I think what we will (need) to see in the coming years is more security awareness wrt. development tooling and setup.
Like:
- always run all dev tools in a sandbox, including the compiler and language server
- properly secured (hardened) developer systems
- don't install software outside of sandboxes which is known to often be less careful with security vulnerabilities, like Steam (or games in general). Firewalls can help wrt. offline-only games, but due to things like DRM, invites, game updates etc. most modern game software is not offline-only.
- split CI into components; make sure the part which builds (and potentially deploys) artifacts doesn't run in the same sandbox as additional analysis tools. Potentially run different analysis tools in different sandboxes. Don't give CI sandboxes permissions to directly push to your repository etc. If a tool needs to be able to push to git, consider limiting its access to a specific folder or, if that is not possible, a submodule (which tbh. are annoying).
- Limit internet access of CI sandboxes as far as possible.
Sadly some of these things are quite cumbersome or even impossible to set up with (at least non-enterprise) GitHub.
Management at a former employer quite rightly freaked out when they realised that their devs on a certain subcontinent were routinely pasting their code into external web-based prettifiers to format it nicely...
Ha. I bet if you were so inclined you could harvest a gold mine of sensitive information by having a public website which did:
1. JSON prettifying
2. JWT decoding/verification (bonus for "paste your signing key and we will generate JWTs for you too!")
3. PEM <-> DER conversion
As per my sibling comment - we need easier/better CLI and/or offline GUI tools for simple stuff like this.
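As an added example (not posted by anyone in this thread, and not the tool mentioned below), here is the kind of offline helper the previous comments are asking for: the three "paste your secret into a website" tasks listed above, done locally with only the Python standard library and no network access. The JWT verifier deliberately accepts only HMAC algorithms and refuses `alg: none` and anything asymmetric rather than trusting the token header; the PEM/DER conversion is plain base64 framing. Sample inputs in the usage section are constructed for illustration.

```python
"""Offline JSON prettify, JWT decode/verify/sign, and PEM <-> DER conversion.

Added example: standard library only, never touches the network, so nothing
sensitive leaves the machine.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Tuple


def prettify_json(text: str, indent: int = 2) -> str:
    """Re-serialise JSON with indentation; key order is preserved."""
    return json.dumps(json.loads(text), indent=indent, ensure_ascii=False)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header and claims WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
    }


# Only symmetric HMAC algorithms are supported; the token is never allowed to
# pick 'none' or switch the verifier to a public-key algorithm.
_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def verify_jwt_hmac(token: str, key: bytes) -> bool:
    """Return True only if the signature is a valid HS* MAC under `key`."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    digest = _HMAC_ALGS.get(header.get("alg"))
    if digest is None:  # 'none', RS256, ES256, missing, ... are all rejected
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, digest).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token locally (the 'paste your signing key' use case)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


_PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem: str) -> Tuple[str, bytes]:
    """Return (label, DER bytes) for the first PEM block found in `pem`."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    body = re.sub(r"\s+", "", m.group(2))
    return m.group(1), base64.b64decode(body, validate=True)


def der_to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armour with the conventional 64-column lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    print(prettify_json('{"sub":"alice","roles":["dev"]}'))
    tok = sign_jwt_hs256({"sub": "alice"}, b"local-dev-key")
    print(tok, decode_jwt(tok), verify_jwt_hmac(tok, b"local-dev-key"))
    print(der_to_pem("CERTIFICATE", bytes(range(100))))
```

Run it as a script for a quick demo, or import the functions into a shell alias or a small `argparse` wrapper; the point is that the JSON, the token, the signing key and the key material never leave the host.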
Yeah, I use bloop personally which is great for this stuff.
I've never heard of it. Is there a webpage or source repo?