., no exposed ports, mandatory encryption, disallowing vulnerable libraries). Use Defender CSPM to enforce these policies directly within the pipeline so that non-compliant code is flagged early, including the ability to trace its potential impact on cloud environments. For detailed on configuring Defender for Cloud in your pipeline, see the official CI/CD integration documentation. Configure Automated Gates Integrate Defender CSPM with Azure DevOps, GitHub Actions, or other CI/CD tools. Set up automated scans at each build or deployment step. Deployments halt if critical issues arise, such as vulnerabilities with severity above a set threshold. This ensures that only secure and compliant code is deployed to production. Read further details on how to configure the Microsoft Security DevOps (MSDO) Action. Enable Continuous Security Assessments Trigger a security scan on every code commit to catch new vulnerabilities immediately. For infrastructure, leverage Infrastructure as Code (IaC) scans before provisioning resources (e.g., checking ARM or Terraform templates against security policies). Pre-Deployment Security Testing Incorporate static (SAST) and dynamic (DAST) security testing as part of the pipeline. For instance, use SonarQube for SAST and OWASP ZAP for DAST, with Defender CSPM acting as the overarching guardrail to confirm findings and enforce organizational policies. Role-Based Access Control (RBAC) Implement RBAC so that only authorized personnel can modify security policies and configurations, preserving the integrity of security settings. Step 2: Continuous Security Assessments During the Development Lifecycle Objective: Perform ongoing, automated security checks throughout coding, testing, and release cycles. Monitor All Cloud Resources Enable continuous monitoring of dev, staging, and production environments. Defender CSPM flags issues like unencrypted data or open ports as soon as they appear, expediting remediation. Automate Security Checks on IaC Scan Infrastructure as Code (IaC) templates for security compliance before resource creation. For example, if a Terraform template lacks encryption on a storage bucket, Defender CSPM can flag or block the deployment. This proactive approach ensures that security is embedded in the infrastructure from the outset, reducing the risk of security breaches. Define Clear DevSecOps Roles Clearly define roles within the DevSecOps framework. Developers are responsible for writing secure code, DevOps teams manage secure infrastructure provisioning, and security engineers validate controls. Forming a DevSecOps council or similar forum can help ensure alignment and timely resolution of vulnerabilities. This collaborative approach fosters a culture of shared responsibility for security. Collaborative Feedback Loops Regularly review CSPM findings with both development and security teams. Integrate with ticketing systems like Service Azure Boards to track vulnerabilities and manage them as backlog items. This continuous feedback loop helps in prioritizing and addressing security issues, ensuring that they are resolved in a timely manner. Step 3: Automating Feedback Loops Between Security and DevOps Teams Objective: Ensure rapid vulnerability detection, assignment, and remediation through real-time notifications and integrated workflows. Automate Vulnerability Notifications Use Azure Logic Apps or similar tools to push alerts to communication platforms like Teams or email. These alerts should provide details on the severity of the vulnerability, affected resources, and recommended fixes so that developers can act quickly. For example, if Defender CSPM detects an unencrypted storage bucket, an alert can be sent to the relevant team with instructions on how to enable encryption. Establish a Continuous Remediation Loop Defender CSPM flags a critical issue, a playbook can automatically open a pull request with recommended configuration changes or patches. Developers can then fix the code, and the pipeline will re-run security checks before merging the changes. This ensures that vulnerabilities are addressed promptly and that the code remains secure throughout the development lifecycle. Track Vulnerability Remediation Progress Assign Service Level Agreements (SLAs) for vulnerabilities based on their severity. Regularly review CSPM dashboards to monitor the progress of vulnerability remediation and set escalation rules for overdue items via tools like ServiceNow. This helps ensure that critical vulnerabilities are addressed within the required timeframes and that any delays are promptly escalated. Automated Reporting and Metrics Generate monthly or weekly reports on the security posture, including open vulnerabilities, average remediation time, and block rates in the pipeline. Use tools like Azure Workbooks or Power BI to visualize trending data and identify areas for process improvement. These reports can help in tracking the effectiveness of security measures and in making informed decisions to enhance the overall security posture. Strategic Benefits of DevSecOps with Defender CSPM Proactive Risk Mitigation: By catching vulnerabilities early, organizations can minimize the chance of costly breaches and protect customer trust. Defender CSPM provides