Remediating Infrastructure-as-Code Misconfigurations with DevOps Security in Defender for Cloud

Introduction 

In today's application development landscape, organizations are widely adopting Infrastructure-as-Code (IaC) technology to automate the provisioning and management of resources to support cloud native applications and workloads across their multi-cloud environments. By utilizing IaC, organizations can manage infrastructures with the same versioning, testing, and processes that they use for their application code, leading to more reliable, efficient, and secure operations. 

The Importance of Infrastructure-as-Code Security 

Misconfigurations in IaC templates can pose a significant security risk. For instance, organizations using an outdated version of Transport Layer Security () might expose their services and data to potential breaches. This risk is compounded by the speed and scale at which IaC operates – a single misconfiguration can be propagated across multiple instances, creating a wide . 

The high-velocity nature of IaC causes traditional security practices to fall short, only identifying weaknesses in the security of cloud infrastructure after it is in production. These potential data breaches and service disruptions caused by attacks on cloud infrastructure can result in significant financial and reputational risk. 

Bridging the gap between security and development teams can be challenging, especially when they operate in distinct silos with different toolsets.  

By integrating Microsoft for Cloud into Azure and GitHub environments, security teams and developers can now collaborate toward security posture management from code to cloud. Security teams can view the security hygiene of each repository, identifying which repositories contain critical IaC misconfigurations before the infrastructure is provisioned to production workloads. As security teams are not typically the ones updating the underlying code, they must have an automated and simple method to highlight these findings back to the developers. 

With Pull Request (PR) annotations, security vulnerabilities and misconfigurations are surfaced back to the source code management system at a given line of code in the Pull Request. Each annotation has information regarding the severity of the issue, a description of the issue, and remediation guidance to empower the developer to rapidly identify and prioritize security issues. Developers can now remediate each finding without having the need for security teams to initiate remediation workflows. Security teams and developers can now work together more effectively, making IaC more efficient, more reliable, and more secure. 

End-to-End Scenario: Using Microsoft Defender for Cloud to secure Infrastructure-as-Code 

The scenario below shows how Microsoft Defender for Cloud can help prevent an ARM template in Azure DevOps from deploying a poorly configured Azure App Service web app, preventing critical security issues from reaching production. 

1. Security Persona onboards the Azure DevOps environment to Microsoft Defender for Cloud, configures Microsoft Security DevOps in the CI/CD ( and continuous delivery) pipeline, and enables PR annotations for Azure DevOps repositories. Click here to learn more about onboarding DevOps security in Defender for Cloud. Click here to learn more about PR annotations. 

 

charlesoxyer_6-1684431293840.png

2. Developer commits an ARM template to deploy an App Service and submits a Pull Request in repository “Contoso Hotels.” 

charlesoxyer_7-1684431293845.png

3. Microsoft Defender for Cloud scans the Pull Request for any security vulnerabilities or misconfigurations. 

 

4. Developer gets notified in the PR that the template contains critical IaC security misconfigurations through an automated comment on the Pull Request coming from Microsoft Defender for Cloud. In the comment, the developer can see the exact line of code where the misconfiguration is located, the severity, and a description of the issue. For example, the web app was configured to not require the latest version. The developer remediates the security findings using the recommendations from the annotation and merges the PR with the healthy IaC template. 

 

charlesoxyer_8-1684431293850.png

5. In Microsoft Defender for Cloud, the security team can also see every IaC misconfiguration that was found in their GitHub and ADO repositories through the dedicated DevOps Security blade.  

 

charlesoxyer_9-1684431293853.png

6. The security team can now navigate to the dedicated Microsoft Defender for Cloud recommendations to see more information regarding misconfigurations and assign the developer remediation owner to the repository. Click here to learn more about assigning owners and due dates for recommendation remediation. 

 

charlesoxyer_10-1684431293855.png

 

charlesoxyer_11-1684431293857.png

7. The developer can now fix all the findings coming from Microsoft Defender for Cloud, improving security posture and reducing the of cloud native applications. 

 

Summary 

This blog discussed how security teams and developers can work together to shift-left cloud security posture management through using Microsoft Defender for Cloud.  

More information 

 

This article was originally published by Microsoft's Defender for Cloud Blog. You can find the original article here.