Cloud Defender for DevOps
Microsoft Defender for Cloud is Microsoft's integrated security solution for cloud security posture management (CSPM) and cloud workload protection (CWP). In short, it strengthens your security posture by providing recommendations and identifying potential weaknesses such as misconfigurations. Defender for Cloud will also proactively protect your multi-cloud and hybrid-cloud workloads by providing real-time detection across a range of evolving threats. Why is this important? Well, according to Gartner, through 2025, 99% of cloud security failures can be attributed to human error.
From a software engineering perspective, and having used Microsoft Defender for Azure SQL for a while now, it is a great tool for peace of mind that our SQL data estate has been configured according to best practices and that potential threats to our databases, such as SQL injection and brute-force attacks, will be continuously detected.
And naturally, my interest was piqued when Defender for DevOps was announced in public preview at Microsoft Ignite 2022. Defender for DevOps promises IT admins the ability to centrally manage DevOps security and provides unified visibility across multiple DevOps environments. It not only scans your code (source files, IaC, containers) for code and dependency vulnerabilities, but also provides recommendations for strengthening the security of your repos. The value proposition is that it surfaces this data in a centralised Cloud Defender portal within the Azure Portal, alongside the other Defender services.
Keep in mind that it is still early days: Defender for DevOps is available only in public preview and in one region (Central US). However, it is free as part of the preview, so there is no better time to go in, learn more and provide feedback to the product teams. It is also worth noting that it currently only supports Azure DevOps and GitHub, but I imagine support for other DevOps tooling such as Jenkins and GitLab is not too far behind.
Connect to your Repo (GitHub)
To set up Cloud Defender for DevOps, go to your Cloud Defender resource in the Azure Portal and look for DevOps Security (Preview), where you will need to set up a connection to either Azure DevOps or GitHub.
I have already set up a connection to Azure DevOps, so here I will create one to my demo GitHub account. To do this, select + Add environment and select your DevOps platform, i.e. GitHub.
Provide the standard details for your resource. As noted, only the Central US region will be selectable for the public preview. Select Next to continue.
Next, we will select a plan. For the public preview, you will only get to select one option which is free. Select Next to authorise the connection to GitHub which will allow Cloud Defender to connect to your GitHub account.
Select the Authorize button.
Sign into your GitHub account when prompted. Once signed in, you should have a green tick that indicates the connection has been authorized. Next, you need to install the Defender for DevOps app. Click on Install.
Here, you can specify which repos you would like to grant access to. Select Save once completed.
The MSDO (Microsoft Security DevOps) app is a command line application that leverages several open-source tools to perform static application security testing (SAST) and related scans on your application source code (source files, IaC, containers etc). You can read more about the MSDO app on the Microsoft website here. GitHub also supports secret scanning if you are licensed for GitHub Advanced Security (GHAS), which I will cover a little later. Click here to learn more about it.
Once you have two green ticks, you can click on Next to review and complete the creation process.
Enabling code and secret scanning (GitHub)
In order for the MSDO app to work its magic to its full potential, you will need to ensure your repo has code scanning and secret scanning turned on. If you don't, you will notice an error in your workflows similar to the one below.
What this means is that back in Cloud Defender, you will only see dependency / OSS (open-source software) vulnerabilities and not the full gamut of potential code vulnerabilities.
Code and secret scanning on a private repo requires GitHub Advanced Security (GHAS), so you will need a license or need to set up a trial. For someone like me who doesn't have a license, I simply created a public repo, which is not a problem as it's a demo GitHub account and the source code is cloned from a public repo. I obviously don't recommend doing this for any work or confidential projects.
Scanning your repo (GitHub)
In order to test out the capabilities of Defender for DevOps, I cloned the DVPWA - Damn Vulnerable Python Web Application which can be found here. It is a Python web application with numerous vulnerabilities so we should be able to pick up something without too much drama.
Once you have completed cloning the repo or have your own project ready, select Actions to create a workflow.
Select New Workflow
We will start with a blank workflow so select set up a workflow for yourself.
I used a boilerplate example based predominantly on the MS Learn material here.
The workflow will trigger on either a push or a pull request, or can be triggered manually.
The Run Microsoft Security DevOps Analysis step executes the MSDO app, which in turn takes care of:
- Installing the Microsoft Security DevOps CLI
- Installing the latest Microsoft security policy
- Installing the latest Microsoft and 3rd party security tools
- Automatic or user-provided configuration of security tools
- Executing the full suite of security tools, e.g. Bandit, ESLint and Terrascan (for Terraform and other IaC templates), selected by file-based application filters
- Normalizing results into the SARIF format
- Build breaks and more
There are a number of parameters which you can specify to fine-tune the behaviour of MSDO. For example, you can specify the languages to analyse, the tools to use and whether to break the build on findings.
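Here is the kind of workflow the steps above describe, as an added example rather than the post's own file. It follows the microsoft/security-devops-action usage documented on MS Learn: check out, make a .NET runtime available, run MSDO, then upload the SARIF it produces. The commented-out inputs (languages, tools, break) are the tuning parameters mentioned above; their names are given as I understand them from the action's documentation, so verify them against the action's current action.yml before relying on them.

```yaml
# Added example of an MSDO workflow (not the post's own file).
# Based on the microsoft/security-devops-action usage shown on MS Learn.
name: MSDO scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:       # allow a manual run from the Actions tab

jobs:
  msdo:
    name: Microsoft Security DevOps Analysis
    runs-on: windows-latest
    # Least privilege: the job only needs to read the tree and write to the Security tab.
    permissions:
      contents: read
      id-token: write
      actions: read
      security-events: write   # required by upload-sarif
    steps:
      - uses: actions/checkout@v3

      # MSDO is a .NET tool; the action expects a .NET runtime on the runner.
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: |
            5.0.x
            6.0.x

      # Installs the MSDO CLI, the current Microsoft policy and the bundled
      # analyzers, runs them, and writes normalized SARIF to the path exposed
      # as steps.msdo.outputs.sarifFile.
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        # Optional tuning inputs (assumed names, check the action's action.yml):
        # with:
        #   languages: python          # restrict analysis to one language
        #   tools: bandit,trivy        # run only these analyzers
        #   break: true                # fail the job when findings are reported

      # Publishes results to the repo's Security tab (requires code scanning
      # to be enabled: free on public repos, GHAS on private ones).
      - name: Upload results to Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Note the explicit permissions block: with the default token permissions the upload-sarif step will fail, and granting only security-events: write keeps the workflow token from being able to push code if an analyzer or dependency is ever compromised.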
You can also request the GitHub team to evaluate onboarding additional open-source tools here.
Select Start commit to commit your changes.
Select Commit new file. This should kick off the workflow based on the trigger specified in the yml file.
The workflow will queue and should start running shortly.
Drilling into the details, we can see the Run MSDO step start to run and return some findings.
After a few minutes, the remaining steps of the workflow should complete successfully. The MSDO step exposes the path of the SARIF file as an output variable, and the last step uploads that file to the repository's Security tab.
We can go to the security tab to find out more about the 34 vulnerabilities identified.
We can see there are 6 vulnerable dependencies.
And we can see there are 28 code vulnerabilities.
Cloud Defender Reporting
Going back to the Cloud Defender service in the Azure Portal, we should now see things looking quite different. The number of code and dependency vulnerabilities also matches what we saw earlier in the Security tab of our repo in GitHub.
Note: if you have only recently created the connection to GitHub, it can take several hours before the findings will flow from GitHub to Cloud Defender.
As previously mentioned, one of the benefits of Cloud Defender in general is its ability to provide recommendations for configuring and strengthening your security posture. To see a list of recommendations and findings, select the project you wish to analyse further.
In the next screen, we can see a list of actions recommended by Cloud Defender. These recommendations also carry a severity classification, which is useful for prioritising what to focus on first.
As we have already enabled code and secret scanning, we can see the status is set to Healthy.
Because MSDO has identified various code and dependency vulnerabilities, we can also see some Unhealthy recommendations.
If you click on an Unhealthy recommendation, you are taken to a screen with the findings (vulnerabilities). Selecting an individual finding surfaces additional information and context which can assist in remediating the issue.
As with any other recommendation or alert in Cloud Defender, you also have the ability to connect a Logic App (via workflow automation) to trigger automated responses without writing code. This is useful if you want to, for example, notify a team of an issue or log these findings in a defect management system.
Cloud Defender for DevOps is an exciting addition to the Microsoft Defender family. Because there is an abundance of open-source tooling available today that can output to the SARIF schema, I imagine the list of tools supported by MSDO will continue to grow. In addition, I would be interested to learn more about how other licensed SAST and SCA tools on the market can be integrated with Cloud Defender. I will need to test that out in the future.