code-to-runtime contextualization, allowing teams to identify and address security issues from the code level to the cloud infrastructure. This proactive approach ensures that security is embedded throughout the development lifecycle, preventing issues from escalating. Faster Remediation and Reduced Security Debt: Continuous monitoring and automated fixes prevent issues from lingering or piling up, ensuring that your production environment stays clean. For example, if a misconfiguration is detected in a Terraform script, Defender CSPM can alert the team and provide guidance on how to fix it. This helps maintain a secure infrastructure from the outset, reducing the risk of security breaches. Compliance Monitoring at Runtime: Defender CSPM identifies misconfigurations and vulnerabilities against various frameworks (e.g., PCI-DSS, HIPAA) after deployment, reducing manual overhead for compliance checks. While there isnât a direct mapping of tool findings to a specific compliance framework during the build stage, continuous runtime assessments help maintain a secure and compliant environment, ensuring that infrastructure and applications meet regulatory and security requirements once deployed. Enhanced Collaboration: Transparency and shared ownership bridge the gap between development, security, and operations teams, making security an enabler rather than a roadblock. Defender CSPM integrates seamlessly into DevOps workflows, enabling security teams to work closely with development and operations teams. This collaboration helps identify and mitigate security risks early in the development process, fostering a culture of shared responsibility for security. Consistent Scalability: As your cloud footprint expands, automated checks ensure that new resources, teams, and pipelines follow the same robust security standards. Continuous visibility into the security posture of the cloud environment helps in prioritizing risks based on their impact, ensuring that the most critical security issues are addressed promptly. Key Metrics to Track DevSecOps Success Vulnerability Detection Rate: Ensures early and frequent discovery of security issues. Deployment Block Rate: Indicates how often releases are halted due to security violations. A high block rate may mean teams need additional training or improved processes. Mean Time to Detect (MTTD): Tracks the average time taken to detect a security issue from the moment it occurs. Shorter detection times reflect the effectiveness of continuous monitoring and automated security checks. Remediation Time (MTTR): Measures how quickly issues are resolved after detection. Shorter times reflect mature collaboration and processes. Compliance Pass Rate: Tracks how consistently code and cloud resources meet defined standards before going live. False Positive Rate: Measures the frequency of false positives in security alerts. A lower false positive rate indicates more accurate detection and reduces the burden on teams to investigate non-issues. Change Failure Rate: Indicates the percentage of changes that result in a failure or security issue. A lower change failure rate suggests that security is well-integrated into the development process and that changes are being implemented securely. Security Incident Frequency: Measures the number of security incidents over a specific period. Monitoring this metric helps in understanding the overall security posture and identifying trends or patterns in security incidents. Conclusion and Next Steps Integrating Defender CSPM into DevOps workflows is pivotal for any organization aiming to balance speed and security in the cloud. By automating security gates, shifting security checks left, and fostering real-time collaboration, you reduce the risk of late-breaking vulnerabilities and maintain a more resilient production environment. To revisit the broader context of this series and learn about our earlier topics, such as risk identification and prioritization, review the main overview article, Considerations for risk identification and prioritization in Defender for Cloud, and Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM. In our next piece, weâll explore how Defender CSPM can bolster proactive forensics and incident preparedness, equipping your organization to detect threats early and respond decisively when incidents occur. Stay tuned! Microsoft Defender for Cloud - Additional Resources Blog series main article - Strategy to Execution: Operationalizing Microsoft Defender CSPM Blog Series article - Considerations for risk identification and prioritization in Defender for Cloud Blog Series article - Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja Reviewers Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud Dick Lake, Security Product Manager, CxE Defender for CloudSecure containers software supply chain across the SDLC
