For many companies, their source code is the essence of who they are. It is the foundation of any company’s intellectual property, and it reveals inner logic, dependencies, and components in great detail. In today’s competitive world, source code is a deeply guarded secret for good reason.
If source code falls into the hands of malicious actors, the repercussions can be devastating. Source code leaks:
- Jeopardize Intellectual Property – Source code leaks not only reveal your current IP; they can also reveal new or planned product roadmap features before they are announced, giving away your competitive edge.
- Reveal Business Logic – Vulnerabilities in business logic, such as a back door built into an application for support purposes, can be leveraged for nefarious purposes, making you less secure overall.
- Expose Sensitive Data – Source code leaks sometimes expose sensitive data directly. Exposed personally identifiable information (PII), such as customer names and credit card account details, can result in heavy regulatory fines, while hardcoded secrets (API keys, passwords, tokens) can give attackers access to other systems.
- Compromise Customers – Attackers can use the source code to identify vulnerable routes and libraries to further exploit the application and potentially impact downstream customers.
- Damage Reputation – The damage to your organization’s reputation from source code leakage destroys customer trust and has a real impact on your bottom line.
Recent Source Code Leaks
One of the challenges with code leaks is that not all leaks are intentional acts by bad actors. Sometimes minor mistakes lead to accidental public exposure. For example, hosted Git platforms such as GitHub let developers use a personal account to work on corporate projects, and many developers keep their personal repositories public to share side projects. If a developer pushes proprietary code from work to a personal repository, that corporate code can unintentionally become public.
Following are some recent high-profile source code leaks. The list includes both intentional and accidental leaks:
- Microsoft – In March 2022, Microsoft was targeted by the Lapsus$ hacking group, which released a 9-gigabyte zip archive that contained source code for Microsoft’s Bing search, Bing Maps, and Cortana voice assistant.
- Twitch – In October 2021, Twitch, the Amazon-owned live streaming service focused on gaming and esports, suffered a data breach when a 125 GB torrent was posted on the 4chan message board. The leak included not only Twitch’s source code but also internal security protocols and the payout records of many top streamers.
- Nissan – Nissan’s source code was leaked in January 2021 due to the misconfiguration of a company Git server, which was left with a default username and password of admin/admin. Exposed source code included Nissan’s mobile apps, internal core mobile library, various sales and marketing tools, and their vehicle logistics portal.
- AWS – In January 2020, an AWS DevOps Cloud Engineer committed almost a gigabyte of data to a personal GitHub repository. This source code leak included lists of AWS and RSA key pairs.
- Snapchat – An iOS update exposed a small amount of Snapchat’s source code in August 2018. Though the mistake was caught almost immediately and a takedown request was made, the source code was posted publicly on GitHub.
As illustrated by many of these source code leaks, the repercussions of a leak extend far beyond the code itself; often the downstream impact is worse than the leak. According to Lily Hay Newman in Wired, “if an attacker has compromised something as highly guarded as source code, it could mean that they’ve grabbed other crown jewels like sensitive user data, encryption keys, or code-signing certificates, which are meant to verify that a piece of software hasn’t been altered by a malicious actor. If stolen, these have more urgent and immediate ramifications for the security of a company, its products, and, most importantly, its customers.”
Prevent Source Code Leaks
The old adage, “an ounce of prevention is worth a pound of cure,” most certainly applies to code leaks. Because the impact of code leakage can be devastating, organizations must prevent them whenever possible. So how do you prevent code leaks?
The first step is to limit who has access to code by implementing proper governance and least privilege policies. The fewer people who can access your source code, the less likely that it will be accidentally or intentionally exposed.
You also must monitor for anomalous or suspicious user activity that can be a predictor of a code leak risk. Small changes in user behavior might not be concerning on their own, but multiple changes to typical behavior could signal that something is amiss. So how do you identify abnormal behavior? First, you must understand what the normal behavior of your organization’s software development environment is. This includes typical user activity, repository access patterns, and more. Once normal behavior is understood, suspicious activity such as cloned repositories, privately forked repositories, and excessive downloading can be automatically identified so potential harm can be avoided. Armed with this information, security teams can stay ahead of the problem to keep intellectual property safe.
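The behavioral baseline described above, as an added example that is not part of the original article: a small detector that reads constructed newline-delimited JSON audit events (the field names actor, action, repo, private, fork_owner and day are assumptions and would have to be mapped onto a real platform's audit export) and flags two of the signals mentioned, a user whose clone/download volume is far above that user's own history, and a fork of a private repository to an owner outside the organization.

```python
import json
import statistics
from collections import Counter, defaultdict

# Constructed sample log (not real data): ten days of routine clones by two
# engineers, then a day on which alice clones 40 repositories and bob forks a
# private repository into a personal namespace outside the organization.
SAMPLE_LOG = "\n".join(
    [json.dumps({"actor": "alice", "action": "git.clone", "repo": f"corp/svc-{i}",
                 "private": True, "day": f"2022-04-{d:02d}"})
     for d in range(1, 11) for i in range(2)]
    + [json.dumps({"actor": "bob", "action": "git.clone", "repo": "corp/web",
                   "private": True, "day": f"2022-04-{d:02d}"})
       for d in range(1, 11)]
    + [json.dumps({"actor": "alice", "action": "git.clone", "repo": f"corp/svc-{i}",
                   "private": True, "day": "2022-04-11"})
       for i in range(40)]
    + [json.dumps({"actor": "bob", "action": "repo.fork", "repo": "corp/web",
                   "fork_owner": "bob-personal", "private": True, "day": "2022-04-11"})]
)

ORG = "corp"  # assumed organization namespace
BULK_ACTIONS = {"git.clone", "repo.download", "repo.export"}  # assumed action names


def parse_events(text):
    """Parse newline-delimited JSON events; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def daily_bulk_counts(events):
    """Map actor -> {day -> number of clone/download/export events}.
    Days with no activity are simply absent, which biases the baseline
    upward and therefore makes the detector slightly conservative."""
    per_actor = defaultdict(Counter)
    for e in events:
        if e["action"] in BULK_ACTIONS:
            per_actor[e["actor"]][e["day"]] += 1
    return per_actor


def find_anomalies(events, day, z_threshold=3.0, min_events=10):
    """Return (actor, rule, detail) triples for the given day.

    Rule 1 compares each actor's bulk-access count on `day` with that actor's
    own history (a per-user baseline, not a global one) and flags large
    z-scores. Rule 2 flags forks of private repositories whose new owner is
    not the organization.
    """
    findings = []
    for actor, by_day in daily_bulk_counts(events).items():
        history = [n for d, n in by_day.items() if d != day]
        today = by_day.get(day, 0)
        if not history or today < min_events:
            continue
        mean = statistics.mean(history)
        # Floor the deviation at 1 so a perfectly regular history does not
        # turn any small change into an infinite z-score.
        z = (today - mean) / max(statistics.pstdev(history), 1.0)
        if z > z_threshold:
            findings.append((actor, "excessive_bulk_access",
                             f"{today} events vs. baseline mean {mean:.1f}"))
    for e in events:
        if e["day"] == day and e["action"] == "repo.fork" and e.get("private"):
            owner = e.get("fork_owner", "")
            if owner != ORG:
                findings.append((e["actor"], "private_fork_outside_org", owner))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_events(SAMPLE_LOG), "2022-04-11"):
        print(*finding)
```

The per-user baseline is the important design choice: a build engineer who clones fifty repositories a day is normal for that account, while the same volume from a developer who usually touches two is not. The `min_events` floor keeps tiny absolute counts from producing alerts.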
Reduce the Risks Associated with Code Leaks
Source code leaks have consequences that impact business operations. This includes exposing valuable intellectual property and trade secrets or tipping off competitors to product roadmaps and feature announcements. Leaks also have security implications. Attackers frequently search code leaks for hardcoded secrets and examine code for attack vectors to exploit, both of which can lead to further breaches. What if you could prevent a leak from turning into a full-blown breach?
Preventing a leak outright is not always possible, so you also need to reduce the damage a leak can cause, including the likelihood that it develops into a breach. This means proactively scanning for and eliminating hardcoded secrets and misconfigurations in IaC templates before the code ever leaves your environment. A leaked hardcoded secret can give attackers a direct pathway into your systems, and every such secret expands the attack surface the software supply chain has to defend. IaC templates are often leaked alongside proprietary code; if a template falls into the wrong hands, malicious actors can read off insecure configurations (an open security group, a publicly readable storage bucket) and use them to breach the organization.
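An added example (not the article's or any vendor's tooling) of the two checks just described: a regex-plus-entropy scanner for hardcoded secrets and a minimal check of Terraform security-group ingress rules for sensitive ports open to the whole internet. The sample source file and Terraform are constructed; the AWS key is AWS's documented placeholder value and the GitHub token is a made-up string of the right shape.

```python
import math
import re

# Constructed sample files (not real credentials).
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "c8Pz2vQx9LmN4rTb7wYh"
DEFAULT_PASSWORD = "passwordpassword"
GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
"""

SAMPLE_TERRAFORM = """\
resource "aws_security_group" "bastion" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
"""

# Structured credential formats first: cheap, precise, rarely false-positive.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}
# Generic fallback: a secret-looking variable assigned a long quoted literal.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\w*(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*["']([^"']{16,})["']"""
)


def shannon_entropy(s):
    """Bits per character; random hex/base64 secrets score well above words."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_secrets(text, entropy_threshold=3.5):
    """Return (line_number, finding) pairs. A line matched by a specific
    pattern is not reported again by the generic entropy rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        specific = [name for name, pat in SECRET_PATTERNS.items() if pat.search(line)]
        if specific:
            findings.extend((lineno, name) for name in specific)
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((lineno, "high_entropy_assignment"))
    return findings


INGRESS_BLOCK = re.compile(r"ingress\s*\{(.*?)\}", re.S)
WORLD = ("0.0.0.0/0", "::/0")


def scan_open_ingress(hcl, sensitive_ports=(22, 3389, 3306, 5432)):
    """Return (port, cidr) for every flat ingress block that exposes a
    sensitive port to the internet. Regex-based, not a full HCL parser."""
    findings = []
    for block in INGRESS_BLOCK.finditer(hcl):
        body = block.group(1)
        lo = re.search(r"from_port\s*=\s*(\d+)", body)
        hi = re.search(r"to_port\s*=\s*(\d+)", body)
        cidrs = re.search(r"cidr_blocks\s*=\s*\[([^\]]*)\]", body)
        if not (lo and hi and cidrs):
            continue
        lo, hi = int(lo.group(1)), int(hi.group(1))
        if lo == 0 and hi == 0:  # AWS shorthand for "all ports"
            hi = 65535
        world = [c for c in re.findall(r'"([^"]+)"', cidrs.group(1)) if c in WORLD]
        if world:
            findings.extend((p, world[0]) for p in sensitive_ports if lo <= p <= hi)
    return findings


if __name__ == "__main__":
    print(scan_secrets(SAMPLE_SOURCE))
    print(scan_open_ingress(SAMPLE_TERRAFORM))
```

Note how the entropy rule separates the two password assignments: `"passwordpassword"` scores about 2.75 bits per character and is ignored, while the random-looking value scores above 4. Run something like this as a pre-commit hook or in CI so a secret is rejected before it is ever committed, which is far cheaper than rotating it after a leak.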
Minimize the Impact of a Code Leak
Whether by accident or as the result of a breach, private source code appearing in public repositories is common. GitHub has reported a 248% increase in Digital Millennium Copyright Act (DMCA) takedown requests from 2017 to 2021. A DMCA takedown notice, provided for under US copyright law, informs a hosting provider that it is hosting or linking to material that infringes a copyright. Organizations need to be vigilant about detecting exposure quickly so that malicious actors don’t have an opportunity to do harm.
To proactively identify a leak, you need a solution that fingerprints proprietary repositories then continuously monitors public repositories and code sharing sites for organization repository identifiers in the wild, including names and keywords that might indicate a leak. If proprietary code appears on a public site, you need to be alerted automatically so the code can be removed immediately. Reducing the time that code is publicly exposed reduces the likelihood of it falling into the wrong hands, which minimizes the impact of a code leak.
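Fingerprinting a repository and checking text found in public against it, as an added example that is not the article's product: winnowing fingerprints (hash every k-character substring of the whitespace-normalized code, keep the minimum of each sliding window) stored for the proprietary file, then a containment score for public text plus a cheap identifier check. The proprietary file, the leaked copy, the unrelated public text and the list of internal identifiers are all constructed.

```python
import hashlib
import re

K = 12  # k-gram length in normalized characters
W = 8   # window size; any shared run of at least K + W - 1 characters is detected

# Constructed proprietary file and two "public" texts (not from the article).
PROPRIETARY = """\
def rate_limit(key, bucket, now, capacity=100, refill=5.0):
    # token bucket keyed by client id
    tokens, last = bucket.get(key, (capacity, now))
    tokens = min(capacity, tokens + (now - last) * refill)
    if tokens < 1:
        bucket[key] = (tokens, now)
        return False
    bucket[key] = (tokens - 1, now)
    return True
"""

# The same function re-indented, stripped of its comment and pasted among other code.
LEAKED_PUBLIC = """\
# pasted from work laptop
import time
def rate_limit(key, bucket, now, capacity=100, refill=5.0):
  tokens, last = bucket.get(key, (capacity, now))

  tokens = min(capacity, tokens + (now - last) * refill)
  if tokens < 1:
    bucket[key] = (tokens, now)
    return False
  bucket[key] = (tokens - 1, now)
  return True

print(rate_limit("c", {}, time.time()))
"""

UNRELATED_PUBLIC = """\
def parse_header(line):
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip()
"""

INTERNAL_IDENTIFIERS = ["corp-internal", "rate_limit", "svc-billing"]  # assumed


def normalize(text):
    """Drop line comments and all whitespace so that re-indenting or
    re-commenting a copied file does not change its fingerprint. (Crude:
    a '#' inside a string literal is treated as a comment too.)"""
    text = re.sub(r"(#|//).*", "", text)
    return re.sub(r"\s+", "", text)


def kgram_hashes(s, k=K):
    """Hash every overlapping k-character substring to a 64-bit integer."""
    return [int.from_bytes(hashlib.blake2b(s[i:i + k].encode(), digest_size=8).digest(), "big")
            for i in range(len(s) - k + 1)]


def winnow(hashes, w=W):
    """Winnowing (Schleimer, Wilkerson and Aiken, 2003): keep the minimum hash
    of every window of w consecutive k-gram hashes. The selected set is small,
    yet any shared substring of K + W - 1 characters contributes a hash."""
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(text):
    return winnow(kgram_hashes(normalize(text)))


def containment(proprietary_fp, public_text):
    """Fraction of the proprietary fingerprints that also occur in public_text."""
    if not proprietary_fp:
        return 0.0
    return len(proprietary_fp & fingerprint(public_text)) / len(proprietary_fp)


def find_identifiers(public_text, identifiers=INTERNAL_IDENTIFIERS):
    """Cheap first-pass check for internal repository or project names."""
    return [i for i in identifiers if re.search(re.escape(i), public_text)]


if __name__ == "__main__":
    fp = fingerprint(PROPRIETARY)
    print(f"{len(fp)} fingerprints stored")
    for name, text in (("leaked", LEAKED_PUBLIC), ("unrelated", UNRELATED_PUBLIC)):
        print(name, round(containment(fp, text), 2), find_identifiers(text))
```

Because the leaked copy contains the proprietary function verbatim once whitespace and comments are removed, every stored fingerprint reappears and containment is exactly 1.0; the unrelated file shares none. Only the fingerprint set, not the source, has to leave the organization for a monitoring job, which matters because the monitor itself would otherwise be another place the code could leak from.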
The Real Cost of Source Code Leaks
It’s hard to measure the true cost of a source code leak, but no one wants one to happen to them: the cost is high and the risk too great. A source code leak damages your reputation and your customers’ trust. It can also give away your closely guarded secrets and threaten your competitive edge. The good news is that with the proper tooling in place, a source code leak doesn’t need to be catastrophic.
There’s a lot you can do to prevent code leakage from happening, such as having the right governance and least privilege policies in place to limit the access to code. Furthermore, by preventing common security issues, such as hardcoded secrets and IaC misconfigurations, you can ensure that a code leak isn’t an easy path to a data breach. Finally, should a source code leak occur, the right tool makes sure that it is found and removed quickly to minimize exposure.
Whether by accident or through a malicious act, source code leaks happen. The good news is that with the right measures in place, there is life after a leak. The even better news is that you can prevent headline-grabbing leaks from happening by adopting the right tool.
Originally published: April 28, 2022