
We have about 20 developers working in a heterogeneous environment, mostly using company laptops or desktops. We run Windows 7 on desktops/laptops and a mixture of Linux distros (Ubuntu/CentOS).

Management is very keen to set up a system that completely secures the source code, since we are working on a project for a customer who demands the same, i.e. no code leakage.

We do let some people take laptops home over the weekend to work remotely, since that has made them very productive.

I have been asked to come up with recommendations on securing the environment, so that no source code leaks.

We have a central Subversion repository, which developers are using. We can consider new repositories, if needed.

Someone suggested using virtual desktops for all users, with all copy options disabled, meaning you cannot copy files between different virtual desktops or to any removable disks. Even remote users could log in to their virtual desktop using a VPN connection.

Is this the best solution, or is there something better? We would like to use open source tools as much as possible.

Mike Samuel
ramdaz
    Best if you want your developers not to be able to work. Other than storing working copies on TrueCrypt virtual disk volumes or similar and only allowing authorized access via SSL to the repository, you ultimately need to place some trust in your developers. Now the question is: other than the standard IP infringement, what makes this code so important not to leak? There isn't security through obscurity happening here, is there? You could disable external discs, but there are always ways around it. Going to stop them copying and pasting into pastebin? Oops, that just stopped the API docs too. – ewanm89 Apr 24 '12 at 10:11
  • "Someone suggested using Virtual desktops for all users, and where all copy options are disabled, means you cannot copy files between different virtual desktops or to any removable disks. Even remote users can login to their Virtual Desktop using a VPN Connection." Two monitors + pound code. It just makes it so it isn't easy, but anyone could do it over time. – StrangeWill Apr 24 '12 at 16:27

4 Answers


If you're looking for top-notch security of the highest kind - air gapping is the only way to make this work. Unfortunately, having absolutely no connections to the outside world under any circumstances can be prohibitive, especially as developers like to copy and paste code snippets from documentation and so on.

Ultimately, this probably also means taking laptops off site becomes a no-go.

Assuming you can't do that (because let's face it, it's quite an ask) - firstly, mobile workstations. Definitely go with the VPN option. Ensure all of the internet traffic via those laptops goes through the VPN. This way, your architecture and security requirements (firewall policies etc) are definitely enforced, and more importantly you don't expose anything but the VPN endpoint to the public internet.

Encrypt the laptop hard disks as a minimum. If the laptop is stolen whilst powered down, the source code should be secure for a reasonable amount of time. If the laptop is not powered down, or the attacker can observe the password entry, you haven't done anything but make their job slightly more difficult. LUKS is supported in both Ubuntu and CentOS to my knowledge - it uses cryptsetup and gives you a choice of decent algorithms and multi-slot passwords.

Hardware based disk encryption would be better, simply because it means your /boot partition is not modifiable.

Virtual LANs for security receive mixed opinions. From the point of view of development, I expect your team works with sudo, or root, access and as such would easily be able to reconfigure the VM software to allow their host access, should they wish. As mentioned in the blog post, VMs are used for cheap network segregation - which works when you can enforce the configuration. Here, it looks like a difficult sell.

That's not to say you can't use virtual machines, of course; I would simply carefully study exactly how hard it is for your developers to bypass.

One way I've seen this work successfully if you have a sufficiently fast network and patient developers is to use remote desktop to VMs available on the network - but not physically accessible to the developers themselves. You can even use full thin clients, rather than desktops that RDP. The thin client model also deals nicely with my next topic... physical security.

When I say physical security, I mean how hard is it for your developers to plug a USB stick in, svn co and walk out with the lot? "Taking the code home" can happen this way, but you'll lose the lot if the USB stick is lost. Generally, there are two solutions available to you - epoxy resin and removing the various hci.ko modules from the kernel - thereby making it not recognise USB at all. Unfortunately, this has the downside of disabling USB keyboards and mice, too.

  • I think it's important to note that you should only be trying to prevent accidental leakage or theft from outsiders. You can't prevent the developers themselves from leaking the source code if they want to. Any attempts to do so are just going to slow everybody down, and it's not possible anyway. It's kind of like DRM. If they can see the code on their screen, they can copy or leak it if they really wanted to. If you don't trust your developers, don't hire them. So again, the key is focusing on theft or accidental leaks. – Mike Weller Apr 25 '12 at 13:58
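The laptop controls in the answer above (disk encryption, forcing every packet through the VPN, and blocking USB storage) are only useful if you can tell whether a given machine actually has them. The following is an added example, not code from the thread: a small posture-check script for Linux laptops that parses `lsblk` and `ip route` output and checks a modprobe override. It blocks only the `usb-storage`/`uas` drivers rather than the host-controller modules, so USB keyboards and mice keep working. The interface names in `VPN_IFACES` and the sample command outputs are constructed assumptions.

```python
"""Posture checks for the developer laptops discussed in the answer above:
LUKS present, all IPv4 traffic forced through the VPN, and USB mass storage
blocked at the module level (usb-storage only, so USB keyboards keep working).
Added example, not from the thread. Assumes Linux with iproute2 and lsblk;
VPN_IFACES and the sample command outputs below are constructed assumptions."""
import re
import shutil
import subprocess

VPN_IFACES = ("tun0", "wg0")  # assumption: name(s) of the VPN interface

# Constructed sample outputs, shaped like `lsblk -rno NAME,TYPE` and
# `ip -4 route show`, so the checks can be exercised without root or a VPN.
SAMPLE_LSBLK_ENCRYPTED = """sda disk
sda1 part
sda2 part
cryptroot crypt
vg-root lvm
"""
SAMPLE_ROUTES_REDIRECT_GATEWAY = """0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SAMPLE_ROUTES_SPLIT_TUNNEL = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def has_crypt_layer(lsblk_output):
    """True if any device in `lsblk -rno NAME,TYPE` output is a dm-crypt mapping.
    This only shows that LUKS is in use, not that the checkout lives on it."""
    for line in lsblk_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "crypt":
            return True
    return False


def routed_via_vpn(ip_route_output, vpn_ifaces=VPN_IFACES):
    """True if every IPv4 default route leaves through a VPN interface.
    Accepts either a replaced default route or OpenVPN's redirect-gateway
    layout, which leaves the original default in place and overrides it with
    the two more specific halves 0.0.0.0/1 and 128.0.0.0/1."""
    halves = set()
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = fields[0]
        dev = None
        if "dev" in fields[:-1]:
            dev = fields[fields.index("dev") + 1]
        if dst in ("default", "0.0.0.0/0") and dev in vpn_ifaces:
            return True
        if dst in ("0.0.0.0/1", "128.0.0.0/1") and dev in vpn_ifaces:
            halves.add(dst)
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


def usb_storage_block_config():
    """Contents for a file such as /etc/modprobe.d/no-usb-storage.conf.
    `install <mod> /bin/false` makes modprobe fail for the module, whereas a
    plain `blacklist` line only stops automatic loading by alias."""
    return "install usb-storage /bin/false\ninstall uas /bin/false\n"


def usb_storage_blocked(modprobe_conf):
    """True if the modprobe config overrides usb-storage with /bin/false or /bin/true."""
    pattern = re.compile(r"^\s*install\s+usb[-_]storage\s+/bin/(false|true)\s*$", re.M)
    return pattern.search(modprobe_conf) is not None


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if shutil.which("lsblk") and shutil.which("ip"):
        print("disk encryption present:", has_crypt_layer(_run(["lsblk", "-rno", "NAME,TYPE"])))
        print("all traffic via VPN:    ", routed_via_vpn(_run(["ip", "-4", "route", "show"])))
    try:
        with open("/etc/modprobe.d/no-usb-storage.conf") as fh:
            print("usb-storage blocked:    ", usb_storage_blocked(fh.read()))
    except FileNotFoundError:
        print("usb-storage blocked:     False; wanted:\n" + usb_storage_block_config())
```

A split-tunnel configuration (default route still on the Wi-Fi interface, only the VPN subnet on `tun0`) fails the routing check, which is the case the answer warns about. As the answer also points out, a developer with root can simply delete the modprobe file or re-add a default route, so this is a fleet-reporting check, not an enforcement mechanism.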

You are talking about developers, and in a project that seems as important as yours, you will probably have good developers. They will always find ways to copy the source, but it can really hurt satisfaction if you hinder their work.

The only way I know is to split the software into small independent parts, so every developer only knows about his part. This will give you a lot of work, because you have to define exactly the interfaces between the parts, but as a side effect you will get well testable code.

In my opinion, what Ninefingers and Lucas already wrote is much more important: that the developers are not allowed to transport the source code on unencrypted USB drives. Otherwise, if the drive/laptop gets lost, the code is lost as well.

On the whole I would be careful not to exceed the limit of frustration, especially if you have reliable, seasoned developers in your team.

martinstoeckli
  • +1 for *"split the software into small independent parts, so every developer only knows about his part"* – user11153 Nov 07 '14 at 14:35

The problem with security is that it's often a trade-off with usability. The first thing to do is to educate your users:

  • lock their computers if they go away
  • have an updated, secured (AV/firewall) environment
  • store their computers in a safe place

In my experience virtual desktops are incredibly frustrating if you are coding. They are sluggish and sometimes your connection drops. So my advice is to keep the physical laptops if you want them to work on it from home.

What I suggest:

  • set up a VPN so that the SVN repo is only accessible through this VPN
  • when issuing laptops, set up TrueCrypt on the hard drives (assuming you are on Windows; for Ubuntu you can just encrypt the partition where the code is stored).
  • If you don't want them to copy all the source code you can work with branches if they do not need access to all the code.
  • Have clear contracts with your devs what they can and can't do with the source code they made
Lucas Kauffman
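Both martinstoeckli's suggestion (split the code so each developer only sees his part) and Lucas Kauffman's (branches that not everyone can reach) come down to Subversion's path-based authorization, the authz file read by svnserve and mod_authz_svn. Getting that file wrong silently grants or denies access, so it helps to be able to evaluate it offline. The following is an added example, not code from the thread or from Subversion itself: a small evaluator for a constructed authz file. The rule-resolution semantics it models (nearest ancestor section with a matching rule decides; inside a section a direct user rule beats group rules, which beat `*`; with several matching groups the most restrictive wins) are an assumption to verify against the SVN release you run, not a statement of svnserve's exact behaviour.

```python
"""Subversion path-based authorization for the "every developer only sees his
part" and "branches they don't need access to" suggestions above: a small,
offline evaluator for the authz file that svnserve and mod_authz_svn read.
Added example, not from the thread; the authz text is constructed. Modelled
semantics are an assumption to verify against your SVN version: the nearest
ancestor section containing a rule that matches the user decides; within a
section a direct user rule beats group rules, which beat '*'; if several
groups match, the most restrictive of their permissions is used."""
import configparser
import posixpath

SAMPLE_AUTHZ = """
[groups]
payments = alice, bob
ui = carol
leads = dave
everyone = @payments, @ui, @leads

[/]
* =
@leads = rw

[/trunk/payments]
@payments = rw

[/trunk/ui]
@ui = rw
@payments = r

[/trunk/docs/api]
@everyone = r
"""


def parse_authz(text):
    """Return (groups, rules): groups maps name -> member list (may contain
    @group references); rules maps normalised path -> {principal: perm}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp["groups"].items():
            groups[name] = [m.strip() for m in (members or "").split(",") if m.strip()]
    rules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        path = posixpath.normpath("/" + section.lstrip("/"))
        rules[path] = {who: (perm or "").strip() for who, perm in cp[section].items()}
    return groups, rules


def members_of(group, groups, _seen=None):
    """Flatten a group, following nested @group references without looping."""
    seen = _seen if _seen is not None else set()
    out = set()
    for m in groups.get(group, []):
        if m.startswith("@"):
            if m[1:] not in seen:
                seen.add(m[1:])
                out |= members_of(m[1:], groups, seen)
        else:
            out.add(m)
    return out


def section_rule(user, entries, groups):
    """Permission a single section gives `user`, or None if nothing matches."""
    if user in entries:
        return entries[user]
    perms = [entries["@" + g] for g in groups
             if "@" + g in entries and user in members_of(g, groups)]
    if perms:
        if "" in perms:
            return ""
        return "rw" if all(p == "rw" for p in perms) else "r"
    return entries.get("*")


def access_for(user, path, groups, rules):
    """'', 'r' or 'rw' for `user` on `path`, walking from the most specific
    section upwards until one has a matching rule."""
    path = posixpath.normpath("/" + path.lstrip("/"))
    matching = [s for s in rules if path == s or path.startswith(s.rstrip("/") + "/")]
    for section in sorted(matching, key=len, reverse=True):
        rule = section_rule(user, rules[section], groups)
        if rule is not None:
            return rule
    return ""


if __name__ == "__main__":
    g, r = parse_authz(SAMPLE_AUTHZ)
    for user in ("alice", "carol", "dave"):
        for p in ("/trunk/payments/gateway.c", "/trunk/ui/app.js", "/trunk/docs/api/README"):
            print(f"{user:6} {p:28} {access_for(user, p, g, r) or '-'}")
```

The `[/]` section with `* =` is what makes the split work: anyone not explicitly granted something under a path ends up with nothing, so a new developer or a forgotten group gets no access rather than everything. Remember that this only limits what a user can check out; it does nothing about what they do with the part they are allowed to see, which is the point the other answers keep making.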

Management is very keen to set up a system that completely secures the source code, since we are working on a project for a customer who demands the same. That is, no code leakage.

This would require that all work equipment is left at work. No work equipment has the means to have flash devices plugged into it. It also means disabling the ability to read and write media disks.

If all code is kept at the office then it's not possible for code to leave the office.

We do let some people take laptops home over the weekend to work from home, since that has been seen to be very productive.

This means outside of the office you have lost control over what happens to the data.

Someone suggested using virtual desktops for all users, with all copy options disabled, meaning you cannot copy files between different virtual desktops or to any removable disks. Even remote users could log in to their virtual desktop using a VPN connection.

It is a trivial operation to brute force a virtual desktop's username/password in order to change the password, and thus to enable the ability to copy files.

Is this the best solution, or is there something better? We would like to use open source tools as much as possible.

The simple solution would be to modify all equipment the code can be viewed on, to prevent the data from being extracted from said hardware.

user11153
Ramhound