Secure IDEs in the software supply chain

At the JFrog SwampUp conference, Iben snagged some time with Coder to check out their developer IDE. After joking that “Oh ho, a sales guy doing a demo!” Iben got into 

– “Why do I need this? I just run VS Code on my laptop…” 

Imagine you hire a new developer — “Consider the FNG” as Lane taught me — do you trust this new person to build their own dev environment as part of your secure software supply chain?

Do you understand the threat vector to your software supply chain? Managed, secure IDEs are an essential part of your secure software supply chain.

I don't need a secure, managed IDE -- do I?

We’ve all worked with that guy who has his desk ordered and cleaned, and you can’t touch anything. It’s his. This is also how some developers see their coding environment. When they move jobs, they lift-and-shift their environment. It’s their virtual desk. The order, or disorder, is key to their “flow” and their productivity.

Imagine hiring ten developers… you’ll have ten different coding environments. Integration becomes a significant cost of code. Politics and religion have nothing on the passion for tabs and spaces.

SJULTRA Coder Home page features

Ok, how does it work?

Iben learned the following key points:

  1. Coder allows running full VS Code in a browser, but most engineers prefer local IDEs for full keyboard shortcut support and access to the VS Code marketplace.
  2. Coder provides more compute power in the cloud compared to local machines, significantly speeding up build times.
  3. If the network connection is lost, data is still preserved in the workspace and you can reconnect without losing work.
  4. Coder integrates with JFrog to enable scanning for security issues directly in the workspace itself.
  5. Coder’s pricing model is $600 per user per year, with discounts for volume.
  6. The main target market is large enterprises who want self-hosted, secure solutions with data staying in their own environment.

Point #4 about the JFrog integration is key for our secure software supply chain.

If your developer IDEs are insecure and unmanaged, then your software supply chain is not secure.

Coder and JFrog = Secure Software Supply Chain

We know that security is about people, process, technology, and architecture — but if we just focus on the tools/tech bit, this is what works.

Managing your developer IDE/environments is part of your secure software supply chain: if you don’t have managed, secure IDEs, then us security auditor types @SJULTRA are going to knock points off your score.

The other key is to integrate something like Coder with something like JFrog Artifactory and X-Ray.

They “mark your homework” and they also never sleep. 

How can I try Coder?

The first thing to know about Coder is that it’s open source. You can host it yourself, on the cloud, or use their managed service.

You can kick Coder’s tyres here –> 

What is this secure software supply chain?

The answer to this, and the picture we can paint, depends upon your perspective. 

  1. If you’re an investor… you’d expect your investments to have a secure software supply chain: but do you actively interrogate them on this? 
  2. If you’re an insurer… if you provide cybersecurity insurance, which paragraph in your policy dictates requirements about software supply chain?
  3. If you’re an executive leader of a software company, when was the last time you spoke about secure software supply chains and “upstream bad actors”? What did you say?
  4. If you’re a developer, what do you do daily to secure the software supply chain?
  5. If you’re an open source library — what are you doing and what assurances do you give to downstream consumers?

People are often dismissive of SBOMs and other tools and techniques for securing the software supply chain: but this is real. The damage is bad. 

Can you consciously say you did your bit to secure the software supply chain?

And was it your use of Coder and a secure IDE?

Iben's chat with Coder at SwampUp