Microsoft Bolsters Azure DevOps Security in Limited Private Preview

At this week's big Ignite 2022 tech conference, Microsoft announced multiple efforts to bolster security for Azure DevOps, including a limited private preview of GitHub tech.

That tech would be GitHub Advanced Security for Azure DevOps, which will ship early next month to those accepted into the preview. It will be augmented by and integrated with Microsoft's own public preview of Defender for DevOps, new to the company's Microsoft Defender for Cloud. The latter is described as a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for Azure, on-premises and multicloud (Amazon AWS and Google GCP) resources.

"Customers using Azure Repos and Azure Pipelines have up to now been unable to take advantage of GitHub Advanced Security's industry leading capabilities," Microsoft said in an Oct. 12 blog post. "We're pleased to announce that GitHub Advanced Security for Azure DevOps will bring these capabilities to Azure DevOps, natively integrated into Azure Repos and Azure Pipelines. This brings the same secret scanning, dependency scanning, and CodeQL code scanning capabilities of GitHub Advanced Security right into the Azure DevOps environment that these teams are already familiar with."

CodeQL is GitHub's semantic code analysis engine that allows for querying code as though it were data.

GitHub Advanced Security for Azure DevOps provides three types of scanning:

  • Secret Scanning: Noting that exposed credentials have been implicated in more than 80 percent of security breaches, Microsoft said the GitHub-based security product can help organizations find secrets that have already been exposed in Azure Repos, while also helping to prevent new exposures by blocking any pushes to Azure Repos that contain secrets.
    [Figure: Secret Scanning in Animated Action (source: Microsoft).]
  • Dependency Scanning: GitHub Advanced Security identifies open source packages used in Azure Repos -- in both direct and transitive dependencies -- which Microsoft said can help address increasingly common open source supply chain attacks such as Log4Shell. Organizations can also consult the GitHub Advisory Database for guidance on upgrading those packages to mitigate vulnerabilities.
  • Code Scanning: The CodeQL static analysis engine can detect hundreds of code security vulnerabilities -- including SQL injection and authorization bypass -- across many programming languages such as C#, C/C++, Python, JavaScript/TypeScript, Java, Go and more. "GitHub Advanced Security for Azure DevOps enables you to run CodeQL scans directly from Azure Pipelines on code from Azure Repos and act on the results without ever having to leave your Azure DevOps environment," Microsoft said.

GitHub also weighed in on the announcement in its own blog post. "GitHub Advanced Security provides a native application security solution within the developer workflow, enabling organizations to manage open-source dependencies, custom code, and secrets across the software lifecycle," the company said. "Automated security checks are run with every push and every pull request. Identified security issues are shared with developers immediately, with context, in their familiar workflow to empower them to fix vulnerabilities in minutes, not months."

Interested organizations can go here to apply for the preview. That site contains this message: "We invite you to apply for early access to GitHub Advanced Security for Azure DevOps security features. GitHub Advanced Security for Azure DevOps brings the same GitHub secret scanning, dependency scanning and code scanning solutions (powered by CodeQL) and natively integrates them into Azure DevOps to protect your Azure Repos and Pipelines. We'd like to invite you to apply to join a private preview group where you will get early access to GitHub Advanced Security for Azure DevOps features and provide us with feedback on your experiences."

Microsoft also noted that two more initiatives are on tap over the coming year to further bolster Azure DevOps security: one focused on minimizing the risks associated with credential theft, the other designed to make it easier for organizations to harden their Azure DevOps organization configuration.

More information about Azure DevOps can be found in the Azure DevOps Roadmap.

About the Author

David Ramel is an editor and writer for Converge360.
