Trusting the Unknown -
Ensuring Safe & Secure Extension Use in CI/CD Workflows
Of extensions contain some vulnerability
Of extensions owned by Microsoft
With a ⭐ rating
Of extensions updated in the last 3 months
Of Node based Azure Pipelines tasks
Of PowerShell Azure Pipeline Tasks…
That’s unfair
But it’s also a bit true…
Jesse Houwing
Chief Trainer & Tinkerer
xpirit.com/jesse
jessehouwing
hachyderm.io/jessehouwing
+31 6 41 81 333 8
Extensions in the context of Azure Pipelines
Manifests
Marketplace pretties
Tasks
And potentially tabs and context menu actions…
So what is a task?
Loads of dependencies
At least azure-pipelines-task-lib
Frozen at time of publish
Another Manifest
The actual custom code
More pretties
Or… using PowerShell
A lot fewer dependencies
At least VstsTaskSdk
Another Manifest
The actual custom code
More pretties
An extension can contain more than 1 task (diagram: Task A, Task A v1)
Where do these tasks come from?
• They’re “built-in” tasks
  • Automatically updated by Microsoft in Azure DevOps
  • Manually updated through Microsoft Update packs in Azure DevOps Server
  • Manually updated by administrator through sideloading (see below)
• They’re from an extension from the public marketplace
  • Installed through marketplace.visualstudio.com
  • Automatically updated in Azure DevOps and Azure DevOps Server
• They’re from an extension from the private marketplace
  • Manually uploaded to Azure DevOps Server
• They’re sideloaded directly
  • Manually uploaded to Azure DevOps or Azure DevOps Server
2 problems with task updates
By default, the agent:
1. Pins the major version to the one you selected
2. Updates to the latest minor version available
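As an added example (not code from the slides or from the Azure Pipelines agent), here is a small JavaScript model of that selection rule: a major-only reference such as MyTask@1 floats to whatever 1.x.y is newest at run time, while an exact pin such as MyTask@1.2.3 never moves, which is what the "pin the exact version of your tasks" advice later in the deck relies on. The task name and the list of published versions are constructed.

```javascript
// Added example, not the agent's code: models the version selection rule the
// slide describes, against a constructed list of published task versions.
const PUBLISHED_VERSIONS = ['1.0.5', '1.2.3', '1.4.0', '1.4.1', '2.0.0', '2.1.0'];

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a major.minor.patch version: ${v}`);
  }
  return { major: parts[0], minor: parts[1], patch: parts[2] };
}

// Numeric compare, so 1.10.0 sorts after 1.9.0 (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// reference is "TaskName@1" (major only, the default) or "TaskName@1.2.3" (exact pin).
// Returns the version the agent would run, or null when nothing matches.
function resolveTaskVersion(reference, published) {
  const at = reference.lastIndexOf('@');
  if (at < 0) throw new Error(`reference needs an @version suffix: ${reference}`);
  const name = reference.slice(0, at);
  const spec = reference.slice(at + 1);

  if (/^\d+$/.test(spec)) {
    // Default behaviour: the major is pinned, the newest minor/patch in that
    // major wins, so a new publish changes what runs without any pipeline edit.
    const major = Number(spec);
    const candidates = published.filter(v => parseVersion(v).major === major);
    if (candidates.length === 0) return { name, version: null, pinned: false };
    candidates.sort(compareVersions);
    return { name, version: candidates[candidates.length - 1], pinned: false };
  }

  // Exact pin: only this version will do, and it never floats.
  parseVersion(spec); // rejects malformed specs
  return { name, version: published.includes(spec) ? spec : null, pinned: true };
}

// One line per reference showing what would run given PUBLISHED_VERSIONS.
function describeReferences(refs, published = PUBLISHED_VERSIONS) {
  return refs.map(r => {
    const res = resolveTaskVersion(r, published);
    const how = res.version === null ? '(no match)' : res.pinned ? '(exact pin)' : '(floats within major)';
    return `${r} -> ${res.version} ${how}`;
  });
}

describeReferences(['MyTask@1', 'MyTask@1.2.3', 'MyTask@2', 'MyTask@3']).forEach(l => console.log(l));
```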
So how do we know we can trust these tasks?
You don’t.
How do you know?
Well…
I downloaded 700GB of vsix files from the Azure DevOps marketplace
Extracted them and scanned them
So how do we know we can trust them?
Trusted publisher?
Verification?
Rating?
Number of issues and pull-requests?
Metadata provided by the author?
Recently updated?
Looks nice?
Is it really that bad?
Maybe not…
All of these potential security issues
Do not mean there is a known exploit chain
But it’s not pretty!
It’s not just the updates you should worry about
So what’s the risk we’re running?
• Some of these extensions turn off TLS security
• Some might overwrite arbitrary files
• Some might be used to send data to the outside world
• Some install things directly from npmjs
• Others download hundreds of MB, extract it and execute it without verification
• Often on a host with admin permissions
There is a lot of potential
Why is PowerShell so much better?
It might not be but…
• Many of the dependencies are automatically updated through Windows Update
• PowerShell relies on the .NET framework for most functionality
• There are a lot fewer dependencies to worry about
What is Microsoft doing?
• They’ve introduced a new Node 16 handler for Azure Pipelines
• They’re deprecating Node 6 and Node 10 for Azure Pipelines tasks.
• They’re updating all the built-in tasks for Azure DevOps.
• They’re updating all the built-in tasks for Azure DevOps Server 2022?
• They’ve added the ability to turn off Node 6 on the Pipelines Agent.
• They’re adding warnings to every workflow that uses Node 6 (and later 10).
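The handler a task declares in its task.json is what decides whether it still runs on Node 6 ("Node") or Node 10 once those handlers go away, and the same manifest pair tells you whether an extension points at a source repository at all. As an added example (not the author's scanner and not Microsoft's tooling), this JavaScript audits the two manifests of an unpacked extension for exactly those signals, the way the 700GB scan earlier in the deck would per extension; the extension and task manifests here are constructed samples, and a real run would load vss-extension.json plus each task's task.json from the extracted .vsix.

```javascript
// Added example, not the author's scanner: audit extracted extension manifests
// for the risk signals the talk lists (old Node handlers, author-deprecated
// tasks, missing repository metadata). Handler names are the real task.json
// execution keys; "Node" is the Node 6 handler.
const HANDLER_STATUS = {
  Node: 'deprecated (Node 6)',
  Node10: 'deprecated (Node 10)',
  Node16: 'current',
  PowerShell3: 'current',
  PowerShell: 'legacy (Windows PowerShell)',
};

function auditTask(taskJson) {
  const findings = [];
  const v = taskJson.version;
  const label = `${taskJson.name}@${v.Major}.${v.Minor}.${v.Patch}`;
  for (const phase of ['prejobexecution', 'execution', 'postjobexecution']) {
    const handlers = Object.keys(taskJson[phase] || {});
    for (const h of handlers) {
      // A task listing an old handler next to a current one still ships the
      // old code path for older agents, so every non-current handler is reported.
      const status = HANDLER_STATUS[h] || 'unknown handler, review manually';
      if (status !== 'current') findings.push(`${label}: ${phase} uses ${h} -> ${status}`);
    }
    if (phase === 'execution' && handlers.length === 0) findings.push(`${label}: no execution handler`);
  }
  if (taskJson.deprecated === true) findings.push(`${label}: marked deprecated by its author`);
  return findings;
}

function auditExtension(vssExtension, tasks) {
  const findings = [];
  const id = `${vssExtension.publisher}.${vssExtension.id}`;
  if (!vssExtension.repository || !vssExtension.repository.uri) {
    findings.push(`${id}: no repository metadata, source cannot be located from the manifest`);
  }
  for (const t of tasks) findings.push(...auditTask(t));
  return findings;
}

// Constructed sample: an extension without repository metadata, one task still on
// Node 6, and one current task whose author already flagged it deprecated.
const SAMPLE_EXTENSION = { publisher: 'example-publisher', id: 'example-ext', version: '1.0.0' };
const SAMPLE_TASKS = [
  { name: 'OldNodeTask', version: { Major: 1, Minor: 3, Patch: 0 },
    execution: { Node: { target: 'index.js' } } },
  { name: 'CurrentTask', version: { Major: 2, Minor: 0, Patch: 1 }, deprecated: true,
    execution: { PowerShell3: { target: 'task.ps1' }, Node16: { target: 'index.js' } } },
];

function auditSample() {
  return auditExtension(SAMPLE_EXTENSION, SAMPLE_TASKS);
}

auditSample().forEach(f => console.log(f));
```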
What am I doing / have I done
• I actively update all my extensions regularly
• I automatically update my dependencies using Snyk, Dependabot and RenovateBot
• I scan my code for vulnerabilities using Snyk Code and GitHub Advanced Security
• I maintain the Azure DevOps Extension Tasks to implement CI / CD for Azure DevOps extensions
• I recently contributed to RenovateBot to add support for the Azure Pipeline Marketplace. Now doing the same for dependabot-core.
Guidance for deprecating an extension
• Add a warning to all versions of your tasks
• Timebomb the task to fail after today+X
• Mark all tasks deprecated:true in the task.json
• Add [DEPRECATED] to your task friendly name in the task.json
• Add [DEPRECATED] to your extension name in the vss-extension.json
• Publish this last version
• Unpublish the extension
• Archive the GitHub repository
Guidance for deprecating a task version
• Add both the old and the new version of the task to your extension
• Update the old version’s friendlyName and add [DEPRECATED] in task.json
• Add a warning / error to the implementation to warn your users
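Both deprecation procedures above come down to two mechanical steps: rewrite the manifest (deprecated:true, a [DEPRECATED] friendlyName) and give the implementation a timebomb that warns before a sunset date and fails after it. As an added example (not the author's code and not part of any of his extensions), this JavaScript does both for a Node task; the task manifest and sunset date are constructed, and the ##vso[...] strings are the Azure Pipelines logging commands that azure-pipelines-task-lib writes for warning() and setResult(), emitted directly here so the block has no dependencies.

```javascript
// Added example, not the author's code: manifest rewrite plus run-time timebomb
// for a deprecated task version. Logging commands are written to stdout the
// same way azure-pipelines-task-lib does, so the agent picks them up.
const DEPRECATED_PREFIX = '[DEPRECATED] ';

// Returns a new task.json object; the input is left untouched and the prefix
// is only added once, so re-running a release build does not stack it.
function markTaskDeprecated(taskJson, replacement) {
  const updated = { ...taskJson, deprecated: true };
  if (!updated.friendlyName.startsWith(DEPRECATED_PREFIX)) {
    updated.friendlyName = DEPRECATED_PREFIX + updated.friendlyName;
  }
  updated.description = `${taskJson.description} This version is deprecated; use ${replacement}.`;
  return updated;
}

// Timebomb: a warning while now < sunset, an error plus a failed result from
// the sunset date on. Returns the lines to emit and whether the task may proceed.
function deprecationNotice(taskName, replacement, sunset, now) {
  const day = sunset.toISOString().slice(0, 10);
  const msg = `${taskName} is deprecated and stops working on ${day}; switch to ${replacement}.`;
  if (now < sunset) {
    return { proceed: true, lines: [`##vso[task.logissue type=warning]${msg}`] };
  }
  return {
    proceed: false,
    lines: [`##vso[task.logissue type=error]${msg}`, '##vso[task.complete result=Failed;]done'],
  };
}

// Constructed sample manifest for a v1 task being retired in favour of its v2.
const SAMPLE_TASK_JSON = {
  id: '00000000-0000-0000-0000-000000000000', // placeholder, not a real task id
  name: 'ExampleTask',
  friendlyName: 'Example Task',
  description: 'Runs the example.',
  version: { Major: 1, Minor: 7, Patch: 0 },
  execution: { Node16: { target: 'index.js' } },
};
const SUNSET = new Date('2024-01-01T00:00:00Z'); // constructed sunset date

// Entry point of the deprecated task; returns the process exit code.
function run(now = new Date()) {
  const manifest = markTaskDeprecated(SAMPLE_TASK_JSON, 'ExampleTask@2');
  const notice = deprecationNotice(`${manifest.name}@${manifest.version.Major}`, 'ExampleTask@2', SUNSET, now);
  notice.lines.forEach(l => console.log(l));
  if (!notice.proceed) return 1;
  // The task's real work would follow here while the warning period lasts.
  return 0;
}

process.exitCode = run();
```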
What should Extension authors do?
• Employ secure password practices and use 2FA
• Deprecate extensions you’re no longer maintaining
• Update your existing extensions to Node 16 and latest dependencies
• Enable Dependabot to automatically keep your dependencies up-to-date
• Enable GitHub Advanced Security to detect issues in *your* code
• Implement CI / CD to ship new versions with ease
• Add repo metadata to your extension manifests
What should Azure DevOps admins do?
• Disable insecure extensions
• Implement RenovateBot to automatically suggest updates to installed Azure Pipelines tasks
• Disable Node 6 support on the Azure Pipelines Agent
• Do not install every extension in the marketplace without thought
• Provide Hosted Agents or ephemeral Scale-set agents
• Run Endpoint Security on your Azure Pipelines Agents
• For DevOps Server:
  • Upgrade to Azure DevOps Server 2022 and stay current
  • Migrate to Azure DevOps Service
  • Manually upgrade “built-in” tasks
  • Be careful with the internal marketplace
Overwrite a built-in task
npm install -g tfx-cli
tfx build tasks upload --task-zip-path Task.guid-version.zip --service-url https://yourtfs.com/tfs/DefaultCollection
. ./script/install-task.ps1 -CollectionUrl https://yourtfs.com/tfs/DefaultCollection -TaskZip Task.guid-version.zip
Delete all versions of a task
npm install -g tfx-cli
tfx build tasks delete --task-id ad884ca2-732e-4b85-b2d3-ed71bcbd2788 --service-url https://yourtfs.com/tfs/DefaultCollection
What should Azure Pipelines authors do?
• Consider whether you actually need an extension.
• Keep your pipelines current. Update your major task versions and resolve any issues.
• Use Azure Pipelines YAML
• Pin the exact version of your tasks
• Use RenovateBot to automatically keep your pipelines up to date
• Use Hosted Agents / Ephemeral Scale-set agents whenever possible
What should the community do?
• Sponsor the authors of extensions you rely on.
• Submit pull requests to improve extensions.
• Submit pull requests to upgrade extensions to Node 16.
• Leave reviews on the marketplace and update them.
Useful resources
• Azure DevOps Marketplace Scan
  https://github.com/jessehouwing/azure-devops-marketplace-scan
  https://jessehouwing.net/security-state-of-the-azure-devops-marketplace/
• Hardening guidelines for Azure Pipelines
  https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#secure-azure-pipelines
• Azure Pipelines Tasks Zips
  https://github.com/jessehouwing/azure-pipelines-tasks-zips
• RenovateBot for Azure Pipelines
  https://jessehouwing.net/azure-pipelines-enable-renovatebot/
• Azure DevOps Extension tasks
  https://marketplace.visualstudio.com/items?itemName=ms-devlabs.vsts-developer-tools-build-tasks
