On April 18, 2019 a CRLF injection vulnerability was found in the popular Python library, urllib3. The urllib3 library is an HTTP client for Python that includes valuable features such as thread safety, connection pooling, client-side SSL/TLS verification, and more. It is used widely in the Python ecosystem, including within requests, another popular library. In […]
We’re excited to launch the new JVM Ecosystem Survey 2019. The goal of this survey is to understand the lay of the land across the entire JVM ecosystem, and Java in particular. Once we get all of your wonderful responses we’re going to turn them into a beautiful report that you can read, print out, turn […]
Affected versions of axios are vulnerable to Denial of Service (DoS) because response data continues to be read and processed even after maxContentLength has been exceeded, causing increased I/O and CPU usage instead of the request being aborted at the limit.
In this cheat sheet we’ll cover how you can be more secure as an Azure Repos user or contributor. Some of it is specific to Azure Repos, but much of it applies equally to other Git and non-Git repositories. DOWNLOAD THE CHEAT SHEET! So let’s get started with our list of […]
Having team-wide rules that prevent credentials from being committed as code is a great way to police bad practice within the existing developer workflow. There are internal tools like Azure Key Vault
If you find sensitive data in your Azure Repos repository, you need to do a number of things to recover. First of all, invalidate the tokens and passwords that were exposed. Once a secret has been public on the internet, assume it is in the hands of attackers and react accordingly: revoking it comes before cleaning up the repository, because removing it from the history does not recall copies that were already cloned, cached or indexed.
The following is a best practice guideline from our series of 8 Azure Repos security best practices. 3. Tightly control access to your Azure Repos Here in the UK, when it gets really, really hot (read: mildly warm) we Brits tend to open all the windows in the house to make […]
The following is a best practice guideline from our series of 8 Azure Repos security best practices. 4. Add a SECURITY.md file to your Azure Repos It’s natural for most project owners and maintainers to add a README.md to their repository. In fact, these days it’s expected, and it’s quite frowned […]
Two-Factor Authentication (2FA) adds an additional level of security to your account by requiring not just a username and password, but also a unique code from an authenticator application or sent to you by SMS (the authenticator app is the stronger of the two, since SMS codes can be intercepted or redirected). This ensures that even if your password is compromised, an attacker can't log in to your account without also having access to your phone.
With Snyk’s native Azure Repos integration enabled, each pull request is tested to ensure that it does not introduce new vulnerabilities into the code base. Policies can be defined to set the severity level at which a vulnerability fails the merge. The following image shows a PR that failed because of the new vulnerabilities it would have added:
Access to Azure Repos is typically authenticated with SSH keys or personal access tokens (PATs) rather than a password. But what happens if those keys or tokens are stolen without your knowledge? Rotate them periodically, and give tokens the shortest expiry your workflow allows, to limit the damage a credential that has leaked out can do.