Preventing Source Code Misuse and Abuse

Source code is at the root of all software. It is intellectual property, it is a competitive advantage, and it ensures your business can operate and your customers can continue to transact with your company. For these reasons, application security has been a long-time, pressing cyber security concern. OWASP and other industry standards groups have worked for years to promote application security. Consequently, there has been enormous growth in the commercial and open source application vulnerability scanning tools market and in the demand for secure code development training. Fortifying code from the onset and continuous testing against flaws and manipulation are extremely important; the entire cyber security community has seen what happens when a threat actor exploits code.

But hardening software at the core is just one aspect of application security. Malicious intent is certainly at the forefront of security professionals’ minds; however, human error and insider threat are equally important. When I write “human error,” purists will naturally think of mistakes made in the code-writing process. Human error, though, can also refer to a developer copying and pasting proprietary code into a public GitHub repo or sharing it in other insecure ways in an effort to get feedback or collaborate with colleagues. Human error can refer to a lost or stolen laptop on which code is stored. There is nothing malicious or mischievous about these actions, but they may lead to theft or exploitation.

As it relates to insider threat, this category is clearer: A disgruntled employee leaks code to undermine a fellow developer or his/her/their employer. A developer who plans on leaving the company takes code with them as a point of pride or demonstration of their work, even if removing code is not permitted under the organization’s acceptable use policies. These things happen all the time, and no amount of code scanning or developer training will prevent these actions.

An eye-opening moment

A few years ago, Ronen Slavin, now co-founder and CTO of Cycode, was working as a security researcher when he learned that a fellow employee was stealing source code. This sparked an idea, and he teamed up with Lior Levy, a former software engineer and solutions architect, to evaluate the market for instances of lost and stolen source code. As former developers and engineers, the pair knew the security market didn’t need another tool for source code validation or testing. What was needed was a tool that could detect when source code was inappropriately being moved/shared/copied and prevent leakage.

In 2019, Levy and Ronen co-founded Cycode with a mission to help organizations protect and govern source code, but in a way more akin to DLP than code scanning. On a recent briefing, Levy told me and Ed, “Source code is a critical part of IT, and if it’s leaked or there are misconfigurations of development environments, companies lose their ability to compete and open themselves up to compromise. Most of our customers have experienced some sort of source code leakage, but it's happening more than companies realize. We know about the big code breaches like AMD, Microsoft, and Uber, but the issue is much more widespread.”

A dispersion problem

The root of the problem lies in the fact that organizations’ source code is unlikely to be centrally stored, accessed, or managed, Levy said. Companies have on-site developers, developers working from home, and third parties and contractors developing code on their behalf. Code isn’t written or stored in a central repository either. Development platforms were built for collaboration, and the widespread use of cloud and containers makes securing development environments and their contents extremely difficult.

Cycode was built to help companies protect their source code and detect when it may be at risk. However, even though Cycode can serve the function of source code leakage detection, it is not a DLP tool. Deployed via an API (without a proxy or agent), Cycode finds where source code is located, scans it for embedded secrets, analyzes the metadata, then fingerprints the code so it can be tracked via the Source Path Intelligence engine.

A governance solution

Admins can also review access controls and deploy least privilege to ensure developers don’t misuse, abuse, or unintentionally lose sensitive data, and the platform alerts admins when threats are detected. Additionally, Cycode can automatically scan code for common issues such as exposed API tokens, credentials, database connection strings, and other sensitive information. “Cycode is full source code governance,” said Levy. “It can perform asset visibility, code leak detection, secrets detection, and help development or security teams eliminate unnecessary and insecure access.”
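As an added illustration of the secrets-detection step mentioned in the two paragraphs above (this is not Cycode's code; the rules, the sample file and the entropy threshold are my own assumptions), a small scanner that flags a database connection string, an AWS-style access key ID and a high-entropy API token in a constructed source file, while ignoring a low-entropy placeholder value:

```python
import re
import math

# Constructed sample file contents (no real secrets): the kind of config
# module a developer might paste into a public repo by mistake.
SAMPLE_SOURCE = """\
import os
DB_URL = "postgres://app_user:Sup3rS3cret!@db.internal.example:5432/orders"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
api_token = "sk_live_4f9c2b7e1d8a6c3f0b5e9a2d7c4f1e8b"
SECRET = "changeme_changeme_x"
DEBUG = True
"""

# Each rule: name, regex with the secret in group 1, and whether the captured
# value must also look high-entropy (filters placeholders such as "changeme").
RULES = [
    ("db-connection-string",
     re.compile(r"\b(?:postgres|mysql|mongodb)://[^:\s]+:([^@\s]+)@"), False),
    ("aws-access-key-id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    ("generic-api-token",
     re.compile(r"(?i)\b(?:api[_-]?(?:key|token)|secret)\s*=\s*['\"]([^'\"]{16,})['\"]"), True),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text: str, entropy_threshold: float = 3.5):
    """Return (line_number, rule_name, redacted_value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, needs_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1)
            if needs_entropy and shannon_entropy(value) < entropy_threshold:
                continue  # looks like a placeholder, not a live credential
            # Never log the full secret; keep only enough to locate it.
            findings.append((lineno, name, value[:4] + "..." + value[-2:]))
    return findings

if __name__ == "__main__":
    for lineno, rule, redacted in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule} ({redacted})")
```

Run as a pre-commit hook or over a repository checkout, the same function reports where secrets sit without ever echoing the full value.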

At present, there is no category for source code detection and response (SCDR?) or source code leak protection (SCLP?), but it seems like Levy and Ronen may be on to something that could be a nice complement to traditional source code scanning and vulnerability management, especially if Cycode can build in automated remediation (which is part of the future roadmap). Currently in beta, companies can request a demo or beta access via the company’s website.