In todayâs digital landscape, containerization is essential for modern application development, but it also expands the attack surface with risks like vulnerabilities in base images, misconfigurations, and malicious code injections. Securing containers across their lifecycle is critical. Microsoft Defender for Cloud delivers end-to-end protection, evaluating threats at every stageâfrom development to runtime. Recent advancements further strengthen container security, making it a vital solution for safeguarding applications throughout the Software development lifecycle (SDLC). Container software development lifecycle The lifecycle of containers involves several stages, during which the container evolves through different software artifacts. Container software supply chain It all starts with a container or docker script file, created or edited by developer in development phase, submitted into the code repository. Script file converts into a container image during the build phase via the CI/CD pipeline, submitted into container registry as part of the ship phase When a container image is deployed into a Kubernetes cluster, it transforms into running, ephemeral container instances, marking the transition to the runtime phase. A container may encounter numerous challenges throughout its transition from development to runtime. Ensuring its security requires maintaining visibility, mitigating risks, and implementing remediation measures at each stage of its journey. Microsoft Defender for Cloud's latest advancements in container security assist in securing your container's journey and safeguarding your containerized environments Command line interface (CLI) tool for container image scanning at build phase, is now in public preview Integrating security into every phase of your software development is crucial. To effectively incorporate container security evaluation early in the container lifecycle, particularly during the development phase, and to seamlessly integrate it into diverse DevSecOps ecosystems, the use of a Command Line Interface (CLI) is essential. This new capability of Microsoft Defender for Cloud provides an alternative method for assessing container image for security findings. This capability, available through a CLI abstract layer, allows for seamless integration into any tool or process, independently of Microsoft Defender for Cloud portal. Key purpose of Microsoft Defender for Cloud CLI: Expanding container security to cover the development phase, code repository phase, and CI/CD phase: o Development phase: Developers can scan container images locally on Windows, Linux, or Mac OS using PowerShell or any scripting terminal. o Code repository phase: Integrate the CLI into code repositories with webhook integrations like GitHub actions to scan and potentially abort pull requests based on findings. o CI/CD phase: Scan container images in the CI/CD pipeline to detect and block vulnerabilities during the build stage. Invoke scanning on-demand for specific container images. Integrate easily into existing DevSecOps processes and tools. For more details watch the demo CLI demo How it works Microsoft Defender for Cloud CLI requires authentication through API tokens. These tokens are managed via the Integrations section in the Microsoft Defender for Cloud Portal, by Security Administrators. Figure 3: API push tokens management The CLI supports Microsoft proprietary and third-party engines like Trivy, enabling vulnerability assessment of container images and generating results in SARIF format. It integrates with Microsoft Defender for Cloud for further analysis and helps incorporate security guardrails early in development. Additionally, it provides visibility of container artifacts' security posture from code to runtime and context essential for security issues remediations such as artifact owner and repo of origin. For more details, setup guides, and use cases, please refer to official documentation. Vulnerabilities assessment of container images in third party registries, now in public preview Container registries are centralized repositories used to store container images for the ship phase, prior deployment to Kubernetes clusters. They play an essential role in the container's software supply chain and accessing container images for vulnerabilities at this phase might be the last chance to prevent vulnerable images from reaching your production runtime environments. Many organizations use a mix of cloud-native (ACR, ECR, GCR, GAR) and 3 rd party container registries. To enhance coverage, Microsoft Defender for Cloud now offers vulnerability assessments for third-party registries like Docker Hub and Jfrog Artifactory. These are popular 3 rd party container registries. You can now integrate them into your Microsoft Defender for Cloud tenant to scan container images for security vulnerabilities, improving your organization's coverage of the container software supply chain. This integration offers key benefits: Automated vulnerability scanning: Automatically scans container images for known vulnerabilities, helping identify and fix security issues early. Continuous monitoring: Ensures that new vulnerabilities are promptly detected and addressed. Compliance management: Assists organizations in maintaining compliance by providing detailed security posture reports on container images and resources. Actionable security recommendations: Provides recommendations based on best practices to improve container security. Figure 4: Docker Hub & Jfrog Artifactory environments Figure 5: Jfrog Artifactory container images in Security Explorer To learn more please refer to official documentation