Thursday, 26 January 2023

Show HN: Coder Guard – Protect Your IDE from Malicious Extensions https://bit.ly/3kM4Gg8

Show HN: Coder Guard – Protect Your IDE from Malicious Extensions There is a growing problem with VSCode extensions: - they're not sandboxed (yet) - just like double-clicking an .exe file - they don't have a permission model - they auto update - they have built-in persistence - they are installed on developer machines with high-value credentials The recent CircleCI and LastPass incidents were both suspected to originate from a compromised developer machine - which is becoming every organization's Achilles heel in terms of cyber posture So I've been working on a way to help mitigate some of these risks Right now, only an MVP of a "CLI" is available: $ code --list-extensions --show-versions | curl --data-binary @- https://bit.ly/3Hzwhdt Which will list your installed extensions with some enriched information to vet their trustfulness But much more detailed threat intel will be shown in the upcoming website and extension, including - Behavioural data gathered from running the extension on an instrumented sandbox environment - The ability to define policies to allow or block extension installs/updates, based on your specific risk appetite For updates, sign up at https://bit.ly/3Hzwj55 or follow https://twitter.com/coderguard The reason I'm posting this now is because I'd like to get some feedback in order to course-correct to make sure what I build actually solves people's problems I'd be happy to read any comments, or answer any questions January 26, 2023 at 07:49AM

No comments:

Post a Comment