by Terretta
736 days ago
> Please don't be a dev with access to things my security depends on. Devs just want "Do Anything Now mode"; who doesn't? :) I doubt that at most shops VSCode extension security is considered differently from any other extensions or libraries used throughout the codebase. Almost nobody reads every line of their includes. (Sadly, but obviously.) If all your includes can come only from an artifact depot or mirror because your build system can't reach the Internet, and those only get there with a PR and code review, you're off to a good start. Operationalizing that to stay current with zero-day fixes and the like starts to be "a thing", which is why there's so much energy in software supply-chain security, through industry efforts like SLSA and GUAC and firms like https://www.kusari.dev/. Read a decent checkpoint and overview on this emerging ecosystem here (from 2022): https://security.googleblog.com/2022/10/announcing-guac-grea...