McAfee made a startling announcement at the recent RSA conference: hackers compromised source code management systems at Adobe, Google and others. The accompanying whitepaper is a well documented description of how attackers are targeting internal code, both to steal it and, equally importantly, to change it. The second case presents firms with a very difficult problem: unauthorized change that nobody knows about.
According to a press report in Wired, the attack was documented by McAfee in this whitepaper.
I’ve read a lot of reports that describe attacks, but this one is more detailed, and should be a real wakeup call for corporate security managers, software development teams, and software development tool suppliers.
The important new finding is that the hackers targeted source code control systems (the report called out Perforce, but the problem could easily apply to others as well). A quick check of the Perforce entry on Wikipedia shows that the product has security capabilities, but clearly they were not in place at the right level. So that’s the first wakeup call: use the role-based access features that your software probably already has. And a note to software vendors: role-based access, encrypted communication and other security features are not afterthoughts, and should be turned on by default.
The second point is that there is a lot of valuable IP in the form of source code on each developer’s local system – and that’s also a high value target. Another wakeup call to the security team. What are you doing to protect that code?
The final, and from my perspective most important, point is the quote from Dmitri Alperovitch, McAfee’s VP for threat research. He says that while there is no evidence at this point of altered code, “the only way to determine this would be to compare the software against backup versions”, “…an extremely laborious process”.
The message is clear – be diligent about your control of your code, and have a way to validate its integrity if needed.
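One way to make that integrity check cheap rather than laborious is to record a baseline of per-file hashes at a known-good point and diff the tree against it later. The script below is an added example written for this post, not code from McAfee, Perforce or the whitepaper; the sample tree it builds, the file names and the key are all constructed for illustration. The manifest is protected with an HMAC so that an attacker who can rewrite files cannot also quietly rewrite the baseline (the key must live outside the tree being protected).

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Directories that are not source and would only add noise to the manifest (assumed list).
SKIP_DIRS = {".git", ".hg", ".svn", ".p4", "node_modules", "__pycache__"}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large trees do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def sign_manifest(manifest, key):
    """Serialize deterministically and attach an HMAC so tampering with the manifest is detectable."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": manifest, "hmac": tag}


def verify_manifest(root, signed, key):
    """Check the manifest's HMAC, then report files added, removed or modified since the baseline."""
    body = json.dumps(signed["files"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("manifest HMAC mismatch: the baseline itself was altered")
    baseline = signed["files"]
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample tree (not real product code): take a baseline, tamper, then verify."""
    key = b"demo-key-replace-with-a-real-secret"  # assumption: in practice keep this off the build host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "auth.c").write_text("int check(void) { return 0; }\n")
        (root / "src" / "util.c").write_text("int add(int a, int b) { return a + b; }\n")
        (root / "README").write_text("constructed sample tree\n")
        signed = sign_manifest(build_manifest(root), key)

        # Simulated unauthorized change: a logic flip, a planted file and a deleted file.
        (root / "src" / "auth.c").write_text("int check(void) { return 1; }\n")
        (root / "src" / "evil.c").write_text("/* planted */\n")
        (root / "README").unlink()
        return verify_manifest(root, signed, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports src/evil.c as added, README as removed and src/auth.c as modified. In practice the baseline would be generated from a trusted checkout at release or audit time and stored, with its key, somewhere the development infrastructure cannot write to; the same routine then answers Alperovitch's question in minutes instead of by hand.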
