Software development is much faster when we leverage online tools and services. It can even be more secure if we use peer-reviewed, well-respected code instead of writing it ourselves.
Sometimes, however, in an effort to speed up and simplify development, we use public online services in a way that puts the business at risk. These three mistakes can expose intellectual property and even allow unauthorised changes to the software we're developing.
1: Committing sensitive data to online repositories
Online code repositories such as GitHub and similar services are great when your code has a public flavour to it. Enterprises can purchase private versions of these services that give them extra control. Sometimes developers host corporate code in an online repository, which offers many benefits: developers can sign themselves up without waiting for a central IT team to provision resources, they can access the repository from anywhere without being restricted by corporate network access, and they can find support in forums, apps, and examples.
One big danger with online source code comes from the data that is committed there. For example, if developers use a public repository to host the code of an internal application, they could be inadvertently exposing corporate infrastructure details on the internet. Sometimes configuration files refer to internet-facing test systems, user names, passwords, or hidden interfaces. Other intellectual property includes proprietary algorithms, undocumented APIs, or even production data that is being used as test data. Private keys (for SSH, for TLS web servers, for mobile app signing, and more) are found frequently in online repositories, where it is easy to search for them. Small to medium-sized businesses are especially likely to leverage free or nearly-free online services this way.
The security staff needs to know where the code is hosted, what security settings are in use on the repository, and who at the firm has administrative access over the repository.
2: Pasting sensitive data into online paste bins
There are numerous online services that allow developers to effectively copy/paste text, code, error messages, and data. These services make a lot of sense for distributed teams, or for teams who have no easier way to do this sort of sharing.
When teams are collaborating and they need to share data quickly, it is easy to upload it into a pasting site (e.g., Pastebin, Pretty Diff, and pb) and then paste the URL into a HipChat or Skype session shared by other developers. The test data might include session tokens, user names, passwords, or server configurations. Many paste sites do not operate over HTTPS, which means that the pasted data is also visible on Wi-Fi networks where any developer (the sender or one of the receivers) is working. Other users in a shared office space (e.g., at incubators, maker labs, serviced offices, etc.) will be able to see this data just by listening on the network.
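Both mistakes above come down to data leaving the firm without anyone looking at what is in it. The following is an added example, not code from the article or from any of the services it names: a pre-share check that a team could run over files staged for a push and over a snippet about to be pasted. It looks for the kinds of data the article lists (private key blocks, passwords and tokens in configuration, credentials embedded in URLs, session cookies, and internal host names) and refuses paste links that are not served over HTTPS. The internal DNS suffix, the placeholder conventions, and every sample input are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the company's internal DNS suffix; replace with your own.
INTERNAL_DOMAIN = "corp.example.internal"

# One pattern per category of data the article warns about.
PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # key = value / key: value, for the usual credential-ish key names
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]+)"),
    # scheme://user:pass@host
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "internal_host": re.compile(r"\b[\w.-]+\." + re.escape(INTERNAL_DOMAIN) + r"\b"),
    "session_cookie": re.compile(
        r"(?i)\b(?:JSESSIONID|PHPSESSID|sessionid)=[A-Za-z0-9._-]{8,}"),
}

# Values that are references rather than secrets: ${VAR}, %VAR%, <placeholder>,
# os.environ[...] and ENV[...] lookups. Assumed conventions; extend as needed.
PLACEHOLDER = re.compile(r"^(?:\$\{?\w+\}?|%\w+%|<[^>]*>|os\.environ|ENV\[)")


def line_findings(line):
    """Return the categories of sensitive data found on one line."""
    kinds = []
    for kind, pattern in PATTERNS.items():
        if kind == "password_assignment":
            # Ignore assignments whose value is a placeholder or an env lookup.
            if any(not PLACEHOLDER.match(m.group(1)) for m in pattern.finditer(line)):
                kinds.append(kind)
        elif pattern.search(line):
            kinds.append(kind)
    return kinds


def scan_text(text):
    """Return [(line_number, category), ...] for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind in line_findings(line):
            findings.append((lineno, kind))
    return findings


def scan_files(files):
    """files maps path -> contents (e.g. collected from `git diff --cached`).
    Returns {path: findings} for the files that should not be pushed as-is."""
    report = {}
    for path, body in files.items():
        findings = scan_text(body)
        if findings:
            report[path] = findings
    return report


def paste_url_is_acceptable(url):
    """A paste link may be shared only if the site serves it over HTTPS;
    otherwise anyone on the same Wi-Fi can read the content in transit."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


# Constructed sample: files staged for a push to an online repository.
STAGED_FILES = {
    "config/database.yml": (
        "production:\n"
        "  host: db01.corp.example.internal\n"
        "  username: app\n"
        "  password: Sup3rS3cret!\n"),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"),
    "config/settings.py": "DB_PASSWORD = os.environ['DB_PASSWORD']\nTIMEOUT = 30\n",
    "README.md": "# Payments service\nRun the tests before pushing.\n",
}

# Constructed sample: a log excerpt a developer is about to paste for a colleague.
PASTE_SNIPPET = (
    "GET /admin/hidden-console HTTP/1.1\n"
    "Host: staging.corp.example.internal\n"
    "Cookie: JSESSIONID=8F3A9C2B1D4E5F607182\n")

if __name__ == "__main__":
    for path, findings in scan_files(STAGED_FILES).items():
        print(f"BLOCK {path}: {findings}")
    print("paste snippet:", scan_text(PASTE_SNIPPET))
    for url in ("http://paste.example/raw/abc123", "https://paste.example/raw/abc123"):
        print(url, "ok" if paste_url_is_acceptable(url) else "refuse (not HTTPS)")
```

Wired into a pre-commit hook (feed it the output of `git diff --cached`), the same scan blocks the database password and the private key while letting the `os.environ` lookup through. Two caveats a reviewer would raise: the placeholder rule is a heuristic and will miss oddly formatted secrets, and the check only covers what is being committed now, so anything already pushed has to be treated as exposed and rotated rather than merely deleted from the tree.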
3: Forgetting about managing users and access
When a software team signs up for an online service, often one of the developers takes on the role of administrator, and that person controls who has access to the code and other assets. This is a fine way to get started, but the IT team must eventually take over control and responsibility. Ultimately, a firm's IT staff are in charge of controlling access to information, reviewing access periodically, and reporting on who has access to data. Developers are not responsible for any of these sorts of activities, so they need to hand over control once the tool has been adopted and put into regular use.
IT security teams need to embrace, learn, and take ownership for how online services are used. They need to know who has access and whether that person still needs access. They also need to apply the same joiner-mover-leaver (JML) processes on the cloud services that they perform on internal systems.
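As an added example (not the article's own, and not tied to any particular service's API), this is the kind of joiner-mover-leaver reconciliation IT security could run over a collaborator list exported from an online service: each account is matched against the HR roster, leavers and accounts with no HR record are marked for removal, people who have moved out of engineering are queued for an access review, and admin rights still held by the developer who set the service up are flagged for transfer to the owning team. The mail domain, team names, and all sample rows are constructed.

```python
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"   # assumption: the firm's mail domain
OWNER_TEAM = "IT Security"         # assumption: the team that should hold admin rights
# assumption: teams whose members legitimately need access to the code
ENGINEERING_TEAMS = {"Payments Engineering", "Platform Engineering", OWNER_TEAM}


@dataclass(frozen=True)
class Collaborator:
    """One row of the user list exported from the online service."""
    login: str
    email: str
    role: str   # "admin", "write" or "read"


@dataclass(frozen=True)
class Employee:
    """One row of the HR roster."""
    email: str
    team: str
    active: bool


def review_access(collaborators, roster):
    """Assign each collaborator a JML action. Returns {action: [logins]}."""
    by_email = {e.email.lower(): e for e in roster}
    report = {"remove_leaver": [], "remove_unknown": [], "review_mover": [],
              "transfer_admin": [], "ok": []}
    for c in collaborators:
        email = c.email.lower()
        # A personal account cannot be tied to an HR record, so it cannot be
        # reviewed; the same goes for a corporate address HR does not know.
        if not email.endswith("@" + CORPORATE_DOMAIN) or email not in by_email:
            report["remove_unknown"].append(c.login)
            continue
        emp = by_email[email]
        if not emp.active:                                 # leaver
            report["remove_leaver"].append(c.login)
            continue
        flagged = False
        if c.role == "admin" and emp.team != OWNER_TEAM:   # developer still holds the keys
            report["transfer_admin"].append(c.login)
            flagged = True
        if emp.team not in ENGINEERING_TEAMS:              # mover
            report["review_mover"].append(c.login)
            flagged = True
        if not flagged:
            report["ok"].append(c.login)
    return report


# Constructed sample: the service's collaborator export and the HR roster.
COLLABORATORS = [
    Collaborator("alice", "alice@example.com", "admin"),           # set the service up
    Collaborator("bob", "bob@example.com", "write"),
    Collaborator("carol", "carol@example.com", "write"),           # left the firm
    Collaborator("dave", "dave@example.com", "write"),             # moved to Sales
    Collaborator("erin-personal", "erin@personal-mail.example", "read"),
    Collaborator("frank", "frank@example.com", "admin"),           # IT Security
]
ROSTER = [
    Employee("alice@example.com", "Payments Engineering", True),
    Employee("bob@example.com", "Payments Engineering", True),
    Employee("carol@example.com", "Payments Engineering", False),
    Employee("dave@example.com", "Sales", True),
    Employee("frank@example.com", "IT Security", True),
]

if __name__ == "__main__":
    for action, logins in review_access(COLLABORATORS, ROSTER).items():
        print(f"{action:15} {', '.join(logins) or '-'}")
```

Run on a schedule, the output is exactly the report the article asks for: who has access, whether they still need it, and whether administration has moved to the people accountable for it. The same loop works for any service that can export its user list, so one review covers the repository host, the paste site, and the chat tool alike.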
IT security pros: Lead, follow, or get out of the way
IT security staff need to understand what software developers need and provide a secure way to achieve the right result. Cloud services offer speed, accessibility, and flexibility. If an online service is being used widely, there is probably a good reason. The gut reaction of some security staff will be to prevent access to cloud services. They might try blocking at a network level or adopting a policy against them. Prohibition is rarely a good option, though, since it impairs development.
There are two more reasonable alternatives: Corporate IT can provide an equivalent service in a more secure fashion (e.g., hosted in a way that only authorised developers can access it), or they can learn to manage online services and bring them into the fold of corporate IT.
Many corporate IT departments do not provide systems that are easy to use, feature-rich, and well supported. So if corporate IT cannot step up to that level, their alternative is to embrace online services and learn how to use them securely.
When enterprise IT security staff start learning and managing developers' use of online services, the firms will get the best of both worlds: developers working quickly with modern tools, and compliance with security policies.
Paco Hope is a security consultant at Cigital.
Author of the Web Security Testing Cookbook and frequent conference speaker, Paco Hope is a security consultant with Cigital who has been working in the field of software security for almost two decades. Paco helps secure software in the financial, retail, and online gaming industries through security requirements, source code review and architectural risk analysis. He serves as a subject matter expert to (ISC)² for the CISSP and CSSLP certifications. Outside of secure software, he is passionate about privacy, user experiences, and data visualization. Paco fundamentally believes that security is less about wizardry and more about common sense.