[New article]: How to safely run third-party code #43966
Labels: discussion, doc-idea, Pri3, Not Triaged
Proposed topic or title
Executing Customer Code
Location in table of contents
docs/core/tutorial? Not sure
Reason for the article
The easiest and most common way to hack a company is to convince someone with company credentials to do something risky. One example of that is following provided repro steps without fully understanding them, notably if they include downloading user code. This doc would provide information on how to stay safe while learning about customers' scenarios to help with their issues.
Article abstract
When customers discover issues with the .NET SDK, we often need more information to see how exactly their scenarios differ from the (presumably working) mainline scenarios. This additional information often takes the form of a 'repro' or set of steps by which we can see the error ourselves and walk through what is happening as their scenario plays out and how it ultimately diverged from our expectations.
Blindly executing unvetted customer code can be a security hazard, however, not just for the machine executing the code but for any machine on the same network and any service accessible using credentials reachable from those machines. In this way, a malicious actor can exfiltrate sensitive Microsoft data, including information about other Microsoft employees, proprietary code, or private customer data. They may even be able to take down a service or introduce further security bugs in shipping products. Indeed, the most common vector attackers use to gain access is compromising one or more individual users who hold employee credentials. At Microsoft, where security is paramount, we want to prevent such compromises.
This document contains recommended best practices on how to securely test users' code. They are arranged in order of security, with the most secure at the top. That ordering is also the priority to follow when deciding how to execute customer code.
Relevant searches
I didn't do any searches, but I did make a PR here in the SDK repo that we'd ultimately like to bring to dotnet/docs if possible:
dotnet/sdk#45456