Eran Orzel
Aug 17 · 4 min read
Source code is the most original and complete description of a software program: the basic building block that reveals a program's internals, dependencies, and components down to the smallest detail. In a world where organizations compete on software, source code should be guarded like money in the bank. Unfortunately, there have been numerous incidents in which the source code of high-profile companies was leaked.
Here are some reasons any organization should worry about a source code leak:
Company reputation: A company that cannot protect its most valuable data, such as its source code, is hard to trust.
User data misuse: Leaked code often contains hard-coded credentials or reveals how production data stores are reached. User data such as email addresses and credit card details then ends up for sale on the dark web and is misused, at considerable cost to end users.
Intellectual property theft: Unreleased product features, incubating ideas, and the complete working processes of teams are revealed. A company can lose its competitive edge as a result.
Access to core systems: Starting from a single repository or server, an attacker can use the secrets, internal hostnames, and unpatched flaws visible in the code to work toward the core of a system, including its databases and core servers.
Infects customer servers: As in the SolarWinds attack, an attacker who gains write access to source or build systems can push malicious code into customers' environments, a ripple effect that can last for years after the initial intrusion.
Mercedes vans use an onboard logic unit (OLU) that sits between the vehicle's hardware and its software. The source code for this component was found by a security researcher who used targeted Google search queries to locate exposed Git repositories. He was able to download 580 Git repositories from the server and made them publicly available until Mercedes contacted him to take them down. The researcher has found many such repositories and has spoken openly about how outrageous it is that companies pay so little attention to the security of their source code.
As in many industries, the gaming industry is all about protecting copyright, and within it Nintendo is known for aggressively using the law to crack down on theft of its intellectual property. Yet this past year a mammoth collection of files and source code leaked from Nintendo servers, revealing in deep detail the exact development process of many games, including Super Mario and Pokémon. It was a treasure trove for fans, but many were also unsure how to handle such confidential information once it was exposed. Once code is exposed there is no turning back; the only half-measure left to Nintendo is to threaten to sue those who share the information publicly. The leak was so large that it was nicknamed the "gigaleak."
Windows XP and Windows Server 2003 are old operating systems, but they are still running in some environments. This past year the almost complete source code of both was leaked. This was not the first time Microsoft source code leaked; code for Windows 10 and Xbox had leaked previously. While these operating systems are older and of lesser consequence, an attacker reading their code may still find bugs in components that later Windows releases inherited, and the incident shows that even the biggest tech companies suffer from source code leaks.
Another automaker in the source code leak news was Nissan. This leak involved many of Nissan's mobile apps, marketing and sales tools, website code, and connected-car services. It was found because Nissan had left one of its Git servers exposed with the default credentials admin/admin. A single oversight with access credentials can expose entire systems.
EA (Electronic Arts), one of the top game developers in the world, is the latest victim in this series of source code leaks. About 780 GB of EA's game data was leaked online, including code for popular titles such as FIFA, Battlefield, and Star Wars. With this data attackers can build cheats for EA's games and get a glimpse of hidden and unreleased features. While details of the leak are scarce, EA has confirmed a network intrusion as the cause.
Preventing source code leaks takes more than a security best-practices document or a one-time security audit. It requires continuous controls, enforced at every level, for every user, and across every component of the system. Here are some measures that can be implemented with a modern security solution like Argon:
Git repo config: Audit the configuration of your Git repositories so that only the repositories meant to be public are public, and make private the default for new ones.
Run code checks: Scan public repositories, including their full commit history, for accidentally or intentionally committed confidential and sensitive information. A secret that was removed in a later commit is still retrievable from the earlier one, so a scan of the latest tree alone is not enough.
Strong access credentials: Automatically check for weak or default passwords (the admin/admin of the Nissan case) and ensure two-factor authentication is enforced.
Access controls: Git repositories and other parts of the system should be access-controlled so that every user, human or machine, can see only what it needs for its purpose.
User behavior tracking: Establish a baseline of normal user behavior and alert immediately on any anomaly, such as a single account cloning hundreds of repositories.
Privilege escalation: Bad actors will try to escalate their privileges. Any such attempt should be tracked and alerted on system-wide.
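The "run code checks" item above is the one most easily automated, and the history caveat is where ad-hoc scanners fall short. The script below is an added example written for this page; it is not Argon's code nor code from the original post. It scans a small constructed three-commit history for committed secrets using signature regexes for well-known token formats plus an entropy filter for generic password-style assignments, and it shows that a HEAD-only scan misses a key that was committed and later "removed". The detector patterns, the entropy threshold, and the sample history are all assumptions made for the example.

```python
"""Scan a repository's full history for committed secrets (added example,
not Argon's code). Signature regexes catch well-known token formats; a
Shannon-entropy filter keeps generic "password = ..." matches from flagging
placeholders. The sample history below is constructed for the example."""
import math
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (path, line number, detector, redacted value)

# Illustrative detectors. The AWS key and GitHub token shapes follow the
# publicly documented formats; a real deployment would carry many more.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "password = value" assignments; the captured value is
    # entropy-checked below so that placeholders do not produce noise.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); a random 16-char key scores 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo a full secret in scanner output; keep a short prefix for triage."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def looks_like_placeholder(value: str) -> bool:
    """Templated or low-entropy values ("${DB_PASSWORD}", "changeme") are not secrets."""
    if value.startswith(("${", "<", "%(")):
        return True
    return shannon_entropy(value) < ENTROPY_THRESHOLD


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every detector over every line of one file version."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SIGNATURES.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if name == "generic_assignment" and looks_like_placeholder(value):
                continue
            findings.append((path, lineno, name, redact(value)))
    return findings


# Constructed sample history: (commit id, {path: content}). The AWS key is the
# example key from AWS's own documentation; it is committed in c1 and replaced
# by an environment lookup in c2, so HEAD (c3) no longer shows it.
SAMPLE_HISTORY: List[Tuple[str, Dict[str, str]]] = [
    ("c1", {
        "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    }),
    ("c2", {
        "config/settings.py": 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\nDEBUG = True\n',
        "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n",
    }),
    ("c3", {
        "config/settings.py": (
            'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
            'DB_PASSWORD = "q7F2kP9sLx3mN8vB"\n'      # real-looking secret: flagged
            'DEFAULT_PASSWORD = "changeme"\n'         # low entropy: ignored
            'ADMIN_TOKEN = "${ADMIN_TOKEN}"\n'        # template placeholder: ignored
        ),
    }),
]


def scan_history(history: List[Tuple[str, Dict[str, str]]]) -> List[Tuple[str, str, int, str, str]]:
    """Scan every file version in every commit, not just the latest tree."""
    results = []
    for commit, files in history:
        for path, content in files.items():
            for path_, lineno, name, redacted in scan_text(path, content):
                results.append((commit, path_, lineno, name, redacted))
    return results


def scan_head(history: List[Tuple[str, Dict[str, str]]]) -> List[Tuple[str, str, int, str, str]]:
    """What a HEAD-only scan sees: the earlier commits are never inspected."""
    return scan_history(history[-1:])


if __name__ == "__main__":
    print("HEAD only:")
    for row in scan_head(SAMPLE_HISTORY):
        print("  ", row)
    print("Full history:")
    for row in scan_history(SAMPLE_HISTORY):
        print("  ", row)
```

Running the script prints one finding for the HEAD-only scan (the database password in c3) and three for the full history (the AWS key in c1, the private key in c2, and the password in c3). In practice the same logic is run over every blob reachable from `git rev-list --all`, wired into CI and pre-commit hooks, and any secret it finds is treated as compromised and rotated, because deleting it from the repository does not revoke it.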
Though source code leaks are difficult to prevent, the stakes are high enough that they belong at the top of every organization's priority list. Rather than relying on outdated, static security processes, use a security solution like Argon for dynamic, timely protection of your source code end to end.