by kangabru 847 days ago
I've been gradually improving my dev setup security over the past few months based on continuous reports like this. Here are things I'm trying out to improve my setup:

- Use VSCode dev containers for development [1a]. Once you've created one, they're quite easy to use and you don't need much Docker knowledge - it just needs to be installed. It's perfect for spinning up web/console apps but I had trouble with other stuff like Flutter and Electron.
- Similarly I got familiar with GitHub Codespaces for smaller projects [1b]. I've done live coding in an interview before (where I had to modify a simple Node project) and I would absolutely use containers/codespaces for anything like that these days [2]. You can spin one up straight from any GitHub repo page and they're easy to work with.
- Read the OWASP guidelines regularly for things like npm, Node, and Docker best practices. E.g. for Docker use the smallest image you can (Alpine) and use explicit Docker image tags [3].
- Review npm/python packages before installing them using socket.dev - it shows a full dependency security overview for things like env variable access, network calls, supply chain attacks, recent code ownership changes etc. You can also disable postinstall scripts globally as suggested by OWASP [4].

[1a] https://code.visualstudio.com/docs/devcontainers/create-dev-...
[1b] https://github.com/codespaces
[2] https://www.welivesecurity.com/en/eset-research/lazarus-luri...
[3] https://cheatsheetseries.owasp.org/cheatsheets/NodeJS_Docker...
[4] https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_...
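An added example (not the commenter's code) that audits a checkout for two of the habits above: unpinned or `latest`-tagged Docker base images, and npm packages whose manifests declare install-time lifecycle scripts (what an `ignore-scripts=true` setting in `.npmrc` blocks). The Dockerfile, package manifests and `.npmrc` contents are constructed inline.

```python
"""Audit a dev setup for pinned Docker base images and npm install-time scripts."""
import re

# Constructed sample Dockerfile: one pinned, one untagged, one 'latest' base image.
DOCKERFILE = """\
FROM node:20.11-alpine3.19
FROM python
FROM ubuntu:latest AS builder
"""

# Constructed sample package.json contents as found under node_modules/<name>/.
MANIFESTS = {
    "left-pad": {"version": "1.3.0", "scripts": {"test": "node test"}},
    "evil-dep": {"version": "0.0.1", "scripts": {"postinstall": "node setup.js"}},
}

# Constructed sample .npmrc with lifecycle scripts disabled (OWASP recommendation).
NPMRC = "ignore-scripts=true\nsave-exact=true\n"

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)

def unpinned_base_images(dockerfile: str) -> list[str]:
    """Return FROM images lacking an explicit tag/digest or using the mutable 'latest' tag."""
    bad = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image = m.group(1)
        if "@sha256:" in image:
            continue  # digest-pinned: immutable, nothing to flag
        last = image.split("/")[-1]  # ignore registry host:port such as myreg:5000/
        tag = last.rsplit(":", 1)[1] if ":" in last else None
        if tag is None or tag == "latest":
            bad.append(image)
    return bad

def install_scripts(manifests: dict) -> dict[str, dict[str, str]]:
    """Map package name -> lifecycle scripts that would execute at install time."""
    found = {}
    for name, manifest in manifests.items():
        hooks = {k: v for k, v in manifest.get("scripts", {}).items() if k in INSTALL_HOOKS}
        if hooks:
            found[name] = hooks
    return found

def scripts_ignored(npmrc: str) -> bool:
    """True when the npm config disables lifecycle scripts globally."""
    return any(re.fullmatch(r"\s*ignore-scripts\s*=\s*true\s*", l) for l in npmrc.splitlines())

if __name__ == "__main__":
    print("unpinned base images:", unpinned_base_images(DOCKERFILE))
    print("install-time scripts:", install_scripts(MANIFESTS))
    print("ignore-scripts set:", scripts_ignored(NPMRC))
```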