Avoid source code leaks on third-party repositories | SC Media


February 18, 2021
Nissan North America reported a significant source code leak in January because of misconfigured Git servers. Today’s columnist, Landon Winkelvoss of Nisos, offers some advice on how security teams can safeguard source code.
  • Saving code in the wrong place. GitHub runs a popular code repository, but many organizations also maintain private instances that are not clearly documented for developers.
  • Inexperienced developers. Busy coders can overlook the importance of keeping company code in a predetermined location. Not grasping how valuable source code is to a company, they might offload proprietary code to other destinations for their personal resume, accidentally including company API and cryptographic keys in this less-secure location.
  • Collaboration interferes with security. Lax security controls may exist around the coding environment when an organization relies on a distributed team of coders, including geographically diverse contractors who may be concurrently writing code for other companies.
  • Lack of attention to detail, or an actual intent to dox proprietary code. While far less common, poor job satisfaction among developers can create a breeding ground for insider threats, including a desire to expose a company's perceived lack of security controls.
  • Detail processes and procedures for checking out code from corporate repositories. In addition, train and educate developers not to download code locally and store it on private servers. Developers should also store code in a secure location and never use public repositories for proprietary code.
  • If the company has to store code locally, implement a combination of virtual desktop, RDP, and VPN infrastructure to ensure proper segmentation.
  • Cyber threat intelligence should automatically scrape third-party sites for proprietary source code so that security teams are alerted before it becomes public. The methods security teams use to scrape repositories are the same methods every security team, third-party security researcher, and malicious attacker uses to index the internet. Automation can catch the code, but organizations need expert analysis to act on it: request that the repository take the code down, and inform the person who posted it that they need to remove it. Third-party repositories generally do not have an automatic takedown for these requests. If an analyst catches the automatic detection, they hope the coder is paying attention, and perhaps the takedown can occur within 30 minutes. If a security team must rely on the third-party repository, it can take up to 48 hours.
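The detection step above, as an added example that is not code from the column or from Nisos: once files from a third-party repository have been fetched, the scan looks for markers that only occur in the company's own code base (a hypothetical copyright banner and internal hostname) and for embedded credentials, then triages the result so that proprietary code containing secrets is escalated for key rotation as well as a takedown request. All file contents, markers and key values are constructed for this example.

```python
import re

# Constructed sample of files as they might appear on a third-party repo; every
# path, hostname and key value here is made up for this example.
SAMPLE_FILES = {
    "README.md": "Weekend project: a tiny HTTP helper library.\n",
    "src/client.py": (
        "# Copyright (c) Example Corp. Internal use only.\n"
        "API_KEY = 'AKIAEXAMPLE012345678'\n"
        "BASE_URL = 'https://api.internal.example-corp.test'\n"
    ),
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n-----END RSA PRIVATE KEY-----\n",
}
# Strings that should only occur in this company's own code base (hypothetical):
# a copyright banner and an internal hostname.
PROPRIETARY_MARKERS = ("Example Corp. Internal use only", "internal.example-corp.test")
# Two credential patterns are enough to show the triage logic; real scanners carry many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def redact(value):
    """Keep enough of a hit to locate it without copying the secret into the alert."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_repo(files, markers=PROPRIETARY_MARKERS, patterns=SECRET_PATTERNS):
    """Return (path, line, kind, snippet) for every proprietary marker or secret hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for marker in markers:
                if marker in line:
                    findings.append((path, lineno, "proprietary_marker", marker))
            for kind, rx in patterns.items():
                for hit in rx.finditer(line):
                    findings.append((path, lineno, kind, redact(hit.group(0))))
    return findings

def triage(findings):
    """Secrets inside proprietary code need key rotation as well as a takedown request."""
    kinds = {kind for _, _, kind, _ in findings}
    has_prop = "proprietary_marker" in kinds
    has_secret = bool(kinds - {"proprietary_marker"})
    if has_prop and has_secret:
        return "critical"
    return "high" if has_secret else "medium" if has_prop else "none"

if __name__ == "__main__":
    print(triage(scan_repo(SAMPLE_FILES)), scan_repo(SAMPLE_FILES))
```

The findings carry only redacted snippets, so the alert itself can be forwarded to the analyst and the repository operator without re-leaking the credential.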