Skip to content

Latest commit

 

History

History
80 lines (61 loc) · 7.94 KB

mitigations.md

File metadata and controls

80 lines (61 loc) · 7.94 KB

Mitigation Strategies Analysis for adobe/brackets

Mitigation Strategy: Regular Dependency Auditing and Updating (Within Brackets and Extensions)

  • Description:

    1. Identify Dependencies: Examine the package.json file in the Brackets source code (and any installed extensions' package.json files) to list all dependencies and their versions. This is done within the Brackets installation directory.
    2. Check for Updates: Use npm outdated (or yarn outdated, if applicable) in the Brackets source directory and each extension directory to identify newer versions of dependencies. This command is run within the context of the Brackets installation.
    3. Prioritize Updates: Focus on updating dependencies with known security vulnerabilities (CVEs). Use resources like the National Vulnerability Database (NVD) or Snyk's vulnerability database to research vulnerabilities.
    4. Test Thoroughly: After updating any dependency within Brackets or an extension, thoroughly test Brackets and all extensions to ensure no functionality is broken. This testing is done using the modified Brackets installation.
    5. Document Changes: Keep a record of all dependency updates, including the versions before and after, the reason for the update (e.g., CVE number), and the results of testing. This documentation should be associated with the specific Brackets installation.
    6. Repeat Regularly: Perform this audit and update process on a regular schedule (e.g., monthly, or before each major release).

  • Threats Mitigated:

    • Dependency Vulnerabilities (High Severity): Exploitation of known vulnerabilities in outdated dependencies within Brackets or its extensions. Attackers can use publicly available exploits to gain control of Brackets, potentially leading to code execution, data exfiltration, or further system compromise.
    • Supply Chain Attacks (Medium to High Severity): Malicious code injected into a compromised dependency of Brackets or one of its extensions.

  • Impact:

    • Dependency Vulnerabilities: Significantly reduces the risk. Regular updates address known vulnerabilities, making exploitation much harder.
    • Supply Chain Attacks: Reduces the risk, but doesn't eliminate it. SCA tools can help detect known compromised packages.

  • Currently Implemented: (Hypothetical) Partially. Basic npm outdated checks are performed sporadically, but no formal process or SCA tool is used. Testing after updates is inconsistent. Documentation is minimal.

  • Missing Implementation:

    • Formal, documented process for dependency auditing and updating specifically within the Brackets installation and its extensions.
    • Use of a dedicated SCA tool.
    • Comprehensive testing (including automated tests) after each dependency update within Brackets.
    • Centralized vulnerability tracking and remediation related to the Brackets installation.

Mitigation Strategy: Strict Extension Vetting and Management (Within Brackets)

  • Description:

    1. Establish a Policy: Create a written policy that defines acceptable sources for Brackets extensions (e.g., only from the official Brackets registry, or only from specific, trusted GitHub repositories). This policy governs what extensions are allowed to be installed into Brackets.
    2. Source Code Review: Before installing any extension into Brackets, download its source code and manually review it. This review is performed before the extension is added to the Brackets installation. Look for:
      • Network Requests: Identify any external network connections the extension makes.
      • Dependencies: Examine the extension's package.json (if present) and apply the "Dependency Auditing and Updating" strategy to the extension itself, before installation.
      • Code Quality: Look for obvious security flaws.
      • Permissions: Does the extension request any unusual or excessive permissions within Brackets?
    3. Minimal Installation: Only install extensions that are absolutely necessary for the development workflow into the Brackets installation.
    4. Regular Review: Periodically review the list of installed extensions within Brackets and remove any that are no longer needed. This is done within the Brackets Extension Manager.
    5. Disable Auto-Update: If possible, disable automatic updates for extensions within the Brackets Extension Manager. Manually review updates before applying them to the Brackets installation.

  • Threats Mitigated:

    • Malicious Extensions (High Severity): Extensions with intentionally malicious code installed into Brackets.
    • Vulnerable Extensions (Medium to High Severity): Extensions with unintentional security vulnerabilities installed into Brackets.
    • Supply Chain Attacks (via Extensions) (Medium to High Severity): A compromised extension repository or a compromised dependency within an extension that is installed into Brackets.

  • Impact:

    • Malicious Extensions: Significantly reduces the risk by preventing the installation of untrusted extensions into Brackets.
    • Vulnerable Extensions: Reduces the risk by identifying and avoiding extensions with obvious vulnerabilities before they are installed in Brackets.
    • Supply Chain Attacks (via Extensions): Reduces the risk, but manual code review is not foolproof.

  • Currently Implemented: (Hypothetical) Partially. Developers are generally cautious about installing extensions, but there's no formal policy or code review process.

  • Missing Implementation:

    • Written extension policy governing installations into Brackets.
    • Formal code review process for all extensions before installation into Brackets.
    • Regular review of installed extensions within the Brackets Extension Manager.
    • Disabling of automatic extension updates (if possible) within the Brackets Extension Manager.

Mitigation Strategy: Live Preview Precautions (Within Brackets)

  • Description:

    1. Disable for Untrusted Code: When working with code from external, untrusted sources, disable the Live Preview feature within Brackets. This is a setting within the Brackets application.
    2. Use Alternative Preview Methods: Instead of Brackets' Live Preview, use a separate browser window to manually open and view the HTML files. This avoids running the code within the context of Brackets.
    3. Educate Developers: Ensure all developers are aware of the risks associated with Brackets' Live Preview and understand when and how to use it safely.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) via Live Preview (Medium to High Severity): Malicious JavaScript code in the project being previewed could potentially execute within Brackets, leading to data theft or other compromises.
    • Other Code Execution Vulnerabilities via Live Preview (Medium to High Severity): Vulnerabilities in the way Brackets handles Live Preview could be exploited by malicious code in the project.

  • Impact:

    • XSS via Live Preview: Significantly reduces the risk by preventing the execution of untrusted code within Brackets' Live Preview context.
    • Other Code Execution Vulnerabilities via Live Preview: Reduces the risk.

  • Currently Implemented: (Hypothetical) Partially. Developers are generally aware of the risks but may not always disable Live Preview for untrusted code.

  • Missing Implementation:

    • Formal policy and training on safe Live Preview usage within Brackets.
    • Clear guidelines on when to disable Live Preview within Brackets.