Microsoft Corporation Tel (425) 882-8080
One Microsoft Way Fax (425) 936-7329
Redmond, WA 98052-6399 http://www.microsoft.com

Penetration Test Summary and Results

Azure DevOps conducted an internal vulnerability and security assessment of Azure DevOps hosted
services. This report provides a summary of the assessment as well as the findings from the assessment,
which was performed in November 2019.

The assessment identified some weaknesses in Pipeline security controls. However, the findings
identified are not causes of concern for our customers. No methods of obtaining data that belongs to
customer tenants were found during this review. Azure DevOps completely remediated all significant
findings.

Scope:

The scope of the security assessment included:

• Azure DevOps Pipelines
• GitHub Integration with Azure DevOps
• Blue Team/Security Incident Response

Test Methodology:

The assessment was conducted by a joint team composed of Software and Security Engineers, Security
Incident Managers from Azure DevOps and Office 365 Red Team. The assessment was conducted to
cover security risks included in the Open Web Application Security Project (OWASP).

Assessment:

Overall, Azure DevOps has fully embraced defense in depth to protect the service through the
implementation of layers of strong security monitoring and detection controls. However, there were
some issues identified dealing with Build tasks, Pipelines inheritance configurations, and queue and edit
permissions on Pipeline definitions. All the findings from the assessment have been investigated with
the appropriate engineering teams and remediations are either completed or in flight.

Summary:

Azure DevOps remains committed to providing strong information security controls which meet the
requirements laid out by the different legal, regulatory, and technical standards we adhere to. We
continue to make investments in the security of our service (e.g., Azure DevOps Bug Bounty) to protect
customer data and ensure we continue to earn the trust of our customers.
