Microsoft Defender for DevOps Azure DevOps Connector – Microsoft Defender for Cloud PoC Series

This article is a continuation of the Microsoft PoC Series, which provides guidelines on performing a proof of concept for a specific Microsoft Defender plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud as a whole, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.

Defender for DevOps currently covers two platforms: GitHub and Azure DevOps. This article goes into detail about Azure DevOps Services.

If you'd like to also learn about the GitHub connector with Microsoft Defender for DevOps, then check out this article here.

Microsoft Defender for DevOps with Azure DevOps provides security teams with visibility into the security posture of their Azure DevOps environments, while also giving developers and DevOps teams a simplified remediation experience for pre-production vulnerabilities and misconfigurations.

With Defender for DevOps, security administrators get full visibility in a single view of the DevOps inventory and the security posture of pre-production application code. Based on the Microsoft Security DevOps extension, you can leverage a collection of static analysis tools to scan code for security issues in Azure DevOps using Azure Pipelines. These static analysis tools include ESLint, which scans JavaScript code for security issues; Bandit, for scanning Python code; Infrastructure as Code (IaC) scanning for Terraform (among others) using Terrascan; IaC scanning for ARM and Bicep files using Template Analyzer; and anti-malware scanning on Windows agents from Windows Defender (not open source, and requires Windows Defender to be enabled on the Windows agent in order to run). See more here.

Teams can gather comprehensive code to cloud contextual insights within Defender for Cloud. Security admins can also help developers prioritize critical code fixes with Pull Request annotations.

To start a POC (proof of concept) for Microsoft Defender for DevOps, you need to have the correct setup in Azure DevOps and in Microsoft Defender for Cloud.

Create an Azure DevOps Trial subscription in the same tenant as your Azure subscription where you use Microsoft Defender for Cloud. See here.

Then create an organization in Azure DevOps.

Next, you need to have the necessary permissions:

  • Project Collection Admin role enabled in Azure DevOps in order to enable the connector from within Azure DevOps, as described here.

  • Admin privileges in order to enable the Microsoft Security DevOps extension (the Microsoft Security DevOps extension installs all the security scanning tools), as per here.
  • Defender for Cloud permissions here (Defender for DevOps specific):
    • Azure account, with permissions to sign in to the Azure portal
    • Contributor role, on the relevant Azure subscription
    • Security Administrator role, on the relevant subscription
  • OAuth enabled in the Azure DevOps Organization Settings, which you can find by looking at the Organization Settings in Azure DevOps as shown in the image below.

  • If you are using the free version of Azure DevOps, you will receive an error message when you try to execute a pipeline. This message will ask you to visit here and request increased parallelism in Azure DevOps, which can take 2-4 days.

If you don't want to wait this time, or your PoC schedule can't afford this time, an alternative to create a pipeline is by using a Hosted Build Agent, which you can do by following these steps.

To begin preparing the PoC, you will first need to create the Azure DevOps connector in Microsoft Defender for Cloud. Follow the guidance for enabling the Azure DevOps connector in Microsoft Defender for Cloud to authorize the connection.

Note: You will need to have an Azure subscription and an Azure DevOps organization in the same tenant to enable the Azure DevOps connector in Microsoft Defender for Cloud. Follow the guide here to create a new organization in Azure DevOps.

Then, switch over to Azure DevOps by going to https://dev.azure.com/.

You will need to enable two extensions in Azure DevOps: the Microsoft Security DevOps extension to run the security scans, and the SARIF SAST Scans Tab extension to view the results of the Security DevOps extension in a simplified manner in a new tab in the Azure DevOps build results.

Next in the Azure DevOps organization, you should create a new Azure DevOps project.

Then, create a new empty Git repository in that ADO project and add some sample code that you want to test.

The two Microsoft Defender for DevOps extensions in Azure DevOps.

You can run security scans via the Security DevOps extension on Azure Pipelines builds. For this reason, you need to configure a pipeline using YAML. You can follow the guidance here to create a new pipeline and to add the required YAML for the Microsoft Security DevOps task and the dotnet dependencies. This includes the YAML with the necessary tasks for the build to run with the security scans.

Note: In the YAML file, if you want the build to fail when any security scanning tool in the Security DevOps extension has found issues in the build, include the necessary category and break: true in the Security DevOps task. Here is an example of a configuration that will break the build if a secret is detected by Microsoft Security DevOps.

trigger:
- main

pool:
  vmImage: windows-latest

steps:
- task: MicrosoftSecurityDevOps@1
  displayName: 'Security DevOps'
  inputs:
    # restrict this run to the secret scanners
    categories: 'secrets'
    # fail the build when the scanners report findings
    break: true

Note: If you use a self-hosted agent, the dotnet dependencies for the Microsoft Security DevOps task must be included in the YAML (see the docs here or GitHub lab 14). The dotnet dependencies are not required when using the default Azure DevOps agents windows-latest or ubuntu-latest.
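The following complete pipeline, an added example that is not part of the original article, puts the two notes above together: a Microsoft-hosted agent running the Microsoft Security DevOps task with the secrets category and break enabled, plus the self-hosted dotnet setup kept as commented-out steps so it can be switched on when the agent is not windows-latest or ubuntu-latest. The file name azure-pipelines.yml and the dotnet version are assumptions for illustration; match the version to what your self-hosted agent actually needs.

```yaml
# azure-pipelines.yml (added example, not the article's own configuration)
# Scans every push to main with Microsoft Security DevOps and fails the
# build when the secret scanners report findings.
trigger:
- main

pool:
  # Microsoft-hosted agent: no dotnet setup steps are needed.
  vmImage: windows-latest

steps:
# Self-hosted agents only: the scanners need a dotnet runtime on the agent.
# Uncomment these steps on a self-hosted pool; the 6.0.x version below is
# an assumption, not a value from the article.
# - task: UseDotNet@2
#   displayName: 'Use dotnet'
#   inputs:
#     version: 6.0.x

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    # categories limits this run to the secret scanners; drop the input
    # to run every category (code, IaC, secrets, etc.) the extension ships.
    categories: 'secrets'
    # break fails the build when the selected scanners report findings,
    # so a committed credential stops the pipeline before artifacts ship.
    break: true
```

The task publishes its SARIF results as a build artifact by default, which is what the SARIF SAST Scans Tab extension reads to populate the Scans tab described later in this article. Removing the categories input widens the scan (and therefore what can break the build) to every category the extension supports.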

To validate that the implementation was successful for Azure DevOps, developers can run the Azure Pipelines with the Microsoft Security DevOps extension as above and see the security scan results during the pipeline build runs. Your security team can manage secrets, code scanning findings and infrastructure as code findings found in Azure DevOps directly from Microsoft Defender for Cloud. The other validation in Azure DevOps for developers involves seeing secrets at the pull request stage as pull request annotations, before they're merged into the default branch (usually main or master).

For DevOps teams, it's useful for them to be able to see the security scan results, such as secrets, during the Azure pipeline build runs, as they are used to interacting in Azure DevOps. To validate this, go to the Pipelines in Azure DevOps.

Select your pipeline that you enabled with the Security DevOps extension, and click Run pipeline.

After a few minutes, you will see if your run has succeeded or failed.

Click on the pipeline run, and see the Summary of the run. Notice the Errors tab and the Warnings tab, which include security issues found in the repo.

Beside Summary, go to the Scans tab, which appears because of the SARIF SAST Scans Tab extension you enabled. This Scans tab shows the security scan findings per scanning tool.

This is one view of the security scans that your developers can see from Azure DevOps.

However, Defender for DevOps crucially allows customers to manage the secrets, code scanning findings and infrastructure as code findings found in Azure DevOps directly from Microsoft Defender for Cloud. This means that your security team can view these ADO security issues across Azure DevOps organizations, projects and repos from one centralised location in Microsoft Defender for Cloud. To see the credentials in Microsoft Defender for Cloud, go to portal.azure.com and open Microsoft Defender for Cloud.

Go to Recommendations.

Under Remediate vulnerabilities, select the recommendation Code repositories should have secret scanning findings resolved.

See the secrets found under Findings.

Select the secret to get more information about it, including the Build URL and the Repo URL in Azure DevOps.

Pull Request Annotations

The other task you can do is to see pull request annotations, which contain the secrets and Infrastructure as Code security issues found in the Azure DevOps repos.

See here to enable ADO pull request annotations in MDC and in ADO.

  1. In Microsoft Defender for Cloud, go to DevOps Security in the side bar. Tick the box beside the Azure DevOps project to configure pull request annotations.

Select Configure at the top.

In the new screen, turn on pull request annotations.

Now pull request annotations are enabled for all branches in that repository.

  2. Then you need to enable pull request annotations in Azure DevOps, by following the guidance here.

See the process for validating pull request annotations in Azure DevOps for secrets here.

See the pull request annotations then in Azure DevOps, by going under Repos, in Pull Requests.

Click on the pull request to see the high severity pull request annotations showing Secret Access Keys discovered.

Now the developers can take action on these secrets (by removing them from the repository and storing them in a key vault such as Azure Key Vault). The guidance for this can be found here and in the recommendation in Microsoft Defender for Cloud.

In Microsoft Defender for Cloud, you can view workbooks which are essentially reports specific to Defender for Cloud. To see these, go to Microsoft Defender for Cloud, and from the left-hand navigation blade, under the General section, select Workbooks.

From here, under the Defender for Cloud section, you can select the DevOps Security Workbook, which is specific to Defender for DevOps, to see an overview of security findings from Azure DevOps. There are several tabs that you can click through. See more information about this workbook here.

Blogs

  • Download (free) a special Appendix about Defender for DevOps from the latest Microsoft Defender for Cloud book published by Microsoft Press

Defender for DevOps Documentation

By the end of this article, you should understand the value proposition of Microsoft Defender for DevOps and have the knowledge to run a PoC for it on Azure DevOps.

Thanks to the following teammates for reviewing this article:

Charles Oxyer, Microsoft Defender for DevOps Product Manager

Yuri Diogenes, Principal Microsoft Defender for Cloud Product Manager

P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.

This article was originally published by Microsoft's Defender for Cloud Blog. You can find the original article here.