for Docker Hub and Jfrog Artifactory. Azure Kubernetes Service (AKS) security dashboard for cluster admin view, now in public preview, provides granular visibility into container security directly within the AKS portal Microsoft Defender for Cloud aims to provide security insights relevant to each audience in the context of their existing tools & process, helping various roles prioritize security and build secure software applications essential to ensure your containers security across SDLC. To learn more please explore AKS Security Dashboard Conclusion Microsoft Defender for Cloud introduces groundbreaking advancements in container security, providing a robust framework to protect containerized applications. With integrated vulnerability assessment, malware detection, and comprehensive security insights, organizations can strengthen their security posture across the software development lifecycle (SDLC). These enhancements simplify security management, ensure compliance, and offer risk prioritization and visibility tailored to different audiences and roles. Explore the latest innovations in Microsoft Defender for Cloud to safeguard your containerized environments- New Innovations in Container Security with Unified Visibility and Investigations.Bringing AppSec and CloudSec Together: Microsoft Defender for Cloud Integrates with Endor Labs
Modern enterprises operate at a breakneck pace, building applications that rely heavily on open-source dependencies while running workloads in complex, multi-cloud environments. Securing these applications requires a holistic perspective that covers both application security (AppSec) and cloud security (CloudSec). Historically, these two domains have operated in silos: AppSec teams focus on code scanning and secure development practices, while CloudSec teams concentrate on cloud infrastructure posture, runtime controls, and threat detection. Today, Microsoft Defender for Cloud and Endor Labs are bridging this divide with a native integration that delivers true code-to-runtime reachability. By combining Software Composition Analysis (SCA) with Cloud-Native Application Protection Platform (CNAPP) capabilities, security teams can pinpoint exploitable vulnerabilities from the moment code is written to the time itâs deployed in the cloud. Why Bringing AppSec and CloudSec Together Matters A Unified Approach to Vulnerability Management Organizations often discover the same vulnerabilities at different stages in the software development lifecycle (SDLC). AppSec flags them in code repositories, and CloudSec flags them again once theyâre running in production. By unifying AppSec and CloudSec in a single platform, customers can: Eliminate redundant alerts: Address the root cause of vulnerabilities when theyâre first discovered in code, rather than letting them reach production. Streamline communication and collaboration: Ensure AppSec and CloudSec teams share the same data and priorities. Complete Visibility and Prioritized Remediation Security teams need to see not just which vulnerabilities exist, but also how they can be exploited in the cloud. Defender for Cloud and Endor Labs integrate code-level vulnerability scanning with runtime visibility, showing full attack paths from developer commits to actively running workloads. Reduced Risk Through Early Intervention Only a small percentage of vulnerabilities are exploitable, but it can be labor-intensive to distinguish real threats from theoretical ones. Endor Labsâ function-level reachability surfaces truly exploitable flaws, and Defender for Cloud correlates that data with running cloud workloads to help teams prioritize and fix high-impact issues quickly. How the Microsoft Defender for Cloud + Endor Labs Integration Helps Function-Level Reachability Analysis Endor Labs employs a precise method of SCA that identifies whether a vulnerable function in an open-source library is actually called by your applicationâs code. This drastically reduces false positives and helps developers focus on real risks. By surfacing these exploitable vulnerabilities natively within Defender for Cloud, AppSec teams can act on high-severity issues without needing multiple tools or extensive manual triage. Code-to-Runtime Exploitability Even if a vulnerability is reachable at the function level, it may or may not be running in production. Microsoft Defender for Cloud correlates the results from Endor Labs with container images, Kubernetes clusters, and other runtime contexts. This helps CloudSec teams: Visualize full attack paths: Understand exactly how a vulnerability could be exploited in a running application. Implement mitigating controls: Deploy firewall rules, network segmentation, or access restrictions while developers work on permanent fixes. Example: If you have an application with a reachable vulnerability in an open-source library, CloudSec teams see where the vulnerable container is running and whether itâs exposed to the internet. They can then take immediate action to reduce risk by limiting internet exposure while AppSec teams work to patch or upgrade the dependency. Streamlined Communication & Collaboration By displaying Endor Labs findings directly in Defender for Cloud, development and security teams work with