
The universe is change;
our life is what our thoughts make it.
- Marcus Aurelius

Secure Remote Development with VS Code

Microsoft recently released an exciting set of capabilities that allows a locally running instance of VS Code to attach to a remote VM or container that serves as the development environment. You keep the benefit of authoring code in a locally running instance of VS Code while moving the compute to a remote host that provides the power and unique configuration settings for your project. Over the weekend I set up a VM in both Azure and DigitalOcean as a test for using the Remote - SSH extension. Microsoft's getting started instructions were clear and easy to follow, but a bit loose on security - notably leaving port 22 exposed publicly for SSH. This gave me the chance to try out Cloudflare Access and Argo Tunnel for zero-trust security with SSH.

Automated Dependency Updates with Renovate

Keeping project dependencies up to date helps ensure application security and reliability. Using Components with Known Vulnerabilities is the ninth of the OWASP Top 10 Application Security Risks, whose impact statement mentions "some of the largest breaches to date have relied on exploiting known vulnerabilities in components". According to Contrast Security, "applications commonly use 30 or more libraries, which can comprise up to 80% of the code in an application". A 2017 study by North Carolina State University found that "projects with automated pull requests made 60 percent more of the necessary upgrades than projects that didn't use incentives". Renovate Bot, a solution that enables this type of automation, was purchased by WhiteSource this week, who open sourced the tool for free 🍺. Yesterday I gave it a try and found it very easy to add to projects in Azure DevOps.