hello everyone and welcome back to the security repo podcast in this episode we're going to be touching on a subject that's really been affecting everyone lately and that's remote work particularly remote development environments since the pandemic nearly everyone has gone remote and even though that pandemic is hopefully in the past a lot of people aren't returning back to the work so what security implications does working from anywhere actually create and more importantly what can we do about it this is the exact topic that we're going to be covering with the next guests on our podcast veteran and Thomas are from code anywhere code anywhere is a cloud integrated development environment but that as you've got to find out means a whole lot more than just moving Visual Studio or whatever IDE you use into your browser and it introduces some security benefits that are particularly relevant in this new remote work world today we are joined by two guests first is veteran the CTO and co-founder of code anywhere he started working on this company alongside with their CEO and co-founder Ivan 12 years ago and they were the first in the cloud development environment market so they really have experience doing this long before anyone would have predicted the pandemic to happen and while code anywhere has really made some leaps and strides they are still working to bring their absolute Vision into reality vigrant is joined by Toma who is a very impressive individual and at the young age of just 22 is one of the lead developers and in charge of all the business to business Integrations at code anywhere but don't let that young number fool you Thomas is full with amazing knowledge that far surpasses his age and if I'm completely honest makes me feel quite adequate but without further Ado I want to dive straight into the conversation with myself my co-host Dwayne McDaniel Thomas edvarden I think everyone listening to this has some familiarity with local development environments and you're getting your local spun up uh that's not what y'all do you're from code anywhere why don't you just give us a very high level overview of like what is code anywhere yeah sure so code anywhere started as basically a browser ID 12 years ago I think and yeah whether or not here is the CTO and co-founder of code anywhere and his idea basically was to just allow everyone anyone to code anywhere so you could connect via FTP or SSH into your basically production servers then and then just code using the browser ID but their Vision was basically to allow anything you want to be coded in the cloud and their Vision actually shifted a bit because it now isn't just a browser ID and the browser ID is just a commodity would say uh the main like power before behind our platform is the actual Cloud development environments because Cloud development environments allow you to actually run any kind of code in the cloud and you can connect to that cloud development environment via any ID that can support SSH so for example jetbrains IDs and vs code out of the box support SSH connections and the browser ID is just there for convenience would say so we don't really rely lie so much on the browser let's say programming component but we actually emphasize the power of your code running in the cloud in the security basically of of your code running in the cloud um I want to dig into something said out uh there because I think that's a little bit of confusion in the market right now uh you made a distinction between a cloud development environment and a cloud IDE um can you define that a little bit better yeah sure so it actually is one of the main I'd say like blurry lines between just a cloud ID and just and the cloud development environment so the ID part of it is just the interface it's just an ID with I don't know file explorer type in your code and that's it save a file and the cloud development environment part of it is where the actual code lives and where it's executed so the difference being is that you could have have a browser-based ID connected to your local file system I guess but the cloud-based development environment is much more powerful in a sense that you can have any code executed remotely in the cloud environment but as I said the cloud or browser-based ID is a commodity in a sense that you don't need it to code in the cloud development environment you could also code as I said in jetbrains and vs code as well and you wouldn't say that jetbrains and vs code are cloud IDs because they're basically local local programs so it's very important to have the distinction between a cloud ID and the cloud development environment or CDs it's now basically popularly called so you're defining the IDE as the interface where you type where yeah actually interact with the code versus um like what's actually running bash behind it what's actually executing the well the executable you're writing yeah yeah definitely yeah yeah so the ID just an interface the development environment everything behind it's everything that's running the code does this kind of help solve the problem too of the typical it worked on my machine issues I mean one of the one of the main reasons why everyone should be moving towards uh you know a cloud development environment what are the benefits compared to running it yeah so I'm actually glad you phrased it that way because I I had a series of talks last year that conference is called solved but it works in my machine problem with cdes so uh actually CDs are I'd say the most powerful tool to battle the it works on my machine problem uh because the it works on my machine problem stems from from the fact that your machine and my machine are very very different you might have I don't know Java 10 installed I might have Java 12 but we need Java 11 to run the project so it's a matter of how how you configure your development environment did you correctly configure it and can you run any other project and with CDs basically what they allow you to do is to have a development environment specifically tailored and configured for that specific project and not just the project the specific commit or feature that you're developing will have its own development environment so for example if you want to migrate your code from java 10 to Java 11 for example you don't want to uh break everyone's environment you just create a feature Branch for example and then in that feature Branch you would code on Java 11 and make the migration but if you want to code back again on the feature branch that has Java 10 it's pretty hard to configure that locally right you have to again uninstall 11 or configure again your environment to use 10 with Cloud development environments is just a matter of clicking a button and when you click the button we add basically code anymore what we do is we take the configuration of that environment and we spin up the environments tailored to that point of your project and the important thing here is actually to mention infrastructure as code so I know in in your blog post you talked a lot about IAC and how that's becoming more and more popular now and I see as a concept can be well translated into Cloud development environments where you you have a configuration that describes everything your project needs to be able to run on the cloud development environment so for example in this case we have I we would declare in the configuration that you need Java 10 for