Digital transformation and cloud adoption have shifted infrastructure and configuration management to developers, significantly expanding their security scope beyond just application code.
Integrating security tools like static analysis and software composition analysis early in the development process reduces costs and keeps pace with agile iterations.
A significant portion of vulnerabilities are introduced through transitive dependencies, which developers are often unaware of but must now manage.
Attackers compromise developers using methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.
The popularity of VS Code and its vast, often open-source, extension marketplace create a large and under-researched attack surface for compromising developers.
A custom pipeline was built to download, extract, and run static and dynamic analysis on all extensions from the VS Code marketplace.
The Instant Markdown extension contained a path traversal vulnerability in its local web server, allowing an attacker to read arbitrary files from the user's machine.
An attacker can bypass browser CORS policy by tricking a user into downloading a malicious file and then using a path traversal vulnerability to trigger XSS on localhost, enabling file exfiltration.
The LaTeX Workshop extension allowed remote code execution by exploiting an insecure API call through its WebSocket server after brute-forcing the server port.
Developers can mitigate risks by using popular, maintained extensions, while maintainers should follow security best practices and promptly fix disclosed vulnerabilities.
49:00Marc Backes
44:11Raul Onitza-Klugman & Kirill Efimov
41:43Alexander Lichter
44:31Rob Richardson
41:22Daniel Roe
51:10Laurie Voss
36:39Thomas Konrad
54:44Marc Backes
Jobs that call for the skills explored in this talk.
Head-on Solutions GmbH
Nürnberg, Germany
Speech Processing Solutions
Vienna, Austria
