Source code can be likened to the ‘secret sauce’ of a company. The code represents your intellectual property at a fundamental level – it is the instructions that make software products work. It is also part of your competitive edge and is a highly strategic aspect of your company’s innovation and place in your industry.
Because of this inherent importance, source code carries a high risk of exposure and theft. Examples of source code theft, and even of accidental exposure, are widespread: the IBM software developer who was given a 5-year prison sentence for source code theft, or the accidental exposure of code from Grayshift, an iPhone unlocking specialist for law enforcement agencies, which resulted in the company being held to ransom by the hackers. (1, 2)
The consequences of source code exposure range from handing competitors an advantage and losing your innovative edge to financial costs and security issues for your firm and its customers.
Source code is leaked via a number of routes. In a previous article, we looked at some of the reasons why, and how, source code exposure occurs. These routes to exposed code include both insider and external threats. To reduce the risk of a source code breach, we can apply best practices in securing source code. In this article, we look at 5 of the most important of these practices. (3)
5 Best Practices in Securing Source Code
Source code exposure can be a complicated area to address, because it can happen by both malicious and accidental means. Any measure you take to mitigate source code loss must cover both causes of leaks. The 5 best practices below give a robust grounding in preventing the loss of this most precious of commodities, your source code:
Best Practice 1: Have clear security policies that include source code
Why is this needed? Security policies are a fundamental part of a modern organization. They help your organization to strategize and advise on all potential security issues. Data theft of all kinds is a major problem across all industry sectors. Over 6.5 million data records are stolen every day, across all companies. An organization is placed at serious financial risk when it is breached; research finds that share prices remain depressed for at least 6 months after a breach. (4, 5)
Source code should be treated like any other company resource; threats must be acknowledged by your security policy and addressed therein. These threats should include not only code loss through accidental or malicious exposure but also the potential for code to be intentionally infected by malware – i.e., compromised.
Actionable ways to contain the issue: When creating a security policy for your organization ensure you have a section that covers any source code development areas and personnel involved in code development. This should include at a minimum:
- Best practices for GitHub and other repository hosts – for example, access rights, repository configuration, robust credential policies, prevention of downloading source to local machines, etc.
- The use of removable media by developers – in particular, to prevent accidental loss of code
- General security hygiene practices for developers – policies to help mitigate the risk of password sharing amongst developers and the use of collaboration portals where passwords and code may be posted in groups
- Security awareness training for developers – just because an individual writes software code doesn’t mean they are aware of security risks
- Compartmentalize source code when using subcontractors – developers do not usually need to have access to all of the code. They should be given access on a ‘need to know’ basis
- Keep any secret credentials and certificate keys separate from source code – use auto-scanning of code to check that credentials have not accidentally been added to the code
- The use of relevant technologies – see best practices 2, 3, and 4
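The last two policy items above (keeping credentials out of the repository, and auto-scanning code for them) are the most mechanical to enforce. The following is an added example, not code from the original article or from any named scanner product: a small Python pre-commit style scanner that combines named patterns (the AWS access key ID format, PEM private-key headers, keyword assignments such as `password = "..."`) with a Shannon-entropy check on long quoted strings whose variable name gives nothing away. The sample configuration file, the `# allow-secret` suppression marker and the 4.0-bit entropy threshold are all constructed for this illustration.

```python
import math
import re
import sys

# Regexes for credential material that should never be committed. This is a
# deliberately small, hand-written set for the example; production scanners ship
# hundreds of provider-specific patterns.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # keyword-style assignments: password = "...", token: '...', api_key="..."
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api_key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Any quoted token of 20+ characters from the base64/hex/urlsafe alphabet is a
# candidate for the entropy check, which catches keys the keyword list misses.
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; ordinary words and config values score well below this

# Hypothetical in-line suppression marker for known fixtures (e.g. unit-test passwords).
ALLOW_MARKER = "# allow-secret"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<text>") -> list:
    """Return (path, line_number, finding_kind) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        matched = False
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, kind))
                matched = True
        if matched:
            continue  # don't double-report a line already caught by a named pattern
        for m in QUOTED_TOKEN.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high_entropy_string"))
                break
    return findings


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample config; none of these values are real credentials.
SAMPLE_CONFIG = """\
# settings.py (constructed sample, not real credentials)
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "correct-horse-battery"
GITHUB_TOKEN = "ghp_Q7w2mXkL9vR4tY8uP3nB6cH1jF5sD0aZ"
SIGNING_SALT = "A1b2C3d4E5f6G7h8I9j0KlMnOpQr"
LOG_LEVEL = "INFO"
test_password = "0123456789abcdef"  # allow-secret
"""


def scan_sample() -> list:
    return scan_text(SAMPLE_CONFIG, "settings.py")


if __name__ == "__main__":
    # As a pre-commit hook: pass the staged file names on the command line
    # (e.g. from `git diff --cached --name-only`) and fail the commit on any hit.
    paths = sys.argv[1:]
    hits = scan_sample() if not paths else [f for p in paths for f in scan_file(p)]
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: {kind}")
    sys.exit(1 if hits else 0)
```

Run with no arguments it scans the embedded sample and reports the AWS key, the two keyword assignments and the high-entropy salt, while leaving the allow-listed test fixture alone. Hand-written patterns like these are a starting point; for a real repository, prefer a maintained scanner with provider-specific signatures and run it in CI as well as in the local hook, since a hook on the developer's machine can be skipped.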
Best Practice 2: Apply dedicated tools to prevent source code theft
Why is this needed? Insider threats to source code are very costly. In our recent post on the issues of internal threats, we identified that it can cost a minimum average of $1.8 million and up to $20 million USD to rectify an insider incident. By its very nature, ensuring that insiders respect company Intellectual Property (IP) can be a tricky thing to do. However, dedicated tools to prevent software theft give us a layer of protection that would otherwise be very difficult to achieve. (6)
Actionable ways to contain the issue: Apply specialist tools that have been designed to contain this very difficult area of cyber-risk. Data loss prevention (DLP) tools help to manage the highest-risk groups: those leaving an organization (89% of leavers continue to have access to proprietary corporate data even after leaving), subcontractors who may have privileged access, and existing employees whom you trust but need to verify (see also best practice 5 below). (7, 8)
Best Practice 3: Privileged access and 2FA
Why is this needed? Passwords are often the weakest link in controlling access. Developers usually require a high level of privileged access as they work on source code. Data breaches like the Collection #1 incident, in which 773 million data records, including passwords, were leaked, make relying on passwords for privileged access high risk. Anyone who needs privileged access, for example to source code repositories, needs to have robust authentication applied. A second factor, such as a digital certificate, a time-limited code received on a mobile device, or a FIDO-based authenticator app, is an example of strong two-factor authentication (2FA). Biometrics is another type of credential that can offer stronger access control to a privileged area of a network. (9, 10)
Actionable ways to contain the issue: Any area of your network that holds sensitive data, including source code, design specifications, and other related documentation, should have 2FA applied. There are a number of different types of technologies available to control access to privileged areas of your system. However, these are often dependent on the application. Services often utilized by development teams, such as GitHub, offer two-factor authentication. (11)
Link this best practice back to best practice 1 and create policies that encompass a model of least privilege, i.e., only allow access to those who truly need it.
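Of the second factors listed above, the time-limited code on a mobile device is the one most teams roll out first, and it is worth seeing what the server side actually checks. The following is an added example, not code from the original article or from GitHub or the FIDO Alliance: a Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, plus a verifier that tolerates one 30-second step of clock drift, compares codes in constant time, and refuses to accept the same code twice. The user names, the `TotpVerifier` class and the `enroll` helper are constructed for this illustration; the RFC test secret is used only to check the code against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time divided by the step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server-side verifier: tolerates small clock drift and rejects replayed codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = {}  # user -> highest counter already accepted (replay guard)

    def verify(self, user: str, candidate: str, for_time=None) -> bool:
        if for_time is None:
            for_time = time.time()
        now = int(for_time) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so a timing side channel cannot leak matching digits.
            if hmac.compare_digest(expected, candidate):
                # A code is single-use: reject any counter at or below the last accepted one.
                if counter <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = counter
                return True
        return False


def enroll(issuer: str, account: str):
    """Generate a fresh 160-bit seed and the otpauth URI an authenticator app would import.
    (issuer and account are assumed to be URL-safe; percent-encode them otherwise.)"""
    seed = secrets.token_bytes(20)
    b32 = base64.b32encode(seed).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits=6&period=30")
    return seed, uri


# RFC 6238 shared test secret (ASCII "12345678901234567890"), used here only to
# check the implementation against the published test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))                      # 755224 per RFC 4226
    print("TOTP at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    v = TotpVerifier(RFC_SECRET, digits=8)
    print("first use accepted:", v.verify("alice", "94287082", for_time=59))
    print("replay rejected:", v.verify("alice", "94287082", for_time=61))
```

The replay check is the part most home-grown implementations miss: within the drift window a code stays valid for up to 90 seconds, so the server must remember the highest counter it has accepted per user. Pair the verifier with the least-privilege policy from best practice 1: 2FA establishes who is at the keyboard, it does not decide what they may reach.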
Best Practice 4: Technologies such as encryption and behavioral analytics/monitoring
Why is this needed? Security relies on a layered approach. This means that you cannot apply a single best practice and hope it mitigates risk. Instead, you have to use a number of both technical and human-centered best practices. Security should be thought of as a process.
Various technologies can be applied on a global and/or departmental basis to harden your protective layer.
Actionable ways to contain the issue: By using technologies like encryption and code obfuscation, and by monitoring your employees and contractors in a non-intrusive manner, you can keep on top of issues before they become incidents. You have to begin at the very start of the development process, from the individuals who develop and/or access the code, through the repository it is stored in, to the sharing and release of code.
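Monitoring in a non-intrusive manner usually means watching the repository rather than the developer: the hosting platform already records who cloned what, from where, and when. The following is an added example, not code from the original article or from any DLP vendor: a Python detector that runs two rules over such an audit trail, alerting when a user clones from an address never seen for them and when one user pulls more distinct repositories in an hour than a threshold allows. The log line format, the sample events, the user names, the IP baseline and the threshold of 3 repositories are all constructed for this illustration; real platforms export audit events in their own schema, so only `parse_line` would need adapting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line format for this example; real hosting platforms emit audit
# events in their own (usually JSON) schema, so adapt parse_line() accordingly.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) repo=(?P<repo>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than allowed to crash the detector
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, window=timedelta(hours=1), max_repos=3, known_ips=None):
    """Two rules over clone events: (1) a clone from an IP never seen for that user,
    (2) more than max_repos distinct repositories cloned by one user within `window`."""
    known_ips = {u: set(ips) for u, ips in (known_ips or {}).items()}
    recent = defaultdict(deque)  # user -> deque[(timestamp, repo)] inside the sliding window
    mass_alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "git.clone":
            continue
        user, ts = ev["user"], ev["ts"]
        # Rule 1: only fires for users with an established baseline; alert once per new IP.
        if user in known_ips and ev["ip"] not in known_ips[user]:
            alerts.append((ts, user, "clone_from_unseen_ip", ev["ip"]))
            known_ips[user].add(ev["ip"])
        # Rule 2: keep a sliding window of this user's clones and count distinct repos.
        q = recent[user]
        q.append((ts, ev["repo"]))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {repo for _, repo in q}
        if len(distinct) > max_repos and user not in mass_alerted:
            mass_alerted.add(user)
            alerts.append((ts, user, "mass_clone", sorted(distinct)))
    return alerts


# Constructed sample audit log: an ordinary day for alice, and bob cloning five
# repositories in a few minutes late at night from an address he has never used.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice action=git.clone repo=payments-core ip=10.0.4.11
2024-03-04T09:15:40Z user=bob action=git.push repo=web-frontend ip=10.0.4.20
2024-03-04T10:02:13Z user=alice action=git.clone repo=payments-core ip=10.0.4.11
2024-03-04T22:41:05Z user=bob action=git.clone repo=payments-core ip=203.0.113.57
2024-03-04T22:42:11Z user=bob action=git.clone repo=web-frontend ip=203.0.113.57
2024-03-04T22:43:09Z user=bob action=git.clone repo=billing-api ip=203.0.113.57
2024-03-04T22:44:30Z user=bob action=git.clone repo=infra-terraform ip=203.0.113.57
2024-03-04T22:45:01Z user=bob action=git.clone repo=mobile-sdk ip=203.0.113.57
garbage line that does not parse
"""

# Baseline of addresses previously seen per user (constructed).
KNOWN_IPS = {"alice": ["10.0.4.11"], "bob": ["10.0.4.20"]}


def detect_sample():
    return detect(SAMPLE_LOG.splitlines(), known_ips=KNOWN_IPS)


if __name__ == "__main__":
    for ts, user, kind, detail in detect_sample():
        print(f"{ts.isoformat()} {user} {kind} {detail}")
```

Both rules flag behaviour rather than content, and each produces a single alert per condition rather than one per event, which keeps the output reviewable. Thresholds should be derived from each team's normal clone volume; a monorepo shop needs a very different `max_repos` from one with hundreds of microservice repositories.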
Best Practice 5: Policies that encompass Trust but Verify
Why is this needed? This best practice brings all of your efforts in protecting your source code together. It is a philosophical mantra that provides a basis for a practical way of reducing not only source code exposure but other sensitive data leaks. ‘Trust but Verify’ is all about creating a pragmatic basis of trust within your organization. Blind trust does not work, as the 90% of companies concerned about an insider threat attest. (12)
Actionable ways to contain the issue: Trust but Verify brings the sociological and technological approaches to source code security together. It is based on developing excellent communication with your employees. This includes: applying security awareness training so all of your extended workforce understands the risks; having clear security policies which include code protection; and, applying the best available technologies, like data loss prevention, to protect your source code.
Your source code is your intellectual property and proprietary sensitive data. Protecting this resource is a fundamental need for any organization that generates code. Loss of source code not only affects your financial bottom line, it also gives your competitors a leg up. If your company creates source code, you need to make sure it stays under your organization’s control. But source code is a very valuable commodity and with value comes risk.
To mitigate that risk, you have to follow a process that encompasses best practices. Our 5 best practices for securing source code are built upon deep industry knowledge. If you follow their advice, your company can contain the risks associated with source code development. These best practices offer a layered approach to protection, each building upon the previous one to add depth and strength to your security. These best practices will ensure that threats, both internal and external, are mitigated. Keeping your code safe is a priority in a world where cybercrime is rife. But equally, accidental exposure can end up costing your organization dearly.
1. Computerworld: https://www.computerworld.com.au/article/632406/ex-ibm-employee-jailed-over-source-code-theft/
2. The CyberWire: https://www.thecyberwire.com/issues/issues2018/April/CyberWire_2018_04_27.html
3. Stop-Source-Code-Theft, Why do developers steal source code?: https://www.stop-source-code-theft.com/why-do-developers-steal-source-code/
4. Gemalto, Breach Level Index: https://breachlevelindex.com/
5. Comparitech: https://www.comparitech.com/blog/information-security/data-breach-share-price-2018/
6. Stop-Source-Code-Theft, Insider Threat 101: https://www.stop-source-code-theft.com/insider-threat-101-for-software-development-companies/
7. Stop-Source-Code-Theft: https://www.stop-source-code-theft.com/
8. The Hague Security Delta: https://www.thehaguesecuritydelta.com/media/com_hsd/report/154/document/2017-Insider-Threat-Intelligence-Report.pdf
9. Troy Hunt: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
10. FIDO Alliance: https://fidoalliance.org/specifications/
11. GitHub Help: https://help.github.com/en/articles/securing-your-account-with-two-factor-authentication-2fa
12. Computer Associates: https://www.ca.com/content/dam/ca/us/files/ebook/insider-threat-report.pdf