Security – What are best practices for securing source code on a development network


At my company we are very protective of our source code. We have satisfied our paranoia by setting up a development LAN that we air-gap off from the Internet and the rest of our company networks. Within the development network, we have a few secured machines (the source control server, the build server, the domain controller), and all source is required to be kept either encrypted or in a locked room. Being able to explain such a simple security policy to our customers has been a competitive advantage for us, but as our company grows the costs of maintaining this network have also become greater. To deal with the pain over the last year, we have stepped away from our strict air-gap policy by allowing two-factor-authenticated RDP-only VPN access to the network.

However, the lack of connectivity between our development network and the rest of our corporate network continues to be a serious impediment to cooperation between teams that work inside the network and teams that work outside the network. We’d like to consider dramatic reform of our network architecture, but we’re not sure what industry best practices are for securing source code. What we might consider would be:

  • Connect our development network to the rest of our corporate network, and allow unrestricted communication between any two hosts on this network. Also allow relatively unrestricted outbound connections to the Internet.
  • Allow full VPN access to the corporate network for remote employees.
  • Carve out a separate “test sandbox” network that wouldn’t hold source code, wouldn’t be patched, and would only allow inbound connections from the rest of the corporate network.
  • Require that development machines be managed with the assumption of hostile network traffic: require up-to-date patch levels, don’t allow unauthenticated remote debugging, set strong passwords, etc.
  • Continue to require that all code at rest either stay in a locked room (for old platforms that don’t have a satisfactory encryption solution) or be encrypted.
  • Continue to require that all developers with access to the code sign appropriate documents stating that they will not remove any code from the network.

Would this be considered a satisfactory security policy at major software development organizations you have worked for? What other practices do software development organizations follow to protect their source? For example, are intrusion detection systems a common part of source security?

The "how do we secure our source code?" question is closely related to ours, but we are more concerned about the network architecture than the employee policy or the backup strategy.

Best Answer

Company policy is often more effective than a technology solution for some of these things. That's not to say that technology can't play a role in helping enforce the policies.

I suggest that you look into a Fortigate from Fortinet. They have a few things that you can leverage to help you. They have the ability to quarantine any computers that don't meet your policies, aka patch levels, A/V, etc. It also has the ability to do both application protection and data leak prevention. So you would just need to set up a data leak prevention rule to block anything that resembled code. So if your company has a standard header that is put at the top of the files you could look for that and block and report it. If you add the FortiClients to the mix you can lock down the USB ports on the local machine as well as enforce firewall, A/V, data leak prevention, and Intrusion Prevention policies at each client.

So to talk to your points.

  • The firewall with VLANs should be able to take care of your first point.
  • Fortigates also act as a VPN so that point is pretty simple as well.
  • VLAN of some sort could be your Sandbox.
  • With FortiClient in combination with Group Policies and the Fortigate, you should be able to control everything you need.
  • This one is a bit tougher to deal with. But company policies that state that not following these policies will result in termination are the best approach. However, the FortiClient can lock down the USB ports, so as long as you lock down the network sufficiently this should give you the control you require.
  • This last one is more of a policy thing as well.
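The answer's data-leak-prevention suggestion (match the standard header at the top of every source file and block or report the transfer) can be illustrated with a small content-inspection check. The following is an added example, not code from the original question or answer and not a Fortinet configuration: it treats a byte payload the way a DLP inspection point would, flags it when the company header marker is present and, as a fallback for files that never carried the header (the old platforms the asker mentions, or generated code), when it looks like source code by a few generic indicators. The header string `HEADER_MARKER`, the `CODE_INDICATORS` patterns, the threshold `MIN_INDICATORS` and the `SAMPLE_PAYLOADS` are all constructed for this example.

```python
"""
Added example: a minimal DLP-style content check for "looks like our source
code". Not from the original Q&A; names and sample data are constructed.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for the organisation's standard source-file header.
HEADER_MARKER = "Copyright (c) ExampleCorp. CONFIDENTIAL - Internal Source"

# Generic indicators that a blob is source code rather than prose. These are
# heuristics chosen for the example; a payload needs MIN_INDICATORS distinct
# matches to be flagged when the header marker is absent.
CODE_INDICATORS = [
    re.compile(r"^\s*#include\s*[<\"]", re.M),                    # C/C++
    re.compile(r"^\s*(import|from)\s+\w[\w.]*", re.M),             # Python/Java
    re.compile(r"^\s*(public|private|static)\s+\w+\s+\w+\s*\(", re.M),
    re.compile(r"^\s*(def|class)\s+\w+\s*[:(]", re.M),
    re.compile(r"^\s*(if|for|while)\s*\(.*\)\s*\{", re.M),
]
MIN_INDICATORS = 2


@dataclass
class Verdict:
    action: str   # "block" or "allow"
    reason: str   # why the decision was taken, for the report the answer mentions


def inspect(payload: bytes) -> Verdict:
    """Decide whether an outbound payload should be blocked as source code."""
    # Decode leniently: a stray non-UTF-8 byte must not bypass inspection.
    text = payload.decode("utf-8", errors="replace")
    if HEADER_MARKER in text:
        return Verdict("block", "standard source header present")
    hits = [p.pattern for p in CODE_INDICATORS if p.search(text)]
    if len(hits) >= MIN_INDICATORS:
        return Verdict("block", f"{len(hits)} source-code indicators")
    return Verdict("allow", "no source-code markers")


# Constructed sample payloads: a headered C file, a Python file with no
# header, and an ordinary text memo that must pass.
SAMPLE_PAYLOADS = {
    "header.c": (
        b"/* Copyright (c) ExampleCorp. CONFIDENTIAL - Internal Source */\n"
        b"int main(void) { return 0; }\n"
    ),
    "stripped.py": b"import os\n\ndef run():\n    return os.getcwd()\n",
    "memo.txt": b"Meeting moved to 3pm, bring the budget sheet.\n",
}


def scan_all(payloads=SAMPLE_PAYLOADS):
    """Run inspect() over every payload and return {name: Verdict}."""
    return {name: inspect(data) for name, data in payloads.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:12s} {verdict.action:5s} ({verdict.reason})")
```

The header rule is the one the answer describes and is cheap and precise; the indicator fallback exists because a header-only rule says nothing about files that were never given a header, which is exactly the class the asker's "old platforms" exception creates. Either way, the check is a reporting and blocking aid at the network or endpoint, not a substitute for the USB and endpoint controls the answer pairs it with.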