Security of Code Repositories

This topic is one of the topics listed in the CISSP exam outline. As a CISSP instructor and experienced developer, I am highly interested in this topic. It so happens that I designed and shared a question, CISSP PRACTICE QUESTIONS – 20191008, related to this topic a couple of days ago.

Version Control System (VCS)

A code repository is storage where the source code is persistently stored. It is typically managed by a version (source/revision) control system (VCS) so that the historical revisions to the source code can be tracked by version.

There are two types of version control systems:

  • Centralized VCS (CVCS), e.g. Microsoft TFS and Apache Subversion (SVN).
  • Distributed VCS (DVCS), e.g. Git and Mercurial.

The Attack Surface

File Systems

Code repositories are commonly backed by ordinary file systems such as NTFS or ext4. Git is the best-known VCS that stores its repository directly in the file system provided by the operating system, while Microsoft TFS uses a relational database with a proprietary structure.

The following screenshots are local repository examples of git and TFS.

Communication Channels

It’s a good practice to connect to the central code repository using SSH.

It’s common to push or upload code to the central code repository over HTTPS. RFC 2617 defines two HTTP authentication schemes: Basic Authentication and Digest Access Authentication.

The Basic Authentication scheme sends the credential unencrypted (it is only Base64-encoded). Because web browsers have limited capabilities and client-side scripts are visible to anyone who inspects them, encrypting the user credential inside the browser is futile. So it is common to perform HTTP authentication over HTTPS, which encrypts the whole exchange.

Secure Source Code Handling

Local and Remote Operations

I define “source code handling” as acting on or performing a required function with regard to the source code. The most common of these operations are check-in/check-out and push/pull. They require frequent access to the local source code repository (local repository) and infrequent access to the remote central source code repository (remote repository).

Version Control vs Change Management

Source code needs good version control support, but it doesn’t necessarily require change management. It is the requirements, rather than the source code itself, that need change management: changes to the requirements need evaluation and formal approval or sign-off to change the requirement baseline, whereas developers don’t obtain formal approval to develop or revise code.

Access Control: DAC and RBAC

The protection of the code repository is one of the biggest challenges in software development, especially the local repository.

Secure source code handling should address the major vulnerabilities of both the local and the remote repository. Both are typically backed by OS-level file systems and managed at the owner’s discretion. Even where access to a remote repository with proprietary storage, e.g. Microsoft TFS, is governed by role-based access control (RBAC), the local repositories still sit at the file-system level and depend on discretionary access control (DAC).

The File System, NTFS as Discretionary Access Control

The protection of the code repository needs DAC more than RBAC, since the local repository is the more vulnerable one. RBAC is non-discretionary: roles are predefined with privileges, access is typically managed centrally, and a developer can’t effectively control access to the local repository through RBAC.
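The two attack surfaces above, the communication channel (Basic Authentication over plain HTTP) and the DAC-protected local repository, can be checked in one pass. The following POSIX shell script is an added example, not code from the original post; it audits a local Git repository by reading .git/config directly and inspecting the mode bits of the .git directory. The sample repository, its hostname and its credential are constructed for the demonstration.

```shell
# Added example (not from the original post): audit a local Git repo for the
# two risks above, a cleartext remote channel (HTTP Basic Auth sends the
# credential unencrypted) and weak DAC permissions on the local repository.
# It parses .git/config directly, so git need not be installed.

# check_remotes <repo_dir>: one finding per remote URL that uses plain
# http:// or embeds user:password@ credentials.
check_remotes() {
    sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$1/.git/config" |
    while IFS= read -r url; do
        case "$url" in http://*) echo "CLEARTEXT_REMOTE $url" ;; esac
        case "$url" in *://*:*@*) echo "EMBEDDED_CREDENTIAL $url" ;; esac
    done
}

# check_permissions <repo_dir>: flag a .git directory readable or writable by
# group or others; with a file-system repository the mode bits are the control.
check_permissions() {
    gobits=$(ls -ld "$1/.git" | cut -c5-10)   # group+other bits, e.g. r-xr-x
    case "$gobits" in
        *r*|*w*) echo "WEAK_DAC $1/.git group/other=$gobits" ;;
    esac
}

# audit_repo <repo_dir>: run both checks; exit status 1 if anything was found.
audit_repo() {
    findings=$( { check_remotes "$1"; check_permissions "$1"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_repo: constructed repository (host and credential are made up):
# an HTTP remote with the credential embedded, an SSH remote, world-readable .git.
make_sample_repo() {
    dir=$(mktemp -d)
    mkdir "$dir/.git"
    cat > "$dir/.git/config" <<'EOF'
[remote "origin"]
    url = http://alice:s3cret@vcs.example.invalid/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "backup"]
    url = git@vcs.example.invalid:team/app.git
EOF
    chmod 755 "$dir/.git"
    echo "$dir"
}
```

Running `audit_repo "$(make_sample_repo)"` prints three findings (cleartext remote, embedded credential, weak DAC) and exits with status 1; a repository with SSH/HTTPS remotes and a mode-700 .git directory prints nothing and exits 0.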

Microsoft TFS Groups as Role-based Access Control

Encryption, NDA and RBAC

NDA and RBAC help, but they can’t protect the source code on a stolen developer laptop, while encryption, as a preventive and corrective security control, can. Source code at rest or in transit can be protected by encryption as a preventive control. With the support of a Trusted Platform Module (TPM), some hard drives are manufactured so that they self-destruct when an unauthorized (unregistered) user tries to access the data on them. This corrects the intrusion.

An NDA, as an administrative security control, definitely helps, but it can’t detect, prevent, correct, or recover from a data breach. RBAC is not effective enough to protect the local repository.

Feedback to the Question Discussed

The following practice question is discussed in Luke’s Facebook group:

  • The “handling” in the question is not commonly agreed upon. It should be further defined.
  • IMO, all four of the options provided contribute to secure source code handling. The question seems too vague.