a common set of data, facilitating faster, more transparent remediation on the most critical vulnerabilities. Using the Integration in Defender for Cloud After you connect Endor Labs to Defender for Cloud, you can explore the data in two main locations: Cloud Security Explorer and Attack Paths. Cloud Security Explorer Cloud Security Explorer provides an interactive query experience to search, filter, and correlate security information from your connected environments. Once Endor Labs findings are ingested, you can write queries to pinpoint exploitable vulnerabilities and prioritize remediation efforts. To get started, you can use these sample queries: Code repository with critical or high severity reachable vulnerabilities Code repository with critical severity reachable vulnerabilities creates a container image Code repository with critical severity vulnerabilities that are reachable at the function level ontain critical reachable function vulnerabilities Attack Paths One of the most powerful features of combining Endor Labs with Defender for Cloud is the ability to see Attack Pathsâthe end-to-end chain of how a vulnerability in code can be exploited when deployed in your cloud environment. Defender for Cloud automatically correlates the vulnerability details (from Endor Labs) with runtime data to show how it could be exploited in your environment. The attack path view provides a graphical representation from the vulnerable function in your source code to the specific runtime asset. The example below illustrates an attack path involving an internet-exposed running container with reachable vulnerabilities. Endor Labs identified these vulnerabilities within the code repository, and Defender for Cloud traced a container image containing the same vulnerabilities back to that repository. Together, these insights indicate that an attacker could exploit the vulnerabilities during runtime. Conclusion By unifying AppSec and CloudSec, organizations gain a complete view of their security postureâfrom code commits in GitHub or Azure DevOps to production workloads running in Azure, Amazon Web Services, or Google Cloud Platform. The Microsoft Defender for Cloud + Endor Labs integration delivers reachability-based SCA, reducing noise from false positives and helping teams prioritize and remediate real threats faster. Ready to Get Started? Request a Demo from Endor Labs. Connect your Endor Labs tenant to Defender for Cloud. Begin seeing rich, prioritized vulnerability findings directly from Defender for Cloud.AKS Security Dashboard
In todayâs digital landscape, the speed of development and security must go hand in hand. Applications are being developed and deployed faster than ever before. Containerized application developers and platform teams enjoy the flexibility and scale that Kubernetes has brought to the software development world. Open-source code and tools have transformed the industry - but with speed comes increased risk and a growing attack surface. However, in vast parts of the software industry, developers and platform engineering teams find it challenging to prioritize security. They are required to deliver features quickly and security practices can sometimes be seen as obstacles that slow down the development process. Lack of knowledge or awareness of the latest security threats and best practices make it challenging to build secure applications. The new Azure Kubernetes Service (AKS) security dashboard aims to alleviate these pains by providing comprehensive visibility and automated remediation capabilities for security issues, empowering platform engineering teams to secure their Kubernetes environment more effectively and easily. Consolidating security and operational data in one place directly within the AKS portal allows engineers to benefit from a unified view of their Kubernetes environment. Enabling more efficient detection, and remediation of security issues, with minimal disruption to their workflows. Eventually reducing the risk of oversight security issues and improving remediation cycles. To leverage the AKS security dashboard, navigate to the Microsoft Defender for Cloud section in the AKS Azure portal. If your cluster is already onboarded to Defender for Containers or Defender CSPM, security recommendations will appear on the dashboard. If not, it may take up to 24 hours after onboarding before Defender for Cloud scans your cluster and delivers insights. Security issues identified in the cluster, surfaced in the dashboard are prioritized to risk. Risk level is dynamically calculated by an automatic attack path engine operating behind the scenes. This engine assesses the exploitability of security issues by considering multiple factors, such as cluster RBAC (Role Based Access Control), known exploitability in the wild, internet exposure, and more. Learn more about how Defender for Cloud calculates risk. Security issues surfaced in the dashboard are divided into different tabs: Runtime environment vulnerability assessment: The dynamic and complex nature of Kubernetes environments means that vulnerabilities can arise from multiple sources, with different ownership for the fix. For vulnerabilities originating from the containerized application code, Defender for Cloud will