Security begins with secure development environments

2021-09-25

Authors:   Vandana Verma, Steve Coochin


Summary

The presentation discusses the importance of secure development environments in the face of supply chain security incidents and vulnerabilities in open source code and containers.
  • Open source code makes up a significant portion of an organization's codebase, and new packages are constantly being developed, leading to vulnerabilities and breaches.
  • Containerization is important for keeping code and infrastructure clean, but vulnerabilities can still surface in containers.
  • Developers' integrated development environments, such as Visual Studio Code, are also vulnerable to attacks.
  • Secure development environments are crucial for protecting end users and require a shift-left approach to security.
  • The presentation includes a demonstration of a vulnerability in the Instant Markdown plugin for Visual Studio Code.
The presenters discuss their love for using their 'developer superpowers' to build applications quickly, but emphasize the importance of being mindful of vulnerabilities in open source code and containers. They also highlight the need for secure development environments and demonstrate a vulnerability in the Instant Markdown plugin for Visual Studio Code.

Abstract

We have been witnessing an ever-growing number of supply chain security incidents in the wild. And now, those incidents are starting to extend to the place where developers spend most of their time: their integrated development environment, and specifically the Visual Studio Code IDE. Recently, Snyk has discovered and disclosed vulnerabilities that pose a real and imminent threat to developers who use these extensions. The potential compromise is so severe that remote code execution on a developer’s machine is possible by simply tricking the developer into clicking a link.
