
DevSecOps with Microsoft Defender for DevOps 

Microsoft Defender for DevOps is Microsoft's latest DevSecOps product. It extends the threat detection capabilities of Defender for Cloud to Azure DevOps resources: it assesses those resources against Azure DevOps specific security recommendations, and the results feed into your Defender for Cloud secure score.

How to Enable DevOps Security

The feature is enabled from the Azure Portal under Microsoft Defender for Cloud. If you have not enabled Defender for Cloud before, you will be prompted to upgrade your plans, but you can skip that: the upgraded plans are not required for DevOps Security. The DevOps Security option is in the left-hand menu.

Screenshot: the left-hand menu has a new option, “DevOps Security”.

The first configuration step is to connect Defender for Cloud to your Azure DevOps project. This is done by clicking the Add environment button at the top and choosing Azure DevOps.

Screenshot: Add environment at the top, then add a connection to Azure DevOps.

At the time of writing the service is only available in the Central US region, so no other region can be selected.

Screenshot: the Region setting is locked to Central US; keep the default.

Once the resource has been created, refresh the browser and navigate back to the DevOps Security page. The feature is now up and running and shows scan results for the selected repositories: open-source (OSS) dependency vulnerabilities, exposed secrets and so on.

Screenshot: Security overview after the feature is enabled for the Example CI Build project.

How does it work?

DevOps Security runs scans, implemented as a dedicated task in your pipeline, against your Azure DevOps repositories and looks for security issues. All findings are reported to Defender for Cloud. At the moment the results are not surfaced inside Azure DevOps itself, so the feature cannot, for example, block completion of a pull request that adds secrets to the code base. It can raise an alert about it, but it does not prevent it.

DevOps Security can trigger Logic Apps, which in turn can post messages about the findings to your Teams or Slack channels. The feature is about monitoring, not about prevention.

Screenshot: the Findings page is empty even though secret scanning has found something; the secret scanning result is not reported under Findings.

Testing Pull Request Analysis

I wanted to test Pull Request Analysis by creating a pull request that adds fake secrets to master. To run the test I had to add a new task to the build pipeline that produces the security report from the build. Microsoft has added a new “Run Microsoft Defender for DevOps” task, which must be added to the build pipeline used as the pull request gate (if you do not have a PR gate yet, you can add one through branch policies). The task can run with its default settings, but the scan can be tweaked with a config file. The full documentation of the task is on GitHub. For this test I used the default values.

Screenshot: adding the Run Microsoft Defender for DevOps task to the build pipeline; the task is required for Pull Request Analysis.
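For readers who define their pipelines in YAML rather than the classic editor, here is an added example (not from the original post) of a minimal Azure Pipelines definition with the scan task in place. The task name `MicrosoftSecurityDevOps@1` and its inputs come from Microsoft's public security-devops-azdevops extension; the agent image, branch name and artifact name are assumptions. For Azure Repos the PR gate is not a `pr:` trigger in the YAML; it is the branch policy (build validation) that points at this pipeline, as described above.

```yaml
# Added example, not the post's own pipeline. Runs the Microsoft Defender
# for DevOps scan on every build of this pipeline; make the pipeline a
# PR gate by adding a build validation branch policy on master.
trigger:
  - master            # assumption: the protected branch is "master"

pool:
  vmImage: 'windows-latest'   # assumption: any supported hosted agent

steps:
  - checkout: self

  # Task from the "Microsoft Security DevOps" Azure DevOps extension
  # (https://github.com/microsoft/security-devops-azdevops). With only
  # "command: run" it uses the defaults, as in the test described above.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Run Microsoft Defender for DevOps'
    inputs:
      command: 'run'
      # Optional tuning via a config file instead of the defaults:
      # config: '.gdn/defender.gdnconfig'   # assumption: path of your config
      publish: true                          # upload results as a build artifact
      artifactName: 'CodeAnalysisLogs'       # assumption: artifact name to use
```

The extension also documents a `break` input; when set to true the task fails the build on findings, which is how a team that wants the scan to act as a real gate rather than a monitor would wire it up. The test in this post kept the defaults, so the pull request was only reported, not blocked.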

After adding the build task, I created a new pull request that tries to add a fake connection string.

Screenshot: pull request with a fake connection string.

When the pull request is created, an alert is raised automatically in Defender for Cloud. It reports the file and the category of the finding; in this case the secret was identified as an “ODBC connection string”.

Screenshot: the alert raised automatically in Defender for Cloud.

The alert also appears on the Security overview page, which shows one active exposed secrets alert.

Screenshot: the overview page shows 1 active exposed secrets alert.

Summary

Microsoft Defender for DevOps is a big step forward for DevSecOps. DevOps pipelines can now be easily integrated into security operations in Microsoft Defender for Cloud. GitHub has had this feature for months, so it is nice to see it finally arrive for Azure DevOps too. Setup is easy and the dashboard gives a really good overview of the situation. We can react to alerts by calling Logic Apps and easily post security detections to Teams and Slack.

I think the tool is a great addition to security practices, and you should definitely try it out and see whether it fits your security processes.