point out every vulnerable container running in the cluster. For each vulnerable container Defender for cloud will surface remediation guidelines that include the list of vulnerable software packages and specify the version that contains the fix. The scanning of container images powered by Microsoft Defender Vulnerability Management (MDVM) includes scanning of both OS packages and language specific packages see the full list of the supported OS and their versions. For vulnerabilities originating from the AKS infrastructure, Defender for cloud will include a list of all identified CVEs (common vulnerabilities and exposures) and recommend next steps for remediation. Remediation may include upgrading the Node pool image version or the AKS version itself. Since new vulnerabilities are discovered daily, even if a scanning tool is deployed as part of the CI/CD process, runtime scan canât be overlooked. Defender for cloud makes sure Kubernetes workloads are scanned daily compared to an up-to-date vulnerability list. Security misconfigurations: Security misconfigurations are also highlighted in the AKS security dashboard, empowering developers and platform teams to execute fixes that can significantly minimize the attack surface. In some cases, changing a single line of code in a container's YAML file, without affecting application functionality, can eliminate a significant attack vector. Each security misconfiguration highlighted in the AKS security dashboard includes manual remediation steps, and where applicable, an automated fix button is also available. For containers misconfigurations, a quick link to a built-in Azure policy is included for easily preventing future faulty deployments of that kind. This approach empowers DevOps & platform engineering teams to use the âSecure by Defaultâ method for application development. To conclude - automated remediation and prevention can be a game changer in keeping the cluster secure- a proactive approach that can help prevent security breaches before they can cause damage, ensuring that the cluster remains secure and compliant with industry standards. Ultimately, automated remediation empowers security teams to focus on more strategic tasks, knowing that their Kubernetes environment is continuously monitored and protected. Assigning owners to security issues Since cluster administration and containers security issues remediation is not always the responsibility of a single team or person, it is recommended to use the âassign ownerâ button in the security dashboard to notify the correct owner about the issue need to be handled. It is also possible to filter the view using the built-in filters and assign multiple issues to the same person quickly. Get Started Today To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Container or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide for a full subscription coverage, or enable on a single cluster using the dashboard settings section. Learn More If you havenât already, check out our previous blog post that introduced this journey: New Innovations in Container Security with Unified Visibility and Investigations. This new release continues to build on the foundation outlined in that post. With âElevate your container posture: from agentless discovery to risk prioritizationâ, weâve delivered capabilities that allow you to further strengthen your container security practices, while reducing operational complexities.Proactively harden your cloud security posture in the age of AI with CSPM innovations
Generative AI applications have rapidly transformed industries, from marketing and content creation to personalized customer experiences. These applications, powered by sophisticated models, bring unprecedented capabilitiesâbut also unique security challenges. As developers build generative AI systems, they increasingly rely on containers and APIs to streamline deployment, scale effectively, and ensure consistent performance. However, the very tools that facilitate agile development also introduce new security risks. Containers, essential for packaging AI models and their dependencies, are susceptible to misconfigurations and can expose entire systems to attacks if not properly secured. APIs, which allow seamless integration of AI functionalities into various platforms, can be compromised if they lack robust access controls or encryption. As generative AI becomes more integrated into critical business processes, security admins are challenged with continuously hardening the security posture of the foundation for AI application. Ensuring core workloads, like containers and APIs, are protected is vital to safeguard sensitive data of any application. And when introducing generative AI, remediating vulnerabilities and misconfigurations efficiently, ensures a strong security posture to maintain the integrity of AI models and trust in their outputs. New cloud security posture innovations in Microsoft Defender Cloud Security Posture Management (CSPM) help security teams modernize how they proactively protect their cloud-native applications in a unified experience from code to runtime. API security posture management is now natively available in Defender CSPM We're excited to announce that API security posture