Can we get clarity on risks surrounding Azure DevOps extensions?

Bolster, Yorick 0 Reputation points
2024-09-25T06:49:14.4866667+00:00

There is no clarity on risks surrounding Azure DevOps extensions. We have scanned some open source extensions and found that they have vulnerabilities. There was no information about this present on the extension page.

Some questions

  1. Does Microsoft monitor the quality and safety of the extensions in any way?
  2. Do these vulnerabilities translate to security risks when the extension is installed in an organisation, or are extensions limited in some way so that (some) security risks are mitigated?
  3. Can we get an overview of the vulnerabilities that extensions have on the extension page?
  4. Is it possible that an extension with vulnerabilities can expose our data or processes to the outside world?

There is not a lot of information on this subject and we do need this information to create criteria that keep us safe from harmful extensions without unnecessarily harming our productivity by rejecting extensions that pose no threat.

Community Center | Not monitored

1 answer

  1. AmaranS 7,270 Reputation points Microsoft External Staff
    2024-09-25T09:31:01.06+00:00

    Hi Bolster, Yorick,

    Thank you for taking the time to post this issue in the Microsoft Q&A forum.

    Azure DevOps is currently not supported in the Microsoft Q&A forums; the supported products are listed over here: https://docs.microsoft.com/en-us/answers/products/

    For the related questions about Azure DevOps, you can post on our Developer Community – Azure DevOps.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment
