How do large companies protect their source code?


Source code theft is a problem for any company that develops its own software products. Massive corporations such as Apple, Facebook, Google and Microsoft have all suffered from this issue over the years. So, source code theft is not something that only strikes startups and SMEs. In this post we will look at how the giants of Silicon Valley protect their intellectual property.

How does Apple protect its source code?

Apple, by reputation, are a very secretive company. They are highly protective of their intellectual property. They have sued other corporations, like Samsung, for patent infringement in the past.

Apple aggressively pursue any infringement of their patents. But despite beating Samsung in court, they couldn’t protect themselves from an internal threat.

Not too long ago an intern accidentally leaked the source code for iBoot on GitHub. The code was initially only shared between a very tight group of friends active in the iPhone jailbreak community. But soon it found its way onto the internet and the genie was out of the bottle. Although the code was old, from iOS 9, it could still be of use to hackers who could weaponize the information. Apple stated that they knew about the leak before it hit GitHub. But even they could not prevent the leak from hitting blogs and news sites all over the world. The incident caused some embarrassment for the company, but it could have been a lot worse.

A few years ago, Apple CEO Tim Cook stated that Apple were “doubling down on secrecy”. Since then the Apple global security team has grown. Most governments would be envious at the resources at their disposal!

Tim Cook has blamed product leaks for poor sales of iPhones. Which prompted the expansion of the security team. To prevent product leaks to blogs, security at Apple’s factories in China screen 3 million people per day for stolen parts. Apple’s factory security is now so effective that more leaks come from Cupertino than China.

Despite this mammoth security process, a low-level employee still managed to share vital source code with a few friends. Which shows how vulnerable all companies are to internal threats.

How does Google protect its source code?

Google has traditionally embraced open source development, making a most of the code they use available online. However, this does not mean that they do not jealously guard their secrets. The Android operating system, despite what many people will tell you, is not completely open source. It relies on closed systems like Google Play Services to deliver a good experience to users. But the biggest secret of all at Google is the Google ranking algorithm that powers their search engine. Which is the foundation for everything Google does.

Next to nothing has leaked regarding the search algorithm. Former Googlers might now how it works and offer ranking tips but there has been no leak that shows explicitly how Google ranks websites. Due to patent law Google actually discloses a lot of its ranking technology, but the real secrets are only known to a chosen few at Mountain View.

Google protects its code in a number of different ways. Firstly, they use their own internal version of Google Plus for internal communication and audit trail purposes. Actual access to code is tightly controlled by physical security. Employees have to leave non-work devices in lockers and can only access Google code on their workstations. Also, the codebase Google is working on is huge. The entire Google codebase is said to be well over two billion lines of code. So even if small snippets were taken, they would be useless without the rest of the codebase and infrastructure that makes them work.

Despite this, Google take their code security very seriously. The legal repercussions to stealing anything from Google are severe. They have an investigations team, like Apple, and prosecute product and software leaks to the fullest extent of the law. Google also offers very generous restricted stock options to staff that would have access to trade secrets. So, it’s not really in anyone’s interest to steal as they would lose a lot of money.

Most of the leaks that have plagued Google in recent times have been cultural in nature. Employees have released memos and emails to the press to highlight what they feel is an overzealous culture of spying. The most famous case was that of James Damore. Despite what you may think about the politics of his memo, his insights into how Google investigated him were very interesting.

Mr Damore suspects he was being monitored after the memo he had written went viral.

“All the internal apps updated at the same time, which had never happened before. I had to re-sign in to my Google account on both devices and my Google Drive – where the document was – stopped working.”

He went on to say that the spying capabilities used by Google were highlighted in his contract. Damore also stated that they were a good thing for a company that gives staff access to “a lot of secret things…”.

In summary Google uses physical security, employee monitoring and stock options to protect its IP.

How does Microsoft protect its source code?

Microsoft, one of the historic giants of tech, have had issues with code becoming public over the years. Way back in 2004, elements of the Windows 2000 and Windows NT 4.0 source code leaked online. As Windows is so widely used, the security implications for this were staggering at the time. Access to such important source code could have given hackers the opportunity to attack the Windows operating system. Which is still the world’s most popular operating system for both business and individual users.

This was not the last incident of Microsoft leaking source code or, in one strange incident, giving source code away. In 2010 Microsoft struck a deal with the FSB, the Russian intelligence service, and gave them access to its Windows 7 source code. In some ways this was a slightly bizarre move for the company to make. It is very common for big tech companies to cooperate with government intelligence agencies, but it is a rare for an American company to give such direct access to a foreign intelligence operation. Although this is not a leak, it may have made the Windows platform less secure. With recent events on the world stage, this move makes even less sense now than it did at the time.

Like many companies, Microsoft has been affected by a malicious insider leaking their code. In 2014, Alex Kibalko was convicted of stealing trade secrets and sentenced to three months in prison for stealing and leaking Windows 8 code. This case made the news partly due to the way Microsoft tried to find out exactly who Mr. Kibalko had leaked the code to.

During this incident Microsoft scanned the Hotmail account of a blogger to try to find the identity of the Windows 8 leaker.

This caused as much embarrassment for Microsoft as the leak itself. Later they publicly admitted they had accessed the journalists’ email account. This also forced a changed to their wider Outlook privacy policy. But they still maintain the power to access an Outlook user’s email account if they have legal recourse to do so.

Microsoft will go to extreme lengths to protect their IP if they feel it’s threatened. Even if this results in bad PR.

How does Facebook protect its source code?

Like Google, Facebook has dealt with several “cultural” leaks in recent years. They are also one of the most aggressive Silicon Valley companies when it comes to protecting their IP. Again, in a similar way to Google, much of Facebook’s valuable technical IP lies within its algorithms. But they have been the victims of an external theft of source code.

Glenn Steven Mangham was imprisoned for two months for stealing Facebook source code in 2011. Although he never distributed the code, he managed to gain access to Facebook source code through hacking techniques. Mr. Mangham has always claimed that his reason for accessing the code was to inform Facebook of any vulnerabilities he discovered. But Facebook have argued that his motivations were not as pure as he has stated.

Facebook does run a “white hat” hacker program to help protect itself against internal threats. They have even hired hackers for their internal security team. As a company that holds a massive amount of personal data on its users, this is very prudent. But they are also very aggressive when it comes to internal threats.

Employees and contractors have been fired for leaking memos to the press and workers with access to sensitive information are closely monitored.

It’s estimated that Facebook’s security team now numbers over 20,000 members of staff. This covers functions as diverse as detecting ad fraud all the way through to moderating terrorist content. But although the bulk of this massive security apparatus is dedicated to keeping users safe, protecting trade secrets is also a priority.

What strategies do all these large companies employ?

Apple, Google, Microsoft and Facebook all employ similar strategies. They all monitor employees very closely. Most of them offer stock options to deter theft of trade secrets and they are very willing to prosecute offenders through the law.

Even with their resources, these corporate giants have all proved to be vulnerable to internal leaks. However large or small your business is, it’s important to be aware of this risk.

Read other posts like this:

Trends in Data Loss Prevention (DLP)
What is DLP (Data Loss Prevention)
How to Choose a Secure Software Development Company
The Great Resignation and What it Means for Software Development and Data Security
Source Code Security Highlights of 2019 Report
Top Data Breaches of 2019: Half-Year Review