TL;DR – Yes, we are getting there, and we ❤️ them already!
Web-based IDEs such as GitHub and Visual Studio Codespaces (originally Visual Studio Online) and Gitpod, which is based on Eclipse Theia, now offer a desktop-quality development environment entirely in a web browser. Developers and security analysts can work with different applications, and even multiple versions of the same application, as browser tabs on their tablets or Chromebooks.
The idea of having development workspaces in the cloud is not new, though. Data scientists and engineers are used to having their Jupyter notebooks and SageMaker experiments in the cloud (remember Cloud9?). Cloud workspaces increase productivity by offering:
- scalable and on-demand computing power
- reduced setup time with error-free repetition
- ability to share and collaborate with teams effortlessly
In this blog, let’s look at some barriers that affect the wider adoption of cloud workspaces and identify areas where the cloud and security vendors like ShiftLeft could work together to help address these concerns.
Cloud computing has an unfortunate reputation of being too expensive (and insecure, which is covered in a later section). I have heard horror stories from a number of CIOs and CTOs about cloud computing mistakes and failed cloud migration programs, those that end up being 2–3x more expensive than their legacy data-center-based IT, requiring creative cover-ups or layoffs. So, naturally, offering cloud workspaces to all developers and architects should not make financial sense, right?
Let’s look at three personas on a typical product team:
- a hard-working DevOps engineer who spends 6 hours of every working day on technical tasks and the rest in meetings and discussions
- a lead engineer or a security analyst who spends an average of 3 hours per day on technical reviews and tests
- an architect or a product owner who spends less than an hour per day
Assuming a person needs 2 or 3 such workspaces in parallel, it is immediately evident that for occasional use cases such as peer reviews or security analysis, cloud workspaces are far cheaper than offering corporate laptops such as ThinkPads and Macs.
To add some further perspective, I am writing this blog on a 16" MacBook Pro that cost upwards of $4,000! My role as the Lead Architect at ShiftLeft simply doesn’t require such expensive hardware. Sorry!
Prices are still significant (even with the new Visual Studio Codespaces pricing) for engineers and DevOps staff requiring full-time access. Gitpod has a professional edition for teams at €23 per month per user, which is a bit on the higher end for occasional users. The cheaper personal edition is quite nice but lacks enterprise features.
In short, the cost barrier needs some thinking from the vendors. Perhaps Gitpod could reduce the price along with the included usage hours and pitch it as a security feature?
Ease of deployment/rollout
Gitpod supports GitHub OAuth-based integration for free and personal users. For enterprises, there is support for repository hosts such as GitHub Enterprise and GitLab. In addition, any public repo can be opened by simply prefixing its URL with https://gitpod.io/#. Visual Studio, on the other hand, uses the Azure subscription and single sign-on and is hence a bit easier for self-registration, as long as organizational policies permit the use of Visual Studio Online.
The base editor environments offered are quite full-featured and come pre-installed with useful extensions and support for multiple languages. Configuration of workspaces is a bit involved, though: it is repo-specific and uses vendor-specific configuration. Visual Studio Online uses `.devcontainer.json`, with broad support for container images. Gitpod uses a `.gitpod.yml` configuration with a limited number of supported Linux images, Alpine and Ubuntu/Debian for now.
Deployment options for workspace creation and organizational rollout are quite mature and straightforward with both Codespaces and Gitpod.
Finally, we have the dirty S word! There are two kinds of security most enterprises would be quite keen on: securing the workspace against unauthorized access, and ensuring the security of the code that gets developed in this fashion. In other words, security of the workspace and security in the workspace.
Security of the workspace could be enhanced by:
- Blocking access from unknown IP or countries
- Mandating MFA for private repositories
- Alerts and monitoring support for administrators
Both Visual Studio and Gitpod offer a free self-hosted option that provides the convenience of a cloud workspace with some peace of mind for regulated industries. The ability to specify an idle timeout and to delete workspaces is both a security and a cost-saving feature, provided it can be enforced at the organization level.
Security in the workspace means giving the development and security teams confidence, by proving that the developer did not take any shortcuts or knowingly use vulnerable logic and dependencies while working in a cloud workspace. In short, proving that a secure development process was followed irrespective of the IDE used. This is something ShiftLeft can help with, given our expertise in building AppSec and DevSecOps products.
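The workspace-level controls listed above (source-IP or country restrictions, MFA for private repositories, alerts for administrators, and an enforced idle timeout) are easiest to reason about as a single policy check run over session records exported from the platform's audit log. The following is an added example written for this post; it is not code from Gitpod, Microsoft or ShiftLeft. The session records are constructed, and the field names (`source_ip`, `country`, `mfa`, `repo_private`, `last_activity`) are assumptions about what such an export would contain.

```python
"""Added example: evaluate cloud-workspace sessions against an access policy.

Illustrative code only, not a vendor API. The Session fields are assumptions
about what a workspace audit log would export, and SESSIONS is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class Session:
    user: str
    source_ip: str        # client address as seen by the workspace service
    country: str          # ISO 3166 country code resolved from source_ip
    mfa: bool             # whether the login completed a second factor
    repo_private: bool    # whether the workspace opened a private repository
    last_activity: datetime


@dataclass
class Policy:
    allowed_networks: List[str]   # CIDR allow-list (corporate egress ranges)
    allowed_countries: List[str]  # expected login countries
    idle_timeout: timedelta       # idle workspaces beyond this get deleted


def evaluate(session: Session, policy: Policy, now: datetime) -> List[str]:
    """Return the findings for one session; an empty list means compliant."""
    findings: List[str] = []
    ip = ip_address(session.source_ip)
    if not any(ip in ip_network(net) for net in policy.allowed_networks):
        findings.append("source IP outside allow-list")
    if session.country not in policy.allowed_countries:
        findings.append("login from unexpected country")
    if session.repo_private and not session.mfa:
        findings.append("private repo opened without MFA")
    if now - session.last_activity > policy.idle_timeout:
        findings.append("idle beyond timeout, eligible for deletion")
    return findings


def audit(sessions: List[Session], policy: Policy, now: datetime) -> Dict[str, List[str]]:
    """Map each user to their findings; compliant sessions are omitted so the
    result doubles as the alert list for administrators."""
    report: Dict[str, List[str]] = {}
    for session in sessions:
        findings = evaluate(session, policy, now)
        if findings:
            report[session.user] = findings
    return report


# Constructed policy: documentation ranges (RFC 5737) stand in for corporate egress.
POLICY = Policy(
    allowed_networks=["203.0.113.0/24", "198.51.100.0/24"],
    allowed_countries=["DE", "US"],
    idle_timeout=timedelta(minutes=30),
)
NOW = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed session records: one compliant, one risky login, one abandoned workspace.
SESSIONS = [
    Session("alice", "203.0.113.7", "DE", True, True, NOW - timedelta(minutes=5)),
    Session("bob", "192.0.2.44", "BR", False, True, NOW - timedelta(minutes=10)),
    Session("carol", "198.51.100.9", "US", True, False, NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    for user, findings in audit(SESSIONS, POLICY, NOW).items():
        print(f"{user}: {'; '.join(findings)}")
```

Running the block prints a finding list for `bob` (IP, country and MFA) and for `carol` (idle timeout) while `alice` is silent, which is the shape an administrator alert feed should take: only deviations, each tied to the control it violates.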
In short, security features and controls being offered are quite basic and need further improvements to gain wider adoption.
Call for collaboration
At ShiftLeft, we are big fans of cloud workspaces and have been following the space quite keenly. As a modern security company with expertise in building application security products that integrate seamlessly with the DevOps workflow, this shouldn’t come as a surprise. After publishing the Visual Studio Code extension for the ShiftLeft Scan platform, we immediately started focusing on porting our extension to Visual Studio Online and even Gitpod. Below is an early update for our fans and for the respective workspace teams at Microsoft and Gitpod.
We have made good progress in making Scan work with Visual Studio Codespaces. Most of the flagship features of Scan, such as CodeLens and the ability to navigate to the source code from the result window, are working.
There are some features that are not working quite well yet. We would love to work with the codespace and Gitpod teams to get these issues resolved!
What about Gitpod support?
ShiftLeft Scan currently works in a read-only mode, with the ability to display results produced from a terminal-based invocation. Eclipse Theia, despite being only at version 1.0, already has immense potential to become a great IDE by focusing on developer experience and performance.
With more developers, engineers, and security analysts working from home over the public internet, the need for securing and monitoring development activities such as code commits and downloads is clear. By bringing a great secure development experience right into the IDE and cloud workspaces, we continue to pursue our mission to secure every line of code, pull request, and application. With the right collaboration and support from the cloud vendors and from the community, we can make both the cloud workspaces and the applications developed using them secure.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Prabhu Subramanian. Read the original post at: https://blog.shiftleft.io/are-we-ready-for-cloud-workspaces-cc1f4c17593a?source=rss----86a4f941c7da---4