example and Java 10 I don't know postgres redis and anything you might need to run the project and then when you create the environment you are guaranteed that the environment will have Java 10 and redis and postgres so uh that basically eliminates the but it works on my machine problem completely because each developer is guaranteed to work on the same machine it's just a matter of that the machine is not on your machine it's on the cloud actually running so that's the uh something I run into time and time again back in my days when I was working with uh JavaScript a lot more the node the NVM problem of what version am I in did I remember to switch I'm starting to write bash scripts to tell me to switch As I switch branches it's starting to get really really really complicated uh so every time I'm getting a situation like that I'm like okay I just need to spin up a cloud environment and I'm really grateful for you guys um you know full transparency I've been a code anywhere fan for many years so I'm very excited to talk to you here today uh but this is a security podcast so I do want to steer the conversation in that direction um of course we talk about the benefits of all of this all day and yes definitely IAC um crossover that may be a good entry point in the security conversation but what are are there Security benefits to this approach versus the traditional local environment push into Dev environment honestly so I'd say that security is one of the main benefits uh two CDs along with the but it works on my machine problem elimination so security especially in large Enterprises that are very security heavy I I'd say that CDs are much more secure than your local environment so for example when running CDs there's no need for anyone's machine to have any git credentials any repo access any pipeline access from your local machine because all the code is executed and basically lives in the cloud all the credentials are stored inside the inside the CD so that means that there's no security risk in I don't know I leave my laptop for example in a cafe and someone steals it and goes through my laptop there's no code actually no company code ever touching my machine locally so another thing is that you can configure the security T of the CDs running inside the company to anything you like you can throw vpns on it firewalls whatever you want you can allow your employees to only access the CD inside a VPN inside the company so security is much more configurable and much more manageable when everything is running in the company cloud in the company infrastructure because then the company itself is responsible and can make all the security decision it can whereas where you have code living locally on your machine there's I think much more threat to and I don't know some malicious takeovers from phishing or for for example stuff like that just to play The Devil's Advocate a little bit here are there any additional security risks that this will bring and the one that kind of where my brain goes into this is that it sounds like we have a bit more of a central point of failure in the sense that developers have become real big targets for attackers we know that they're really targeting repositories or source code because they're secrets and other sensitive information in there I understand the points of configuration but are there any risks that this could introduce with companies wanting to adopt it in terms of misconfigurations or Central points of failure we're now an attacker compromise the developer account but has access to you know everything yeah so I I add on that there is definitely a additional security uh risk that is um not present in traditional development environments that are on a physical computers and there is a blessed radius if someone compromises the cluster where all of those development environments are so as Thomas said there is a security benefit of not having anything locally but again if security is not adopted in the company's Cloud then there is a blast radius that that is much higher or larger than on a traditional development environments living locally I'd say that also I didn't mention that the benefit of CDs are also real-time collaboration where you can share the running CD instantly with anyone so for example I want to develop a feature that requires attention from the QA the PM and I don't know some designers you can instantly share your progress by enabling them to view a preview link for example of the running code or actually jump in real-time collaboration session really easily because then you could just connect the same CD and have real-time synchronization of files and code and such and with that I'd say that that can pose a more significant security threat if that isn't managed correctly if you allow developers to share the environment with anyone you can you can expose the their environments to some outside access it isn't isn't intentional so in that sense that's like the most direct I'd say security threat but as veteran mentioned if someone were to gain access to the entire cluster where the CDs reside it could pose a threat to Secrets being exposed from from users using that cluster oh right on so it sounds like if the security team is on top of it and they are already in uh using best practices and already implementing the right approaches this is going to help them spread those approaches to everyone consistently across the board but the downside is a misconfiguration once is now in this configuration for all uh I'd say that that is much more manageable because then you know that if your security team has everything covered you should be covered it lessens the risk of individual developers to to leak any secrets and such and I I'd say that there is one more point to all of this that tightens the security even more uh if you have this deployed inside your cluster you can actually restrict uh users from using any Docker images that are integrated from security you can only enable I don't know you can use Docker image from this tag because it has been completely vetted by security so that's another point that can reduce the maliciousness of code running in the CDs yeah I mean it's just it's just a comment is that of course I mean you're never going to have anything that eliminates all security considerations but if you centralize security you and you're trusting the security people with security and infrastructure people with infrastructure you know then that's a better situation then I think where a lot of organizations are if they're honest which is they're trusting their developers with security for a lot of things um so I think that I think that the approach is is definitely good but but of course we have to play devil Devil's Advocate so I'm glad I asked my questions left philosophy of uh that's just let the developer do it let's put them in charge uh the other thing um benefit I see uh is one of the bigger problems in code leakage out there that you know we know from our reports like state of secret sprawl um is people eventually push the wrong repo to the wrong remote sometimes that just happens this seems like it would cut that down significantly because you're no longer like using the git transport method to get from your computer to the other environment because you're already in the other environment do you see so I guess it's a question there kid you still multiple remote from there and or would