
Okta Source Code Stolen – So What?

Source code is being stolen more and more frequently these days.

In March, Samsung announced that hackers had stolen source code for its Galaxy phones.

Also in March, Microsoft said that hackers had stolen source code for Bing, Maps and Cortana.

In May, Mercedes admitted that it had misconfigured a source code server, leaving the 500+ repositories on it downloadable by anyone.

This month Okta, the security software provider, admitted that hackers were able to access its GitHub source code repositories.

In none of these attacks did the hackers exploit a bug in the source code control system itself. They got in through credentials, access and configuration mistakes, not through the software.

Of course Okta is trying to play things down, especially in light of the other breach Okta had in March, which potentially exposed the customer tenants of hundreds of companies.

Security companies are high profile targets, as vendors like SolarWinds, LastPass and Okta are discovering the hard way.

Both of Okta's recent breaches came through third-party connections. It is often easier to attack the suppliers of a company like Okta than to make a frontal assault on the company itself.

In this most recent attack, Okta tried to spin things as best it could, saying that no customer data was directly stolen and that no HIPAA, FedRAMP or DoD customers were impacted.

Still, losing control of your source code does two things:

  1. It makes it easier for competitors to copy your features, or at least to see whether you have implemented something better than they have.
  2. More importantly, it lets hackers hunt for vulnerabilities in your code offline, at their leisure. Whatever they find they can sell, or use themselves to attack you and/or your customers.

Naturally, Okta is saying that it does not depend on the confidentiality of its code to secure its data. As a design principle, that is true: a system should not rely on its code staying secret.

However, at a detail level, no company can honestly say that losing control of its source code isn't a security risk. Leaked code tells an attacker exactly which components, dependencies and logic to go after.

In Okta's case, both breaches originated at third parties: one at a developer, the other at a support service provider.

As I continue to say, third parties represent a significant risk.

If you develop software, is your source code safe? Would you even know if it wasn't? Credit: Cyber News
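One way to start answering "would you even know": watch your source-control audit log for the pattern behind every incident above, an account pulling a large slice of your repositories in a short time, and for any clone at all by a third-party account. The script below is an added example, not code from the original post or from Okta, GitHub or any vendor named here. It assumes a simplified JSON-lines audit log with the fields `action`, `actor`, `repo` and `timestamp`; real GitHub or GitLab exports use their own field names and would need a small adapter. The sample log lines are constructed for the example.

```python
"""Flag bulk repository cloning and third-party clones in a source-control audit log.

Added example. The log format below is an assumption (a simplified JSON-lines
audit log); adapt the field names to whatever your SCM platform actually exports.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one normal developer (alice), and a vendor service
# account that clones an entire organization in a few minutes.
SAMPLE_LOG = """
{"action":"git.clone","actor":"alice","repo":"acme/web","timestamp":"2022-12-20T09:02:11Z"}
{"action":"git.push","actor":"alice","repo":"acme/web","timestamp":"2022-12-20T10:15:42Z"}
{"action":"git.clone","actor":"alice","repo":"acme/api","timestamp":"2022-12-20T11:40:03Z"}
{"action":"git.clone","actor":"svc-vendor","repo":"acme/web","timestamp":"2022-12-20T22:01:00Z"}
{"action":"git.clone","actor":"svc-vendor","repo":"acme/api","timestamp":"2022-12-20T22:01:30Z"}
{"action":"git.clone","actor":"svc-vendor","repo":"acme/billing","timestamp":"2022-12-20T22:02:05Z"}
{"action":"git.clone","actor":"svc-vendor","repo":"acme/auth","timestamp":"2022-12-20T22:02:40Z"}
{"action":"git.clone","actor":"svc-vendor","repo":"acme/mobile","timestamp":"2022-12-20T22:03:10Z"}
{"action":"git.clone","actor":"svc-vendor","repo":"acme/infra","timestamp":"2022-12-20T22:03:55Z"}
"""

# Accounts belonging to suppliers, contractors or support providers (assumed list).
THIRD_PARTY_ACTORS = {"svc-vendor"}


def parse_events(text):
    """Parse JSON-lines audit records, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # ISO-8601 with a trailing Z; fromisoformat wants an explicit offset.
        event["timestamp"] = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        events.append(event)
    return events


def find_mass_clones(events, window=timedelta(minutes=10), max_repos=3):
    """Return {actor: set(repos)} for every actor that cloned more than
    max_repos distinct repositories inside any sliding time window."""
    clones_by_actor = defaultdict(list)
    for event in events:
        if event["action"] == "git.clone":
            clones_by_actor[event["actor"]].append((event["timestamp"], event["repo"]))

    flagged = {}
    for actor, clones in clones_by_actor.items():
        clones.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(clones)):
            # Slide the window start forward until it covers at most `window`.
            while clones[end][0] - clones[start][0] > window:
                start += 1
            repos_in_window = {repo for _, repo in clones[start:end + 1]}
            if len(repos_in_window) > max_repos:
                flagged.setdefault(actor, set()).update(repos_in_window)
    return flagged


def third_party_clones(events, third_parties=THIRD_PARTY_ACTORS):
    """Return [(actor, repo)] for every clone performed by a third-party account.
    Each of these deserves a look on its own, regardless of volume."""
    return [
        (event["actor"], event["repo"])
        for event in events
        if event["action"] == "git.clone" and event["actor"] in third_parties
    ]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for actor, repos in find_mass_clones(events).items():
        print(f"ALERT mass clone by {actor}: {len(repos)} repos: {sorted(repos)}")
    for actor, repo in third_party_clones(events):
        print(f"NOTE third-party clone by {actor}: {repo}")
```

Run against the sample, `alice` is left alone (two clones, hours apart) while `svc-vendor` is flagged for pulling six repositories in under three minutes, and each of its clones is also listed as third-party activity. Tune `window` and `max_repos` to your organization's normal CI and developer behaviour before alerting on them.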

If you are concerned about that risk to your organization, please contact us.
