Microsoft's security roadmap: Protect secrets in Azure DevOps
You can’t steal what you can’t access ... we hope
Microsoft has vowed to bulk up security around its Azure DevOps cloud services developers use to build their applications and manage their software projects.
The security enhancements are part of the larger roadmap for Azure DevOps that the cloud giant laid out this week that also includes additions to Azure Boards – for tracking ideas throughout the development lifecycle – and Azure Pipelines to automatically build and test code.
The changes also come as Microsoft bolsters its Entra suite of cloud-based identity and access services, not only by ditching the Azure AD name in favor of Entra ID – a move not fully embraced by all users – but also through its first offerings in the fast-growing security services edge (SSE) space.
One focus for Redmond is the GitHub code repository, which like other code bases – such as NPM and the Python Package Index (PyPI) – has become a target for criminals in supply chain attacks aimed at getting developers to inadvertently dropping malicious code into their applications.
GitHub Advanced Security (GHAS) for Azure DevOps is a suite of tools developers can use to protect their Azure Repos repositories and Pipelines. These include secret scanning to detect such secrets as credentials already in Azure Repos and ways to keep developers from accidentally pushing new secrets and dependency scanning, so they can find known vulnerable open-source packages and fix any problems.
Also in GHAS – which is in public preview and integrated into Azure DevOps – is code scanning, which uses GitHub's CodeQL semantic analysis engine to identity app security flaws in the source code.
Authentication on the menu
Identity and authentication also will factor heavily in what Microsoft does through at least the rest of the year. The vendor for several years has banged the drum for improved authentication tools – such as ModernAuth and passkeys – as identity becomes a key focus for cyber-attackers.
In Azure DevOps, a key risk is credential theft.
"Azure DevOps supports many different authentication mechanisms, including basic authentication, personal access tokens (PATs), SSH, and Azure Active Directory access tokens," the company wrote. "These mechanisms are not created equal from a security perspective, especially when it comes to the potential for credential theft."
- Miscreants exploit five Microsoft bugs as Windows giant addresses 130 flaws
- Microsoft keeps quiet amid talk of possible DDoS attack against Azure
- Microsoft's Azure mishap betrays an industry blind to a big problem
- This typo sparked a Microsoft Azure outage
Criminals can use leaked credentials like PATs to get into organizations using Azure DevOps and access source code, launch supply chain attacks, or compromise the infrastructure.
Microsoft will also release Workload Identity federation for Azure Deployments, first in public preview in the third quarter and then generally by the end of the year. Developers are wary of storing secrets like passwords or certificate in Azure DevOps because they become vulnerable to theft when service connections in Azure DevOps are updated.
Protection through federation
Azure will use the Open ID Connect protocol to support workload identity federation and create service connections in Azure Pipelines that don't access secrets and which are backed by managed identities with federated credentials in Azure AD.
"As part of its execution, a pipeline can exchange its own internal token with an AAD token, thereby gaining access to Azure resources," Microsoft wrote. "Once implemented, this mechanism will be recommended in the product over other types of Azure service connections that exist today."
Microsoft also will support granular scopes to limit the operations of Azure AD OAuth applications, such as viewing source code or configuring pipelines, when connecting to Azure DevOps.
Also by the end of 2023, Microsoft will let applications use managed identities and service principals when integrating with Azure DevOps through REST APIs and client libraries. Most applications now integrate through PATs.
"This highly requested feature offers Azure DevOps customers a more secure alternative to PATs," Redmond wrote. "And Managed Identities offer the ability for applications running on Azure resources to obtain Azure AD tokens without needing to manage any credentials at all."
Microsoft takes to SSE
All this comes the same week Microsoft made changes in its Entra suite. The first, as we've documented, was the name change from Azure AD to Entra. Another key one was the rollout into public preview of Entra Internet Access and Entra Private Access, Redmond's first SSE offerings.
Secure Access Service Edge (SASE) hit the scene several years ago when enterprises, faced with having to manage security and identity wirelessly, wanted vendors to converge software-defined WAN and network security functions, such as zero trust, firewall-as-a-service (FWaaS), and cloud access security broker (CASB), into a cloud service.
SSE emerged during the pandemic, essentially ditching the SD-WAN functions and unifying CASB, zero trust, and secure web gateway (SWG) into a service. Microsoft is coming into this space late, with vendors like Cisco, Zscaler, and Palo Alto Networks, among others, already a year or two ahead.
However, Microsoft's sheer gravitational pull will help it gain market share, as shown by the drop in share prices of Cloudflare, Palo Alto, and Zscaler right after Microsoft announced its SSE move. ®