If source code or data must leave the developer’s network or workstation, require that this happen only by exception, or only from particular, well-audited workstations. Enough code has been stolen from the world’s enterprises to serve as an example for everyone.
Still too much extra effort
Believe it or not, many developers (and admins) absolutely think that having to click back and forth between the SAW and a less-trusted virtual machine is too high a burden for the security gain. I hear the complaints all the time. Just tell them you’ll be glad to give them two separate computers, one for developing and one for everything else, if switching back and forth between a physical computer and a hosted VM is too much. That usually shuts them up.
But suppose management agrees that a few mouse clicks to switch contexts between the secure admin workstation and the less-trusted virtual machine is too much extra effort. Even then, there are myriad ways to run trusted and untrusted applications on the same computer at the same time while keeping them security-separated.
One traditional way (beyond running hosted virtual machines) is to run each app remotely on a different hosting server, as Citrix and Remote Desktop Protocol (RDP) deployments often do. To the end user it looks like the application icon is sitting on the same desktop, but clicking the icon launches the app remotely on a different server.
The problem with these designs is that the initial program launch is often a lot slower than subsequent starts, and that in many cases there is still no true security boundary between the applications or on the desktop. Although I don’t know of a single “in-the-wild” remote-app exploit, the security experts who have looked at these models do find big flaws. Still, they remain a pretty good solution, until the first real attack in the wild exploits them.
An even better solution is something like Joanna Rutkowska’s Qubes OS. Qubes is a hypervisor-enabled desktop system with a focus on security isolation. It can run other operating systems, each within its own virtual machine instance, and the Qubes administration back end and networking run in their own isolated virtual machines as well. Qubes is a security-oriented back end that makes creating, managing, and operating all the virtual instances easier. Each virtual instance can appear co-mingled in a GUI desktop, although they are completely separated by hypervisor-enforced security boundaries. And it’s free.
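To make the “security-separated” part concrete, here is an added illustration (not from the original column) of how Qubes keeps a development qube isolated from everything else on the same desktop: a qrexec policy fragment that denies clipboard and file transfer in either direction between an AppVM named dev and any other qube. The qube name and the file name are assumptions; the policy syntax is that of Qubes 4.1 and later (one rule per line: service, argument, source, target, action; first match wins).

```text
# Assumed file: /etc/qubes/policy.d/30-user.policy
# service             arg  source   target   action
qubes.ClipboardPaste  *    @anyvm   dev      deny
qubes.ClipboardPaste  *    dev      @anyvm   deny
qubes.Filecopy        *    @anyvm   dev      deny
qubes.Filecopy        *    dev      @anyvm   deny
```

Pair this with a dev qube that has no network qube assigned, and source code can only leave the development environment through a deliberate, auditable change to this policy, which is the “by exception only” control described above.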
While we are at it, make sure all your developers are trained in secure development lifecycle (SDL) methods. Most developers still don’t have adequate secure programming training. Most colleges and other educational institutions are still doing a poor job of preparing the world’s programmers to write secure code.