All Azure DevOps REST APIs now accept granular Personal Access Tokens (PATs). The change, which has been welcomed in the security community, is intended to limit the damage a leaked PAT can do.
Product manager Barry Wolfson announced the change in an Azure DevOps blog post, saying that before it there was a “significant security risk to organizations given the potential to gain access to source code, production infrastructure, and other valuable assets.”
“Previously, some Azure DevOps REST APIs were not associated with a PAT scope, so customers sometimes used these APIs with full PATs.”
Praetorian trigger
While Wolfson gave no details, others have speculated that the change was prompted by Praetorian researchers using REST API PATs to get into other companies’ corporate networks.
One of those was Microsoft-owned GitHub, which was compromised through a leaked PAT. GitHub is currently testing fine-grained PATs in a public beta to address the issue.
Wolfson suggests DevOps teams make the change sooner rather than later. “If you are currently using a full-scope PAT to authenticate to one of the Azure DevOps REST APIs, consider migrating to a PAT with the specific scope accepted by the API to avoid unnecessary access,” he said.
The granular PAT scope(s) a given REST API accepts are listed in the Security – Scopes section of that API’s documentation page, he added.
In addition, the change lets customers restrict the creation of full-scoped PATs through a control-plane policy.
“We look forward to continuing to deliver enhancements that will help customers secure their DevOps environments,” concluded Wolfson.
Via: The Register