In recent years, attacks on source code have been increasing; Microsoft, LastPass and Samsung are examples. Leaked source code does not only affect your intellectual property rights, but can also affect the overall security of an application or service, especially when the attacker can change the source code and add, for example, malware or worse. Hence most organizations want to prevent unauthorized access to their source code.
How
In order to prevent unauthorized access to your source code, you need to know what source code you have (perhaps a no-brainer), but also which tools (compilers, integration tools, test platforms, etc.) are allowed to access it. When you know this, you can focus your attention on the correct items.
It is advisable to store your source code centrally, and developers should only have access to the parts of the code they are actively working on. Depending on the required access level, a developer gets read-only or write access to the source code, which prevents unauthorized changes. This access control should be in line with your general Access Management policy and procedures. Changes to the source code should be reviewed and approved by another person (or system) than the one who made them.
As with all controls, the process should be auditable: the audit log should show who performed a change and when, and who approved it and when.
Setting up secure access to source code can seem overwhelming at first, but source code management tools are available that help you with this. See also the Related links section below.
Risks
The main risk when setting up access controls to source code is choosing a method that is so difficult or cumbersome that your users (such as developers) stop using it or work around it. Always look for a method or tool that suits your organization's needs.
Example Control Ruleset
When the following controls are in place, you should be compliant for this topic:
- All source code is stored in one central repository.
- Access to the central repository is managed using an Identity and Access Management (IAM) process.
- Access to the source code is based on least privilege and need-to-know.
- Changes to source code require a change request ticket.
- Audit logs are maintained containing all actions (read/write) on source code.
- Audit logs are stored for a minimum of 6 months and are only accessible by security employees.
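The checks that the How section and the ruleset above ask for (a second person approves each change, every change references a ticket, nobody acts beyond the access level IAM granted them) can be run mechanically over the audit log. The script below is an added example and is not part of this page or of any tool in the Related links; the log format, the user names, repositories, change IDs, ticket IDs and the access register are all constructed for illustration, and it assumes that approving and merging, like pushing, require write access.

```python
"""Audit-log checks for source code access controls.

Added example, not from the original page. The log format, repository
names, user names, change IDs and ticket IDs below are all constructed
for illustration; a real SCM exports its own audit format, so only the
parser would need adapting.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed audit log: timestamp, user, action, then key=value attributes.
# Actions: read, push (a change), approve (review), merge (change lands).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice read    repo=payments
2024-03-01T09:40:11Z alice push    repo=payments change=C101 ticket=CHG-451
2024-03-01T10:02:45Z bob   approve repo=payments change=C101
2024-03-01T10:05:00Z alice merge   repo=payments change=C101
2024-03-02T14:20:09Z carol push    repo=payments change=C102
2024-03-02T14:21:30Z carol approve repo=payments change=C102
2024-03-02T14:22:00Z carol merge   repo=payments change=C102
2024-03-03T08:00:00Z alice push    repo=billing change=C103 ticket=CHG-470
2024-03-03T08:30:00Z dave  merge   repo=billing change=C103
2024-03-03T08:45:00Z dave  approve repo=billing change=C103
2024-03-04T11:00:00Z eve   read    repo=billing
"""

# Constructed access register (the IAM side): repo -> {user: level}.
# Assumption: approve and merge, like push, require the "write" level.
ACCESS = {
    "payments": {"alice": "write", "bob": "write", "carol": "write"},
    "billing": {"dave": "write", "alice": "read"},
}
WRITE_ACTIONS = {"push", "approve", "merge"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s*(?P<attrs>.*)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    repo: str
    change: Optional[str]
    ticket: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; reject lines we cannot interpret."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {raw!r}")
        attrs = dict(kv.split("=", 1) for kv in m["attrs"].split())
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["action"], attrs["repo"],
                            attrs.get("change"), attrs.get("ticket")))
    return events


def check_changes(events: List[Event]) -> Dict[str, List[str]]:
    """Four-eyes and change-ticket checks for every change that was merged.

    Returns {change_id: [problem, ...]}; an empty dict means all clean.
    """
    by_change = defaultdict(list)
    for e in events:
        if e.change:
            by_change[e.change].append(e)
    findings = {}
    for change, evs in by_change.items():
        merges = [e for e in evs if e.action == "merge"]
        if not merges:
            continue  # nothing landed yet, so nothing to have approved
        authors = {e.user for e in evs if e.action == "push"}
        approvers = {e.user for e in evs if e.action == "approve"}
        problems = []
        if not approvers:
            problems.append("merged without any recorded approval")
        elif not (approvers - authors):
            problems.append("self-approved by " + ", ".join(sorted(approvers)))
        first_merge = min(m.ts for m in merges)
        if approvers and not any(e.action == "approve" and e.ts <= first_merge for e in evs):
            problems.append("approval recorded only after the merge")
        if not any(e.ticket for e in evs):
            problems.append("no change request ticket referenced")
        if problems:
            findings[change] = problems
    return findings


def check_access(events: List[Event], access=ACCESS) -> List[str]:
    """Flag logged actions that the access register does not grant."""
    out = []
    for e in events:
        level = access.get(e.repo, {}).get(e.user)
        if level is None:
            out.append(f"{e.ts:%Y-%m-%dT%H:%M:%SZ} {e.user}: no access to {e.repo}, yet did {e.action}")
        elif e.action in WRITE_ACTIONS and level != "write":
            out.append(f"{e.ts:%Y-%m-%dT%H:%M:%SZ} {e.user}: read-only on {e.repo}, yet did {e.action}")
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for change, problems in sorted(check_changes(evs).items()):
        print(change, "->", "; ".join(problems))
    for line in check_access(evs):
        print(line)
```

On the constructed log this reports C102 (carol approved her own change and no ticket is referenced), C103 (dave's approval was logged after his merge, so the approval did not gate the change) and two access findings (alice pushed to a repository where she is read-only, and eve read a repository she was never granted). Note what the script cannot tell you: an audit log only records what the SCM saw, so the access register it is compared against has to come from the IAM process itself, not be reconstructed from the log.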
Related links
Gartner on Application Development Life Cycle Management tools
Microsoft GitHub
AWS CodeStar
Google Code