{"id":65846,"date":"2022-10-12T04:59:49","date_gmt":"2022-10-12T12:59:49","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=65846"},"modified":"2022-10-12T07:12:49","modified_gmt":"2022-10-12T15:12:49","slug":"integrate-security-into-your-developer-workflow-with-github-advanced-security-for-azure-devops","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/integrate-security-into-your-developer-workflow-with-github-advanced-security-for-azure-devops\/","title":{"rendered":"Integrate security into your developer workflow with GitHub Advanced Security for Azure DevOps"},"content":{"rendered":"<p>Exciting things are in store for Azure DevOps in the coming year! We\u2019re planning deep investments in security as well as broad investment across the product. Read on for more information, and then be sure to check out our updated roadmap at <a href=\"https:\/\/aka.ms\/AzureDevOpsRoadmap\">https:\/\/aka.ms\/AzureDevOpsRoadmap<\/a>.<\/p>\n<h2>Deep investments in security<\/h2>\n<p>First, we are super excited about bringing GitHub Advanced Security and Microsoft Defender for Cloud\u2019s new Defender for DevOps capabilities to Azure DevOps customers! Additionally, two other major security initiatives are planned for Azure DevOps over the coming year. The first is focused on minimizing the risks associated with credential theft; the second, on making it easier to harden Azure DevOps organization configuration.<\/p>\n<h3>GitHub Advanced Security<\/h3>\n<p>Customers using Azure Repos and Azure Pipelines have up to now been unable to take advantage of GitHub Advanced Security&#8217;s industry leading capabilities. We&#8217;re pleased to announce that GitHub Advanced Security for Azure DevOps will bring these capabilities to Azure DevOps, natively integrated into Azure Repos and Azure Pipelines. 
This brings the same secret scanning, dependency scanning, and CodeQL code scanning capabilities of GitHub Advanced Security right into the Azure DevOps environment that these teams are already familiar with.<\/p>\n<ul>\n<li><strong>Secret Scanning<\/strong>: Exposed credentials are implicated in over 80% of security breaches. GitHub Advanced Security for Azure DevOps can not only help you find secrets that have already been exposed in Azure Repos, but also help you prevent new exposures by blocking any pushes to Azure Repos that contain secrets.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/10\/secret-scanning.gif\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/10\/secret-scanning.gif\" alt=\"image showing secret scanning\" width=\"1920\" height=\"1062\" class=\"aligncenter size-full wp-image-65809\" \/><\/a><\/p>\n<ul>\n<li><strong>Dependency Scanning<\/strong>: Open-source supply chain attacks such as the \u201cLog4Shell\u201d incident are on the rise. 
GitHub Advanced Security identifies the open-source packages used in your Azure Repos \u2013 both direct and transitive dependencies \u2013 and provides straightforward guidance from the GitHub Advisory Database on how to upgrade those packages to mitigate vulnerabilities.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/10\/GHAS-in-AzDO.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/10\/GHAS-in-AzDO.png\" alt=\"Image showing dependency scanning natively integrated into Azure DevOps\" width=\"1248\" height=\"471\" class=\"aligncenter size-full wp-image-65855\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/10\/GHAS-in-AzDO.png 1248w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/10\/GHAS-in-AzDO-300x113.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/10\/GHAS-in-AzDO-1024x386.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/10\/GHAS-in-AzDO-768x290.png 768w\" sizes=\"(max-width: 1248px) 100vw, 1248px\" \/><\/a><\/p>\n<ul>\n<li><strong>Code Scanning<\/strong>: GitHub Advanced Security uses the industry-leading CodeQL static analysis engine to detect hundreds of code security vulnerabilities such as SQL injection and authorization bypass across a wide range of languages including C#, C\/C++, Python, JavaScript\/TypeScript, Java, Go and more. GitHub Advanced Security for Azure DevOps enables you to run CodeQL scans directly from Azure Pipelines on code from Azure Repos and act on the results without ever having to leave your Azure DevOps environment. <\/li>\n<\/ul>\n<p>GitHub Advanced Security for Azure DevOps will ship to limited private preview customers in early November 2022. 
