All Azure DevOps REST APIs now receive Detailed Personal Access Tokens (PATs). The goal of the change, which has been welcomed by the cybersecurity community, is to minimize the potential damage from a PAT credential leak.
Announcing the news via an Azure DevOps blog post, product manager Barry Wolfson said there was a “significant security risk to the organization prior to the change, given the potential for access to source code, production infrastructure and other valuable resources.”
“Previously, many Azure DevOps REST APIs were not tied to a PAT scope, which sometimes resulted in customers using these APIs using full PAT scopes.” The wide range of powers associated with them was a cause for concern.
Praetorian Trigger
While Wolfson didn’t mention specifics, others speculated that the switch happened after Praetorian researchers used the REST API PAT to get into third-party corporate networks.
One of them was the Microsoft-owned GitHub site that was compromised thanks to the PAT leak. The company is currently testing the use of fine-grained PATs in its public beta to address this issue.
Now Wolfson suggests that DevOps teams should implement the change sooner rather than later. “If you are currently using a full-scoped PAT to authenticate to one of the Azure DevOps REST APIs, consider migrating to a PAT with a specific API-accepted scope to avoid unnecessary access,” he said.
He added that the supported detailed PAT ranges for a given REST API can be found in the Security – Scopes section of the REST API documentation pages.
In addition, the changes should allow customers to restrict how PATs are created to the full extent through control plane policies.
“We look forward to continuing to deliver enhancements that will help customers secure their DevOps environments,” concluded Wolfson.
By: Register (opens in a new tab)
