The world is caught in the middle of a global pandemic the likes of which most people alive today never imagined. Not since the Spanish Flu has the world come to a stop the way Coronavirus, or Covid-19, has collectively brought humanity to its knees.
The world has turned upside down, entire countries are on lockdown, and with hundreds of thousands of businesses transitioning to work from home, another frightening epidemic (of lesser proportion but still dangerous) is rising – malicious hackers. Hackers are exploiting the pandemic in any way they can, preying on people’s concerns by sending phishing emails with supposed information about the pandemic or claiming to offer a VPN, something many employees now need in order to work.
With the shift from working in the office, behind corporate firewalls, to working from home in the Corona era, it is imperative that the CISO and cyber team build a highly strategic cybersecurity plan and policy that employees must adhere to in order to protect the company. Because source code in particular has a high risk of exposure and theft, the consequences of not putting policies in place are dire.
There are several quick policies the cyber team can put into place for R&D while building out a more cohesive strategy.
• Enforce 2FA (2-factor authentication) in the security configuration of the source control management system.
• Monitor and Review public code repositories to make sure they house open source projects only and that no private IP (intellectual property) has been exposed.
• Clean Your Repositories and make sure no sensitive information such as API tokens, credentials, database connection strings or certificates is exposed.
• Educate Developers so they are well aware of the risk of secrets exposed through code.
• Track Source Control And Access. Tracking who has access to your source code provides control and the opportunity to limit or revoke access at any time for any reason. Be sure to communicate and coordinate with HR so that if someone is being let go, their access can be revoked at the same time they are given notice.
• Silo Authorization Controls – Not everyone needs or should have access to all source code. Separating access limits how much code is exposed if any one account is compromised.
• Legal Review – It might sound obvious, but it is vital that every contractor and employee have a signed contract and NDA in place. If you don’t have legal requirements in writing that the IP and any code written for the organization belongs to the organization, then there is no legal protection against theft of the source code. If a contract is missing, speak with your legal department and get it up to speed – now.
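As an added example in the spirit of the "Clean Your Repositories" item (not code from the original post), the following Python scanner checks constructed sample file contents for the secret types listed above, skips low-entropy placeholder values, and reports where a finding is without echoing the secret itself. The regexes, threshold and sample paths are this example's own assumptions, not a standard rule set.

```python
import math
import re

# Heuristic regexes for the secret types the post lists: API tokens, credentials,
# database connection strings and private keys. Assumptions of this example only.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s]+:[^@\s]+@", re.IGNORECASE),
    # keyword, then = or :, then a 16+ character value captured as group(1)
    "generic_credential": re.compile(
        r"\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})",
        re.IGNORECASE),
}

def shannon_entropy(value):
    """Bits per character: real tokens score high, 'xxxxxxxx' placeholders score 0."""
    n = len(value)
    return -sum(value.count(ch) / n * math.log2(value.count(ch) / n) for ch in set(value))

def scan_text(text, source, entropy_threshold=3.5):
    """Return findings as source/line/type; the matched value is deliberately not
    recorded so the report itself does not leak the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Drop low-entropy "values" such as repeated placeholder characters.
            if kind == "generic_credential" and shannon_entropy(match.group(1)) < entropy_threshold:
                continue
            findings.append({"source": source, "line": lineno, "type": kind})
    return findings

def scan_repo(files):
    """files maps path -> content; a real run would walk a checkout or a pre-commit diff."""
    return [f for path, text in files.items() for f in scan_text(text, path)]

# Constructed sample repository contents, not real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DATABASE_URL = 'postgres://app_user:Sup3rS3cret!@db.internal:5432/app'\n"
        "API_KEY = 'x9Kq2LmZ8vT4rWn1PbYc6HdJ3sFg7Ae0'\n"
        "AWS_KEY = 'AKIAEXAMPLEKEY1234AB'\n"
    ),
    "README.md": "Set PASSWORD=xxxxxxxxxxxxxxxxxxxx in your .env before running.\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
}

if __name__ == "__main__":
    print(*scan_repo(SAMPLE_FILES), sep="\n")
```

The README placeholder is not reported because its entropy is zero, which is the kind of tuning needed to keep developers from ignoring the scanner's output.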
Get into the mindset that you need to actively secure your source code and that it is a company-wide endeavor.
• Communicate the policies with security and engineering managers across the company.
• Have a member of the security team set up sessions to speak with each department and discuss how the theft of source code and lax cyber security policies impact each segment of the business.
By making cyber security a professional goal, everyone in your organization will be empowered to work towards the common goal of securing company IP.