Microsoft Defender for DevOps is Microsoft's latest DevSecOps product; it extends Defender for Cloud's threat detection capabilities to Azure DevOps resources. It assesses your Azure DevOps resources against Azure DevOps specific security recommendations, and the results are then added to your Defender security score.
How to Enable DevOps Security
The feature can be enabled from the Azure Portal under Microsoft Defender for Cloud. If you haven't enabled Defender for Cloud yet, you will get a notification about upgrading the plans, but you can skip that: the upgraded plans are not required for DevOps Security. The DevOps Security menu option can be found in the left menu.
The first step in the configuration is to connect Defender for Cloud to the Azure DevOps project. That is done by clicking the Add environment button at the top.
Currently the service is only available in Central US, so you cannot select any other region.
After the resource is created, hit the refresh button in your browser and navigate back to the DevOps Security page. The feature is now up and running and shows the scan results of the selected repositories: OSS vulnerabilities, exposed secrets, etc.
How does it work?
DevOps Security runs scans (a specific task in the pipeline) against your Azure DevOps repositories and searches for security issues. All findings are reported to Defender for Cloud. Currently the feature is not visible in Azure DevOps, which means it cannot, for example, block the completion of a PR that adds secrets to the code base. It can raise alerts about it, but not prevent it.
DevOps Security can trigger Logic Apps, which can then post messages about the found security issues to your Teams or Slack channels. The feature is all about monitoring, not about preventing.
Testing Pull Request Analysis
I wanted to test the Pull Request Analysis by creating a pull request that adds fake secrets into master. To run the test I had to add a new task to the build pipeline, which creates a security report from the build. Microsoft has added a new “Run Microsoft Defender for DevOps” task that needs to be added to the build pipeline used as the pull request gate (if you don't have a PR gate, you can add one through branch policies). The task can be run with default settings, but if you want to, you can tweak the scan by using a config file. The full documentation of the task is found on GitHub. For this test I just used the default values.
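As an added example (not from the original post or from Microsoft's documentation), here is a minimal YAML definition for the PR-gate build with that task in it. The task id MicrosoftSecurityDevOps@1 and the categories, publish and artifactName inputs are assumptions based on the Microsoft Security DevOps extension as I know it, so check them against the task documentation on GitHub mentioned above.

```yaml
# azure-pipelines.yml (assumed file name) for the build that branch policies
# run as the pull request gate.
# Assumption: MicrosoftSecurityDevOps@1 is the task id of the
# "Run Microsoft Defender for DevOps" task from the Microsoft Security DevOps
# extension installed in the organization.
trigger: none          # no CI trigger; branch policies start this build for each PR

pool:
  vmImage: 'windows-latest'

steps:
  - checkout: self

  # Scan the checked-out repository. Narrowed here to exposed secrets, the
  # case tested in this post; leaving out 'categories' runs the default set.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Run Microsoft Defender for DevOps'
    inputs:
      categories: 'secrets'
      publish: true                    # keep the scan results as a build artifact
      artifactName: 'CodeAnalysisLogs' # name the results artifact is published under
```

The findings themselves are surfaced in Defender for Cloud, as described above; the build artifact only gives you a copy of the report next to the build.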
After adding the build task, I created a new pull request that tries to add a fake connection string.
When the pull request is created, it automatically raises an alert in Defender for Cloud. It reports the file and the category of the alert. In this case it was identified as an “ODBC connection string”.
The alert is also shown on the security overview page, which shows that I have 1 exposed secrets alert active.
Summary
Microsoft Defender for DevOps is a huge leap in DevSecOps. DevOps pipelines can now easily be integrated into security operations in Azure Defender for Cloud. GitHub has had this feature for months, so it is nice to see it finally coming to Azure DevOps too. Setting it up is easy, and the dashboard gives a really nice overview of the situation. We can react to alerts by calling Logic Apps and easily post security detections to Teams and Slack.
I think the tool is a great addition to security practices, and you should definitely try it out and see if it fits your security processes.