All Azure DevOps REST APIs now get accurate Personal Access Tokens (PAT). The change, which has been greeted happily in the cybersecurity community, is intended to reduce the potential harm of leaked PAT credentials.
News announcement via Azure DevOps blogpost, product manager Barry Wolfson said that prior to the change, there was “a significant security risk for organizations, due to access to source code, production infrastructure, and other valuable assets.”
Previously, a number of Azure DevOps REST APIs were not bound to scoped PATs, which sometimes resulted in customers using these APIs with full scoped PATs.
Imperial Trigger
While Wolfson did not give details, others have speculated that the change came after Praetorian researchers used REST API PATs to enter the corporate networks of other companies.
One of those was Microsoft’s GitHub, which was hacked thanks to the PAT leak. The company is currently experimenting with micro PATs in its public beta to address the issue.
Now, Wolfson is suggesting that DevOps teams make the change sooner rather than later. “If you’re currently using full-scope PAT to authenticate to an Azure DevOps REST API, consider migrating to a PAT with the specific scope the API accepts to avoid unnecessary access,” he said.
Added that the supported granular PAT scope(s) for a given REST API can be found in the Security – Scopes section of the REST API documentation pages.
In addition, the changes should enable customers to restrict how full-scale PATs are created, through a control level policy.
“We look forward to continuing to deliver improvements that will help customers secure their DevOps environments,” concluded Wolfson.
Across: record (Opens in a new tab)
