You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste - 2 years ago
Developers are becoming targets of choice for threat actors: by compromising a single developer, software backdoors and supply chain attacks can lead to the compromise of high-profile organisations. For instance, a recent campaign attributed to North Korea targeted prominent developers with malicious Visual Studio projects and browser exploits. At the same time, IDEs offer increasingly advanced features and deep integration in ecosystems, sometimes at the cost of basic security measures. They tried to counterbalance it by introducing new lines of defense (e.g., "Workspace Trust"), whose design led to a cat-and-mouse game to restrict access to sensitive attack surfaces while keeping most features available by default. In this talk, we present the state of the art of Visual Studio Code's security. We show its various attack surfaces and will demonstrate how they are impacted by real-world vulnerabilities. You will now think twice before opening third-party code in your IDE!
Newest jobs

Senior Digital Product Manager (m/w/d)
Hoffmann Group
·
today
München, Germany
Hybrid

Lead Architect eCommerce (x|f|m)
Sartorius
·
today
Göttingen, Germany
Hybrid

Senior C++ Engineer for our Ruby Agent team (m/f/x)
Dynatrace
·
today
Linz, Austria
Hybrid

Senior Code Module (.NET) Engineer (m/f/x)
Dynatrace
·
today
Linz, Austria
Hybrid
Related Videos