To be considered for future preview programs, please visit <a href=\"https:\/\/aka.ms\/advancedsecurity-signup\" rel=\"noopener\" target=\"_blank\">https:\/\/aka.ms\/advancedsecurity-signup<\/a>.<\/p>\n<h3>Defender for Cloud<\/h3>\n<p>In addition to helping developers find and fix vulnerabilities by integrating alerting and remediation guidance directly into the Azure DevOps experiences they already use every day, GitHub Advanced Security will also integrate with Microsoft Defender for Cloud\u2019s new <a href=\"https:\/\/aka.ms\/DfDevOps\" rel=\"noopener\" target=\"_blank\">Defender for DevOps<\/a> capabilities to empower security managers and leaders to unify DevOps security posture visibility across multiple pipelines and help strengthen security from development to runtime.<\/p>\n<h3>Minimizing risks from credential theft<\/h3>\n<p>Azure DevOps supports many different authentication mechanisms, including basic authentication, personal access tokens (PATs), SSH, and Azure Active Directory access tokens. These mechanisms are not created equal from a security perspective, especially when it comes to the potential for credential theft. 
For example, unintended leakage of credentials like PATs can let malicious actors into Azure DevOps organizations where they can gain access to critical assets like source code, pivot toward supply chain attacks, or even pivot toward compromising production infrastructure.<\/p>\n<p>Over the past year, Azure DevOps has been investing in strengthening protections around the usage of PATs, including Azure AD-Tenant-scoped <a href=\"https:\/\/docs.microsoft.com\/azure\/devops\/organizations\/accounts\/manage-pats-with-policies-for-administrators\" rel=\"noopener\" target=\"_blank\">policies<\/a> around allowable PAT scopes and lifetimes; <a href=\"https:\/\/docs.microsoft.com\/rest\/api\/azure\/devops\/tokens\/\" rel=\"noopener\" target=\"_blank\">APIs<\/a> to help automate PAT creation, revocation, and rotation; and <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/release-notes\/2022\/sprint-210-update#all-public-rest-apis-support-granular-pat-scopes\" rel=\"noopener\" target=\"_blank\">association of all Azure DevOps APIs with appropriate PAT scopes<\/a> to minimize the need for &#8220;full-scoped&#8221; PATs with no limitations on their use beyond the permissions of their underlying user.<\/p>\n<p>Beyond these efforts to reduce the risk of PAT usage, we are also focused on reducing the need for PATs in the first place. An example of this is the work we did with our partners at GitHub to enable support for <a href=\"https:\/\/github.com\/GitCredentialManager\/git-credential-manager\/blob\/main\/docs\/azrepos-users-and-tokens.md\" rel=\"noopener\" target=\"_blank\">Microsoft identity OAuth tokens<\/a> in Git Credential Manager (GCM) when connecting to Azure Repos repositories. Up next is support in Azure DevOps for Azure Service Principals and Managed Identities to reduce the need for PATs in application integration scenarios. 
<a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/fundamentals\/service-accounts-principal#service-principal-authentication\" rel=\"noopener\" target=\"_blank\">Service Principals<\/a> offer several security benefits beyond PATs \u2013 when used with Certificate authentication, their secrets cannot accidentally be embedded in code; they can be stored in Azure Key Vault and optionally auto-rotated; and so forth. Managed Identities go a step further by removing the need to manage secrets altogether.<\/p>\n<p>Similarly, while Azure Pipelines today support secret-free deployments into Azure using <a href=\"https:\/\/docs.microsoft.com\/azure\/devops\/pipelines\/library\/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-to-a-vm-with-a-managed-service-identity\" rel=\"noopener\" target=\"_blank\">Managed Identity service connections<\/a> from self-hosted agents, Microsoft-hosted agents are limited to using Service Principals \u2013 often with client secrets rather than certificates. These secrets are comparatively easy to steal, and therefore must be protected, rotated, and so forth to ensure they do not become an attack vector. We&#8217;re working now on support for secret-less deployments from Microsoft-hosted agents that leverage federated credentials using OpenID Connect (OIDC), similar to the capability that exists today in <a href=\"https:\/\/docs.github.com\/actions\/deployment\/security-hardening-your-deployments\/configuring-openid-connect-in-cloud-providers\" rel=\"noopener\" target=\"_blank\">GitHub Actions<\/a>.<\/p>\n<p>Longer term, we are deepening our integration with Azure Active Directory (Azure AD) and embracing Azure AD access tokens as the primary authentication method in Azure DevOps. 
This will enable us to better support a variety of security controls provided by Azure AD such as Conditional Access Policies, proof of possession to prevent token theft, and continuous access evaluation to respond more quickly to policy violation and security issues. As part of this, we\u2019ll also provide a set of new policies and controls to help reduce and eventually phase out the use of less secure authentication mechanisms.<\/p>\n<p>We\u2019ll adopt all these security investments within Microsoft along the way, both to better secure our own assets and to help ensure we make the transitions and adoption as simple as possible.<\/p>\n<h3>Hardening Azure DevOps organization configuration<\/h3>\n<p>Over the past couple of years, we\u2019ve introduced many new security-relevant configuration settings. While we\u2019ve always followed \u201csecure by default\u201d principles and enabled these settings for newly created organizations\/projects, we\u2019ve not enabled them for existing organizations\/projects to avoid disruptive impacts.<\/p>\n<p>For example, we\u2019ve introduced several improvements to the security posture of Azure Pipelines, including restricting the default scope of the pipeline identity from the entire organization down to the project, restricting the resources that can be accessed by a pipeline to those which it explicitly references, and more. Collectively, these changes prevent malicious actors from using pipelines to move laterally within an organization and gain access to resources to which they personally lack permissions. These settings are all enabled by default in new organizations and projects. 
