March 20, 2020 | 9 min read
Ronen Slavin

Actually, you should care a whole lot.

Source code is the ‘magic elixir’ of your organization.

Source code houses the building blocks of your software. It’s what gives you your competitive edge, your secret strategy, your access to success.

Today, more organizations are using remote workers, outsourcing to freelancers and distributing work across more locations that are typically less secure. While also moving from secured, in-house servers to running on the cloud without fully understanding the added exposure they could face that requires additional security precautions to mitigate risk. This is happening across all industries, from entertainment companies to the agriculture space to national defense.

So really caring about how secure your source code is, is vital to the health of your organization, no matter what type of organization you run. Especially when you weigh the potential risks and business impacts that security vulnerabilities can have on your company.

There are many reasons cybercriminals are searching for access to your source code. This post will cover the top 3 risks that will cause the most danger to your business.

1. Intellectual Property Leaks
Source code, in many cases, is the intellectual property of the organization and is protected under copyright laws giving software companies legal protections and responsibilities around their code. Every company that relies on source code for its operation, will have, at minimum, some IP within its source code. Whether it’s newly developed algorithms, payment processing, fraud detection or other business critical elements that run digitally.

What happens when you have your source code IP leaked?

A couple of years ago, Tesla’s manufacturing operating system (‘MOS’) was hacked by a former disgruntled employee who wrote software that transferred Tesla data to external sources including a video of Tesla’s manufacturing systems. In other words, their secret sauce and part of their competitive edge was exposed.

In other words, source code reveals not only the actual code, but the innovation around a product. Look at what happened over at Apple recently when leaked iOS 14 code containing private details about new features and changes in iOS 14 and related software, services, and products. Apple competitors couldn’t have asked for better.

1.1 Shareholder Responsibility What happens when your organization is public and IP is leaked?
When the source code of a public company is leaked the company has a fiduciary duty to inform shareholders and be disclosed in public securities filings. Losing control of proprietary information can have devastating effects on a company. Stock prices can be affected, fines can be levied and leaks can even pose health and safety concerns for consumers.


2. Source Code Secrets
You can have secrets in your source code. Secrets in source code are available to all repository contributors whether cloned, copied or distributed. And all of these copies each provide authorized access into your system. Secrets can include anything from API keys, encryption keys, Oauth tokens, passwords, and more.

What can happen when you have secrets in your source code?

Take for example what happened with major Canadian firm, Rogers Communications. A few months ago, a security engineer discovered two open GitHub accounts with Rogers’ application source code, internal usernames and passwords, and private keys. And having this code leaked with keys made this hack even more severe. The security engineer who discovered the open GitHub accounts said in his interview with The Register that, “in addition to source code, the information also contained credentials for deployment systems and Oracle-supplied gear.” Worse: Experts suspect the offending code injected into the source code belonged to a former Rogers Communications developer.

3. Increased attack surface

Source code doesn’t only house intellectual property, it also houses your developers issues and bugs, your source code defenses and implementation details on the infrastructure on which the software is built. Combined together, if leaked, it’s easier to find vulnerabilities and new attack surfaces. Attackers can then search the code to see what known vulnerabilities exist in the infrastructure used, what defences are in place and how to overcome them, and even find new vulnerabilities in the source code and use them to target the software’s users, systems and the organization itself.

What happens when your antivirus code is leaked?

Last year, antivirus companies McAfee, Symantec and Trend Micro all allegedly had their source code stolen with a worst-case scenario that its security software could be perused by hackers to devise ways to circumvent it and access sensitive user data.

Bottom line: Increase Software Security Prioritization

Lesson learned. The repercussions of leaked source code are a company’s worst nightmare. Accidental or intentional exposure of source code is basically handing over your trade secrets to your competitor and throwing in the towel on innovation. Source code security is the responsibility of both (boards when the company is public) management, engineers and developers and they must work together to create policies and take precautions to avoid pushing private company code to any public repositories. All of these incidents should serve as a warning on the importance of keeping track of where company source code is kept, who has access to it and who shouldn’t.