RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want onto Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

@GossiTheDog

They recently added a feature to control what publishers are allowed

https://code.visualstudio.com/docs/enterprise/policies

Centrally manage VS Code settings with policies

Enterprise policies in Visual Studio Code enable organizations to centrally manage settings for their development teams. This reference details the available policies and how to implement them.
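An added example, not part of the thread or of Microsoft's documentation: a defender-side audit that checks the output of `code --list-extensions --show-versions` against a publisher/extension allowlist shaped like the `extensions.allowed` setting the policy controls. The allowlist entries and the installed list are constructed, and the rule handling (booleans and pinned-version lists, most specific key wins, unlisted means blocked) is a simplifying assumption.

```python
# Added example: audit installed VS Code extensions against an allowlist.
# Keys are "*", a publisher ID, or a full "publisher.extension" ID.
# Assumption: only true/false and pinned-version lists are handled here.

# Constructed allowlist; publisher and extension names are placeholders.
ALLOWED = {
    "examplecorp": True,               # whole publisher allowed
    "examplecorp.legacy-tool": False,  # except this one extension
    "otherpub.formatter": ["2.1.0"],   # only this pinned version
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_INSTALLED = """\
examplecorp.linter@1.4.0
examplecorp.legacy-tool@0.9.2
otherpub.formatter@2.1.0
otherpub.formatter-extras@1.0.0
unknownpub.theme@3.0.0
"""

def parse_installed(text):
    """Yield (extension_id, version) from 'publisher.name@version' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue  # skip blanks and lines without a version
        ext_id, version = line.rsplit("@", 1)
        yield ext_id.lower(), version

def is_allowed(ext_id, version, allowed):
    """Most specific rule wins: extension ID, then publisher, then '*'."""
    publisher = ext_id.split(".", 1)[0]
    for key in (ext_id, publisher, "*"):
        if key in allowed:
            rule = allowed[key]
            if isinstance(rule, bool):
                return rule
            if isinstance(rule, list):
                return version in rule
            return False  # unsupported rule type: fail closed
    return False  # no matching rule: treated as not allowed

def audit(installed_text, allowed):
    """Return installed 'id@version' entries the allowlist does not permit."""
    return [f"{e}@{v}" for e, v in parse_installed(installed_text)
            if not is_allowed(e, v, allowed)]

if __name__ == "__main__":
    for violation in audit(SAMPLE_INSTALLED, ALLOWED):
        print("not allowed:", violation)
```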

@ConanChiles @GossiTheDog And here I am just thinking "An open repository system where you add allowed sources would have allowed for better control from the start"