Data Security & Source Code Protection
As far as sensitive data goes, few pieces of information rank higher than program source code.
Source code is highly sensitive proprietary information: it is the program's instructions in their original, human-readable form, for any application.
The More Sensitive, the Bigger the Risk
For years, security experts have been pointing to the risks of exposed source code.
Two elements in particular make source code a major potential liability. The first and more obvious is intellectual property. If source code is stolen, its creators stand to lose their investment in producing the program as well as all potential future profits from it.
The second factor is that source code can be manipulated. Not only can the software's functions and tools be altered, but malicious elements such as Trojans and backdoors can be inserted as well. A compromised code set is then compiled and distributed in machine-code form, i.e. the form in which the ordinary user buys the software, so every copy shipped from that build carries the implant.
Surprisingly, many developers still use primitive security measures, despite the many examples of stolen or maliciously modified programs.
The Conventional Approach and its Holes
Today, the market offers several hosted source code repository services, many of them built around open source tools such as Git. Hosts such as Assembla, Microsoft's Azure DevOps, and the increasingly popular GitHub are just a few of the options out there.
Unfortunately, the run-of-the-mill source code host has its downsides.
First off, many of these platforms make it hard to track and locate code once it has been uploaded. Some even require downloading external tools to search across code sets. For organizations that need fast, reliable access to stored code, the way in which many hosts are structured can prove to be a liability.
In addition to the logistical setbacks, IT professionals have also pointed to the security weaknesses of common source code hosts. For one, many sites are exposed by the configuration errors of their own administrators, which can in turn compromise the entire platform. Additionally, there is often no way to track and classify who accesses the code stored on the host. Developers and other team members are able to freely read code and even push changes to it without review. The lack of access policy and enforcement multiplies both the insider threat and the risk of data exfiltration.
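One control a practitioner would want against the manipulation risk described above (a reviewed code set being altered or having a backdoor file inserted before it is compiled) is a keyed integrity manifest: seal the source tree after review, then have the build step re-verify it before compiling. The following is an added example, not code from the original page or from any of the hosts named; it uses only the Python standard library. The key, the tree layout, and the "backdoor" edit are all constructed for the demonstration, and the example assumes the key is kept outside the repository (for instance in a secrets store), since a key checked in alongside the code protects nothing.

```python
"""Signed integrity manifest for a source tree (added example, not the page's code).

A reviewer seals the tree with build_manifest(); the build server calls
verify_manifest() before compiling so a file modified or inserted after
review is caught before it becomes shipped machine code.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _file_digests(root):
    """SHA-256 of every file under root, keyed by forward-slash relative path."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def _mac(files, key):
    # Canonical JSON so the same tree always yields the same bytes to authenticate.
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Seal the tree: per-file digests plus an HMAC over the whole digest table."""
    files = _file_digests(root)
    return {"files": files, "mac": _mac(files, key)}


def verify_manifest(root, manifest, key):
    """Return (ok, findings). findings lists modified/added/removed paths, or a MAC failure."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        # Without the key an attacker cannot re-issue a manifest that covers their edits.
        return False, ["manifest: MAC mismatch (manifest itself was tampered with or forged)"]
    current = _file_digests(root)
    findings = []
    for rel in sorted(set(manifest["files"]) | set(current)):
        if rel not in current:
            findings.append(f"removed: {rel}")
        elif rel not in manifest["files"]:
            findings.append(f"added: {rel}")
        elif current[rel] != manifest["files"][rel]:
            findings.append(f"modified: {rel}")
    return not findings, findings


def demo():
    """Constructed scenario: a clean tree is sealed, then a backdoor is planted."""
    key = b"example-key-kept-outside-the-repo"  # assumption: lives in a secrets store, never in the tree
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "login.c"), "w") as f:
            f.write("int check(const char *p) { return strcmp(p, expected) == 0; }\n")
        manifest = build_manifest(root, key)
        clean_ok, _ = verify_manifest(root, manifest, key)

        # Attacker edits a reviewed file and drops in a new one (constructed "backdoor").
        with open(os.path.join(root, "src", "login.c"), "a") as f:
            f.write('/* backdoor */ if (!strcmp(p, "letmein")) return 1;\n')
        with open(os.path.join(root, "src", "helper.c"), "w") as f:
            f.write("void phone_home(void) {}\n")
        tampered_ok, findings = verify_manifest(root, manifest, key)

        # Attacker tries to re-seal the tampered tree without the real key.
        forged = build_manifest(root, b"wrong-key")
        forged_ok, forged_findings = verify_manifest(root, forged, key)
    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "findings": findings,
            "forged_ok": forged_ok, "forged_findings": forged_findings}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest detects the three things a build should refuse to compile: a reviewed file that changed, a file that appeared after review, and a manifest that was regenerated by someone who does not hold the key. In practice the same idea is carried by signed commits and tags on the host, but the host's signature checks are only as trustworthy as the host's own administration, which is why an independent check at build time is worth keeping.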
PageUp and the 3rd Party Liability Problem
The tech world was thrown into a frenzy over the recent hack of international HR service provider PageUp.
In late June, the company reported "unusual activity" in its IT infrastructure. An investigation was launched and emergency notifications were distributed to PageUp's broad client base.
The industry quickly understood: the implications of this hack were potentially devastating.
PageUp specializes in storing the personal details of workforce personnel. The company boasts two million active users across 190 countries. All of this data was now suspected of having been compromised.
The most recent news on the PageUp damage report was the leaked data of the UK food and hospitality giant Whitbread. The hotel and coffee shop operator acknowledged that some current and prospective employees’ data may have been compromised during the PageUp hack. Whitbread sent a message to individuals potentially affected stating that personal detail collected during recruitment processes “may have been accessed and could potentially be used for identity theft.”
Whitbread has reportedly suspended its use of PageUp’s services.
The Third Party Liability
The PageUp breach and its subsequent fallout highlight the ever-present, and increasingly risky, threat to data posed by third-party outsourcing.
Third-party contractors are extremely attractive targets for cyber criminals because they concentrate many organizations' data behind one set of controls. As one industry leader put it: "information like dates of birth and even maiden names [...] gives cyber-criminals all that they need to successfully monetize the hack, from phishing attacks to identity theft."
The risk of third-party vendors is especially acute in the era of heightened compliance demands set by current data regulations. Laws like the EU GDPR hold a company responsible for the processors it chooses to trust with its data, even when the breach happens on the processor's systems. In the medical industry, HIPAA requirements likewise extend to any outside service provider (a business associate) that handles patients' personal data.
Handle on the Data
Enterprises need to take control of their sensitive data, whether it sits on their own networks or is being managed by an outsourcer.
This means companies need to vet their digital-service supply chains more seriously. Managers must get clear answers from service providers to a few very important questions:
- What are the security standards for personnel data?
- How up to date are the company’s data loss protection tools?
- How does the contractor deal with regulation compliance?
Verifying that contractors meet tight standards, and not merely taking their word for it, is the only way for companies to safely employ third parties to handle their most sensitive data.