
Every Azure DevOps REST API is now covered by granular Personal Access Token (PAT) scopes. The change, welcomed in the cybersecurity community, is intended to limit the damage a compromised PAT can do.
Announcing the news via an Azure DevOps blog post, product manager Barry Wolfson said that prior to the change, “organizations faced a significant security risk due to the potential for access to source code, production infrastructure, and other valuable assets.”
“Previously, many Azure DevOps REST APIs were not associated with a PAT scope, which sometimes resulted in customers using the full-scope PAT to consume these APIs.” The wide range of permissions carried by a full-scope PAT is the cause for concern.
Praetorian trigger
While Wolfson did not go into specifics, others have speculated that the change followed research by Praetorian, whose researchers used PATs with the REST API to get into other companies’ corporate networks.
One of them, the Microsoft-owned GitHub, was compromised through a leaked PAT. The company is currently trialing fine-grained PATs in a public beta to address this issue.
Now, Wolfson recommends that DevOps teams should make changes sooner rather than later. “If you are currently using a full-scope PAT to authenticate to one of your Azure DevOps REST APIs, consider migrating to a PAT with specific scopes accepted by the API to avoid unnecessary access,” he said.
He added that the granular PAT scopes supported by a given REST API are listed in the Security – Scopes section of that API’s documentation page.
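To verify a migration of the kind Wolfson recommends, a team needs to confirm that a newly issued narrow-scope PAT is still accepted by the API it is meant for. The following script is an added example and is not code from the original article or from Microsoft. It assumes the documented Azure DevOps convention that a PAT is sent as HTTP Basic auth with an empty username, the Projects endpoint under dev.azure.com, an api-version of 7.1, and two environment variable names (AZDO_ORG, AZDO_PAT) chosen here for illustration.

```python
"""Check that a scoped Azure DevOps PAT can call a given REST API.

Added example (not from the article). Assumptions are marked as such.
"""
import base64
import os
import sys
import urllib.error
import urllib.request

AZDO_BASE = "https://dev.azure.com"   # assumption: the organization lives under dev.azure.com
API_VERSION = "7.1"                   # assumption: current api-version accepted by the Projects API


def pat_auth_header(pat: str) -> str:
    """Build the Authorization header for an Azure DevOps PAT.

    PATs are sent as HTTP Basic auth with an EMPTY username, i.e. base64(":" + pat).
    Omitting the leading colon is the most common reason a valid PAT is rejected.
    """
    token = base64.b64encode(f":{pat}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def projects_url(organization: str) -> str:
    """Read-only Projects endpoint used as a low-risk probe for the PAT's scopes."""
    return f"{AZDO_BASE}/{organization}/_apis/projects?api-version={API_VERSION}"


def classify_status(status: int) -> str:
    """Translate the HTTP status into migration guidance for the team."""
    if status == 200:
        return "ok: the PAT's scopes are sufficient for this API"
    if status in (401, 403):
        return ("denied: the PAT is invalid or lacks a scope this API accepts; "
                "compare its scopes with the API's Security - Scopes section")
    if status == 203:
        # Commonly observed when dev.azure.com answers a rejected token with a sign-in
        # page instead of JSON; treat it as a failed authentication, not a success.
        return "denied: received a sign-in redirect instead of JSON; the token was not accepted"
    return f"unexpected HTTP status {status}; inspect the response body before trusting the PAT"


def _fetch_status(url: str, headers: dict) -> int:
    """Default transport: perform the GET and return the HTTP status code."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def check_scoped_pat(organization: str, pat: str, fetch_status=_fetch_status) -> tuple:
    """Probe the Projects API with the PAT and return (status, verdict).

    `fetch_status` is injectable so the logic can be exercised without network access.
    """
    headers = {
        "Authorization": pat_auth_header(pat),
        "Accept": "application/json",
    }
    status = fetch_status(projects_url(organization), headers)
    return status, classify_status(status)


if __name__ == "__main__":
    # Never put the PAT on the command line or in the URL; read it from the environment.
    org = os.environ.get("AZDO_ORG")
    pat = os.environ.get("AZDO_PAT")
    if not org or not pat:
        sys.exit("set AZDO_ORG and AZDO_PAT (assumed variable names) before running")
    code, verdict = check_scoped_pat(org, pat)
    print(f"HTTP {code}: {verdict}")
```

Run the check once with the old full-scope PAT and once with the new scoped PAT; if only the scoped token is denied, the scope list needs to be widened to one of the values the API's documentation page accepts before the full-scope token is revoked.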
In addition, these changes should let customers restrict the creation of full-scope PATs through a control-plane policy.
“We look forward to continuing to deliver improvements to help customers secure their DevOps environments,” concluded Wolfson.