Whose Line (of Code) Is It Anyway?

Richard Walters, CTO of SaaSID, looks at how managing developer access to code can ensure the security of sensitive projects being developed in the cloud 

  • 11 years ago Posted in

Cloud-based platforms, such as GitHub, Appaloosa and CloudBees, have made it easier than ever before for international teams of programmers to collaborate on creating proprietary source code. The cloud-based approach offers the obvious benefits of reducing development costs and time to deployment for innovative organisations.

As with data security in the cloud, the usual asset management concerns have been voiced when organisations have adopted these cloud-based code repositories.

The Appcelerator survey of 6,046 mobile developers, undertaken by IDC in the second quarter of 2013, found that more than half of the developers expected to build employee and customer supporting applications for enterprise app stores. Appcelerator predicted that this would grow to 60 percent of developers by the end of 2013.

There is an on-going debate about whether enterprises should devote in-house resource to developing and maintaining bespoke applications, or whether they should opt for using cloud-based app stores. While reliance on external coders could indicate a risk to businesses, even when internal employees create proprietary applications, source code may be misappropriated if an employee leaves the organisation.

Two years ago, former Goldman Sachs programmer, Sergey Aleynikov, was given an eight year prison sentence for stealing source code that he developed for the investment bank’s automated trading platform. His successful appeal highlighted a loophole in current legislation. Under US laws governing industrial espionage and trade secrets, an employee cannot be convicted of stealing proprietary code unless he or she downloads it to removable media and physically takes it off the business premises.

Aleynikov had uploaded the code to a remote Goldman Sachs server in Germany and downloaded it to his personal computer at home. This was deemed to be legal while he was still an employee. When he went to work for a competitor, Aleynikov’s former employer began legal proceedings. The source code formed the basis of Goldman Sach’s platform for automated trades, which contribute significant revenue to investment banks and hedge funds. During the trial, Aleynikov’s former unit reported automated trade revenues of $300 million.

The Goldman Sachs v. Aleynikov case highlights both the high value of developers to businesses and the risk posed by unscrupulous individuals. Under existing laws, one could argue that the risk of source code theft has increased with the advent of cloud-based code repositories.

Given this background, we were not surprised when a large financial enterprise approached SaaSID to find out how our web application control and auditing software could be used to keep track of source code. The organisation employs distributed teams of application developers, which often include a mixture of internal staff and contract developers, based all round the world.  These programmers use GitHub, Appaloosa, CloudBees and cloud-based code testing applications, such as TestFlight, to collaborate on bespoke applications.

Clearly, hiring an international team of developers requires a lot of investment by organisations and the resulting applications deliver real competitive edge to the business. Reducing the risk of source code theft is a priority for any project manager.

Our customer wanted to investigate how it could enable international teams to make use of cloud-based platforms to facilitate rapid development, while also retaining full control over access to the source code. Specifically, the organisation needed a way of immediately revoking access to the code repository as soon as a project concluded, to limit the risk of contract developers reusing the proprietary source code on competitors' projects.

The financial organisation is using our browser-based software to enforce single sign-on to GitHub, Appaloosa, CloudBees and TestFlight, without requiring any changes to these applications. The first time developers log in through our browser-based agent, their credentials are stored, the enterprise directory is queried and role-based access is provided. After this first log in, each developer’s interaction with the source code can be managed and audited for the duration of the project.

This browser-based approach to managing cloud-based repositories has delivered six clear benefits to the organisation. The project manager is able to rapidly provision and revoke access to the cloud-based code repositories. Because the management software is based in the browser, the project manager has complete control over access to the code repository, regardless of the device being used by each developer.

He can control whether programmers are able to share code updates outside of the development platform, by enabling or disabling application features such as `export’, `download’ and `share’. He can monitor the progress of the project by using our audit tool to check who has logged into the development site and contributed updates to the source code.

Using the Analytics dashboard, each developer’s contribution can be visually recorded, enabling individual contributions to be recognised and rewarded. This tool also works well with TestFlight, by enabling the project manager to trace problematic code to the right developer or team, so that bugs can be swiftly removed.

Using a browser-based approach to remotely manage access to cloud-based code repositories has provided this organisation with a clear overview of the progress of its application development; fine grained control over who has access to the repository; a clear record of who has contributed which lines of code and the ability to instantly revoke access to the source code as soon as a developer moves on, or the project is concluded.

References:

Appcelerator/IDC survey, Q2 2013 http://www.appcelerator.com.s3.amazonaws.com/pdf/developer-survey-Q2-2013.pdf

The Guardian, 12th April 2012, Brian Braiker, “Goldman Sachs programmer stolen code case theft thrown out over irrelevant statutes”http://www.guardian.co.uk/world/us-news-blog/2012/apr/13/goldman-sachs-programmer-source-code-theft

Geek.com, 12th April 2012, Matthew Humphries,“US Appeals Court rules source code theft isn’t stealing trade secrets” http://www.geek.com/news/us-appeals-court-rules-source-code-theft-isnt-stealing-trade-secrets-1482639/

Geek.com, Jennifer Bergen, 21st March 2011, “Goldman Sachs ex programmer sentenced to 8 years for code theft”http://www.geek.com/news/goldman-sachs-ex-programmer-sentenced-to-8-years-for-code-theft-1330867/

Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
GPUaaS provides customers on-demand access to powerful accelerated resources for AI, machine...
TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...
LetsGetChecked is a global healthcare solutions company that provides the tools to manage health...
Node4 to the rescue.