
**We want to hear from you! If you have tested Microsoft Defender for DevOps, please fill out this survey to provide feedback on the Pull Request Annotations feature.**

 

 

Written by: Lara Goldstein, Safeena Begum Lepakshi, Charles Oxyer

 

 

 

Introduction:

 

It is no secret that security and development teams often operate in silos. Security administrators struggle to get developers to remediate vulnerabilities in code because they cannot provide remediation guidance and feedback directly within the tools developers are most familiar with (e.g., GitHub and Azure DevOps). Additionally, developers who embrace DevOps practices are used to moving quickly and automating as many processes as possible, and security teams struggle to keep up with that speed of development.

 

 

 

To simplify the remediation process, reduce time to remediation, and help security teams build stronger relationships with developers, Microsoft Defender for DevOps can expose security findings as annotations in Pull Requests (PRs) within Azure DevOps and GitHub Enterprise.

 

 

 

Why Use Pull Request Annotations:

 

Vulnerabilities and misconfigurations are often detected too late in the development cycle, frequently after the code is already deployed. Not only does this make the deployed code a target for bad actors, it also makes the issue more expensive to fix. With PR annotations, security teams can shift left in the development lifecycle and enable developers to remediate security vulnerabilities in their pre-production code, before it is merged.

 

 

 

With PR annotations, findings are surfaced back to the source code management system as a comment on the specific line of the Pull Request that introduced them. Each annotation has the following information:

 

  • Severity of the issue
  • A message about what the issue is
  • A description on how to fix the issue

 

 

 

End-to-End Scenario of using Pull Request Annotations:

 

An example of a common use-case for Pull Request Annotations is as follows:

 

 

 

  • Security Persona configures Pull Request annotations for an Azure DevOps repository within Microsoft Defender for Cloud in the DevOps Security Blade. To learn more about enabling PR annotations, see this document.

 


 

 

 

  • Developer commits a file within Azure DevOps that contains secrets. In this scenario, the developer committed an AWS Secret Access Key.

 


 

 

 

  • Developer creates Pull Request to merge the file into the appropriate branch.

 


 

 

 


 

 

 

 

 

 

  • Developer gets notified that the file contains a secret through an automated comment on the Pull Request coming from Microsoft Defender for DevOps. In the comment, the developer can see the exact line of code where the secret is located. In this example, the AWS Secret Access Key was discovered on line 2.

 


 

 

 

  • Developer fixes the issue using the guidance provided in the annotation. In this case, the guidance was to validate that the file contains a secret, remove and rotate the secret, and use an approved key store, such as AWS Key Management Service or Azure Key Vault.

 

 

 

  • Developer changes the status of the comment from Active to Resolved to reflect that the issue has been fixed.
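The steps above describe the flow, and the three fields of an annotation (severity, message, fix guidance) were listed earlier. As an added illustration, not code from this post or from Microsoft Defender for DevOps, the following Python script mimics what a secret-detection step behind such an annotation has to do: scan only the lines a PR adds, map them to line numbers in the new version of the file using the diff's hunk headers, and emit, per hit, the severity, message and fix guidance the annotation carries. The AWS key shapes follow AWS's public documentation; the key values are AWS's own documentation placeholders, and the diff is constructed so that the secret lands on line 2 as in the scenario. Everything else (function names, severity labels, the guidance wording) is an assumption made for the demo.

```python
"""Added illustration (not Microsoft Defender for DevOps code): a minimal
scanner that reproduces the shape of a PR annotation, i.e. a finding pinned
to a line of the new file version with a severity, a message and fix guidance.
The AWS key patterns follow AWS's public documentation; sample key values are
AWS's documentation placeholders, and the diff below is constructed for the demo."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# AWS Access Key IDs: 20 chars, "AKIA" (long-term) or "ASIA" (temporary STS).
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret Access Keys: 40 base64-like chars. Alone that is far too noisy (a git
# SHA is also 40 chars), so require a secret-ish assignment on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Assumed guidance text, modelled on what the post says the annotation advised.
FIX_GUIDANCE = (
    "Confirm the value is a live credential, remove it from the change and from "
    "history, rotate it in AWS, and read it at runtime from an approved secret "
    "store (for example Azure Key Vault) instead of committing it."
)


@dataclass(frozen=True)
class Annotation:
    line: int        # line number in the new version of the file
    severity: str
    message: str
    fix: str


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, message) if the line leaks an AWS credential, else None."""
    if SECRET_KEY_RE.search(line):
        return ("High", "AWS Secret Access Key committed to source")
    if ACCESS_KEY_ID_RE.search(line):
        return ("Medium", "AWS Access Key ID committed to source")
    return None


def scan_text(text: str) -> List[Annotation]:
    """Whole-file scan, e.g. for a pre-commit hook; line numbers start at 1."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = classify_line(line)
        if hit:
            out.append(Annotation(lineno, hit[0], hit[1], FIX_GUIDANCE))
    return out


HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_added_lines(diff: str) -> List[Annotation]:
    """Scan only the lines a PR adds, tracking new-file line numbers from the
    @@ hunk headers so each finding can be pinned to the right line."""
    out = []
    new_lineno = 0
    for raw in diff.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_lineno = int(m.group(1))
            continue
        if raw.startswith(("diff ", "--- ", "+++ ", "\\ No newline")):
            continue  # file headers / markers (a full parser tracks position)
        if raw.startswith("+"):
            hit = classify_line(raw[1:])
            if hit:
                out.append(Annotation(new_lineno, hit[0], hit[1], FIX_GUIDANCE))
            new_lineno += 1
        elif raw.startswith(" "):
            new_lineno += 1  # context line: present in both versions
        # "-" lines exist only in the old version: no new-file line consumed
    return out


def render_annotation(a: Annotation) -> str:
    """Text in the shape of the PR comment: where, how bad, what, how to fix."""
    return f"Line {a.line} [{a.severity}] {a.message}\n  Fix: {a.fix}"


# Constructed unified diff mirroring the post's scenario: the secret lands on
# line 2 of the new file. Key values are AWS's documentation placeholders.
SAMPLE_DIFF = """\
diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
@@ -1,2 +1,4 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 REGION=us-east-1
 DEPLOY_COMMIT=0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for finding in scan_added_lines(SAMPLE_DIFF):
        print(render_annotation(finding))
```

Two design points matter in practice. The line number must be computed from the new side of the diff (context and added lines advance it, removed lines do not), otherwise the comment lands on the wrong line and the developer dismisses it. And a bare 40-character pattern is not a usable secret detector: the `DEPLOY_COMMIT` line in the sample is a 40-character git SHA and is correctly left alone because it is not next to a secret-style assignment. Defender for DevOps does this classification and posting for you; the script only makes concrete what each annotation field is.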

 


 

 

 

Summary:

 

This blog discussed why Pull Request Annotations are useful for automating security in DevOps environments and provided an example of a common scenario.

 

 

 

More Information:

 

 

 

 
