Commit 9c540c2

Author: David Curwin (committed)
API testing documentation
1 parent 36ac79b commit 9c540c2

3 files changed

+72
-11
lines changed

articles/defender-for-cloud/defender-partner-applications.md

Lines changed: 8 additions & 6 deletions
@@ -10,11 +10,11 @@ ms.date: 11/15/2023
1010

1111
# Partner applications in Microsoft Defender for Cloud for API security testing (preview)
1212

13-
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines).
13+
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including source code repositories & CI/CD pipelines).
1414

1515
## Overview
1616

17-
The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud. This support enables full lifecycle API security, and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production.
17+
The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from partner solutions with Microsoft Defender for APIs. This support enables full lifecycle API security, and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production.
1818

1919
The security scan results from partner applications are now available within Defender for Cloud, ensuring that central security teams have visibility into the health of APIs within the Defender for Cloud recommendation experience. These security teams can now take governance steps that are natively available through Defender for Cloud recommendations, and extensibility to export scan results from the Azure Resource Graph into management tools of their choice.
2020
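Review bot: the rewritten overview sentence (new line 17) says findings are orchestrated "with Microsoft Defender for APIs", while the unchanged next sentence (line 19) and the rest of the page say the results land in Defender for Cloud recommendations; pick one product name for where findings surface, for example "from partner solutions into Microsoft Defender for Cloud (through Defender for APIs)". Also, in new line 13 the parenthetical "(including source code repositories & CI/CD pipelines)" uses an ampersand in running prose; spell out "and".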

@@ -29,13 +29,15 @@ This feature requires a GitHub connector in Defender for Cloud. See [how to onbo
2929
| Release state | Preview <br> The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.|
3030
| Required/preferred environmental requirements | APIs within source code repository, including API specification files such as OpenAPI, Swagger. |
3131
| Clouds | Available in commercial clouds. Not available in national/sovereign clouds (Azure Government, Microsoft Azure operated by 21Vianet). |
32-
| Source code management systems | GitHub-supported versions: GitHub Free, Pro, Team, and GitHub Enterprise Cloud. This also requires a license for GitHub Advanced Security (GHAS). |
32+
| Source code management systems | [GitHub Enterprise Cloud](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-github-enterprise-cloud). This also requires a license for GitHub Advanced Security (GHAS). <br> <br > [Azure DevOps Services](https://azure.microsoft.com/products/devops/) |
3333

3434
## Supported applications
3535

36-
| Logo | Partner name | Description | Enablement Guide |
37-
|----------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
38-
| :::image type="content" source="media/defender-partner-applications/42crunch-logo.png" alt-text="42Crunch logo."::: | [42Crunch](https://aka.ms/APISecurityTestingPartnershipIgnite2023) | Developers can proactively test and harden APIs within their CI/CD pipelines through static and dynamic testing of APIs against the top OWASP API risks and OpenAPI specification best practices. | [42Crunch onboarding guide](onboarding-guide-42crunch.md) |
36+
| Partner name | Description | Enablement Guide |
37+
|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
38+
| [42Crunch](https://aka.ms/APISecurityTestingPartnershipIgnite2023) | Developers can proactively test and harden APIs within their CI/CD pipelines through static and dynamic testing of APIs against the top OWASP API risks and OpenAPI specification best practices. | [42Crunch onboarding guide](onboarding-guide-42crunch.md) |
39+
| [StackHawk](https://aka.ms/APISecurityTestingPRStackHawk) | StackHawk is the only modern DAST and API security testing tool that runs in CI/CD, enabling developers to quickly find and fix security issues before they hit production. | [StackHawk onboarding guide](https://aka.ms/APISecurityTestingOnboardingGuideStackHawk) |
40+
| [Bright Security](https://aka.ms/APISecurityTestingPRBrightSecurity) | Bright Security’s dev-centric DAST platform empowers both developers and AppSec professionals with enterprise grade security testing capabilities for web applications, APIs, and GenAI and LLM applications. Bright knows how to deliver the right tests, at the right time in the SDLC, in developers and AppSec tools and stacks of choice with minimal false positives and alert fatigue. | [Bright Security onboarding guide](https://aka.ms/APISecurityTestingOnboardingGuideBrightSecurity) |
3941

4042
## Next steps
4143
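Review bot: the hunk header context still reads "This feature requires a GitHub connector in Defender for Cloud", but this same hunk adds Azure DevOps Services to the "Source code management systems" row, so that prerequisite sentence is now incomplete and should also mention the Azure DevOps connector. In the new row, `<br> <br >` has a malformed second tag (space before `>`); use `<br><br>`. The StackHawk description ("the only modern DAST and API security testing tool...") is a vendor superlative the doc cannot verify; the 42Crunch row is written as a neutral capability statement, and the StackHawk and Bright Security rows should match that register.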


articles/defender-for-cloud/onboarding-guide-42crunch.md

Lines changed: 64 additions & 5 deletions
@@ -4,7 +4,7 @@ description: Learn how to use 42Crunch with Microsoft Defender.
44
ms.date: 11/15/2023
55
author: dcurwin
66
ms.author: dacurwin
7-
ms.topic: overview
7+
ms.topic: how-to
88
---
99

1010
# 42Crunch technical onboarding guide
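Review bot: ms.topic changes from overview to how-to, but ms.date stays at 11/15/2023 even though this commit adds a whole Azure DevOps onboarding section further down; update ms.date in the same commit so the page's freshness reflects the new content.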
@@ -26,17 +26,23 @@ Because the quality of the API specification largely determines the scan coverag
2626
2727
Through relying on the 42Crunch [Audit](https://42crunch.com/api-security-audit) and [Scan](https://42crunch.com/api-conformance-scan/) services, developers can proactively test and harden APIs within their CI/CD pipelines through static and dynamic testing of APIs against the top OWASP API risks and OpenAPI specification best practices. The security scan results from 42Crunch are now available within Defender for Cloud, ensuring central security teams have visibility into the health of APIs within the Defender for Cloud recommendation experience, and can take governance steps natively available through Defender for Cloud recommendations.
2828

29-
## Connect your GitHub repositories to Microsoft Defender for Cloud
29+
## Connect your DevOps environments to Microsoft Defender for Cloud
3030

31-
This feature requires a GitHub connector in Defender for Cloud. See [how to onboard your GitHub organizations](quickstart-onboard-github.md).
31+
This connecting your DevOps environment to Defender for Cloud.
32+
33+
See [how to onboard your GitHub organizations](quickstart-onboard-github.md).
34+
35+
See [how to onboard your Azure DevOps organizations](quickstart-onboard-devops.md).
3236

3337
## Configure 42Crunch Audit service
3438

3539
The REST API Static Security Testing action locates REST API contracts that follow the OpenAPI Specification (OAS, formerly known as Swagger) and runs thorough security checks on them. Both OAS v2 and v3 are supported, in both JSON and YAML format.
3640

3741
The action is powered by [42Crunch API Security Audit](https://docs.42crunch.com/latest/content/concepts/api_contract_security_audit.htm). Security Audit performs a static analysis of the API definition that includes more than 300 checks on best practices and potential vulnerabilities on how the API defines authentication, authorization, transport, and request/response schemas.
3842

39-
Install the 42Crunch API Security Audit plugin within your CI/CD pipeline through completing the following steps:
43+
### For GitHub environments
44+
45+
Install the 42Crunch API Security Audit plugin within your CI/CD pipeline by completing the following steps:
4046

4147
1. Sign in to GitHub.
4248
1. Select a repository you want to configure the GitHub action to.
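Review bot: new line 31 is not a sentence: "This connecting your DevOps environment to Defender for Cloud." The removed line carried the complete statement; something like "This feature requires connecting your DevOps environment to Defender for Cloud." keeps the meaning and leads into the two "See ..." links that follow. Since the new "### For GitHub environments" heading (line 43) is paired with a "### For Azure DevOps environments" section later in this commit, a one-line lead-in under "## Configure 42Crunch Audit service" saying the steps differ per environment would help readers pick the right subsection.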
@@ -69,7 +75,7 @@ To create a new default workflow:
6975

7076
You now verified that the Audit results are showing in GitHub Code Scanning. Next, we verify that these Audit results are available within Defender for Cloud. It might take up to 30 minutes for results to show in Defender for Cloud.
7177

72-
## Navigate to Defender for Cloud
78+
**Navigate to Defender for Cloud**:
7379

7480
1. Select **Recommendations**.
7581
1. Select **All recommendations**.
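Review bot: replacing the "## Navigate to Defender for Cloud" heading with bold text (new line 78) drops these verification steps from the page's table of contents; since the text now sits under "### For GitHub environments", a "####" heading keeps the hierarchy without a bold-as-heading construct. Also visible in the unchanged context line: "You now verified" should read "You have now verified".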
@@ -80,12 +86,65 @@ The selected recommendation shows all 42Crunch Audit findings. You completed the
8086

8187
:::image type="content" source="media/onboarding-guide-42crunch/api-recommendations.png" alt-text="Screenshot showing API summary." lightbox="media/onboarding-guide-42crunch/api-recommendations.png":::
8288

89+
### For Azure DevOps environments
90+
91+
1. Install the [42Crunch Azure DevOps extension](https://marketplace.visualstudio.com/items?itemName=42Crunch.42c-cicd-audit-freemium) on your organization.
92+
1. Create a new pipeline in your Azure DevOps project. For a tutorial for creating your first pipeline, see [Create your first pipeline](/azure/devops/pipelines/create-first-pipeline).
93+
1. Edit the created pipeline, by copying in the following workflow:
94+
95+
```yml
96+
trigger:
97+
branches:
98+
include:
99+
- main
100+
101+
jobs:
102+
- job: run_42crunch_audit
103+
displayName: 'Run Audit'
104+
pool:
105+
vmImage: 'ubuntu-latest'
106+
steps:
107+
- task: UsePythonVersion@0
108+
inputs:
109+
versionSpec: '3.11'
110+
addToPath: true
111+
architecture: x64
112+
- task: APISecurityAuditFreemium@1
113+
inputs:
114+
enforceSQG: false
115+
sarifReport: '$(Build.Repository.LocalPath)/42Crunch_AuditReport.sarif'
116+
exportAsPDF: '$(Build.Repository.LocalPath)/42Crunch_AuditReport.pdf'
117+
- task: PublishBuildArtifacts@1
118+
displayName: publishAuditSarif
119+
inputs:
120+
PathtoPublish: '$(Build.Repository.LocalPath)/42Crunch_AuditReport.sarif '
121+
ArtifactName: 'CodeAnalysisLogs'
122+
publishLocation: 'Container'
123+
```
124+
125+
1. Run the pipeline.
126+
1. To verify the results are being published correctly in Azure DevOps, validate that *42Crunch-AuditReport.sarif* is being uploaded to the Build Artifacts under the *CodeAnalysisLogs* folder.
127+
1. You have completed the onboarding process. Next we verify that the results show in Defender for Cloud.
128+
129+
**Navigate to Defender for Cloud**:
130+
131+
1. Select **Recommendations**.
132+
1. Select **All recommendations**.
133+
1. Filter by searching for **API security testing**.
134+
1. Select the recommendation **AzureDevOps repositories should have API security testing findings resolved**.
135+
136+
The selected recommendation shows all 42Crunch Audit findings. You completed the onboarding for the 42Crunch Audit step.
137+
138+
:::image type="content" source="media/onboarding-guide-42crunch/azure-devops-recommendation.png" alt-text="Screenshot showing Azure DevOps recommendation." lightbox="media/onboarding-guide-42crunch/azure-devops-recommendation.png":::
139+
83140
## Configure 42Crunch Scan service
84141
85142
API Scan continually scans the API to ensure conformance to the OpenAPI contract and detect vulnerabilities at testing time. It detects OWASP API Security Top 10 issues early in the API lifecycle and validates that your APIs can handle unexpected requests.
86143
87144
The scan requires a nonproduction live API endpoint, and the required credentials (API key/access token). [Follow these steps](https://github.com/42Crunch/apisecurity-tutorial) to configure the 42Crunch Scan.
88145
146+
Refer to the **azure-pipelines-scan.yaml** in the tutorial for the ADO specific tasks.
147+
89148
## FAQ
90149
91150
### How does 42Crunch help developers identify and remediate API security issues?
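Review bot: in the new pipeline YAML, `PathtoPublish: '$(Build.Repository.LocalPath)/42Crunch_AuditReport.sarif '` has a trailing space inside the quotes, so the publish task will look for a file name ending in a space and will not find the report the audit task wrote to `$(Build.Repository.LocalPath)/42Crunch_AuditReport.sarif`; drop the space. The verification step then tells the reader to look for *42Crunch-AuditReport.sarif* (hyphen) while the pipeline writes *42Crunch_AuditReport.sarif* (underscore); align the two names. `enforceSQG: false` appears to turn off the audit's security quality gate so the pipeline passes regardless of findings; if that is intentional for onboarding, say so and note that teams can set it to true once results are flowing into Defender for Cloud. Minor: "You have completed the onboarding process" is a statement, not a step, and should not be an item in the numbered list, and "ADO specific" in the Scan section should be spelled out as "Azure DevOps-specific".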
