Small Business Defense – Source Repositories and Honey Tokens

As mentioned yesterday, source code is a nice juicy target for an attacker. So, what can you do about it?

The first thing to do is to make sure that you have the ability to detect whether an attacker was able to make changes to your code. To do this, you need a way to ensure that you have a good clean reference copy of what the code should be. The easiest way to do this is to use a revision control system. Though there are many, I prefer subversion, as it is both free and fairly easy to use. Once your code is checked into your revision control system, it’s easy to look for differences in running code and stored code. In addition, if you are compiling your code (or converting it into bytecode), you can keep all the code in the system. Then, you can add strict access rules to the repository and gain an extra layer of defense.

So, that takes care of protecting your assets and helps you confirm if they are stolen, but how do you detect the theft in the first place in case someone does get through? That’s where a “honey token” system comes in. This sort of system is often installed at the edge of your network and simply checks all outgoing traffic for certain key words and phrases. It’s fairly easy to come up with specific strings to embed into your source code (or other intellectual property of interest), and then set these systems to look for them. They’re not perfect and may miss transfers that are compressed or encrypted, but they’re better than nothing.

And after all, protecting your assets is a matter of incremental improvement.