Jaa


Best practices for security in VSPackages

Applies to: yesVisual Studio noVisual Studio for Mac

Note

This article applies to Visual Studio 2017. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation. We recommend upgrading to the latest version of Visual Studio. Download it here

To install the Visual Studio SDK on your computer, you must be running in a context with administrative credentials. The basic unit of security and deployment of a Visual Studio application is the VSPackage. A VSPackage must be registered by using Visual Studio, which also requires administrative credentials.

Administrators have full permissions to write to the registry and file system, and to run any code. You must have these permissions to develop, deploy, or install a VSPackage.

As soon as it is installed, a VSPackage is fully trusted. Because of this high level of permission associated with a VSPackage, it is possible to inadvertently install a VSPackage that has malicious intent.

Users should ensure that they install VSPackages only from trusted sources. Companies developing VSPackages should strongly name and sign them, to assure the user that tampering is prevented. Companies developing VSPackages should examine their external dependencies, such as web services and remote installation, to evaluate and correct any security issues.

For more information, see Secure coding guidelines for the .NET Framework.

See also