Mar 16 · 4 min read
Your source code is your most valuable asset, and for software companies creating digital products, protecting that code is the number one priority. After all, raw code is the blueprint of your business's proprietary technology, and you didn't go through the effort of creating it just to share it.
Data from Statista shows that in 2019, the number of source code breaches in the United States amounted to 1,473, with over 164.68 million sensitive records exposed. In the first half of 2020, there were 540 reported data breaches. As DataBreaches accurately puts it, "there's no need to hack if it's already leaking": many of these breaches are avoidable.
In August 2019, Intel reported a leak that exposed restricted documents and code on a public server. The leaked code was brought to the attention of ethical engineer Till Kottmann, who says he received the original information from an unknown source.
“Most of the things here have NOT been published ANYWHERE before and are classified as confidential, under NDA or Intel Restricted Secret.” – Till Kottmann
According to Intel, an employee of the Intel Design and Research Center may have been responsible. The package included reference, sample, and initialization code for the company's 7th generation microprocessor (codename Kaby Lake). It also contained firmware, schematics, documents, tools for later unreleased platforms, and camera processing tech made for SpaceX, among other highly sensitive and protected data. The leak's impact was severe, with many trade secrets contained in the files.
We know it can take years to remove source code from the internet, as Microsoft demonstrated by taking a whopping 11 years to remove all traces of Windows 2000 after a 2004 leak.
In May 2020, Kottmann made another code leak discovery, this time for automotive goliath Daimler, otherwise known as Mercedes-Benz group.
The developer was able to register an account on a code-hosting portal and then download 580 Git repositories through GitLab containing the source code of onboard logic units (OLUs) installed in Mercedes vans. The hack was possible because of a lack of account authorization processes, a big wake-up call for Mercedes.
To make matters worse, after the initial leak investigators discovered passwords and API tokens for Daimler's internal systems. Bad actors could use such passwords and keys to execute future intrusions against Daimler's cloud and internal network.
Investigators found that none of the source code had been public before, so they assumed the code was private and contained proprietary information. Daimler took down the GitLab server from which Kottmann had downloaded the data.
Don’t become the next leak: Secure your development environment
At some stage during your product build and release, you will inevitably lose visibility of your source code, making it vulnerable.
Your code is pushed, pulled, and copied by hundreds of developers, perhaps even thousands. As such, your code faces manipulation and the risk of theft as it passes through your software development lifecycle. By reducing the attack surface of your environment, you can mitigate risk.
There are four key ways in which you can reduce the likelihood of an attack on your development pipeline:
You must be able to log the actions of users and services running within your development environments; this creates visibility and the ability to trace events easily and quickly. Are you aware of all the activities that happen across your integrated services?
Your access and authorization protocol is a significant weak spot. For example, if one developer can access all your organization's code and someone obtains their credentials, bingo: instant access to your organization's systems.
As we saw in Mercedes's case, SSO was not enabled. Someone outside the organization registered on their GitLab, and since no fine-grained access control was applied, once in he was able to access all the code projects in the organization.
“In 2019, 50% of all breaches came from the misuse of credentials, frequently found in code”—SANS 2019 Cloud Security.
Conservatively speaking, you might be working with around 20 integrations into your SCM. GitHub, GitLab, and Bitbucket each offer hundreds of integrations. Do you have visibility into them all? Do you know who has access?
Third-party integrations expand the attack surface of your environment by being another portal into your systems. Moreover, third-party software comes with hundreds of different security configurations, leaving room for human error in the set-up process.
Both humans and tools pass sensitive data between build phases; when you lose visibility of your source code and files, it can be hard to know when sensitive data is at risk of a breach. Are you alerted to leaks or use of sensitive data throughout the build process?
In 2019, a Starbucks developer left an API key in a public GitHub repository, kicking off a critical alert. Luckily, the discovery was made by an ethical hacker, Vinoth Kumar, who reported it through the HackerOne vulnerability coordination and bug bounty platform.
Had attackers found it first, the key would have allowed them to access critical internal operating systems, execute commands, and manipulate the list of authorized Starbucks users.
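As an added illustration, not part of the original post or of Argon's product, here is the kind of check that flags a committed API key before it reaches a public repository: a small Python scanner that matches well-known token formats and flags high-entropy values assigned to secret-looking names. The sample file content, the pattern set and the entropy threshold are assumptions constructed for this example.

```python
import math
import re

# Well-known token prefixes plus a generic "name = 'value'" assignment pattern.
# Dict order matters: specific formats are tried before the generic one.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, placeholder words score low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value: str) -> str:
    """Keep enough to locate the secret in the file without re-leaking it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_text(text: str, min_entropy: float = 3.5) -> list:
    """Return (line_number, finding_type, redacted_value) for each suspected secret.
    min_entropy is a tuning assumption; raise it to trade misses for fewer false alarms."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            # Generic assignments count only if the value looks random, which
            # drops placeholders such as "replace-me" without a second rule.
            if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                break
            findings.append((lineno, name, redact(value)))
            break
    return findings

# Constructed sample of a committed settings file; none of these are real credentials.
SAMPLE_COMMIT = """\
# config/settings.py
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "replace-me-replace-me"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
DB_PASSWORD = "q8Zt2vLp9XkR4mWn7bCd"
"""
```

Calling `scan_text(SAMPLE_COMMIT)` reports lines 3, 5 and 6 with redacted values and skips the low-entropy placeholder on line 4; wiring the same function into a pre-commit hook or CI step is what turns it into the alert the question above asks for.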
These reasons highlight why it is so critical to protect your pipeline and not just the individual elements that make up your software lifecycle—through visibility of your pipeline at all stages, you can mitigate risks on a holistic scale.
How Argon Security can help you expect the unexpected
In an ever-changing digital landscape, mitigating source code leaks can feel overwhelming. Argon can help. Offering the ability to harden access, authentication, and even code changes, our three pipeline security engines are designed to preserve product integrity, from code to release.