All of Azure DevOps REST APIs are now getting granular Personal Access Tokens (PAT). The goal of the change, which was met with glee in the cybersecurity community, is to minimize the potential damage of a leaked PAT credential.
Announcing the news via an Azure DevOps blogpost, product manager Barry Wolfson said that prior to the change, there was a “significant security risk to organizations, given the potential to access source code, production infrastructure, and other valuable assets.”
“Previously, a number of Azure DevOps REST APIs were not associated with a PAT scope, which at times led customers to consume these APIs using full-scoped PATs.” The wide range of permissions associated with these were the cause for concern.
While Wolfson did not mention specifics, others have speculated that the change seems to have came after Praetorian researchers used REST API PATs to get into corporate networks of other companies.
One of those was the Microsoft-owned website GitHub, which was compromised thanks to a leaked PAT. The company is currently trialing the use of fine-grained PATs in its public Beta to remedy the issue.
Now, Wolfson is suggesting DevOps teams should make the change sooner, rather than later. “If you are currently using a full-scoped PAT to authenticate to one of the Azure DevOps REST APIs, consider migrating to a PAT with the specific scope accepted by the API to avoid unnecessary access”, he said.
The supported granular PAT scope(s) for a given REST API can be found in the Security – Scopes section of the REST API documentation pages, he added.
Additionally, the changes should enable customers to restrict how full-scoped PATs are created, via a control plane policy.
“We look forward to continuing to ship improvements which will help customers secure their DevOps environments,” Wolfson concluded.
Via: The Register (opens in new tab)