Tightly control access to your Azure Repos
The following is a best practice guideline from our series of 8 Azure Repos security best practices
3. Tightly control access to your Azure Repos
Here in the UK, when it gets really, really hot (read: mildly warm) us Brits tend to open all the windows in the house to make sure that it doesn’t turn into a sauna. However when we leave our houses, we double lock the front door, often leaving many of the windows partially open to keep the airflow moving. Of course this makes no sense, as anyone wanting to break in won’t try to break in through the front door! They’ll look for a less obvious way in, perhaps by climbing through one of the conveniently opened windows.
We often take a similar approach to securing our applications. We focus very hard on the more complex attack vectors, but fail miserably against some of the simplest. For instance, it only takes one developer to leave their password on a sticky note, hanging off their monitor for an attacker to gain access. We must ensure our basic settings and practices are adhered to, both on the Azure Repos platform as well as in general. Mandate the following basic practices for your contributors:
- Never let Azure Repos users share accounts/passwords.
- Any laptops/devices with access to your source code must be properly secured.
- Repository administrators should manage team access to data. Only give contributors access to the data they need to do their work.
- Azure Repos accounts may be personal accounts, and do not naturally disappear when users leave the company. Make sure you diligently revoke access from Azure Repos users who are no longer working with you.
Continue reading the list of 8 Azure Repos security best practices:
- Never store credentials as code/config in Azure Repos
- Remove sensitive data in your files and Azure Repos history
- Tightly control access
- Add a SECURITY.md file
- Use Personal Access Tokens
- Provide granular permissions and groups for users
- Add security testing to Pull Requests
- Rotate SSH keys and personal access tokens
If you haven’t done so yet, make sure you download this cheat sheet now and pin it up, so your future decisions are secure decisions!