Jussi Metso

It’s all about The Cloud and The Security


December 21, 2022 | December 30, 2022

Microsoft Defender for DevOps

What is Microsoft Defender for DevOps?

Microsoft Defender for DevOps adds additional security capabilities to the robust Microsoft Defender for Cloud service for security posture management and threat protection for code, code management systems, and deployment pipelines. It strengthens the development lifecycle by protecting code management systems and shifting security solutions left so that security issues can be found early and mitigated before deployment to production. 

Defender for DevOps provides tools that scan code for vulnerabilities and vulnerable dependencies, and that scan infrastructure as code for security configuration issues, container vulnerabilities, and credentials. It also provides security configuration recommendations to harden code management systems and protect them from attacks.

Defender for DevOps fills five vital needs for managing the security of code and code management systems:

  • Vulnerabilities in code
      • Keep dependencies up to date with automated pull requests
      • Detect and monitor for leaked credentials and secrets
  • Secure and compliant Infrastructure-as-Code (IaC)
      • Deploy and enforce policy to ensure uniformity and best practices
      • Find and fix issues before they are deployed, prevent drift
  • Security monitoring
      • Respond to suspicious activities in code, pipelines, and the developer cloud
      • Assess the impact of vulnerabilities and risks easily
  • Continuous cloud security and compliance
      • Assess and view state of pre-production resources
      • Compare posture to security and compliance standards
      • Leverage attack graphs and attack simulation
  • Secure cloud-native workloads
      • Multi-cloud integration, Containers, Serverless, APIs

Set up DevOps Security

To set up DevOps Security, click Cloud Security -> DevOps Security (Preview), and the following blade opens.

Add the connector

Next, you need to add the connector. Press Add Connector on option 1: Connect DevOps environments.

Click Azure DevOps (preview). Fill in the connector details and click Next: Select Plans.

Note: You can only select Central US as the region during Public Preview.

Select the DevOps plan if it is not already selected and click Next to go to Authorize Connection.

Click Authorize, and a popup window opens where Defender for DevOps asks for permissions to the Azure DevOps projects.

You are asked to authorize the app with these permissions:

After the permissions are accepted, the authorize blade is updated and shows “Edit connector account” with two new options:

Select the appropriate Organizations, Projects and Repositories.

If you get that information on a red background, you need to ask for the Project Collection Admin role to choose the projects.

When you have selected what you want, click Review and create.

Configure pipelines

To configure pipelines in Azure DevOps, click the Follow the steps button, which opens the overview page of Defender for DevOps. Here is the shortcut to the pipeline configuration.

Connect your GitHub repositories to Microsoft Defender for Cloud

By connecting your GitHub repositories to Defender for Cloud, you’ll extend Defender for Cloud’s enhanced security features to your GitHub resources. These features include:

  • Defender for Cloud’s Cloud Security Posture Management (CSPM) features – Assesses your GitHub resources according to GitHub-specific security recommendations. You can also learn about all of the recommendations for DevOps resources. Resources are assessed for compliance with built-in standards that are specific to DevOps. Defender for Cloud’s asset inventory page is a multicloud enabled feature that helps you manage your GitHub resources alongside your Azure resources.

  • Defender for Cloud’s Cloud Workload Protection features – Extends Defender for Cloud’s threat detection capabilities and advanced defenses to your GitHub resources.

Here is a link to this operation.

Additional information

Automate Defender for DevOps Recommendation Remediation

Logic Apps are a workflow automation feature of Microsoft Defender for Cloud (MDC) in which you can create and run automated workflows that integrate your apps, data, services, and systems. This blog walks through creating a Logic App that you can use to auto-remediate the Defender for DevOps Recommendation in MDC called “GitHub repositories should have Dependabot scanning enabled” by enabling Dependabot on a GitHub repo.

Security Operators will find this Logic App particularly useful because they do not need to be familiar with GitHub or log in to GitHub to enable Dependabot scanning. Instead, SecOps can enable Dependabot open source dependency scanning remotely and on numerous repositories by using Logic App automation.
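The remediation step such a workflow performs can be sketched outside Logic Apps as well. The following is an added example, not the Logic App from the referenced blog: it checks and enables Dependabot alerts through the GitHub REST endpoint `/repos/{owner}/{repo}/vulnerability-alerts`. The repository names, the `remediate` and `github_send` helpers, and the idea that the repo list comes from the recommendation's unhealthy resources are assumptions for illustration.

```python
import re
import urllib.error
import urllib.request

REPO_RE = re.compile(r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+")  # owner/name only

def github_send(method, path, token):
    """Send one GitHub REST call; the token needs admin rights on the repo."""
    req = urllib.request.Request(
        "https://api.github.com" + path, method=method,
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "X-GitHub-Api-Version": "2022-11-28"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def remediate(repos, send):
    """Enable Dependabot alerts on each "owner/name" repo where they are off.
    send(method, path) -> HTTP status is injected so the logic runs offline.
    """
    report = {}
    for full_name in repos:
        if not REPO_RE.fullmatch(full_name):  # never build a URL from junk
            report[full_name] = "skipped: not owner/name"
            continue
        path = f"/repos/{full_name}/vulnerability-alerts"
        status = send("GET", path)  # 204 = enabled, 404 = off or not visible
        if status == 204:
            report[full_name] = "already enabled"
        elif status == 404:
            put = send("PUT", path)  # 204 = now enabled
            report[full_name] = "enabled" if put == 204 else f"failed: HTTP {put}"
        else:
            report[full_name] = f"failed: HTTP {status}"
    return report

if __name__ == "__main__":
    # Constructed stand-in for GitHub: path -> are alerts enabled?
    state = {"/repos/contoso/web/vulnerability-alerts": False}
    def fake(method, path):
        if path not in state:
            return 404
        if method == "PUT":
            state[path] = True
        return 204 if state[path] else 404
    print(remediate(["contoso/web", "contoso/gone", "bad name"], fake))
```

Against the real API, pass `lambda m, p: github_send(m, p, token)` as `send`; a repository the token cannot see also answers 404 on the check and is reported as failed when the enable call is rejected.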

DevOps Security Workbook

The new DevOps Security workbook in Microsoft Defender for Cloud (MDC) provides you with a unified interactive experience enabling you to quickly gain visibility and insights into your DevOps security posture in coordination with the newest MDC service Defender for DevOps.

The DevOps Security workbook provides you with a customizable foundation that helps you visualize the state of your DevOps posture for the connectors you have configured. You can investigate credential exposure, including types of credentials and repo locations. Then you can do the same for code, dependencies, and hardening.

You can also deploy the workbook from GitHub.

Please note that Defender for DevOps is in Public Preview at the time of writing, and it is available in Central US only.
