Security | Page 2 of 4 | Azure DevOps Blog

Introducing Search service authentication to make communications with TFS more secure

Subrahmanya Srinivas September 13, 2018 Sep 13, 2018 09/13/18

Basic authorization is now enabled on the communication between the TFS and Search services to make it more secure.

A Microsoft DevSecOps Static Application Security Testing (SAST) Exercise

Michael C. Fanning August 21, 2018 Aug 21, 2018 08/21/18

Static Application Security Testing (SAST) is a critical DevSecOps practice. As engineering organizations accelerate continuous delivery to impressive levels, it’s important to ensure that continuous security validation keeps up. To do so most effectively requires a multi-dimensional application of static analysis tools. The more customizable the tool, the better you can shape it to your actual security risk.

Revoking potentially impacted tokens from ESLint vulnerability

Justin Marks August 8, 2018 Aug 8, 2018 08/8/18

On the 24th of July 2018, we notified some customers via e-mail and on this blog about a planned action that we would start taking in relation to the malicious ESLint NPM package incident. This action is now underway.

Enabling administrators to revoke VSTS access tokens

Justin Marks July 24, 2018 Jul 24, 2018 07/24/18

As promised in the Protecting our users from the ESLint NPM package breach blog post last week, we have deployed new REST APIs to allow administrators of Visual Studio Team Services (VSTS) accounts to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their accounts. We've reviewed our system ...

Protecting our users from the ESLint NPM package breach

Rajesh Ramamurthy (MSFT) July 18, 2018 Jul 18, 2018 07/18/18

On the 12th of July 2018, malicious code was detected in two popular open-source NPM packages, eslint-scope (version 3.7.2) and eslint-config-eslint (version 5.0.2). As a result, developers who downloaded and installed these packages may have had credentials stored in their .npmrc file compromised. This may include credentials required to ...

If I am a VSTS Stakeholder, can I also be an Admin?

Paris Morgan July 5, 2018 Jul 5, 2018 07/5/18

Today, we’re excited to announce that users with the Stakeholder access level can now be administrators in Visual Studio Team Services (VSTS). With these upcoming changes, Stakeholders can administer access levels, permissions, and settings – if they have been granted permissions to do so. Previously, they were only able to invite users ...

Remediating the May 2018 Git Security Vulnerability

Edward Thomson May 29, 2018 May 29, 2018 05/29/18

The Git community has disclosed an industry-wide security vulnerability in Git that can lead to arbitrary code execution when a user operates in a malicious repository. This vulnerability has been assigned CVE 2018-11235 by Mitre, the organization that assigns unique numbers to track security vulnerabilities in software. Git 2.17.1 was ...

VSTS Public Projects Limited Preview

Jamie Cool April 27, 2018 Apr 27, 2018 04/27/18

Visual Studio Team Services (VSTS) offers a suite of DevOps capabilities to developers including Source control, Agile planning, Build, Release, Test and more. But until now all these features require the user to first login using a Microsoft Account before they can be used. Today, we’re starting a limited preview of a new capability that...

Deadline extended for connecting VSTS accounts to AzureAD

Justin Marks March 28, 2018 Mar 28, 2018 03/28/18

On January 5, 2018, I announced that Visual Studio Team Services will no longer allow creation of new MSA users with custom domain names backed by AzureAD. While most customers agree with the direction of this change, I got clear feedback that they could not connect their VSTS to AzureAD by the March 31 deadline. Based on this feedback, we...

Supporting AzureAD Conditional Access Policy across VSTS

Justin Marks January 30, 2018 Jan 30, 2018 01/30/18

In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy (CAP). One caveat that was called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP. As I discussed previously, many VSTS administrators gave us feedback that they need a ...

Azure DevOps Blog