Showing results for Security - Azure DevOps Blog

Jul 24, 2018
0
0

Enabling administrators to revoke VSTS access tokens

Justin Marks
Justin Marks

As promised in the Protecting our users from the ESLint NPM package breach blog post last week, we have deployed new REST APIs to allow administrators of Visual Studio Team Services (VSTS) accounts to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their accounts. We've reviewed our system telemetry and ...

DevOpsSecurityAdmin & Licensing
Jul 18, 2018
0
0

Protecting our users from the ESLint NPM package breach

Rajesh Ramamurthy (MSFT)
Rajesh Ramamurthy (MSFT)

On the 12th of July 2018, malicious code was detected in two popular open-source NPM packages, eslint-scope (version 3.7.2) and eslint-config-eslint (version 5.0.2). As a result, developers who downloaded and installed these packages may have had credentials stored in their .npmrc file compromised. This may include credentials required to access pa...

DevOpsSecurity
Jul 5, 2018
1
0

If I am a VSTS Stakeholder, can I also be an Admin?

Paris Morgan
Paris Morgan

Today, we’re excited to announce that users with the Stakeholder access level can now be administrators in Visual Studio Team Services (VSTS). With these upcoming changes, Stakeholders can administer access levels, permissions, and settings – if they have been granted permissions to do so. Previously, they were only able to invite users and assign ...

DevOpsSecurityAdmin & Licensing
May 29, 2018
0
0

Remediating the May 2018 Git Security Vulnerability

Edward Thomson
Edward Thomson

The Git community has disclosed an industry-wide security vulnerability in Git that can lead to arbitrary code execution when a user operates in a malicious repository. This vulnerability has been assigned CVE 2018-11235 by Mitre, the organization that assigns unique numbers to track security vulnerabilities in software. Git 2.17.1 was released t...

DevOpsSecurity
Apr 27, 2018
1
0

VSTS Public Projects Limited Preview

Jamie Cool
Jamie Cool

Visual Studio Team Services (VSTS) offers a suite of DevOps capabilities to developers including Source control, Agile planning, Build, Release, Test and more. But until now all these features require the user to first login using a Microsoft Account before they can be used.  Today, we’re starting a limited preview of a new capability that will ev...

DevOpsCI/CDOpen Source
Mar 28, 2018
0
0

Deadline extended for connecting VSTS accounts to AzureAD

Justin Marks
Justin Marks

On January 5, 2018, I announced that Visual Studio Team Services will no longer allow creation of new MSA users with custom domain names backed by AzureAD.  While most customers agree with the direction of this change, I got clear feedback that they could not connect their VSTS to AzureAD by the March 31 deadline.  Based on this feedback, we are ch...

DevOpsSecurityAdmin & Licensing
Jan 30, 2018
0
0

Supporting AzureAD Conditional Access Policy across VSTS

Justin Marks
Justin Marks

In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy (CAP).  One caveat that was called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP. As I discussed previously, many VSTS administrators gave us feedback that they need a way to e...

DevOpsSecurityAdmin & Licensing
Jan 29, 2018
1
0

VS Subscriptions and linking your VSTS account to AzureAD

Justin Marks
Justin Marks

A few weeks ago, I posted about a change coming to organizations managing their identities with Microsoft Accounts (MSAs); as of March 30th, you will no longer able to create new MSAs with a custom domain name that is linked to an Azure Active Directory tenant.  Many customers have reached out asking how this change affects their Visual Studio subs...

DevOpsSecurityAdmin & Licensing
Jan 5, 2018
0
0

VSTS will no longer allow creation of new MSA users with custom domain names backed by AzureAD

Justin Marks
Justin Marks

3-28-2018 UPDATE : The deadline listed below has been extended to the end of September.  Read my latest blog post for more information. On September 15, 2016, the Azure Active Directory (Azure AD) team blocked the ability to create new Microsoft accounts using email addresses in domains that are configured in Azure AD. Many VSTS customers expresse...

DevOpsSecurityAdmin & Licensing
Sep 22, 2017
0
0

Remembering How We Should Manage Open Source

Sam Guckenheimer
Sam Guckenheimer

A DevSecOps best practice is root cause analysis, so that we can learn from live site incidents and prevent their recurrence. Equifax made news recently with the exfiltration of data from half the US population. This is a sobering opportunity to look at the root cause. The Equifax attack used Apache Struts, a popular open source project for web ap...

DevOpsOpen SourceSecurity