Part Three: Integrating DevSecOps with CNAPPs for Cloud-Native Security
Why shifting left is critical in today’s cloud-driven world and how CNAPPs can help
Introduction
Securing your DevOps environments is no longer optional—attackers are shifting left too. By integrating security early in the development cycle, you can harden your development environment and software supply chain.
In previous posts, I explored the value of Cloud Security Posture Management (CSPM) and Cloud Native Application Protection Platforms (CNAPPs), highlighting the capabilities of Microsoft Defender for Cloud, a market-leading CNAPP solution for end-to-end cloud security. In this post, we’ll focus on a critical pillar of CNAPPs: DevOps security. This aspect of platforms like Defender for Cloud provides end-to-end protection for code-based deployments across multi-cloud environments, integrating seamlessly with source code repositories like GitHub and Azure DevOps.
Why is DevSecOps important and how does it differ from traditional DevOps?
In today’s cloud-driven environment, modern enterprises heavily rely on DevOps platforms like Azure DevOps and GitHub to deploy cloud native applications. These platforms manage both continuous integration and delivery (CI/CD) pipelines, as well as the environments where developers work.
However, while the CI/CD pipeline streamlines software development, it also introduces security risks at every stage. Traditional security methods, which focus on protecting applications after deployment, struggle to defend against vulnerabilities that emerge during development and pipeline execution.
This is where DevSecOps comes in. By embedding security into every stage of the CI/CD pipeline, DevSecOps addresses vulnerabilities early, ensuring a more secure and agile development process from the ground up. Each phase of the CI/CD process—source code management, building, testing, and deployment—has its own weaknesses, making it essential to incorporate proactive security measures.
Pipelines and production environments are particularly attractive to attackers because they typically require high-level access credentials and, when compromised, those credentials provide broad and powerful access, potentially leading to serious breaches.
DevSecOps, or shifting left, is the practice of embedding security into every stage of the software development lifecycle (SDLC). It evolved from DevOps to address security in a proactive, agile way, integrating security continuously rather than leaving it as an afterthought to deal with at the end of development (as was the case in traditional DevOps).
This shift ensures that security vulnerabilities are identified and mitigated early, significantly reducing risk and improving the overall security posture of applications. While DevSecOps refers to prioritising security across the entire software development and delivery process, a DevSecOps pipeline focuses on ensuring that CI/CD pipelines in particular are secure and not compromised by outside threats.
Achieving this shift requires tools that not only integrate into development workflows but also provide continuous visibility and automated protection across the entire application stack.
This is where Cloud Native Application Protection Platforms (CNAPPs) like Microsoft Defender for Cloud come into play.
The data
According to the 2024 State of Multicloud Security Report, of the code repositories analysed:
A whopping 40% contained supply chain vulnerabilities
65% contained source code vulnerabilities
23% had exposed company secrets, including passwords and API keys
CVEs remained in code for 58 days on average and could take anywhere from 57 to 64 days to resolve. This leaves a large window of time for attackers to capitalise on a vulnerability, given that 25% of high-risk CVEs are exploited within 24 hours of being published.
Transitioning from DevOps to DevSecOps
Modern security threats, including dependency chain abuse, Poisoned Pipeline Execution (PPE), insufficient credential hygiene and multi-vector attacks, require developers and security teams to work together, incorporate security from the very start and shift left. Shifting left adds further security measures and practices on top of standard development practices, including:
Static application security testing (SAST) examines source code for potential security vulnerabilities without executing the program.
Dynamic application security testing (DAST) assesses applications during runtime, simulating external attacks to identify vulnerabilities.
Software composition analysis (SCA) tools audit codebases for open-source components and their dependencies to identify known security vulnerabilities, licensing issues, and outdated libraries.
Infrastructure as code (IaC) is the process of provisioning and managing resources in public clouds such as AWS, GCP, and Azure via a set of machine-readable and editable definition files that describe how and where infrastructure resource configurations are deployed.
Compliance as code is the practice of coding regulatory and policy requirements into automated checks within the CI/CD pipeline.
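To make the list above concrete, here is a small shift-left gate of the kind a pipeline would run before merge: an SCA check against an advisory list, a pattern-based secret scan, IaC misconfiguration checks over a parsed template, and a compliance-as-code policy that groups the findings by severity and fails the build when high-severity findings exceed the threshold. This is an added example written for this post, not Defender for Cloud code or the output of any real scanner. The advisory entries, requirements file, source snippet and IaC resources are all constructed, the advisory ids are placeholders, and the Terraform-style attribute names are modelled loosely on the azurerm provider but are an assumption of the example.

```python
"""Shift-left security gate over constructed inputs: SCA, secret scanning,
IaC checks and a compliance-as-code threshold (added example, not Defender
for Cloud code). All sample data below is constructed for illustration."""
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    category: str   # "dependency" | "secret" | "iac"
    severity: str   # "high" | "medium" | "low"
    location: str
    message: str


# --- SCA: constructed advisory list (placeholder ids, not real advisories) ---
ADVISORIES = {
    "requests": {"fixed_in": (2, 31, 0), "severity": "high", "id": "EXAMPLE-ADV-1"},
    "pyyaml": {"fixed_in": (6, 0, 1), "severity": "medium", "id": "EXAMPLE-ADV-2"},
}


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def sca_check(requirements: str) -> list[Finding]:
    """Flag pinned dependencies older than the advisory's fixed version."""
    findings = []
    for line in requirements.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = (p.strip() for p in line.split("==", 1))
        adv = ADVISORIES.get(name.lower())
        if adv and parse_version(version) < adv["fixed_in"]:
            fixed = ".".join(map(str, adv["fixed_in"]))
            findings.append(Finding("dependency", adv["severity"], f"requirements.txt:{name}",
                                    f"{adv['id']}: {name}=={version} is vulnerable, upgrade to >= {fixed}"))
    return findings


# --- Secret scanning: a few token-shaped patterns (illustrative, not exhaustive) ---
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_password": re.compile(r"(?i)(password|passwd|pwd)\s*=\s*['\"][^'\"]{8,}['\"]"),
}


def secret_check(path: str, source: str) -> list[Finding]:
    """Report each line that looks like a hard-coded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding("secret", "high", f"{path}:{lineno}",
                                        f"possible {kind} committed to source"))
    return findings


# --- IaC checks over a parsed template (dicts shaped like Terraform plan resources) ---
def iac_check(resources: list[dict]) -> list[Finding]:
    """Evaluate a handful of misconfiguration rules against each resource."""
    findings = []
    for res in resources:
        addr = f"{res['type']}.{res['name']}"
        cfg = res.get("values", {})
        if res["type"] == "azurerm_storage_account":
            if cfg.get("allow_blob_public_access"):
                findings.append(Finding("iac", "high", addr, "storage account allows public blob access"))
            if not cfg.get("https_traffic_only_enabled", True):
                findings.append(Finding("iac", "medium", addr, "storage account permits plain HTTP"))
        if (res["type"] == "azurerm_network_security_rule"
                and cfg.get("source_address_prefix") == "*"
                and str(cfg.get("destination_port_range")) in {"22", "3389"}):
            findings.append(Finding("iac", "high", addr, "management port open to the internet"))
    return findings


# --- Compliance as code: the policy the pipeline enforces ---
def compliance_gate(findings: list[Finding], max_high: int = 0) -> tuple[bool, dict[str, int]]:
    """Group findings by severity and fail when high-severity findings exceed policy."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for finding in findings:
        counts[finding.severity] += 1
    return counts["high"] <= max_high, counts


# Constructed inputs standing in for a real repository checkout.
SAMPLE_REQUIREMENTS = "requests==2.25.1\npyyaml==6.0.1\nflask==3.0.0\n"
SAMPLE_SOURCE = 'import os\nAWS_KEY = "AKIAEXAMPLEEXAMPLE01"\ndb_password = "hunter2-but-longer"\n'
SAMPLE_IAC = [
    {"type": "azurerm_storage_account", "name": "logs",
     "values": {"allow_blob_public_access": True, "https_traffic_only_enabled": False}},
    {"type": "azurerm_network_security_rule", "name": "ssh_in",
     "values": {"source_address_prefix": "*", "destination_port_range": "22"}},
]


def run_gate() -> tuple[bool, dict[str, int], list[Finding]]:
    """Run every check, order findings highest severity first, apply the policy."""
    findings = (sca_check(SAMPLE_REQUIREMENTS)
                + secret_check("app/settings.py", SAMPLE_SOURCE)
                + iac_check(SAMPLE_IAC))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    passed, counts = compliance_gate(findings)
    return passed, counts, findings


if __name__ == "__main__":
    ok, counts, findings = run_gate()
    for f in findings:
        print(f"[{f.severity.upper():6}] {f.category:10} {f.location}: {f.message}")
    print("counts:", counts, "| gate:", "PASS" if ok else "FAIL")
    raise SystemExit(0 if ok else 1)
```

Run as a script it exits non-zero when the policy fails, which is what a CI job needs to block the merge; the severity counts are the same grouping a dashboard would show, so a team can fix the high findings first and watch the gate turn green.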
How can CNAPPs help
A CNAPP (Cloud Native Application Protection Platform) supports DevSecOps by integrating security throughout the cloud-native application lifecycle. It enables shift-left security by embedding checks early in development, automates vulnerability scanning and compliance management, and continuously monitors workloads in production. By providing broad visibility across cloud environments and facilitating collaboration between development, security, and operations teams, a CNAPP ensures security is scalable and seamlessly integrated without slowing down innovation. I explain CNAPPs in more detail in part one of this series, The value of a Cloud Native Application Protection Platform (CNAPP).
Defender for Cloud DevSecOps features
Given the increasing complexity and risks associated with DevOps, tools like Microsoft Defender for Cloud are crucial in helping organisations secure their DevOps processes and development pipelines.
Microsoft Defender for Cloud secures your development pipelines across multi-cloud environments, helping security and development teams collaborate more closely to deliver innovative apps at full DevOps speed. By leveraging Defender for Cloud’s DevSecOps capabilities, you can address several common challenges early:
Delayed Security Discovery: Detect vulnerabilities earlier in the development cycle.
Increased Time to Fix Issues: Reduce time and cost of remediation.
Inconsistent Security Practices: Standardize security across projects.
Manual Security Checks: Automate testing and monitoring.
Compliance Challenges: Maintain continuous compliance with regulations.
Slow Development Cycles: Keep development fast while integrating security from the start.
Defender for Cloud provides a centralised console that offers visibility into your multi-pipeline environments, including Azure DevOps, GitHub, and GitLab. Security recommendations, combined with other contextual insights, prioritise code remediation. This fosters better collaboration between development and security teams.
Let’s break it down. The dashboard gives you insights into:
Security findings across your DevOps environment and pipelines (code, secrets, dependencies, infrastructure-as-code), grouped by severity. This allows teams to address high-severity findings first, systematically improving security posture and reducing the potential attack surface.
DevOps environment posture management recommendations: Highlights high-severity findings and affected resources, helping with resource allocation and risk management. Recommendations include security best practices, vulnerability patching, compliance measures, access controls, and monitoring enhancements.
Connected DevOps Environments: Offers visibility into the number of connected environments and the coverage of advanced security features. This ensures consistent security across Azure DevOps, GitHub, and GitLab environments, making it easier to manage and secure resources.
The integration between Defender for Cloud, Azure DevOps, GitLab and GitHub:
Defender for Cloud integrates seamlessly with Azure DevOps, GitHub, and GitLab, embedding advanced security features directly into your development processes. The availability of features depends on the DevOps platform and the Defender plan you’re using. Here’s an easy-to-understand breakdown of feature availability across the three DevOps platforms:
To view the full list of features and associated defender plans for each platform click here
The recommendations you can expect
Once you connect your Azure DevOps, GitHub, or GitLab DevOps environment to Microsoft Defender for Cloud, you’ll see a range of recommendations tailored to your specific resources and configuration. These recommendations aim to enhance the security posture of your development pipelines and code repositories. Here’s a glimpse of what you might see:
Azure DevOps:
Enable GitHub Advanced Security: Enhance security by detecting secrets, vulnerabilities, and dependency issues.
Resolve Secret Scanning Findings: Address and remediate secrets found in your repositories to prevent breaches.
Prevent Unauthorized Access: Ensure that sensitive data like secure files and variable groups are restricted to authorized pipelines only.
GitHub:
Activate Secret and Code Scanning: Identify and fix secrets and vulnerabilities in your repositories.
Use Dependabot Alerts: Stay informed about vulnerabilities in your code dependencies.
Set Branch Protection Policies: Implement policies to prevent unauthorized changes to critical branches.
GitLab:
Fix Secret Scanning Issues: Remediate secrets detected in your projects to secure your codebase.
Address Code and Dependency Vulnerabilities: Resolve vulnerabilities and issues in your code and dependencies.
Correct Infrastructure as Code Issues: Address security configuration issues in your template files.
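The posture recommendations listed above (branch protection, restricting secure files and variable groups to authorised pipelines) are derived from platform configuration rather than from code. The following added example, written for this post and not Defender for Cloud code, shows how such recommendations can be generated from a repository's default-branch protection rule and from pipeline variable-group settings. The inventory is constructed; the field names loosely follow the shape of GitHub's branch-protection API response and Azure DevOps variable groups but are an assumption of the example, not a guaranteed API contract.

```python
"""DevOps posture check over constructed configuration: default-branch
protection rules and variable-group pipeline authorisation (added example,
not Defender for Cloud code). Field names are an assumption of this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Recommendation:
    severity: str   # "high" | "medium"
    resource: str
    control: str
    detail: str


def check_branch_protection(repo: str, protection: Optional[dict]) -> list[Recommendation]:
    """Derive recommendations from one repository's default-branch protection rule."""
    recs: list[Recommendation] = []
    if protection is None:
        recs.append(Recommendation("high", repo, "branch-protection",
                                   "default branch has no protection rule; write access allows direct pushes"))
        return recs
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        recs.append(Recommendation("high", repo, "required-reviews",
                                   "merges to the default branch require no approving review"))
    if not reviews.get("dismiss_stale_reviews", False):
        recs.append(Recommendation("medium", repo, "stale-reviews",
                                   "approvals survive new commits; dismiss stale reviews on push"))
    if not (protection.get("required_status_checks") or {}).get("contexts"):
        recs.append(Recommendation("medium", repo, "status-checks",
                                   "no CI or scanning job is required to pass before merge"))
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        recs.append(Recommendation("high", repo, "force-push",
                                   "force pushes can rewrite default-branch history"))
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        recs.append(Recommendation("medium", repo, "enforce-admins",
                                   "administrators can bypass the protection rule"))
    return recs


def check_variable_groups(groups: list[dict]) -> list[Recommendation]:
    """Flag variable groups (often holding deployment credentials) that every
    pipeline in the project may consume rather than only authorised ones."""
    return [Recommendation("high", g["name"], "pipeline-authorization",
                           "variable group is open to all pipelines; restrict it to those that need it")
            for g in groups if g.get("authorized_for_all_pipelines", False)]


# Constructed inventory standing in for what a platform connector would read.
SAMPLE_REPOS = {
    "payments-api": {
        "required_pull_request_reviews": {"required_approving_review_count": 2, "dismiss_stale_reviews": True},
        "required_status_checks": {"contexts": ["ci/build", "security/sast"]},
        "allow_force_pushes": {"enabled": False},
        "enforce_admins": {"enabled": True},
    },
    "legacy-portal": {
        "required_pull_request_reviews": {"required_approving_review_count": 0, "dismiss_stale_reviews": False},
        "required_status_checks": {"contexts": []},
        "allow_force_pushes": {"enabled": True},
        "enforce_admins": {"enabled": False},
    },
    "docs-site": None,   # no protection rule configured at all
}
SAMPLE_VARIABLE_GROUPS = [
    {"name": "prod-deploy-secrets", "authorized_for_all_pipelines": True},
    {"name": "dev-settings", "authorized_for_all_pipelines": False},
]


def assess_posture(repos: dict = SAMPLE_REPOS,
                   groups: list[dict] = SAMPLE_VARIABLE_GROUPS) -> tuple[list[Recommendation], dict[str, int]]:
    """Collect recommendations, highest severity first, with counts per severity."""
    recs: list[Recommendation] = []
    for repo, protection in repos.items():
        recs += check_branch_protection(repo, protection)
    recs += check_variable_groups(groups)
    order = {"high": 0, "medium": 1}
    recs.sort(key=lambda r: (order[r.severity], r.resource))
    counts = {sev: sum(1 for r in recs if r.severity == sev) for sev in order}
    return recs, counts


if __name__ == "__main__":
    recommendations, summary = assess_posture()
    for r in recommendations:
        print(f"[{r.severity.upper():6}] {r.resource}: {r.control} - {r.detail}")
    print("summary:", summary)
```

The fully protected repository produces nothing, the unprotected one produces a single high finding, and the partially configured one produces one finding per weak setting, which is the same shape of output a posture tool presents: one recommendation per control, ranked so the team knows what to fix first.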
The Defender for Cloud DevOps recommendations appear under two sections in the recommendations pane: “Remediate vulnerabilities” and “Enable enhanced security features”. The full list of recommendations can be found here, and you can also read more about recommendations here.
What you can do with recommendations
Once Microsoft Defender for Cloud generates recommendations for your DevOps environment, you can take immediate action. Each recommendation comes with a detailed description, severity rating, and direct links to affected resources, along with step-by-step remediation guidance. Some recommendations even include pre-built Logic Apps to automate fixes, or you can create custom Logic Apps for more tailored automation. This allows security and development teams to quickly address vulnerabilities, improving security posture without disrupting development workflows.
Microsoft DevOps Security Matrix
The Microsoft DevOps Security Matrix, integrated with Defender for Cloud, is a comprehensive framework designed to protect DevOps environments by identifying and mitigating threats across the development lifecycle. Leveraging DevOps posture management, it helps organisations discover and remediate harmful misconfigurations in their DevOps platforms, such as pipeline vulnerabilities, secret exposures, and insecure access controls.
By mapping potential attack techniques—ranging from unauthorized access to pipelines to tampering with dependencies—the matrix equips security teams with actionable insights to build resilient, zero-trust DevOps environments.
The mindset shift behind integrating Security with DevOps practices
Integrating security into DevOps, known as DevSecOps, is crucial for building secure systems. However, achieving complete security is impossible. As former CIA Director Michael Hayden said, “Fundamentally, if somebody wants to get in, they're getting in... accept that.” The key is to continuously evolve and enhance security practices. DevSecOps requires a mindset shift—not only to prevent breaches but also to prepare for and respond to them. This shift involves:
Recognizing that security is ongoing and requires attention from everyone involved.
Understanding that breaches are inevitable and focusing on mitigation and response strategies.
Starting as soon as possible: planning and implementing DevSecOps practices early, addressing any resistance and building consensus on the importance of security.
Adopt Key Strategies
Prevention and Assumption of Breaches: Develop threat models, conduct regular code reviews, and continuously test your security measures.
Strategies to mitigate threats: Keep dependencies updated, manage secrets in vaults, remove local admin accounts, and enforce multi-factor authentication.
War game exercises: Simulate real-world attacks by organising red and blue teams to test the security posture and readiness of the system.
TL;DR: Integrating security into DevOps, particularly in cloud environments, is an ongoing journey. This evolution doesn’t end with adopting new technologies; it’s about ingraining a security mindset into every aspect of development and operations. The integration of security into DevOps, with the support of tools like Defender for Cloud, is crucial for maintaining the security and integrity of your cloud and development environments.
More on the DevSecOps mindset shift and security best practices
Learn more about securing DevOps
Microsoft DevOps threat matrix
Full list of Defender for Cloud DevOps recommendations
OWASP Top 10 CI/CD Security Risks
Have blog ideas, want to engage on a topic, or explore collaboration? Let’s take it offline reach out on LinkedIn. I’d love to connect and continue the conversation!