Salvato in:
Dettagli Bibliografici
Autori principali: Edirimannage, Shehan, Elvitigala, Charitha, Don, Asitha Kottahachchi Kankanamge, Daluwatta, Wathsara, Wijesekara, Primal, Khalil, Ibrahim
Natura: Preprint
Pubblicazione: 2024
Soggetti:
Accesso online:https://arxiv.org/abs/2411.07479
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866929588916977664
author Edirimannage, Shehan
Elvitigala, Charitha
Don, Asitha Kottahachchi Kankanamge
Daluwatta, Wathsara
Wijesekara, Primal
Khalil, Ibrahim
author_facet Edirimannage, Shehan
Elvitigala, Charitha
Don, Asitha Kottahachchi Kankanamge
Daluwatta, Wathsara
Wijesekara, Primal
Khalil, Ibrahim
contents With the wave of high-profile supply chain attacks targeting development and client organizations, supply chain security has recently become a focal point. As a result, there is an elevated discussion on securing the development environment and increasing the transparency of the third-party code that runs in software products to minimize any negative impact from third-party code in a software product. However, the literature on secure software development lacks insight into how the third-party development tools used by every developer affect the security posture of the developer, the development organization, and, eventually, the end product. To that end, we have analyzed 52,880 third-party VS Code extensions to understand their threat to the developer, the code, and the development organizations. We found that ~5.6\% of the analyzed extensions have suspicious behavior, jeopardizing the integrity of the development environment and potentially leaking sensitive information on the developer's product. We also found that the VS Code hosting the third-party extensions lacks practical security controls and lets untrusted third-party code run unchecked and with questionable capabilities. We offer recommendations on possible avenues for fixing some of the issues uncovered during the analysis.
format Preprint
id arxiv_https___arxiv_org_abs_2411_07479
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Developers Are Victims Too : A Comprehensive Analysis of The VS Code Extension Ecosystem
Edirimannage, Shehan
Elvitigala, Charitha
Don, Asitha Kottahachchi Kankanamge
Daluwatta, Wathsara
Wijesekara, Primal
Khalil, Ibrahim
Cryptography and Security
Software Engineering
With the wave of high-profile supply chain attacks targeting development and client organizations, supply chain security has recently become a focal point. As a result, there is an elevated discussion on securing the development environment and increasing the transparency of the third-party code that runs in software products to minimize any negative impact from third-party code in a software product. However, the literature on secure software development lacks insight into how the third-party development tools used by every developer affect the security posture of the developer, the development organization, and, eventually, the end product. To that end, we have analyzed 52,880 third-party VS Code extensions to understand their threat to the developer, the code, and the development organizations. We found that ~5.6\% of the analyzed extensions have suspicious behavior, jeopardizing the integrity of the development environment and potentially leaking sensitive information on the developer's product. We also found that the VS Code hosting the third-party extensions lacks practical security controls and lets untrusted third-party code run unchecked and with questionable capabilities. We offer recommendations on possible avenues for fixing some of the issues uncovered during the analysis.
title Developers Are Victims Too : A Comprehensive Analysis of The VS Code Extension Ecosystem
topic Cryptography and Security
Software Engineering
url https://arxiv.org/abs/2411.07479