management is now natively integrated into Defender CSPM and available in public preview at no additional cost. This integration provides comprehensive visibility, proactive API risk analysis, and security best practice recommendations for Azure API Management APIs. Security teams can use these insights to identify unauthenticated, inactive, dormant, or externally exposed APIs, along and receive risk-based security recommendations to prioritize and implement API security best practices. Additionally, security teams can now assess their API exposure risks within the context of their overall application by mapping APIs to their backend compute hosts and visualizing the topology powered by cloud security explorer. This mapping now enables end-to-end API-led attack path analysis, helping security teams proactively identify and triage lateral movement and data exfiltration risks. Weâve also enhanced API security posture capabilities by expanding sensitive data discovery beyond request and response payloads to now include API URLs, path, query parameters, and the sources of data exposure in APIs. This allows security teams to track and mitigate sensitive data exposure across cloud applications efficiently. In addition, the new support for API revisions enables automatic onboarding of all APIs, including tagged revisions, security insights assessments, and multi-regional gateway support for Azure API Management premium customers. Enhanced container security posture across the development lifecycle While containers offer flexibility and ease of deployment, they also introduce unique security challenges that need proactive management at every stage to prevent vulnerabilities from becoming exploited threats. Thatâs why weâre excited to share new container security and compliance posture capabilities in Defender CSPM, expanding current risk visibility across the development lifecycle: It's crucial to validate the security of container images during the build phase and block the build if vulnerabilities are found, helping security teams prevent issues at the source. To support this, weâre thrilled to share container image vulnerability scanning for any CI/CD pipeline is now in public preview. The expanded capability offers a command-line interface (CLI) tool that allows seamless CI/CD integration and enables users to perform container image vulnerability scanning during the build stage, providing visibility into vulnerabilities at build. After integrating their CI/CD pipelines, organizations can use the cloud security explorer to view container images pushed by their pipelines. Once the container image is built, scanned for vulnerabilities, it is pushed to a container registry until ready to be deployed to runtime environments. Organizations rely on cloud and third-party registries to pull container images, making these registries potential gateways for vulnerabilities to enter their environment. To minimize this, container image vulnerability scanning is now available for third-party private registries, starting with Docker Hub and JFrog Artifactory. The scan results are immediately available to both the security teams and developers to expedite patches or image updates before the container image is pushed to production. In addition to container security posture capabilities, security admins can also strengthen the compliance posture of Kubernetes across clouds. Now in public preview, security teams can leverage multicloud regulatory compliance assessments with support for CIS Kubernetes Benchmarks for Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service, and Google Kubernetes Engine (GKE). AI security posture management (AI-SPM) is now generally available Discover vulnerability and misconfiguration of generative AI apps using Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock to reduce risks associated with AI-related artifacts, components, and connectors built into the apps and provide recommended actions to proactively improve security posture with Defender CSPM. New enhancements in GA include: Expanded support of Amazon Bedrock provides deeper discovery of AWS AI technologies, new recommendations, and attack paths. Additional support for AWS such as Amazon OpenSearch (service domains and service collections), Amazon Bedrock Agents, and Amazon Bedrock Knowledge Bases. New AI grounding data insights provides resource context to its use as a grounding source within an AI application. Grounding is the invisible line between organizational data and AI applications. Ensuring the right data is used â and correctly configured in the application â for grounding can reduce hallucinations, prevent sensitive data loss, and reduce the risk of grounding data poisoning and malicious outputs. Customers can use the cloud security explorer to query multicloud data used for AI grounding. New âused for AI groundingâ risk factor in recommendations and attack paths can also help security teams prioritize risks to datastores. Thousands of organizations are already reaping the benefits of AI-SPM in Defender CSPM, like Mia Labs, an innovative startup that is securely delivering customer service through their AI assistant with the help of Defender for Cloud. âDefender for Cloud shows us how to design our processes with optimal security and monitor where jailbreak attempts may have originated.