This blog is part of a series on securing code repositories. Read our first blog on the topic by clicking here.
When developing software, a company's primary concern is that the software performs the tasks it is supposed to and operates efficiently. Cybersecurity controls, when implemented in code, are intended to protect user data and safeguard it against attacks while the software is in operation. However, the source code itself often remains outside of these security considerations.
Source code protection is becoming increasingly critical. About a year ago, the hacker group Lapsus$ publicly leaked the source code from some of the most important tech companies – almost 200 GB of Samsung's source code, Nvidia's DLSS technology code, and 250 internal Microsoft projects.
When we think about source code disclosure, we mostly think of unauthorized access. However, source code is an asset that is accessible at many points within a company's infrastructure: to developers, in backups, in third-party version management services (on-premises or cloud, e.g., GitHub), and even on developers' local machines, so other risks must also be considered.
Common risks threatening source code
The most common risks threatening source code tend to be:
- Human Factor (Insiders): Disgruntled employees or those leaving the company often have direct access to the source code and can transmit it, publish it online, or copy it onto portable devices.
- Human Factor (Negligence): Employees can leak source code by mistake or negligence, sharing it via emails or, especially nowadays, with the use of Generative AI. A recent study by Netskope revealed that source code is posted on ChatGPT more than any other type of confidential data.
- Software Providers: When outsourcing projects, the company trusts the security measures that the subcontracted companies apply to protect the source code. Without verifying these measures, and without monitoring and ensuring compliance with non-disclosure agreements, there is a risk.
- Open Source: It's normal to incorporate open-source libraries, and depending on the type of license used, this may mean that any software that incorporates them must also comply with open-source policies. This means that while companies are not required to publish their source code, they may be legally obliged to provide it to those who request it.
- Unauthorized Access (Hackers): The source code contains a wealth of confidential information, which most often includes embedded secrets such as passwords, API keys, and the private keys of certificates. This information is often stored in plain text within the source code, making it an attractive target for attackers. The code can also be tampered with by embedding malware that serves the attacker's purposes, such as disclosing information or altering the data the software processes.
“Data protection by design”
Since source code is intellectual property that does not itself contain personal data, its security requirements fall mainly under information security frameworks (ISO 27001, NIS in the EU, NIST in the US, etc.), and the GDPR does not establish specific obligations on software development or source code. However, GDPR obligations do follow from the principle of "data protection by design" established in Article 25, which is a legal compliance requirement.
The obligation to implement data protection by design is applicable to data controllers, who are required to apply appropriate technical and organizational measures "both at the time of determining the processing means and at the time of the processing" itself. As stated in Recital 78 and Article 28 of the GDPR, data protection by design also involves developers of products, applications or device manufacturers in or for the European Union community.
The developer who designs the processing operations carried out by the software must, in the exercise of their duty of due diligence, proactively anticipate and prevent events that affect privacy before they occur, through Privacy by Design (PbD). This is characterized by the adoption of proactive measures that anticipate threats, identifying system weaknesses in order to neutralize or minimize risks. It is the developer who must adopt the necessary measures and controls to protect the source code and neutralize the threats mentioned above.
CyberProof’s recommendations
Let's remember that the protection of the source code is a multidisciplinary task that requires a collaborative and proactive approach among developers, security teams, and management to maintain the integrity, confidentiality, and availability of software assets. In this context, some recommended measures are:
- Identity and Access Management (IAM): Ensure that only authorized personnel have access to the source code, using strong authentication and role-based authorization.
- Training and Employee Awareness: Raise awareness about the importance of source code security and train employees in best practices.
- Source Code Disclosure Control: Implement non-disclosure policies and confidentiality agreements with employees and collaborators, supported by DLP tools.
- Security and Compliance Audits: Perform regular audits to ensure that security measures are adequate and regulations are being met.
- Software Supply Chain Security: Ensure that software providers have robust security practices.
- Management of Dependencies and Third-Party Components: Review and update open-source libraries and dependencies to mitigate known vulnerabilities.
- Incident Detection and Response: Establish an incident response plan that includes potential source code leakage.
- Encryption and Protection of Sensitive Data: Use encryption to protect API keys, passwords, and other sensitive data stored in the source code.
- Integration of Security into the Software Development Life Cycle (SDLC): Apply 'data protection by design' (Privacy by Design - PbD) and 'security by design' (Security by Design - SbD) principles from the early stages of development.
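The "Unauthorized Access" risk above notes that passwords, API keys and private keys are usually embedded in source code in plain text, and the "Encryption and Protection of Sensitive Data" recommendation asks that they be kept out of the repository. The following is an added example, not CyberProof's code or a tool the blog describes: a minimal secret scanner of the kind a pre-commit hook or CI job runs before code reaches the repository, alongside the hardened pattern of loading a secret from the runtime environment instead of a literal. The detection rules, the entropy threshold and the sample "source file" are constructed for illustration; a production scanner ships many more rules.

```python
"""Added example: detect embedded secrets in source text, and show the
safe alternative of reading them from the environment at runtime."""
import math
import os
import re
from collections import Counter

# Constructed detection rules (a real scanner ships hundreds of them).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" with at least 8 characters; no leading \b so that
    # identifiers such as DB_PASSWORD still match.
    "generic_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random secrets score high, placeholders low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per (line, rule) that looks like an embedded secret.

    Generic 'password = "..."' matches are reported only when the value has
    high entropy, which filters placeholders such as "changeme".
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic_credential" and shannon_entropy(match.group(1)) < entropy_threshold:
                continue
            findings.append({"line": lineno, "rule": rule, "snippet": line.strip()[:60]})
    return findings


def load_secret(name: str, env=None) -> str:
    """Hardened alternative: the secret is injected into the environment by a
    vault or the CI secret store and never written into the repository.
    Failing closed when it is missing is deliberate."""
    source = os.environ if env is None else env
    try:
        return source[name]
    except KeyError:
        raise RuntimeError(f"secret {name!r} not provided; refusing to start") from None


# Constructed sample "source file" mixing embedded secrets and safe lines.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "q7Rt9#Lp2vX!e8Kz"          # embedded high-entropy credential
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS's documented example key format
api_token = "changeme"                    # placeholder, low entropy, ignored
API_KEY = os.environ["API_KEY"]           # correct: read at runtime, not stored
-----BEGIN RSA PRIVATE KEY-----
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['rule']}: {finding['snippet']}")
```

Run as a pre-commit hook, a non-empty result from `scan_source` should block the commit; the entropy filter keeps obvious placeholders from generating noise, while the dedicated rules for key formats fire regardless of entropy because those strings are never legitimate in a repository.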
The protection of the source code is a multidisciplinary task that requires a collaborative and proactive approach among developers, security teams, and management.
Interested in learning more about how to proactively protect your data? Read our eBook on vulnerability management by clicking here.