just make more sense from a code anywhere thing just like all right this is where this one goes if you put it that way then developer can really do whatever he would do on his local computer so if if the security team for example restricts access to other git repositories then the probability that he will do such a thing uh is is less significant um but in in a way if a developer has access to other remotes he he can do that as well so the cloud environment doesn't restrict the developer in that in that sense again as Thomas said since the security centralized then it is much easier to restrict access to certain um certain systems that are not approved or undesirable so at the uh just to change it up a little bit at the start of this episode you mentioned that you're going to be talking about some products that are actually in in beta so I guess taking the opportunity now is what what's what's new on the horizon at code anywhere what what do you have in the lab that's uh ready to make its way into the world yeah so this new uh platform that we're releasing is heavily focused on these business to business cases because we believe that CDs should be become the number one standard for all software companies and not just software companies any company that has software developers inside because of the security implications because of the it works on my machine a problem elimination and because of actually cost efficiency because we we've seen that it's much more cost efficient to run these Cloud development environments than to let's say pay for the top of the line uh top of the line computers for develop developers and also this product is heavily get Centric I don't think we mentioned it so it's your repository is the central uh source of Truth for all the code that you have and the environments are spun up from the Repository uh and it's heavily based on IAC as we mentioned so not IEC like infrastructure as code but the IEC concept where you define everything as code translated into that configuration uh enabling the CDs to adapt to the to the project yeah yeah uh kind of yeah but we what we emphasize here is with the product is that we just want to make your local development better or just move the local development into the cloud and make the developer as efficient as possible we want to eliminate all the setup requirements all the time wasted for onboarding and stuff like that but to keep the the git flow the same as it was you push to get and then they get CI takes care of the rest but the development process is much much more efficient than before right on and so as we're wrapping things up here um I do have kind of a lengthier question because really two parts uh that's what I ask you since we have here about the onboarding process there's two sides of that equation from what I can see there is the onboarding a new employee into a company that's adopted Cloud CD Cloud development environments sort of got a fire truck outside give me a second um no worries so there's the first part which is uh onboarding employees to a company that's already fully adopted Cloud development environments like the benefits there we already talked about them a little bit but I'd just love to hear you enumerate it and the second one is how do you get started with this like what's the is there a path is there a Best practice you would say like I am new to Cloud development environments I would love to get involved and like make that start making that transition or at least put my toe in the water um so just talk about onboarding in general yeah so the first point of onboarding new employees into quote-unquote CD companies uh so onboarding here is really really easy and that's what we aim to offer with the platform where you just need to give repo access to the new employee and that's it they just need to push a button or paste the paste the URL into the platform and they get the environment set up right away and they can actually start coding right away whereas with the previous approach without CDs you have to get get them get credentials they have to read through pages of readme and documentation what they need to install locally and stuff like that so the process of like coming into the company to start encoding is just as simple as giving git credentials and pushing a button whereas with the previous approaches give get credentials read through the readme set try to set it up ask for help and then it goes on for a couple of days so the onboarding into CDs is really efficient and really really fast for new employees and for companies that want to adopt the CDE approach what we do we tend to do with our business to business Integrations is we ask for them to just dip a toe in the water give give access to one of the teams that has a containerized project already uh because we didn't actually mention it before code anywhere as a platform is based on dev containers from Microsoft and Dev containers are heavily based on Docker and Docker compose so if you have a containerized application it really will make the process of in of transitioning into CD is actually a lot faster so just give it to one team they can play around try to set it up if it works out for them you scale it up to the rest of the company if if it's not your cup of tea we then try to communicate with the team and with the company was what went wrong and can we help to adapt it but most of the companies we've reached out to and the companies that reached out to us were really really satisfied with the onboarding of new employees and with the efficiency it brings because once you get used to it you just don't go back because it's so so efficient and fast we're coming to the end of of the podcast here it's been it's been really fascinating but I did have one last question to start wrapping it up is you called code from anywhere so I'm curious whereabouts are you guys coding from uh at the moment so we're actually both in Croatia I'm in Zagreb currently and Veteran is in Split uh so because it's code anywhere we actually tried to code from anywhere so there's no Central HQ where it's scattered all around the world so we actually code from anywhere a quick follow-up on that do you guys keep stats on um where people are phoning home from like oh what's the strangest place you've seen someone like code from I don't think we actually we could could actually find a metric for that that wasn't the question that's been raised from our side but I'd say the the interest an interesting anecdote from my side is that a couple of months ago I had to send my laptop to for a keyboard fix so I just plug my phone into a monitor and coded from code anywhere for a couple of days so I think that's a that's a cool feature of having your browser ID and connect it into a CD that that I think should be a story on your front page code yeah all right well thanks so much for being a part of the security repo podcast um I sure learned something today and yeah if you're out there thinking about making this jump and especially if you're in the process of migrating to Cloud this seems like a perfect fit and a perfect time to start embracing the future because well this isn't really the future this is the now um doing things locally in those manual setups that just seems kind of dated at this point so thanks for being part or tell us about this exciting future and for being here thank you for having us thank you for having us