16 changes: 14 additions & 2 deletions docs/pages/devsecops/integrated-development-environments.mdx
Expand Up @@ -5,6 +5,9 @@ tags:
- Engineer/Developer
- Security Specialist
- DevOps
contributors:
- role: wrote
users: [mattaereal, fredriksvantes, ElliotFriedman]
---

import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
Expand All @@ -20,8 +23,17 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr
Integrated Development Environments (IDEs) are essential tools for developers, but they also need to be secured.
Consider implementing the following best practices:

1. Ensure IDEs are configured securely, with plugins and extensions only installed from trusted sources. Some IDEs have
features that allow for automated execution of files in folders. Use restricted mode if you don't fully trust a project.
1. Install plugins and extensions only from trusted sources, and verify each one through multiple independent channels
before installing:
- Confirm the publisher matches the expected organization — typosquats and lookalike publishers are common.
- Cross-reference the extension's source repository on GitHub; skim recent commits, open issues, and any security
advisories.
- Check install counts and verified-publisher badges, and prefer signed / officially-published releases over
sideloaded builds.

Due diligence on extensions is typically low, which is precisely why threat actors target this vector: a single
malicious or compromised extension can exfiltrate source, secrets, and session tokens across every project on the
machine. Use restricted mode if you don't fully trust a project.
2. Keep IDEs and their plugins/extensions up-to-date to protect against vulnerabilities.
3. Integrate static code analysis tools within the IDE to catch security issues early in the development process.
4. Configure IDEs to follow the principle of least privilege, limiting access to sensitive information and systems.
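Review bot: the rewrite of item 1 drops the reason for the restricted-mode advice. The removed text explained that "Some IDEs have features that allow for automated execution of files in folders", which is what makes opening an untrusted project risky; the new text keeps "Use restricted mode if you don't fully trust a project" but no longer says why. Suggest restoring that sentence in front of the restricted-mode recommendation, e.g. "Some IDEs automatically run tasks or scripts from project folders on open; use restricted mode if you don't fully trust a project." Also, the general "Ensure IDEs are configured securely" opening was removed, so the list now starts directly with plugin sourcing; consider keeping a short configuration line so the plugin guidance reads as one of several controls rather than the whole of item 1. Two style points: the em-dash in "expected organization — typosquats" should be a plain sentence break or comma to match the rest of the page, and the "Due diligence on extensions..." paragraph must be indented under item 1 (the rendered diff hides whitespace), otherwise MDX will close the list and "2." will render as a new list starting at 1.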