Security in Workspaces
Overview of the Boltic Workspaces security architecture, with guidelines to help you maintain security and minimize the risk of attack
Overview of workspace security
Boltic Workspaces is designed to be security hardened by default. Consequently, you will need to ensure that your software development practices do not risk reducing the security posture of your workspace.
This guide describes the way Boltic Workspaces keeps your development environment secure and provides some of the good practices that will help maintain your security as you work. As with any development tool, remember that you should only open and work within repositories you know and trust.
Environment isolation
Boltic Workspaces is designed to keep your workspaces separate from each other, with each using its own virtual machine and network.
Isolated virtual machines
Each workspace is hosted on its own newly built virtual machine (VM). Two workspaces are never co-located on the same VM.
Every time you restart a workspace, it's deployed to a new VM with the latest available security updates.
Isolated networking
Each workspace has its own isolated virtual network. We use firewalls to block incoming connections from the internet and to prevent workspaces from communicating with each other on internal networks. Workspaces are allowed to make outbound connections to the internet.
Authentication
You can connect to a workspace using a web browser or from VS Code.
Every time a workspace is created or restarted, it's assigned a new Boltic token with an automatic expiry period. This period allows you to work in the workspace without needing to reauthenticate during a typical working day, but reduces the chance that you will leave a connection open when you stop using the workspace.
Workspace connections
You can connect to your workspace using the TLS-encrypted tunnel provided by the Boltic Workspaces service. Only the creator of a workspace can connect to it. Connections are authenticated with Boltic.
Good security practices for your workspaces
Workspaces are designed to be security hardened by default. To help maintain this posture, we recommend that you follow good security practices during your development procedures:
- As with any development tool, remember that you should only open and work within repositories you know and trust.
- Before you add new dependencies to the workspace, check whether they are well maintained and whether they release updates to fix any security vulnerabilities found in their code.
Additional good practices
There are some additional good practices and risks that you should be aware of when using Boltic Workspaces.
Granting access through features
Certain development features can add risk to your environment. For example, commit signing, secrets injected into environment variables, authenticated registry access, etc., can all present potential security issues. We recommend that you only grant access to those who need it and adopt a policy of being as restrictive as possible.
Using extensions
Any additional VS Code extensions that you've installed can potentially introduce more risk. To help mitigate this risk, ensure that you only install trusted extensions, and that they are always kept up to date.
Using the terminal
The terminal in Boltic Workspaces is a powerful tool that can be used to install packages, run scripts, and more. However, it can also be used to run malicious code. We recommend that you only run commands that you trust, and that you avoid running commands from untrusted sources.