Compare Developers Improvement

We've added the option to compare engineer stats with team average stats using the Developer Compare feature. This will help you spot underperformers and identify coaching opportunities. Comparing engineer stats with team average stats can also help you discover top performers and recognize their wins.

PR Stats for Team and Developer Compare, Hide Developer Names, and Azure DevOps Server integration

We've added PR stats in the Team Compare and the Developer Compare features. Learn more about Team Compare and Developer Compare.

If you want to hide developers' names from other users in the platform, you can do it by following this guide.

We've just launched our integration with Azure DevOps Server. Learn more about integrating Azure DevOps Server here.


GitHub & GitLab OAuth - security update

-- (July 7, 2020, 5 am PST update)

July 2, 2020, 11:20 am PST

We learned from one of our trial environment users about an unauthorized use of their GitHub OAuth token. The security of your data is our highest priority. Therefore, as a precautionary measure to protect your account, we revoked all GitHub OAuth tokens.

July 3, 2020, 9:45 am PST

Our Security team, along with the Bit Sentinel team (an independent company), identified that between June 10, 2020, and July 03, 2020, attackers:

  • performed multiple attacks over an AJAX call;
  • performed exploratory activities;
  • launched automated scanners.

July 3, 2020, 12:45 pm PST

The Waydev team fixed the issues and eliminated any potential threats supposedly linked to the incident.

July 6, 2020, 11 pm PST

We learned from the GitHub Security Team that the attacker might have cloned repositories from the users who connected via GitHub OAuth. Due to GitHub's privacy policy, they will inform the affected users personally.

July 7, 2020, 1 am PST

Here are the latest updates regarding our ongoing security investigation:
  • The attackers managed to retrieve personal details, such as emails, first and last names, but they did not retrieve any passwords.
  • There is a possibility that the attackers cloned different GitHub & GitLab projects. We have no evidence that the attackers managed to clone projects from any other Git providers.
  • There is a possibility that the attackers gained access to our source code. At this moment, we are in the process of a full code review and we will solve any issues that we identify.
  • We are working closely with teams of legal, technical, and communications specialists. We are in the process of notifying law enforcement authorities regarding our investigation.
We recommend that our users take the following security measures:
  1. Check for any suspicious activity in your GitHub & GitLab account.
  2. Review your codebase and change all the passwords, private keys, API secret keys, etc. We recommend using a tool like DumpsterDiver or truffleHog, which can perform a high-entropy search to help you discover all of these within the code.
  3. Enable a web application firewall such as Cloudflare, mod_security, or any other WAF solution.
  4. Perform a code review to identify any potential vulnerabilities that an attacker may exploit (static or dynamic code analysis), or a manual security code review, and fix all the critical vulnerabilities discovered during the engagement.
  5. Check the error logs of your main services (e.g. web service, database service, application-level logs, etc.).
  6. If you have any suspicious activity or you think your database was exposed, contact a cyber security company to assist you with an incident response plan and other technical forensics capabilities. Be ready to reset user passwords.
  7. Enable logging (including POST data). Create a benchmark of user traffic, for example the total number of requests per IP, and analyze high-traffic users for suspicious activity that may indicate exploitation attempts.
For example, you can run the following commands (Apache only):
  • Sort the most active IP addresses by the number of log entries generated in Apache: awk '{ print $1 }' *access*log | sort -n | uniq -c | sort -nr | head -50
  • Find the most active users by number of POST requests and see what they are doing
  • Find the most active users by unique suspicious user agents and see what they are doing: awk -F'"' '{print $6}' access.log | sort | uniq -c | sort -rg | head
  • Find the most active users by number of errors generated (non-200 response codes, especially 4XX or 5XX) and understand what they are doing
Our Indicators of Compromise are:
a. IP Addresses of the hacker: 193.169.245.24, 185.230.125.163, 66.249.82.0, 185.220.101.30, 84.16.224.30, 185.161.210.xxx, 151.80.237.xxx, 185.161.210.xxx, 81.17.16.xxx, 190.226.217.xxx, 186.179.100.xxx, 102.186.7.xxx, 72.173.226.xxx, 27.94.243.xxx
b. User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
c. Email addresses:
i. saturndayc@protonmail.com
ii. ohoussem.bale6@sikatan.co
iii. 5abra.adrinelt@datacoeur.com
iv. 4monica.nascimene@vibupis.tk
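
The traffic benchmark from step 7 and the indicators listed above can be checked in one pass over the log. This is an added example, not Waydev's own tooling: it assumes Apache's default combined log format, and the function names, sample log lines and request paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client baseline and IoC sweep for an Apache "combined" log.
# IoC values are copied from this advisory; "xxx" entries become /24 prefixes.
IOC_IPS='193.169.245.24 185.230.125.163 66.249.82.0 185.220.101.30 84.16.224.30'
IOC_NETS='185.161.210. 151.80.237. 81.17.16. 190.226.217. 186.179.100. 102.186.7. 72.173.226. 27.94.243.'
IOC_UA='Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0'

# ip_profile LOG: prints "ip total posts errors" per client, busiest first.
ip_profile() {
  awk '{
         total[$1]++
         if ($6 == "\"POST") posts[$1]++          # $6 is the quoted method
         if ($9 ~ /^[45][0-9][0-9]$/) errs[$1]++  # $9 is the status code
       }
       END { for (ip in total) print ip, total[ip], posts[ip] + 0, errs[ip] + 0 }' "$1" |
    sort -k2,2nr -k1,1
}

# ioc_hits LOG: prints "ip reason" once per client and matching indicator.
ioc_hits() {
  awk -v ips="$IOC_IPS" -v nets="$IOC_NETS" -v ua="$IOC_UA" '
    BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) exact[a[i]] = 1
            m = split(nets, pre, " ") }
    {
      split($0, q, "\"")                       # q[6] is the User-Agent field
      if ($1 in exact) print $1, "ioc-ip"
      for (i = 1; i <= m; i++) if (index($1, pre[i]) == 1) print $1, "ioc-net"
      if (q[6] == ua) print $1, "ioc-user-agent"
    }' "$1" | sort -u
}

# sample_log: constructed log lines (documentation addresses plus two listed IoCs).
sample_log() {
  cat <<EOF
203.0.113.7 - - [01/Jul/2020:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"
203.0.113.7 - - [01/Jul/2020:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "ExampleBrowser/1.0"
198.51.100.9 - - [01/Jul/2020:10:01:00 +0000] "POST /api/report HTTP/1.1" 500 0 "-" "$IOC_UA"
198.51.100.9 - - [01/Jul/2020:10:01:01 +0000] "POST /api/report HTTP/1.1" 500 0 "-" "$IOC_UA"
198.51.100.9 - - [01/Jul/2020:10:01:02 +0000] "GET /admin HTTP/1.1" 404 196 "-" "$IOC_UA"
185.220.101.30 - - [01/Jul/2020:10:02:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "ExampleBrowser/1.0"
185.161.210.44 - - [01/Jul/2020:10:03:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "ExampleBrowser/1.0"
EOF
}

# Usage: sh script.sh access.log
[ -z "${1:-}" ] || { ip_profile "$1"; ioc_hits "$1"; }
```

The user-agent string is a stock Firefox 68 on Linux value, so a hit on the user agent alone is a lead to correlate with the POST and error counts rather than proof of compromise.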

If you need any technical assistance, please let us know and we will introduce you to our security team.

The investigation is still in progress and we will post updates whenever we have any relevant information. If you have any other questions regarding this topic, do not hesitate to contact us at security@waydev.co.

-- (July 2, 2020, 11:20 am PST)

We learned from one of our trial environment users about an unauthorized use of their GitHub OAuth token.
 
The security of your data is our highest priority. Therefore, as a precautionary measure to protect your account, we revoked all GitHub OAuth tokens. However, no other suspicious activity was identified during our initial analysis.
 
Our Security Specialists are currently investigating this alongside GitHub's Security Team to understand how we can prevent events like this from happening. Even though there is no evidence of any data breach, we are working hard to strengthen our defenses.
 
You can now reconnect through GitHub OAuth, but for security purposes, we strongly recommend that you connect through a GitHub Personal Access Token.
 
If you have any other questions regarding this topic, do not hesitate to contact us.

July 10, 2020, 5:50 pm PST

GitHub sent an email to all users who connected the Waydev GitHub application, including both affected and non-affected users. Please check your GitHub logs for the last period to see whether you were affected.

Below are Waydev's IPs from where we pull data: 

  • 142.93.239.72
  • 167.99.223.224
  • 134.209.196.25
If you need any technical assistance, please let us know and we will introduce you to our security team.

The investigation is still in progress and we will post updates whenever we have any relevant information. If you have any other questions regarding this topic, do not hesitate to contact us at security@waydev.co.

July 24, 2020, 1 am PST

In the last period, Waydev didn't encounter any potential threats. 

What we can tell you right now is that we are treating this situation very seriously: we identified the vulnerability right away and applied a fix immediately. Moreover, we enabled stronger monitoring and defense mechanisms, and with the help of a professional third-party company we actively monitor all our assets to make sure no other issues are in place.

We decided to perform a full manual security code review with the help of a professional third-party company and fix all threats. After this initial audit, we will continue performing incremental security audits after each major change or every month on changes.

What other actions we've taken for improving our security:
  • Manual access - It is now impossible to create an account without approval from our security team;
  • Monitoring all the activity;
  • Tokens resetting two times a day;
  • Reported the incident to authorities.
We will maintain a higher level of security monitoring over our assets for any suspicious activity, and we will improve our security policies and procedures based on this event, both to prevent situations like this from happening and to improve our overall attack detection capabilities.

If you were affected by the attackers, please contact us at security@waydev.co so that we can connect you with the authorities.

June Updates

The Time Card feature now displays the time zone used for the stats.

We added Throughput, Productive Throughput, and Commits/Active Day in Targets. Learn more about Targets.



You can now view more than 5 engineers in the Work Log, using the 'Per Page' filter.

You can now sort individual engineer stats in the Dashboard. You can do this by clicking on each metric's name.


We created a new Role Management permission - 'Assign all repos'. Providing this permission automatically assigns any newly added repos to users with this permission. Learn more about Role Management.

We’re live on Product Hunt

We’re thrilled to announce that Hiten Shah decided to hunt us on Product Hunt today! Since our last launch, we’ve managed to add Pull Request stats and Tickets stats using the integration with Jira and soon Azure.


I would be delighted to have your upvote and know your feedback. Without feedback from our community, we wouldn’t have made it to this point. Thank you, Waydev Community!

NEW: Trendlines in Developers Stats, Teams Stats, and Repositories Stats

We've added trendlines that help you track the evolution for each metric in the Developers Stats, Teams Stats, and Repositories Stats reports. Click on any metric to display its trendlines.

Developer Summary Improvements

We redesigned the Developer Summary feature, adding new metrics and visual enhancements to improve usability. The new Developer Summary metrics include tt100, PRs Merged Without Review, PR Comments Addressed, and more. You can learn more about the new Developer Summary metrics here.

NEW: Pull Request Velocity Metrics

We've worked with our customers' feedback to develop metrics that reflect the Pull Request Velocity. You can now visualize the average duration for each step of the pull request cycle.

We also built quantitative pull request metrics, such as the number of pull requests merged without rebasing, the number of pull requests merged without review, and more.

You can find the Pull Request Velocity metrics in the Developer Stats, Teams Stats, and Repositories Stats reports. Click on the Pull Requests Stats button to toggle the Pull Request Velocity metrics.

NEW: Pull Request Risk

Introducing Pull Request Risk - Monitor the probability of a pull request causing problems. The Pull Request Risk metric aggregates multiple data points, among them the number of commits, the size of the commits, and the spread and depth of the changes.

You can visualize Pull Request Risk using the Work Log and the Review Workflow features.

Developer Stats, Teams Stats, and Repositories Stats Improvements

We added average values in the Developer Stats, Teams Stats, and Repositories Stats reports. Total values are now displayed between parentheses. Values that are greater than average are displayed in green, while values that are lower than average are displayed in blue.
