Several big-name companies haven’t been putting enough protection around some of their source code, according to news reports.
According to Bleeping Computer, a security researcher called Tillie Kottmann has assembled a GitLab repository of source code from dozens of companies including Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney and Johnson Controls because of misconfigurations in their infrastructure.
Kottmann told the news site that some companies are contacted before their code is posted, and that source code is removed from the repository when a company asks. In addition, where possible, hardcoded credentials that some of the code originally contained have been stripped before posting to avoid security issues.
Bleeping Computer said it isn’t clear how much of the code on Kottmann’s server is proprietary and should be kept private. After looking at some of the code it believes some projects have been made public by their original developer, while others are old enough that they haven’t been updated in a while.
This isn’t the first time corporate source code has been found with too little protection. In January a Canadian security developer and researcher found two open GitHub accounts containing application source code, internal user names and passwords, and private keys belonging to Rogers Communications. Rogers said the code was obsolete. Last year the same researcher found source code belonging to Scotiabank on GitHub.
“From a technical standpoint, these leaks are not that dramatic,” Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said in an email. “Most of the source code is worthless unless you have other pieces of technology and, importantly, people to make complicated systems work properly. Moreover, the source code rapidly depreciates without daily support and improvement. Thus, unscrupulous competitors are unlikely to get much value unless they are seeking a very specific piece of software. Furthermore, unlawful usage of the source code is quite easily provable and may trigger multi-million lawsuits.”
But, he said, the researchers who posted the code may be sued for a variety of reasons including copyright infringement, conspiracy and violation of computer crime laws. Large companies are unlikely to go to court, he added, preferring to quickly remove the source code from the repository and remediate their internal DevOps security processes.
To prevent the loss of source code, organizations should revise and continuously monitor their DevOps operations, converting them into agile DevSecOps, he said.