In the previous articles, we discussed different angles of secure DevOps for Microsoft Azure cloud solutions. A stable infrastructure management process built on the Infrastructure as Code approach, together with automated workload deployments, brings many benefits and enables fast and predictable deployments to the Azure cloud. However, it is crucial to keep security in mind at every stage of implementing DevOps practices. It is not only the security of the source code that matters, but also the security of the DevOps platforms themselves, such as Azure DevOps and GitHub. This is why in this article we focus on improving DevOps security with helpful Azure security services that we use as practices included in Formula5's Modular DevSecOps framework.
A holistic look at DevOps platform security with Microsoft Sentinel
Monitoring source code security and automation pipelines is important. We want to make sure that no secrets are committed to the source code repository and that no deployment can proceed without code review and proper approval. However, it can be challenging to keep an eye on every aspect of secure DevOps. Let's list some examples to make it easier to see where the challenge lies:
- Verifying that no secrets are committed to source code repositories owned by our organization
- Verifying that no vulnerable extensions are installed
- Verifying that branch policies are enabled
- Being notified when a source code repository is deleted
- Being notified when there is activity from suspicious locations
There can be even more challenges. This is where Microsoft Sentinel can help. Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. It provides intelligent security analytics and threat intelligence in a single solution for alert detection, threat visibility, proactive hunting, and threat response. Microsoft Sentinel can be used both to monitor the security of DevOps platforms and for auditing purposes.
With Microsoft Sentinel, we can collect data from DevOps platforms like Azure DevOps or GitHub, detect threats, investigate them, and respond to them quickly. Because Microsoft Sentinel is built on an Azure Log Analytics workspace, we can ingest data from many different sources, and dedicated data connectors can be configured to start ingesting data into Microsoft Sentinel.
GitHub and Azure DevOps monitoring with Microsoft Sentinel
Let's discuss Azure DevOps monitoring first. When an Azure DevOps organization is connected to Azure Active Directory, auditing can be enabled in the organization settings (it is off by default and must be turned on by a Project Collection Administrator). Once enabled, Azure DevOps logs each auditable action that occurs in each project under our organization, such as repository creation and deletion, permission changes, extension installation, and branch policy changes.
All events can be streamed directly to the Log Analytics workspace behind Microsoft Sentinel by creating an audit stream with the Azure Monitor Logs target; the events land in the AzureDevOpsAuditing table. A stream forwards events from the moment it is created, so it should be set up before the evidence is needed, not after an incident. With such an approach, it is possible to define analytics rules in Microsoft Sentinel that query this table to detect potential security threats in Azure DevOps.
Many different analytics rules can be defined (Microsoft Sentinel also ships rule templates for Azure DevOps), and each rule can produce incidents in Microsoft Sentinel for further investigation.
It is possible to monitor GitHub too. Microsoft Sentinel provides a dedicated data connector that ingests the GitHub Enterprise audit log into the workspace for analysis.
The GitHub connector comes with analytics rules to detect potential security incidents, for instance when a source code repository is deleted or when there is activity from a new country.
Based on the generated incidents, Microsoft Sentinel can automatically run a playbook. Playbooks are Azure Logic Apps workflows that Microsoft Sentinel runs in response to an alert or incident, either on demand by an analyst or automatically through an automation rule. For example, it is possible to send an e-mail to a specific person in the team with the information that a source code repository was deleted or a new extension was installed, or to open a ticket for the security team.
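To make the detections above concrete, here is an added example (not Microsoft Sentinel's own rule templates and not code from the page's author) that runs three of the rules discussed above, repository deleted, extension installed and activity from a new country, over constructed audit events shaped like rows of the AzureDevOpsAuditing table, and then groups the resulting alerts by the playbook an automation rule would trigger. The ActionId strings, the IP-to-country map and the playbook names are assumptions made for illustration; in Sentinel the same logic would be a KQL query over the table with a lookback window for the country baseline.

```python
"""Added example (not Microsoft Sentinel's own rule templates): three of the
Azure DevOps detections discussed above, run over constructed audit events.
The rows mimic the AzureDevOpsAuditing table that audit streaming fills in the
Log Analytics workspace; the ActionId values, IP-to-country map and playbook
names are assumptions made for illustration."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events (not real data). 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2023-03-01T08:02:11Z", "ActionId": "Git.RepositoryCreated",
     "ActorUPN": "dev1@contoso.com", "IpAddress": "203.0.113.10",
     "ProjectName": "Payments", "Details": "Created repository payments-api"},
    {"TimeGenerated": "2023-03-02T10:40:05Z", "ActionId": "Git.RefUpdated",
     "ActorUPN": "dev2@contoso.com", "IpAddress": "198.51.100.7",
     "ProjectName": "Payments", "Details": "Pushed refs/heads/main"},
    {"TimeGenerated": "2023-03-08T08:15:40Z", "ActionId": "Git.RepositoryDeleted",
     "ActorUPN": "dev1@contoso.com", "IpAddress": "203.0.113.10",
     "ProjectName": "Payments", "Details": "Deleted repository payments-api"},
    {"TimeGenerated": "2023-03-08T09:30:12Z", "ActionId": "Extension.Installed",
     "ActorUPN": "dev2@contoso.com", "IpAddress": "192.0.2.44",
     "ProjectName": "", "Details": "Installed extension publisher.tool"},
    {"TimeGenerated": "2023-03-08T11:05:00Z", "ActionId": "Git.RefUpdated",
     "ActorUPN": "dev1@contoso.com", "IpAddress": "203.0.113.11",
     "ProjectName": "Payments", "Details": "Pushed refs/heads/feature"},
]

# Assumed IP-prefix to country map standing in for a GeoIP enrichment step.
ASSUMED_GEOIP = {"203.0.113.": "PL", "198.51.100.": "PL", "192.0.2.": "BR"}

# Rule name -> (severity, assumed playbook an automation rule would run).
RULES = {
    "Azure DevOps - repository deleted": ("High", "Notify-SecurityTeam"),
    "Azure DevOps - extension installed": ("Medium", "Notify-SecurityTeam"),
    "Azure DevOps - activity from new country": ("Medium", "Confirm-With-User"),
}


@dataclass
class Alert:
    rule: str
    severity: str
    actor: str
    when: str
    detail: str
    playbook: str


def country_of(ip: str) -> str:
    """Resolve an IP to a country code using the assumed prefix map."""
    for prefix, cc in ASSUMED_GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_alert(rule: str, ev: dict, detail: str) -> Alert:
    severity, playbook = RULES[rule]
    return Alert(rule, severity, ev["ActorUPN"], ev["TimeGenerated"], detail, playbook)


def detect(events, baseline_until: str):
    """Run the three rules over the events in time order.

    Events at or before baseline_until only train the per-actor set of known
    countries (the KQL equivalent is a lookback window plus a summarize step);
    later events from a country not yet seen for that actor raise one alert
    per new country. Actors with no baseline alert on their first event.
    """
    cutoff = parse_ts(baseline_until)
    known = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        cc = country_of(ev["IpAddress"])
        if ev["ActionId"] == "Git.RepositoryDeleted":
            alerts.append(make_alert("Azure DevOps - repository deleted", ev,
                                     f'{ev["ProjectName"]}: {ev["Details"]}'))
        elif ev["ActionId"] == "Extension.Installed":
            alerts.append(make_alert("Azure DevOps - extension installed", ev, ev["Details"]))
        if parse_ts(ev["TimeGenerated"]) <= cutoff:
            known[ev["ActorUPN"]].add(cc)
        elif cc not in known[ev["ActorUPN"]]:
            known[ev["ActorUPN"]].add(cc)
            alerts.append(make_alert("Azure DevOps - activity from new country", ev,
                                     f'{cc} via {ev["IpAddress"]}'))
    return alerts


def route(alerts):
    """Group alerts by the playbook an automation rule would trigger."""
    by_playbook = defaultdict(list)
    for a in alerts:
        by_playbook[a.playbook].append(a)
    return dict(by_playbook)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, "2023-03-07T00:00:00Z"):
        print(f"[{a.severity}] {a.rule}: {a.actor} at {a.when} ({a.detail}) -> {a.playbook}")
```

On the sample data the repository deletion by dev1 and the extension install by dev2 fire their rules, and dev2's install from a Brazilian address also fires the new-country rule because the baseline only knows dev2 from Poland; dev1's later push from a second Polish address stays silent. The one-alert-per-new-country rule matters in practice: without it a user travelling for a week would generate an incident for every action.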
Monitoring security with Microsoft Defender for DevOps
Microsoft Defender for DevOps, part of Microsoft Defender for Cloud, addresses the intersection of DevOps with the current threat landscape. It provides end-to-end security, including visibility into code and code management systems, and capabilities that help prevent, detect, and respond to current threats. We can connect Microsoft Defender for DevOps to DevOps platforms like Azure DevOps or GitHub to detect security issues.
Once we connect GitHub or Azure DevOps to Defender for DevOps, we can easily check the security posture of all repositories within our organization. For example, when a secret is committed to a source code repository, the finding is surfaced in a comprehensive report. The right reaction is to revoke and rotate the credential, not just to delete it in a later commit, because the secret stays in the repository history.
It is also possible to enable scanning of Azure infrastructure-as-code templates (for example ARM and Bicep), so that when there are security issues in the templates we are immediately informed and can react properly.
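The two checks described above, secrets committed to a repository and insecure infrastructure-as-code settings, can be illustrated with a small scanner. The block below is an added example, not Defender for DevOps or the Microsoft Security DevOps scanners it relies on; the secret patterns, the ARM storage account properties it checks and the sample repository contents are my own choices, and the sample credentials are constructed placeholders. It also shows a weak storage template beside a hardened one and a gate that would fail a pipeline on High findings.

```python
"""Added example (not Defender for DevOps or its scanners): a minimal secret
and infrastructure-as-code scanner run over constructed repository files.
Secret patterns, checked ARM properties and sample data are illustrative."""

import json
import re
from dataclasses import dataclass

# Constructed sample repository contents (not real files or real credentials).
WEAK_STORAGE = {
    "resources": [{"type": "Microsoft.Storage/storageAccounts", "name": "contosodata",
                   "properties": {"allowBlobPublicAccess": True,
                                  "minimumTlsVersion": "TLS1_0",
                                  "supportsHttpsTrafficOnly": False}}]}
HARDENED_STORAGE = {
    "resources": [{"type": "Microsoft.Storage/storageAccounts", "name": "contosodata",
                   "properties": {"allowBlobPublicAccess": False,
                                  "minimumTlsVersion": "TLS1_2",
                                  "supportsHttpsTrafficOnly": True}}]}
REPO_FILES = {
    "src/appsettings.json": ('{"Storage": "DefaultEndpointsProtocol=https;AccountName=contosodata;'
                             'AccountKey=' + "A" * 86 + '==;EndpointSuffix=core.windows.net"}'),
    "scripts/deploy.sh": "export GITHUB_TOKEN=ghp_" + "x" * 36 + "\n",
    "infra/storage.json": json.dumps(WEAK_STORAGE),
    "infra/storage.hardened.json": json.dumps(HARDENED_STORAGE),
    "README.md": "# Payments\nConfiguration comes from Key Vault references.\n",
}

# Shapes of two widely used credential formats (an Azure storage account key is
# 88 base64 characters ending in '=='; a classic GitHub PAT is ghp_ + 36 chars).
SECRET_PATTERNS = {
    "Azure storage account key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "GitHub personal access token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}


@dataclass
class Finding:
    path: str
    rule: str
    severity: str
    evidence: str  # redacted; a report or log must never echo the full secret


def redact(secret: str) -> str:
    return secret[:6] + "..." + secret[-2:]


def scan_secrets(path: str, text: str):
    return [Finding(path, rule, "High", redact(m.group(1)))
            for rule, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]


def scan_arm_storage(path: str, text: str):
    """Check storage accounts in an ARM template for three weak settings.
    Missing properties count as findings: the platform defaults have changed
    over time, so the secure value should be set explicitly."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return []  # not JSON, so not an ARM template
    out = []
    for res in doc.get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props, name = res.get("properties", {}), res.get("name", "?")
        if props.get("allowBlobPublicAccess") is not False:
            out.append(Finding(path, "Storage account allows public blob access", "Medium", name))
        if props.get("minimumTlsVersion") != "TLS1_2":
            out.append(Finding(path, "Storage account minimum TLS version below 1.2", "Medium", name))
        if props.get("supportsHttpsTrafficOnly") is not True:
            out.append(Finding(path, "Storage account permits plain HTTP traffic", "Medium", name))
    return out


def scan_repo(files: dict):
    findings = []
    for path, text in files.items():
        findings += scan_secrets(path, text)
        if path.endswith(".json"):
            findings += scan_arm_storage(path, text)
    return findings


def should_block(findings) -> bool:
    """Pipeline gate: any committed secret fails the build."""
    return any(f.severity == "High" for f in findings)


if __name__ == "__main__":
    for f in scan_repo(REPO_FILES):
        print(f"{f.severity:6} {f.path}: {f.rule} ({f.evidence})")
```

Running it over the sample repository yields two High findings (the storage key in appsettings and the GitHub token in the deploy script) and three Medium findings, all from the weak template; the hardened template produces none. The evidence field is redacted on purpose, since scanner output often ends up in build logs and tickets that are far more widely readable than the repository.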
Formula5’s DevSecOps modular framework starter pack
At Formula5 we understand that configuring everything mentioned above in the article can be challenging. This is why, as part of Formula5's DevSecOps modular framework starter pack, we help our clients configure both services, Microsoft Sentinel and Defender for DevOps. We provide pre-defined templates for analytics rules and automation playbooks so that once the services are configured, our clients can immediately start getting value from them. We also have dedicated guidance on how to handle the security alerts generated by these services and how to make sure there is a consistent approach to DevOps security across the whole client's organization.
With a comprehensive look at DevOps platform security, we can implement secure DevOps practices from the source code repository up to the release pipeline deploying the solution to the production environment. Tools are important, but they are not enough. The process for handling security incidents is important too: how to collect information about security events, how to analyze them, and how to react. This is why with Formula5's Modular DevSecOps framework we provide not only ready-to-use configuration templates but also guidance on the process, so it can be learned and applied consistently across the whole organization.
I also encourage you to watch the video where, in a more practical way, I present some of the above concepts.