The Security of Source Code


  • I've never heard of this type of attack vector. Nor has the idea even occurred to me, until I read your editorial, Steve. In thinking about it, the first thing that comes to mind is that the attack had to have been an internal one. Someone who normally works on PHP code wanted to plant a back door in it, for some reason. I conclude this because my experience with source control at scale so far is limited to using TFS. No one can get to our code repos unless they're known people in our Windows AD domain. Otherwise, if it were an external agent, they'd have to obtain the person's credentials, then go poking around, possibly for a long time, to find the repo to put a back door into. I can imagine that taking a couple of hours. I might be naive enough that my two-hour estimate is overblown, but that's what I think it would take.

    Rod

  • It could be someone internal, or someone that helps a hacker.

    It could also be someone that gets access internally through social engineering, poor security, or another backdoor. While certainly someone could be aiming for your org specifically, think about all the bored high school and college students around the world with nothing better to do than poke at different orgs looking for holes they can create.

  • Another nightmare with some codebases is with the libraries they import. There was one trivial JavaScript function that so many projects were using, and then the trivial JavaScript function's author abandoned his project and had it taken over by a bad actor, and the JavaScript function turned nontrivial in a hurry. With codebases like this, you don't even know whether the project libraries you import are similarly importing from elsewhere, and it's probably nontrivial to trace down the sources of the imports that your import has imported via another import.

    mirrors all the way down!

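The post above says it is nontrivial to trace what your imports import. For npm projects the lockfile already records the whole installed tree, so the chains can be reconstructed from it. The script below is an added example for this thread, not code from the original posts or from any project mentioned in them. SAMPLE_LOCK is a constructed lockfile in the npm v2/v3 "packages" shape with made-up package names and versions; the resolution rule it applies (look in the parent's own node_modules first, then walk up) is the standard Node lookup, and the `hasInstallScript` flag is what npm writes for packages that run pre/post/install hooks, which is where a hijacked package most often puts its payload.

```javascript
// Added example: trace every transitive dependency chain in an npm lockfile and
// flag packages that run install scripts. SAMPLE_LOCK is constructed for this
// example; the package names, versions and the "ghost-lib" gap are made up.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "util-lib": "^1.0.0", "left-helper": "^2.0.0" } },
    "node_modules/util-lib": { version: "1.0.0", dependencies: { "deep-lib": "^3.0.0" } },
    // deep-lib declares a dependency that is not installed anywhere (inconsistent lock)
    "node_modules/deep-lib": { version: "3.4.1", dependencies: { "tiny-fn": "^0.1.0", "ghost-lib": "^1.0.0" } },
    // hasInstallScript is what npm records when a package has install lifecycle hooks
    "node_modules/tiny-fn": { version: "0.1.7", hasInstallScript: true },
    "node_modules/left-helper": { version: "2.0.0", dependencies: { "tiny-fn": "^0.2.0" } },
    // a nested copy shadows the hoisted tiny-fn, but only for left-helper
    "node_modules/left-helper/node_modules/tiny-fn": { version: "0.2.0" },
  },
};

const NM = "node_modules/";
// Last path segment after the final "node_modules/" (handles @scope/name too).
const displayName = (path) => path.slice(path.lastIndexOf(NM) + NM.length);

// Node-style resolution: try <fromPath>/node_modules/<name>, then walk up one
// node_modules level at a time until the hoisted top level is reached.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `${NM}${name}` : `${base}/${NM}${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf(`/${NM}`);
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Walk from the root package and record, for each installed path, every chain of
// package names that leads to it. Cycles are cut by not revisiting a path that is
// already on the current chain. (Each path is re-walked once per distinct chain,
// which is fine for audit-sized trees but not a shortest-path algorithm.)
function auditLock(lock) {
  const chains = new Map();   // installed path -> list of name chains from root
  const unresolved = [];      // "parent -> dep" pairs with no installed copy
  function walk(fromPath, pathChain) {
    const deps = lock.packages[fromPath].dependencies || {};
    for (const name of Object.keys(deps)) {
      const target = resolveDep(lock, fromPath, name);
      if (target === null) { unresolved.push(`${fromPath || "(root)"} -> ${name}`); continue; }
      if (pathChain.includes(target)) continue;
      const next = [...pathChain, target];
      if (!chains.has(target)) chains.set(target, []);
      chains.get(target).push(next.map(displayName));
      walk(target, next);
    }
  }
  walk("", []);
  const installScripts = [...chains.keys()]
    .filter((p) => lock.packages[p].hasInstallScript === true)
    .map((p) => ({ path: p, version: lock.packages[p].version, chains: chains.get(p) }));
  return { chains, unresolved, installScripts };
}

function printReport(lock) {
  const { chains, unresolved, installScripts } = auditLock(lock);
  for (const [path, list] of chains) {
    const v = lock.packages[path].version;
    for (const chain of list) console.log(`${displayName(path)}@${v}: ${chain.join(" -> ")}`);
  }
  for (const u of unresolved) console.log(`UNRESOLVED ${u}`);
  for (const s of installScripts) {
    console.log(`INSTALL SCRIPT ${s.path}@${s.version} reached via ${s.chains.length} chain(s)`);
  }
}

printReport(SAMPLE_LOCK);
```

Point it at a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`. The two things worth acting on are the UNRESOLVED lines (the lockfile does not describe what actually installs) and the INSTALL SCRIPT lines, each of which shows exactly which of your direct dependencies pulled the package in, so a maintainer change or a new version on one of those packages can be traced back to the import that introduced it.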

  • Steve Jones - SSC Editor wrote:

    It could be someone internal, or someone that helps a hacker.

    It could also be someone that gets access internally through social engineering, poor security, or another backdoor. While certainly someone could be aiming for your org specifically, think about all the bored high school and college students around the world with nothing better to do than poke at different orgs looking for holes they can create.

    Hmmm, good point. Man, this sort of thing is scary. At this point I'm hoping it is still relatively small.

    Rod