â Marwan Kodeih, Chief Product Officer, Mia Labs, Inc. New innovations to find and fix issues in code with new DevOps security innovations Addressing risks at runtime is only part of the picture. Remediating risks in the Continuous Integration/Continuous Deployment (CI/CD) pipeline is equally critical, as vulnerabilities introduced in development can persist into production, where they become much harderâand costlierâto fix. Insecure DevOps practices, like using untrusted images or failing to scan for vulnerabilities, can inadvertently introduce risks before deployment even begins. New innovations include: Agentless code scanning, now in public preview, empowers security teams to quickly gain visibility into their Azure DevOps repositories and initiate an agentless scan of their code immediately after onboarding to Defender CSPM. The results are provided as recommendations for exposed Infrastructure-as-Code misconfigurations and code vulnerabilities. End-to-end secrets mapping, now in public preview, helps customers understand how a leaked credential in code impacts deployed resources in runtime. It provides deeper risk insights by tracing exposed secrets back to code repositories where it originated, with both secret validation and mapping to accessible resources. Defender CSPM now highlights which secrets could cause the most damage to systems and data if compromised. Additional CSPM enhancements [General Availability] Critical asset protection: Enables security admins to prioritize remediation efforts with the ability to identify their âcrown jewelsâ by defining critical asset rules in Microsoft Security Exposure Management and applying them to their cloud workloads in Defender for Cloud. As a result, the risk levels of recommendations and attack paths consider the resource criticality tags, streamlining prioritization above other un-tagged resources. In addition to the General Availability release, we are also extending support for tagging Kubernetes and non-human identity resources. [Public Preview] Simplified API security testing integration: Integrating API security testing results into Defender for Cloud is now easier than ever. Security teams can now seamlessly integrate results from supported API security testing providers into Defender for Cloud without needing a GitHub Advanced Security license. Explore additional resources to strengthen your cloud security posture With these innovations, Defender CSPM users are empowered to enhance their security posture from code to runtime and prepared to protect their AI applications. Below are additional resources that expand on our innovations and help you incorporate them in your operations: Learn more about container security innovations in Defender for Cloud. Enable the API security posture extension in Environment Settings. Get started with AI security posture management for your Azure OpenAI, Azure Machine Learning, and Amazon Bedrock deployments. RSVP to join us on December 3rd the Microsoft Tech Community AMA to get your questions answered.
Using Defender XDR Portal to hunt for Kubernetes security issues
In the last article, we showed how to leverage binary drift detection. In this article (Part 2 of the Series) we will build on that capability using Defender XDR Portal. This article will walk you through some starter queries to augment the Defender for Container alerts and show you a quick way to hunt without requiring you to have an in-depth understanding of Kubernetes. To recap the series: Part 1: Newest detection âbinary driftâ and how you can expand the capability using Microsoft XDR Portal https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-defender-portal. We will also look what you get as result of native integration between Defender for Cloud and Microsoft XDR. We will also showcase why this integration is advantageous for your SOC teams Part 2 [current]: Further expanding on the integration capabilities, we will demonstrate how you can automate your hunts using Custom Detection Rules https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules. Reducing operational burden and allowing you to proactively detect Kubernetes security issues. Wherever applicable, we will also suggest an alternative way to perform the detection Part 3: Bringing AI to your advantage, we will show how you can leverage Security Copilot both in Defender for Cloud and XDR portal for Kubernetes security use cases.Leveraging Azure native tooling to hunt Kubernetes security issues
This series shows you how you can maximize your investments in Microsoft Security tools by leveraging XDR Portal and Defender for Kubernetes to hunt for security issues. If you are in red team this article will shorten your learning curve by allowing you to identify security issues using KQL with Container Security Alerts. This series is part of âSecurity using Azure Native servicesâ series and assumes that you are following the series âA guide to using Microsoft Sentinel for monitoring the security of your containerized applications and orchestration platformsâ https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/setting-up-sentinel-for-kubernetes-monitoring/ba-p/4118593
