What’s a source code leak?

Source code leaks allow people to obtain original source code program files for operating systems or commercial software packages. These files are usually obtained through system security exploits, bugs, or disclosures from current or former employees. Published source code gives people, including hackers, an inside look at important intellectual property and system code. Code leaks allow cyber attackers to illegally gain confidential user and corporate information via security exploits from system data.

Code leaks are a phenomenon of the modern world. Even government security teams at the NSA, FBI, and CIA have leaked or published system exploit code. Access to source code has helped state-sponsored bad actors in Russia, North Korea, and Iran author malware and ransomware. Hackers have extorted millions from corporations and attacked state hospitals, municipalities, and even IT infrastructure of police forces.

On September 23, 2020, the complete source code for Windows XP SP1 and Windows Server 2003 was published, to the delight of hackers and ransomware authors. Windows source code lets bad actors discover new exploits that break security on older, unsupported WS2003 systems. It also lets them test security holes in newer operating systems such as WS2008 and WS2012. 

Why do source code leaks happen?

Source code leaks come from many sources. Hackers sometimes scan third-party sources to discover code. Misconfigured DevOps applications or software like IDE plugins, CSV, and FTP can be exploited to unlock code. Code access can come from bad security practices like storing login credentials in code in plain text. An estimated 75% of security breaches come from developers coding secret backdoors or access keys and passwords into source code.

Many leaks arise from human error: developers not checking which code repository they are committing their source to, or developers sharing code they developed at different companies in their portfolio.

What’s at stake?

Source code reviews can unlock unauthorized access to personal, proprietary, and Intellectual Property (IP) data. People and organizations can suffer severe negative consequences from confidential data leaks. Costs can include:

• Financial losses
• Reputational damage
• Share price loss
• Product recalls
• Lawsuits
• Loss of sales
• Fines from data protection non-compliance
• Ransomware payouts
• Increased security and compliance costs

For example, in 2018, Snapchat shares dropped by 3.4% a day after the SnapChat source code breach went public. The Equifax data breach of 2017 ended up costing the company $4 billion. 

Leaks are big news when they happen to big companies, but they happen to smaller companies all the time. The bottom line is that source code leaks, especially operating system source code leaks, are great for malware and ransomware authors, but are very bad for business. 

How do I prevent a leak?

Source code leaks might be difficult to completely prevent, due to human error, issues with remote work in a pandemic, and other factors, but your first lines of defense are:

• a secure development environment and secure DevOps tools
• a secure, supported modern OS for your IT infrastructure

Implement a secure development environment

Development environments can be vulnerable to cyber attackers. A business can start by integrating robust security practices into code development to keep credentials and repositories secure, and making sure that security sits at the foundation of all development activities. 

Planning and implementing a secure development program starts with auditing plugins, configurations, and repositories, and putting strong access and authorization controls in place. 

Developers must avoid hard coded credentials, such as passwords and access keys, which can be used to steal sensitive data and gain privileged access to a company’s DevOps apps, development environment, IT infrastructure, or cloud. Undocumented system backdoors are also a terrible practice.

Get off outdated and unsupported operating systems

The recent WS2003 leak might not be such an issue if millions of businesses around the world weren’t still running production apps on outdated, unsupported platforms such as WS2003 and WS2008. This source code leak leaves the OS open to being scoured by hackers for serious security flaws and vulnerabilities.

Servers running outdated and unsupported OSs are at risk and put businesses in peril. Antivirus software has limited effectiveness on computers that don’t have the latest security updates and patches. The number of holes in software also increases as machines are left unpatched and when hackers have OS source.

Fixing cybersecurity problems doesn’t mean you need to buy another round of antivirus and threat detection software for modern systems. Hardening modern servers and networks won’t close security holes on legacy systems, no matter how much money you pour into security. If you don’t close known legacy system hacks, they won’t disappear.

The first step is to fix legacy system exposures by moving apps to secure modern servers and operating systems. Modernizing by moving them closes security exposures. Once apps are on modern servers, you can perform a vulnerability analysis and remediate apps as required to fix problems, such as cross-site scripting or other software issues.

• If you’re running applications on old Windows systems, upgrade your hardware and operating systems.
• Move your software apps from old operating systems like WS2003 and WS2008 to modern, secure WS2012, WS2016, and WS2019 systems to eliminate malware exposures.

How VirtaMove can help

Use VirtaMove’s automated migration tool to isolate legacy apps and dependencies from the underlying OS. Then, move your legacy apps to a new server and OS (upgrading web server and database components on the fly as required). After the move, you can perform a vulnerability analysis and remediate or enhance the apps as needed. 

Our customers report to us that it’s important for them to modernize legacy applications and move them so that they can run on modern, secure servers. Commonly, they report quarterly progress and status of these efforts to the organization’s CIO or CTO, and all the way to the Board of Directors.

Close the door on malware and ransomware. If you need help to upgrade your legacy applications, don’t hesitate to give us a call. We modernize apps and move them to new, secure Windows Server and Linux operating systems every day. We’d be pleased to share what we know.