CRLF injection found in popular Python dependency, urllib3

On April 18, 2019 a CRLF injection vulnerability was found in the popular Python library, urllib3. The urllib3 library is an HTTP client for Python that includes valuable features such as thread safety, connection pooling, client-side SSL/TLS verification, and more. It is used widely in the Python ecosystem, including within requests, another popular library. In […]

May 15, 2019

JVM Ecosystem Survey 2019

We’re excited to launch the new JVM Ecosystem Survey 2019. The goal of this survey is to understand the lay of the land across the entire JVM ecosystem and Java in particular. Once we get all of your wonderful responses we’re going to turn them into a beautiful report that you can read, print out, turn […]

May 14, 2019

A Denial of Service vulnerability discovered in the Axios JavaScript package – affecting all versions of the popular HTTP client

Affected versions of axios are vulnerable to Denial of Service (DoS) because content continues to be processed from requests even after maxContentLength is exceeded, causing increased I/O and CPU usage.

May 6, 2019

8 Azure Repos Security Best Practices

In this cheat sheet we’ll cover how you can be more secure as an Azure Repos user or contributor. Some of it is specific to Azure Repos, but a lot of it is also useful for other Git and non-Git repositories. So let’s get started with our list of […]

May 6, 2019

Never store credentials as code/config in Azure Repos

Having team-wide rules that prevent credentials from being stored as code is a great way to police bad actions in the existing developer workflow. There are internal tools like Azure Key Vault

May 6, 2019

Remove sensitive data in your files and Azure Repos history

If you find sensitive data in your Azure Repos repository, you need to do a number of things to recover. First of all you'll need to invalidate the tokens and passwords that were once public. Once a secret is public on the internet, you should assume it's in the hands of attackers and react accordingly.

May 6, 2019

Tightly control access to your Azure Repos

The following is a best practice guideline from our series of 8 Azure Repos security best practices. 3. Tightly control access to your Azure Repos. Here in the UK, when it gets really, really hot (read: mildly warm) we Brits tend to open all the windows in the house to make […]

May 6, 2019

Add a SECURITY.md file to your Azure Repos

The following is a best practice guideline from our series of 8 Azure Repos security best practices. 4. Add a SECURITY.md file to your Azure Repos. It’s natural for most project owners and maintainers to add a README.md for their repository. In fact, these days it’s expected and it’s quite frowned […]

May 6, 2019

Use Personal Access Tokens with Azure Repos

Two-Factor Authentication (2FA) adds an additional level of security to your account by requiring not just a username and password, but also a unique code from an authenticator application or sent to you by SMS. This ensures that even if your password is compromised, an attacker can't log in to your account without also having your cell phone.

May 6, 2019

Add security testing to pull requests in Azure Repos

By adding Snyk’s native integration with Azure Repos, each pull request will be tested to ensure new vulnerabilities aren’t introduced into the code base. Policies can be defined to configure the severity level of a vulnerability that fails the merge. The following image displays a failed PR due to new vulnerabilities that it would have added:

May 6, 2019

Rotate Azure Repos SSH keys and personal access tokens

Azure Repos access is typically done using SSH keys or personal access tokens (in lieu of a password). But what happens if those tokens are stolen and you didn’t know? Be sure to refresh your keys and tokens periodically, limiting the damage that a leaked key or token can cause.

May 6, 2019