Thales Blog

Message To IT Industry: Wake Up And Protect Your Source Code – Your Customers Are Nervous

October 15, 2013

Screen Shot 2013-09-26 at 10.41.06 AMFirst it was RSA, then CISCO and now Adobe.  And, keep in mind, these are the companies that have publicly come clean.  There are clearly many more who either know they have been compromised-but won’t admit to it and some who simply don’t know (or don’t want to know) if they have been had.  These IT industry leaders should know better!  Treating your product source code like the cafeteria menu is not acceptable.

Source code is the digital recipe that describes how these products are made.  It reveals how the program instructions are executed, how memory is allocated and when (and how) operands are computed.  It exposes the “secret sauce” that enables company “A’s” product to be better than company “B’s.”  From a security perspective, source code also describes how the products perform security functions.  It describes how an authentication product manages cryptographic keys.  It describes how a router “looks up” access control lists.  And, in the case of Adobe, it describes how a data rights management control “talks” to the policy server.  By the way, the source code also reveals programming errors that can be exploited by hackers to gain control of the underlying operating system.

Customers use these products to secure their own networks and data.   They expect these companies to demonstrate adult behavior and ensure that their source code libraries are properly protected against unauthorized access.  However, event after event can only lead us to the conclusion that these companies do not learn from each other’s mistake and continue to place more emphasis on selling their products than protecting their recipe.

I can (somewhat) understand how Customer related information is frequently exposed.  Marketing and salespeople need ready access to this data and it is moved across corporate networks, “salesforce” clouds and all sorts of mobile devices.  What I cannot comprehend is why these companies would ever allow their “secret sauce” to be so readily available and exploitable insider their corporate networks.  My worse fear is that largely as a result of mergers/acquisitions and global partnering, these companies simply don’t know where all their source code libraries are at, who has access to it and what they are doing with it.  With Government fears over the digital supply chain, these incidents certainly give us reason to be worried.

With that in mind, here are a straight-forward set of recommendations to better protect your source code:

  1.  Care for your source code like you care for your sales projections and product plans.
  2. Find your source code libraries and place them on a network that is (optimally) physically isolated from your enterprise network or (less optimal) logically isolated via dedicated switched internal VPNs.  Access to the source code should only be enabled from physically switched workstations or thin client sessions that are “binded” to the dedicated internal VPNs.
  3. Place the source code libraries on a separate network domain segment that is only accessible via the dedicated workstations or internal VPNs. Store the source code in a structured data base that can be better protected at both the O/S and application layer.
  4. Use a high-security data encryption capability that also prohibits access by privileged network/system administrators and the data base DBAs.
  5. If you need to share your source code libraries with your far flung global network of partners, then give them dedicated (again, optimally physically dedicated) network workstations that can only be used to access the source code data bases.  Do not let your partners download the libraries to their networks.  All changes and documentation stay inside the internal data base.
  6. Monitor access to this domain and data base like a hawk searching for a wounded rabbit.

The inability to properly secure their product source code is not only “ethically criminal” it places their customer’s infrastructure (including the critical infrastructure) and data at greater risk. In the case of Adobe, if their Digital Rights Management/Live Cycle management server source code (for example) was exposed, I would be very worried about trusting my corporate secrets to this product.  It is time for the IT industry to think about their customer’s equity in their products and not simply sales of their products!