Chinese Source Code Leaker Gets Jail Time


A criminal case in China has highlighted the need for effective source code controls after a software developer was jailed for posting his employer’s intellectual property online.

The unnamed employee was a software engineer at Chinese drone maker DJI, where he developed code for agricultural drones, according to reports from Technode. He worked on an agricultural drone management platform and on code for agricultural machinery.

The developer opened an account on online code collaboration site GitHub and leaked the source code for both projects, making it available to the public, later claiming to have done it by accident. The loss of intellectual property cost the company around RMB 1.14m (around £129,700).

This isn’t the only source code leak we’ve seen. Anime-streaming platform Bilibili saw more than 50MB of its source code posted on GitHub earlier this month, Technode said.

The leaks highlight the need to control developer access to source code. Several techniques can help: keeping code in private repositories behind identity and access management (IAM) that restricts who can read or clone it and logs every access; separation of duties, so that sensitive actions such as changing a repository’s visibility or adding an outside collaborator need a second person’s approval; and multi-factor authentication on every developer account.
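Access controls on the internal repository do not stop a developer who has a legitimate clone from pushing it to a personal account on a public host, which is how the DJI code reportedly ended up online. The following client-side git pre-push hook is an added example, not code from the article or from DJI: it refuses any push whose remote is not on an allowlist of company-controlled git hosts. The hostnames in the allowlist are hypothetical.

```sh
#!/bin/sh
# Added example: git pre-push hook that blocks pushes to non-approved remotes.
# Install as .git/hooks/pre-push in each internal repository, or point
# core.hooksPath at a directory containing it. The allowlist is hypothetical.

ALLOWED_HOSTS="git.example-corp.internal gitlab.example-corp.internal"

# host_of URL: print the host part of an https://, ssh:// or scp-style
# (user@host:path) remote URL. Unrecognised forms (including local paths)
# yield an empty string so that they are rejected, not silently allowed.
host_of() {
  url=$1
  case "$url" in
    *://*)
      h=${url#*://}    # drop scheme
      h=${h%%/*}       # drop path
      h=${h##*@}       # drop user[:token]@
      h=${h%%:*}       # drop :port
      ;;
    *@*:*)
      h=${url#*@}      # drop user@
      h=${h%%:*}       # drop :path
      ;;
    *)
      h=""
      ;;
  esac
  printf '%s\n' "$h"
}

# remote_allowed URL: return 0 if the URL's host is on the allowlist, else 1.
remote_allowed() {
  h=$(host_of "$1")
  [ -n "$h" ] || return 1
  for a in $ALLOWED_HOSTS; do
    [ "$h" = "$a" ] && return 0
  done
  return 1
}

# git invokes the hook as: pre-push <remote-name> <remote-url>
# (the refs being pushed arrive on stdin and are not needed here).
if [ $# -ge 2 ]; then
  if ! remote_allowed "$2"; then
    echo "pre-push: refusing to push to non-approved remote '$2'" >&2
    exit 1
  fi
fi
```

A hook in the developer's own working copy is advisory at best, since anyone can delete it or run `git push --no-verify`; it catches the accidental case the developer claimed, not a determined insider. Pair it with server-side controls on the internal git host and with egress monitoring for connections to public code-hosting services.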

These internal protections may not be enough, though. Over in the US, a hacker grabbed Snapchat’s source code last year and posted it on GitHub. The company had shipped some of its source code inside an iOS update. This highlights the need for a build and deploy process that keeps source files out of the artefact that is actually shipped to users.
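One cheap control for the failure mode just described is a release gate that inspects the unpacked app bundle or package before it is signed and uploaded, and fails the build if any source file, source map or project metadata is still inside it. The script below is an added example, not from the article or any vendor's pipeline; the list of file patterns is a starting point, not a standard.

```sh
#!/bin/sh
# Added example: release gate that fails if a build artifact directory still
# contains source material. Run against the unpacked bundle/package before
# signing. Pattern list is illustrative; extend it for your own stack.

SOURCE_PATTERNS='*.swift *.m *.mm *.h *.c *.cc *.cpp *.java *.kt *.py *.go
*.ts *.js.map *.css.map .git .gitignore Makefile *.xcodeproj *.pbxproj'

# scan_artifact DIR: list every offending path on stderr; return 1 if any
# were found, 0 if the artifact is clean. A find error (e.g. missing DIR)
# also yields a non-empty/aborted result, so the gate fails closed.
scan_artifact() {
  dir=$1
  # Build "-name p1 -o -name p2 ..." with the positional parameters, the
  # only array available in POSIX sh. Globbing is disabled while the
  # pattern list is word-split so '*.swift' is not expanded against the cwd.
  set -f
  set --
  for pat in $SOURCE_PATTERNS; do
    if [ $# -eq 0 ]; then
      set -- -name "$pat"
    else
      set -- "$@" -o -name "$pat"
    fi
  done
  set +f
  hits=$(find "$dir" \( "$@" \) -print)
  if [ -n "$hits" ]; then
    printf 'release-gate: source material found in artifact:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Stand-alone use: release-gate.sh <artifact-dir>
if [ $# -ge 1 ]; then
  if scan_artifact "$1"; then
    echo "release-gate: artifact clean" >&2
  else
    exit 1
  fi
fi
```

Wire the gate into CI immediately after the packaging step and before code signing, so that an artefact containing leftovers never acquires a valid signature. It only catches files that are recognisably source; it says nothing about debug symbols or strings embedded in the binary itself, which are the decompiler's starting point and need separate handling.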

Get all this right, and you’ll still have to contend with people decompiling your code. Decompiled source code from the video game Undertale made its way onto GitHub this February. That’s difficult to stop, but some measures raise the cost: obfuscating your code, and using third-party packer tools that wrap the executable in an encrypted loader. Ultimately, though, if someone wants your code badly enough, they’ll reverse engineer it.

The takeaway here is that like most other security challenges, protecting source code isn’t a process with a binary outcome. You can never entirely secure it. You can only reduce the risk of compromise.

Chinese authorities fined the DJI developer RMB 200,000 (around £22,700) and sent him to jail for six months.

The topic of Governance, Risk and Compliance will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Governance, Risk and Compliance here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
