Open Source Summit Europe 2024

For several years now we’ve heard the mantra of shifting left to move security as early as possible in the development process. The aim is to enable developers to understand and produce secure code right away. The primary method to support developers is to enhance their IDE with extensions which can identify security issues, highlight insecure code practices and handle integration with external services. VSCode is one of the most popular IDEs with a flourishing community of extensions for data manipulation, theming, programmatic language features and additional debugging functionality. There is a great deal of trust placed in these extensions so what would happen if an extension turned against you? This talk explores the supply chain risks associated with VSCode extensions, what is required to get an extension included in the marketplace and how simply we hand over control to an unknown third party. We will demonstrate what an adversary can achieve with a malicious extension and how it represents a future red team target from enumeration, persistence and execution.Lastly we’ll offer advice on how to prevent common attack paths.