
[New article]: How to safely run third-party code #43966

Open
Forgind opened this issue Dec 13, 2024 · 3 comments
Labels: discussion (issues that are being discussed), doc-idea (suggestions for new topics), Pri3, ⌚ Not Triaged

Comments

@Forgind
Member

Forgind commented Dec 13, 2024

Proposed topic or title

Executing Customer Code

Location in table of contents.

docs/core/tutorial? Not sure

Reason for the article

The easiest and most common way to hack a company is to convince someone with company credentials to do something risky. One example of that is following provided repro steps without fully understanding them, notably if they include downloading user code. This doc would provide information on how to stay safe while learning about customers' scenarios to help with their issues.

Article abstract

When customers discover issues with the .NET SDK, we often need more information to see how exactly their scenarios differ from the (presumably working) mainline scenarios. This additional information often takes the form of a 'repro' or set of steps by which we can see the error ourselves and walk through what is happening as their scenario plays out and how it ultimately diverged from our expectations.

Blindly executing unvetted customer code can be a security hazard, however, not just for the machine executing the code but for any machine on the same network and any service accessible using credentials they can access through those machines. In this way, a malicious actor can exfiltrate sensitive Microsoft data, including information about other Microsoft employees, proprietary code, or private customer data. They may even be able to take down a service or introduce further security bugs in shipping products. Indeed, the most common vector hackers use to gain access is through compromising one or more individual users with employee credentials. At Microsoft where security is paramount, we want to prevent such hacks.

This document contains recommended best practices on how to securely test users' code. They are arranged in order of security with the most secure at the top. This should also be the priority you should use to stay secure when executing code.

Relevant searches

I didn't do any searches, but I did make a PR here in the SDK repo that we'd ultimately like to bring to dotnet/docs if possible:
dotnet/sdk#45456

@Forgind Forgind added the doc-idea label Dec 13, 2024
@dotnetrepoman dotnetrepoman bot added the ⌚ Not Triaged label Dec 13, 2024
@gewarren
Contributor

@dotnet/docs Any thoughts on whether an article like this belongs in the .NET docs, and if so, where?

@adegeo
Contributor

adegeo commented Dec 31, 2024

Feels like patterns and practices.

@adegeo adegeo added the discussion label Dec 31, 2024
@gewarren
Contributor

gewarren commented Jan 7, 2025
