{"id":234007,"date":"2021-08-17T07:00:35","date_gmt":"2021-08-17T14:00:35","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/visualstudio\/?p=234007"},"modified":"2021-08-16T22:09:53","modified_gmt":"2021-08-17T05:09:53","slug":"improving-developer-security-with-visual-studio-2022","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/visualstudio\/improving-developer-security-with-visual-studio-2022\/","title":{"rendered":"Improving developer security with Visual Studio 2022"},"content":{"rendered":"<p>Software developers are increasingly being targeted by malware. Recent incidents include <a href=\"https:\/\/msrc-blog.microsoft.com\/2020\/12\/21\/december-21st-2020-solorigate-resource-center\/\">Nobelium<\/a>, <a href=\"https:\/\/securitylab.github.com\/research\/octopus-scanner-malware-open-source-supply-chain\/\">Octopus Scanner<\/a>, and <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/01\/28\/zinc-attacks-against-security-researchers\/\">ZINC<\/a>. To reduce the risk of open-source library adoption in the face of such attacks, developers need a toolchain that assists them in evaluating untrusted content.<\/p>\n<p>In Visual Studio 2022 we&#8217;ve been focused on developer and team productivity. Key to this is how the IDE can help developers evaluate the level of trust for code. 
Visual Studio Code recently introduced <a href=\"https:\/\/code.visualstudio.com\/docs\/editor\/workspace-trust\">Workspace Trust<\/a>, and today we\u2019ll discuss how Visual Studio 2022 is also redesigning its trust settings functionality, starting in Visual Studio 2022 Preview 3.<\/p>\n<p>The new Trust Settings functionality aims to raise awareness about the risks in handling unfamiliar code and helps protect against malicious actors who target scenarios ranging from opening content (e.g., repositories, solutions, projects and\/or files) to building and running applications with Visual Studio.<\/p>\n<p>While you will benefit from these security improvements out of the box, we\u2019ve made it a priority to provide organizations with the tools to centrally manage the experience to their needs.<\/p>\n<h2><strong>A trip down memory lane<\/strong><\/h2>\n<p>To provide the feature-rich experience of the Visual Studio IDE, a project system first needs to evaluate the contents you are about to open. This process \u2013 based on <a href=\"https:\/\/github.com\/dotnet\/project-system\/blob\/main\/docs\/design-time-builds.md\">design-time builds<\/a> \u2013 helps us identify the project structure and its dependencies, and is essential for many of the great features we offer such as code navigation and IntelliSense.<\/p>\n<p>However, from a threat evaluation perspective, building code is equivalent to execution: project files are themselves programs, and any target or task they declare runs with your privileges as soon as the design-time build evaluates them. 
This means that a malicious actor can craft a project where <em>simply<\/em> <em>opening<\/em> it inside Visual Studio executes their code, turning a clone or a downloaded sample into an attack vector against you or your company.<\/p>\n<p>Back in Visual Studio 2002, we introduced a content trust prompt. When you attempted to open a project from a location that was not previously trusted, the warning dialog would let you know and mention the implications of opening untrusted code.<\/p>\n<p><img decoding=\"async\" width=\"414\" height=\"220\" class=\"wp-image-234032\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-7.png\" alt=\"Graphical user interface, text, application Description automatically generated\" srcset=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-7.png 414w, https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-7-300x159.png 300w\" sizes=\"(max-width: 414px) 100vw, 414px\" \/><\/p>\n<p>In Visual Studio 2015, we extended trust coverage to items outside the project scope and used the \u201cmark of the web\u201d (the Zone.Identifier stream that browsers attach to downloaded files) as the trust indicator for those items. While this was a reasonable decision at the time, the mark is applied inconsistently (a git clone, for instance, never sets it on the files it writes), which undermined designs that relied on it as a trust signal.<\/p>\n<p>With the widespread adoption of open-source software, there\u2019s been a shift in how most developers obtain and consume project samples. While this allowed us to create great new experiences, it also brought new security considerations.<\/p>\n<p>With Visual Studio 2022, we want to help you safely browse and edit code no matter the source or author. 
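<p>The following Python script is an added illustration for this post, not code from Visual Studio or from the post itself: it audits the MSBuild files in a checkout for the constructs that execute code during a design-time build (Exec tasks, inline-code task factories, task assemblies and imports from outside the tree), which is the inspection a practitioner would want to do before trusting a folder or repository. The two embedded project files are constructed samples; the target names, hook names and paths they contain are part of those samples only and do not describe any real repository.<\/p>

```python
"""Audit MSBuild project files for constructs that execute code at build time.

Added example, not Visual Studio's trust logic. A design-time build evaluates
the project and runs its targets, so opening an untrusted .csproj is enough to
execute whatever those targets declare. Listing the constructs that can run
arbitrary code lets you inspect them before trusting the content.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# File types MSBuild evaluates when a project is loaded.
PROJECT_GLOBS = ('*.csproj', '*.vbproj', '*.fsproj', '*.proj', '*.props', '*.targets')
# Task factories that compile source embedded in the project file itself.
INLINE_TASK_FACTORIES = {'CodeTaskFactory', 'RoslynCodeTaskFactory'}
# UNC, absolute or URL import paths: the imported file is evaluated with the
# same privileges as the project but lives outside the tree you are reviewing.
OUTSIDE_TREE = re.compile(r'^(\\\\|//|[A-Za-z]:[\\/]|https?://)')


def _local(tag):
    """Strip the optional MSBuild XML namespace from an element tag."""
    return tag.rsplit('}', 1)[-1]


def audit_msbuild_xml(xml_text, name='<inline>'):
    """Return findings (dicts with file, kind, detail) for one project file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = _local(elem.tag)
        if tag == 'Target':
            # A target wired in via BeforeTargets/AfterTargets/DependsOnTargets
            # runs whenever the hooked target runs; the design-time build runs
            # reference resolution and several other targets on project open.
            hook = (elem.get('BeforeTargets') or elem.get('AfterTargets')
                    or elem.get('DependsOnTargets') or 'none declared')
            for task in elem:
                if _local(task.tag) == 'Exec':
                    findings.append({'file': name, 'kind': 'exec',
                                     'detail': "target '%s' (hook: %s) runs: %s" % (
                                         elem.get('Name', '?'), hook,
                                         task.get('Command', '')[:80])})
        elif tag == 'UsingTask':
            factory = elem.get('TaskFactory', '')
            if factory in INLINE_TASK_FACTORIES:
                findings.append({'file': name, 'kind': 'inline-task',
                                 'detail': "UsingTask '%s' compiles inline code via %s"
                                 % (elem.get('TaskName', '?'), factory)})
            elif elem.get('AssemblyFile'):
                findings.append({'file': name, 'kind': 'task-assembly',
                                 'detail': "UsingTask '%s' loads %s"
                                 % (elem.get('TaskName', '?'), elem.get('AssemblyFile'))})
        elif tag == 'Import' and OUTSIDE_TREE.match(elem.get('Project', '')):
            findings.append({'file': name, 'kind': 'outside-import',
                             'detail': 'imports %s' % elem.get('Project')})
    return findings


def audit_tree(root_dir):
    """Audit every MSBuild file below root_dir (utf-8-sig copes with the BOM)."""
    findings = []
    for pattern in PROJECT_GLOBS:
        for path in sorted(Path(root_dir).rglob(pattern)):
            try:
                findings.extend(audit_msbuild_xml(path.read_text(encoding='utf-8-sig'), str(path)))
            except ET.ParseError as err:
                findings.append({'file': str(path), 'kind': 'unparseable', 'detail': str(err)})
    return findings


def needs_review(findings):
    """True when trusting the content would let build-time code run unseen."""
    return bool(findings)


# Constructed samples for illustration; they do not come from any real repository.
BENIGN_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
  <ItemGroup><PackageReference Include="Newtonsoft.Json" Version="13.0.1" /></ItemGroup>
</Project>"""

SUSPICIOUS_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="//build-share/common/Tooling.targets" />
  <UsingTask TaskName="Helper" TaskFactory="RoslynCodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)/Microsoft.Build.Tasks.Core.dll">
    <Task><Code Type="Fragment" Language="cs">System.IO.File.WriteAllText("marker.txt", "ran");</Code></Task>
  </UsingTask>
  <Target Name="Bootstrap" BeforeTargets="ResolveAssemblyReferences">
    <Exec Command="echo design-time build executed &gt; marker.txt" />
  </Target>
</Project>"""

if __name__ == '__main__':
    import sys
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else '.'):
        print('%s: %s: %s' % (f['file'], f['kind'], f['detail']))
```

<p>Run it against a fresh clone before opening the solution; an empty report does not prove the content is safe (a PackageReference can still pull in a package with its own build-time .targets, and NuGet restore runs those), but a non-empty one shows you exactly what would execute the moment the project loads.<\/p>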
To that end, we have overhauled our Trust Settings functionality and will provide an additional layer of security when trying to open content (e.g., solutions, projects, files, or folders) that wasn\u2019t previously defined as trusted. Our new functionality consists of two main components: <em>trusted locations<\/em> &amp; <em>restricted mode<\/em>.<\/p>\n<h2><strong>Trusted locations<\/strong><\/h2>\n<p>For <a href=\"https:\/\/devblogs.microsoft.com\/visualstudio\/visual-studio-2022-preview-3-now-available\/\">Visual Studio 2022 Preview 3<\/a>, you\u2019ll have to manually enable the \u201ctrusted locations\u201d feature. Once enabled, Visual Studio will detect if you are attempting to open untrusted content and will show a new dialog that warns you about the security implications:<\/p>\n<p><img decoding=\"async\" width=\"1075\" height=\"785\" class=\"wp-image-234033\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/a-screenshot-of-a-computer-description-automatica-6.gif\" alt=\"A screenshot of a computer Description automatically generated\" \/><\/p>\n<p>After enabling the feature, all content opened inside Visual Studio 2022 is considered untrusted until you or your organization (via Group Policy) adds it to the list of &#8220;trusted locations&#8221;. You can trust a folder location, a git repository or a git repository owner directly from the trust dialog or the trust settings dialog:<\/p>\n<p><img decoding=\"async\" width=\"1075\" height=\"785\" class=\"wp-image-234034\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/word-image-15.gif\" \/><\/p>\n<p>Security and usability are frequently at odds. Each developer views that tradeoff differently. 
For that reason, we are providing multiple workflow optimizations to reduce the number of trust-related prompts and thus help minimize unnecessary distractions to your workflow.<\/p>\n<p>For example, when you open a repository, the trust dialog will allow you to trust at the repository or repository owner level. This means that if you fully trust the owner of the repository (e.g., a repository developed by a trusted colleague or your organization), you can choose that option and never be prompted again when opening repositories from that owner. Note that trusting an owner is a broad grant: every repository that owner publishes in future, and every commit anyone with push access lands there, inherits the decision, so reserve it for owners you control or have a strong reason to trust. As a benefit of the Visual Studio sign-in experience, repository settings will roam with your account, helping streamline your experience regardless of where you use Visual Studio.<\/p>\n<p>We are excited about these new capabilities and are putting the final touches on enabling them by default in the next preview. In the meantime, you can enable them via <strong>Tools<\/strong> &gt; <strong>Options<\/strong> &gt; <strong>Trust Settings<\/strong> and checking the \u201cRequire a trust decision before opening content\u201d option:<\/p>\n<p><img decoding=\"async\" width=\"2141\" height=\"483\" class=\"wp-image-234035\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-8.png\" alt=\"Graphical user interface, text, application Description automatically generated\" srcset=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-8.png 2141w, https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-8-300x68.png 300w, https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-8-1024x231.png 1024w, 
https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-8-768x173.png 768w, https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-8-1536x347.png 1536w, https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-text-application-descr-8-2048x462.png 2048w\" sizes=\"(max-width: 2141px) 100vw, 2141px\" \/><\/p>\n<h2><strong>Restricted mode<\/strong><\/h2>\n<p>Making a trust decision about source code is hard and frequently entails manual code inspection. To assist in this scenario, we are introducing a Visual Studio mode to browse and edit untrusted code.<\/p>\n<p><img decoding=\"async\" width=\"787\" height=\"497\" class=\"wp-image-234036\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-application-description-6.png\" alt=\"Graphical user interface, application Description automatically generated\" srcset=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-application-description-6.png 787w, https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-application-description-6-300x189.png 300w, https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-application-description-6-768x485.png 768w\" sizes=\"(max-width: 787px) 100vw, 787px\" \/><\/p>\n<p>While this mode won\u2019t include features that require design-time builds (e.g., code analyzers, visual designers, etc.), it will allow you to open and inspect untrusted code safely (that is, without evaluating or building the project, so none of its build logic runs on your machine), and help you make an informed decision towards trusting content and enabling the full Visual Studio experience. Restricted mode guards against code that runs on open; it does not vet what the code will do once you trust and build it, so the inspection it enables is still yours to perform.<\/p>\n<p>While restricted mode is not yet available in Visual Studio 2022 previews, it\u2019s coming very soon and we will share more information shortly.<\/p>\n<h2><strong>Enterprise management<\/strong><\/h2>\n<p>We\u2019ve made it our priority to provide organizations with the means to centrally manage their experience via Windows Group Policy. For example, an organization could restrict Visual Studio to a pre-approved list of trusted repositories and disallow trusting or opening content outside those boundaries.<\/p>\n<p><img decoding=\"async\" width=\"667\" height=\"425\" class=\"wp-image-234037\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-application-description-7.png\" alt=\"Graphical user interface, application Description automatically generated\" srcset=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-application-description-7.png 667w, https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2021\/08\/graphical-user-interface-application-description-7-300x191.png 300w\" sizes=\"(max-width: 667px) 100vw, 667px\" \/><\/p>\n<p>This functionality is already available in Visual Studio 2022 Preview 3 and we\u2019ll go over the details in a future blog post.<\/p>\n<h2><strong>Wrapping up<\/strong><\/h2>\n<p>We are excited about these new features and can\u2019t wait until they\u2019re all available for you to try out!<\/p>\n<p>Let us know what you think about the experience, what new features you would like to see supported and how we can further improve things to better fit your workflow! 
Send us your feedback via the <a href=\"https:\/\/developercommunity.visualstudio.com\/\">Developer Community<\/a> portal, or via the <strong>Help<\/strong> &gt; <strong>Send Feedback<\/strong> feature inside Visual Studio.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Software developers are increasingly being targeted by malware. Recent incidents include Nobelium, Octopus Scanner, and ZINC. To reduce the risk of open-source library adoption in the face of such attacks, developers need a toolchain that assists them in evaluating untrusted content. In Visual Studio 2022 we&#8217;ve been focused on developer and team productivity. Key to [&hellip;]<\/p>\n","protected":false},"author":1092,"featured_media":234012,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[155],"tags":[1402,6831,6830,6828,6829,6815],"class_list":["post-234007","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-visual-studio","tag-enterprise","tag-group-policy","tag-restricted-mode","tag-security","tag-trust","tag-visual-studio-2022"],"acf":[],"blog_post_summary":"<p>Software developers are increasingly being targeted by malware. Recent incidents include Nobelium, Octopus Scanner, and ZINC. To reduce the risk of open-source library adoption in the face of such attacks, developers need a toolchain that assists them in evaluating untrusted content. In Visual Studio 2022 we&#8217;ve been focused on developer and team productivity. 
Key to [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/posts\/234007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/users\/1092"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/comments?post=234007"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/posts\/234007\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/media\/234012"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/media?parent=234007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/categories?post=234007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/tags?post=234007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}