By David Fiser (Senior Cyber Threat Researcher)
Threat Modeling for Online Coding Platforms
Before cloud integrated development environments (IDEs) became an option, you, the developer, typically needed to download and/or install everything you needed onto your own workstation. However, as DevOps gained traction and cloud computing usage grew, it became possible to code online as well. Convenient, yes, but are online IDEs secure? To answer this, we will focus on two popular cloud-based IDEs: AWS Cloud9 and Visual Studio Online.
In online coding, the IDE is rendered inside your browser. In the background, the browser's JavaScript engine uses WebSockets to initiate an SSH (Secure Shell) connection to your linked device [e.g., a virtual private server (VPS)], providing you with the familiar terminal interface to execute commands. The environment, meaning the linked cloud VM/VPS or SSH-accessible device, includes tool configurations (like which tokens are included, or cloud configuration files), a copy of the source code, compilers, and other tools that you want to use.
Figure 1. Local versus cloud-based IDE
The difference between local and cloud-based coding platforms is where the bulk of the environment resides. In cloud IDEs, the environment is a virtual machine instance inside your cloud provider. In terms of security, this means you are delegating trust to the cloud provider, but you remain responsible for not opening “backdoors” or introducing misconfiguration issues on the VM. If you use your own device with AWS Cloud9, you are responsible for configuring that device securely.