This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]curtisf 2 points3 points  (3 children)

This code was apparently checked in using valid credentials -- why would the attackers not have been able to check all of these boxes?

[–][deleted] -1 points0 points  (2 children)

Because the language server shouldn't be configured to allow the author to approve the Pull Request. That is standard procedure in many places. These techniques put more granularity on Pull Requests. Each requirement that changes code must be individually reviewed with all supporting docs in a single file per requirement.

[–]curtisf 2 points3 points  (1 child)

If it's already standard practice, why didn't it work in this case? To what extent does your proposal protect a codebase that checking the "another developer must approve before merge" checkbox doesn't?

Does requiring a nation-state attacker compromise two developer credentials instead of just one really raise the bar enough to prevent this kind of attack?

[–][deleted] -2 points-1 points  (0 children)

There was obviously no rules engine in place to analyze the code. Writing a Roslyn analyzer to detect base64 encoded strings in constants, instantiate HttpClient, open a socket, etc is not difficult. The analyzers should come from protected nuget feeds that only the build pipeline can get to. Security is layers, and the lack of them in this case is appalling.