Ash Moran
Amoran.io

Microsoft Defender For Azure DevOps!

Jan 5, 2023 · 4 min read

A Microsoft logo is seen outside a booth at GSMA Mobile World Congress on Feb. 28, 2022, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Scanning infrastructure as code (IaC) files for misconfiguration and secrets is an important process that helps ensure the security and compliance of an organization’s infrastructure. Misconfigurations in IaC files can lead to vulnerabilities in the infrastructure that can be exploited by attackers, while secrets such as passwords and API keys stored in these files can be exposed if they are not properly protected.

By regularly scanning IaC files for these issues, organizations can identify and fix potential problems before they become a security risk. Additionally, scanning for secrets helps organizations ensure that sensitive information is not accidentally committed to version control and exposed to unauthorized parties. Overall, scanning IaC files for misconfiguration and secrets is a critical aspect of maintaining a secure and compliant infrastructure.

Microsoft Defender — DevOps Security (Preview)

What is it?

“Microsoft Defender for Cloud enables comprehensive visibility, posture management, and threat protection across multicloud environments including Azure, AWS, GCP, and on-premises resources. Defender for DevOps, a service available in Defender for Cloud, empowers security teams to manage DevOps security across multi-pipeline environments.”

Ref: Microsoft Defender for DevOps — the benefits and features | Microsoft Learn

How to Configure

I will put the link below; however, here is a quick guide to help you get started. Link

Prerequisites

As always, there are a few things you want to make sure are in place before we begin.

For the connection, you will need to enable Third-party application access via OAuth.

Load Azure DevOps and navigate to Organization Settings at the bottom left. If you see Project Settings, you will need to go back a page.

Whilst in here, you will also need to go to Permissions. During setup, Defender checks that the connecting user holds the following role, so make sure the user who will create the connection is a member of the Project Collection Administrators group.

Next, open the Marketplace and install the following extensions:

  • Microsoft Security DevOps
  • SARIF SAST Scans Tab

Ref: Configure the Microsoft Security DevOps Azure DevOps extension | Microsoft Learn

Now that we have the prerequisites in place, let's connect the Microsoft Defender for Cloud portal with Azure DevOps.

Load the Azure Portal and navigate to the Defender for Cloud portal.

Under the Environment Settings tab, you will see something similar to the screenshot below. For now, you can ignore the items highlighted in orange, as you may not have these set up yet.

Click Add Environment and select Azure DevOps:

On the next screen, enter the details of the connector:

You can add many connectors for different environments if you want to split out permissions. For now, let's run through a single one as a test.

Click Next, or, once the service is out of preview, select your plan.

Give the Authorization for the connection:

Once done, you can configure which Azure DevOps Organizations and projects to connect to:

Once happy, click review and create.

If everything has gone well, you will see the DevOps Security tab change into this:

How to scan?

Now that we have set up all the connectivity, we need to configure how and what to scan within our pipelines.

For the initial test, Microsoft gives you a simple YAML file to run through.

```yaml
# Starter pipeline
# test
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# aka.ms/yaml
trigger: none
pool:
  vmImage: 'windows-latest'
steps:
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 3.1.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 5.0.x
- task: UseDotNet@2
  displayName: 'Use dotnet'
  inputs:
    version: 6.0.x
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
```

You can therefore commit this file to your Azure Repo and create a pipeline from it:

Alternatively, select a starter pipeline and paste the YAML in:

Once added, run the pipeline and see what it shows.

Viewing the results

There are multiple ways to view the results. If you have added the task to your pipeline, you will see the findings logged during the pipeline run:

If not there, then once the run has finished you will see a Scans tab appear on your job:

Here, you will see the results and outputs:

For most though, your SecOps team will probably manage via the Defender Portal:

Here you can monitor results and manage your CI/CD pipelines.
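Teams that want the scan output outside the portal, for example to fail a build on secrets, can consume the SARIF file that the Scans tab renders. The script below is an added example, not code from the post or from Microsoft: it flattens a SARIF 2.1.0 document into one row per finding, counts findings per tool and severity, and decides whether a build gate should fail. The SARIF content is constructed; the tool names are illustrative and the rule ids, paths and messages are made up.

```python
import json
from collections import Counter

# Constructed sample standing in for the SARIF file a pipeline scan publishes.
# Tool names are illustrative; rule ids, paths and messages are made up.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "CredScan"}}, "results": [
        {"ruleId": "EXAMPLE-SECRET-001", "level": "error",
         "message": {"text": "Possible hard-coded credential"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "infra/main.bicep"},
             "region": {"startLine": 12}}}]}]},
    {"tool": {"driver": {"name": "TemplateAnalyzer"}}, "results": [
        {"ruleId": "EXAMPLE-IAC-002", "level": "warning",
         "message": {"text": "Storage account allows public blob access"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "infra/storage.bicep"},
             "region": {"startLine": 4}}}]},
        # No "level" and no location: per the SARIF spec the level defaults to "warning".
        {"ruleId": "EXAMPLE-IAC-003",
         "message": {"text": "Resource uses an outdated API version"}}]},
]})

def load_findings(sarif_text):
    """Flatten every run's results into one row per finding."""
    rows = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            # A result may carry no location at all (e.g. a template-wide finding).
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            rows.append({"tool": tool, "rule": result.get("ruleId", "unknown"),
                         "level": result.get("level", "warning"),
                         "uri": loc.get("artifactLocation", {}).get("uri"),
                         "line": loc.get("region", {}).get("startLine"),
                         "message": result.get("message", {}).get("text", "")})
    return rows

def summarize(findings):
    """Count findings per (tool, level): the first view a SecOps reviewer wants."""
    return Counter((f["tool"], f["level"]) for f in findings)

def should_fail(findings, fail_on=("error",)):
    """Build gate: True when any finding sits at a level the team blocks on."""
    return any(f["level"] in fail_on for f in findings)

if __name__ == "__main__":
    rows = load_findings(SAMPLE_SARIF)
    print(*rows, dict(summarize(rows)), "fail build:", should_fail(rows), sep="\n")
```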

Granular Scans

Before closing up, it's worth mentioning that you can be more granular with your scans. Defender lets you restrict a run to particular categories, for example:

Defender Scan - Devops (Preview)

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    categories: 'IaC,secrets'
```

It’s worth reading the documentation or using the portal to view options:

I hope you have enjoyed this guide and that it has been helpful in securing your Azure DevOps environment with Defender. If you have any further questions or would like additional information on this topic, please don’t hesitate to reach out.

Thank you for reading and I hope you have a great day!