But because enabling them in existing organizations and projects can cause existing pipelines to start failing, we\u2019ve left it to administrators to explicitly enable them.<\/p>\n<p>We\u2019ve listened to feedback from security-focused customers and Azure DevOps administrators, and we\u2019ll be focusing on making it easier for them to:<\/p>\n<ul>\n<li>Understand the recommended state of all the various settings within Azure DevOps,<\/li>\n<li>Find all the settings which are not in their recommended states, and<\/li>\n<li>Adopt the recommended settings while minimizing disruptive impacts within their organizations.<\/li>\n<\/ul>\n<p>We&#8217;ll start by ensuring that security-relevant settings all have clear recommendations in the product. Longer term we\u2019ll focus on enabling non-disruptive rollout of configuration hardening through audit modes, allow lists, and auto-mitigations. For the Pipelines settings discussed above, these changes will allow administrators to understand which settings are not in their recommended states and which pipelines will start failing when the settings are updated. 
Further, they will allow pipeline owners to easily understand and apply the changes required to keep their pipelines working.<\/p>\n<h2>Broad investments across the product<\/h2>\n<p>In addition to these deep investments, we\u2019ll also be making broad investments across all areas of Azure DevOps, focused on feedback and feature requests from our top customers.<\/p>\n<p>In <strong>Azure Pipelines<\/strong>, we\u2019ll be focused on three initiatives \u2013 service connection security, including the OpenID Connect work described above and multiple smaller items; YAML deployment improvements, including lots of work related to Checks; and dependency refreshes, including upgrading our agents to .NET 6 and upgrading our task runner to newer versions of Node.js (and laying the groundwork to keep up with the Node support lifecycle moving forward).<\/p>\n<p>In <strong>Azure Boards<\/strong>, we\u2019ll be focused on bringing the New Boards Hub (a refresh of the Boards user experience that brings improved performance, improved support for mobile browsers, improved accessibility, and a bunch of features that have shipped over the past several months) to general availability. Along the way, we\u2019ll continue delivering a steady stream of feature requests and experience improvements, including support for markdown fields, swimlane rules for Kanban boards, and more.<\/p>\n<p>In <strong>Azure Test Plans<\/strong>, we\u2019ll be reinvigorating our investments in manual and exploratory testing scenarios, starting with improvements to pause\/resume functionality. In the automated testing space, we\u2019ll be focused on improvements to code coverage capabilities.<\/p>\n<p>In <strong>Azure Artifacts<\/strong>, we&#8217;ll be focused on expanding our support for additional protocols, beginning with support for the Cargo package manager for Rust. 
We will continue to invest in the security and reliability of the packaging platform so we have the right infrastructure to support a broader range of protocols. In the next 6 to 12 months, we plan to add native support for additional protocols based on the prioritized asks from customers.<\/p>\n<p>For more detail on all this and other investments across the rest of the product surface area, check out our updated public roadmap at <a href=\"https:\/\/aka.ms\/AzureDevOpsRoadmap\" rel=\"noopener\" target=\"_blank\">https:\/\/aka.ms\/AzureDevOpsRoadmap<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exciting things are in store for Azure DevOps in the coming year! We\u2019re planning deep investments in security as well as broad investment across the product. Read on for more information, and then be sure to check out our updated roadmap at https:\/\/aka.ms\/AzureDevOpsRoadmap. Deep investments in security First, we are super excited about bringing GitHub [&hellip;]<\/p>\n","protected":false},"author":181,"featured_media":65861,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,1,251],"tags":[],"class_list":["post-65846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-devops","category-security"],"acf":[],"blog_post_summary":"<p>Exciting things are in store for Azure DevOps in the coming year! We\u2019re planning deep investments in security as well as broad investment across the product. Read on for more information, and then be sure to check out our updated roadmap at https:\/\/aka.ms\/AzureDevOpsRoadmap. 
Deep investments in security First, we are super excited about bringing GitHub [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/65846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/181"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=65846"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/65846\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/65861"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=65846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=65846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=65846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}