Pattern idea: Secure InnerSource

[spier]

A question came up in Slack about how to practice InnerSource in a secure way.

I am summarizing the conversation here, removing any names of people/companies to comply with Chatham House Rule.

The question was:

My company is trying to adopt an InnerSource model.
Our security team is not comfortable with opening up source code internally. They are worried that it would lead to code leaks.

What should we do to reduce the associated risk?

Definition code leak in this context:
A bad employee may get the code and expose it on the Internet.
This could negatively impact company branding or have other negative impacts on the company, depending on what was leaked and the industry the company is in.

Naming ideas for a possible pattern

• Secure InnerSource
• Security and InnerSource
• Satisfying Security Concerns
• Addressing Security Concerns
• Security Concerns and Mitigation
• Working with Security
• Security and Transparency
• Security and Discoverability
• Secure Discoverability
• Discoverability in a Secure Way

[spier]

Solution 1 - RBC

(not from the Slack conversation)

This talk from GitHub Universe 2021 is mentioning this topic:
Making InnerSource & Developer Experience Real at one of Canada's Top 5 Banks - by Anthony Vacca, Sr. Director, OSPO & Developer Experience

They could not make all repositories public inside of RBC (i.e. they could not make them all available as InnerSource).

1. Need to know basis
2. Official Custodian (Owner) for each repo

To solve for these constraints, they created an internal public InnerSource org with only 3 rules that they negotiated with their Security Team are:

1. No hard coded usernames and/or passwords.
2. Repo does not have client information.
3. Code will not be distributed directly to Production.

[spier]

Solution 2

That is usually a concern, and here is where InnerSource has a trade off.

To mitigate and reduce the risks what you could do:

1. Eliminate anonymous access to source code (all users must be logged in to your Source Code Management tool), log the access to repositories
2. Keep the repositories private, but expose metadata on the projects (i.e. through a portal), and create some kind of access request workflow. This way you could still give people access to the code, but not open it to everyone by default

Keep in mind that number 2 will likely have an impact on contributions due to the additional step to access the code.
We do only 1 at our company.

[spier]

Solution 3

We differentiate between multiple sharing levels depending on the nature of the code in the repository:

• open source
• inner source
• restricted source

For restricted source, we use a tool that automatically adds the README.md and some other meta data to an internal repository in GitHub, allowing the GitHub search feature to include this data in the search results. Note: This is similar to Solution 2, point 2 above.

Phrased slightly differently

Problem
Balancing openness versus preventing code leak

Solution
Define multiple confidentiality levels with associated policies, including sharing level in the SCM:

• PUBLIC - open source: findable and accessible for all SW developers in the world
• INTERNAL - inner source: findable and accessible for all SW developers in the company
• CONFIDENTIAL - restricted source: findable for all SW developers in the company, low-friction process to gain full access

[spier]

Solution 4

Our company just started an InnerSource experiment recently.
Below are our practices to mitigate the concerns of the security team:

1. Invite the security team to the task force (InnerSource Program office or similar) to work out secured InnerSource adoption plan/checklist
2. Collect real cases from industry leaders about how they mitigate the security concerns to learn from them
3. Scan the target repositories (including code and test case) for confidential data such as account, password, token, keys, data or the algorithm that is your company’s core competence. Then, remove them from the repos that you want to make INTERNALLY PUBLIC. If the confidential data can’t be removed from or encrypted in the repositories, keep them PRIVATE and restrict user permissions to access them.
4. Collaborate with the security team to enhance the restriction to the source-code management system such as 2-factor authentication, SSH key rotation policy or abnormal access detection
5. Implement secret-scanning gating in the CI/CD pipeline with regular secret-scanning planned job

From my experience, security is usually in conflict to the transparency on information, but the importance is its relative balance. If we make the repositories more transparency, simultaneously we can place more security measures to protect the repositories from other angles like access control, monitoring, detection.

The rationale behind all of this:
There are always security concerns related to sharing more information within an organization. Ii is almost impossible to remove out all the concerns. What we can do is to mitigate the concerns through technique, policy, process and communication (the most important part).

Therefore when naming a pattern about this, I would call it "Security concerns and mitigation". I like the term “mitigation” in the name to cover any possible solutions towards the concerns.

[bartgolsteijn]

How about Addressing Security Concerns as title?

[spier]

How about Addressing Security Concerns as title?

Also nice! I added it to the list above.

When turning this into a pattern, we can use any of these as a working title to begin with. Then when the pattern is ready, we can reevaluate and change the title, depending on what fits the content of the pattern best.

Would that approach work?

[lenucksi]

A lot of what I see here is basic good software engineering practices, such as "don't have unprotected secrets in repos".
Another part of open/innersource/restricted with a very good reason including "try hard to fix the reasons for restriction" I have seen in working already.
And I find the inclusion of checks into CI/CD pipelines and the inclusion of the security experts early on to be a good idea. In case of publication you likely want a check of what you publish anyway.

Nice collection. Looking forward to see where it goes.

[spier]

Thanks for the input @lenucksi .

What did you mean by the sentence below? I think there is some word missing.

In case of publication you likely want a check of what publish anyway.

[mishari]

When talking about security, it's useful to frame discussions around confidentiality (maintaining secrets), integrity (no unauthorised changes), and resiliency/availability and the wording of the pattern should address these issues specifically.

My 2c on this pattern:

1. See how GitLab processes non public information handling sensitive information page and SAFE framework I propose adapting this for use in InnerSource.
2. Appropriate levels of abstraction and code modularization, it's difficult not to have secrets included if you have one large monolithic app, it's also not good for code reuse. InnerSource should encourage the modularization of software, separating out business logic code which can be kept confidential in a team, while releasing other reusable components to the wider organization.
3. It should be also mentioned that more eyes = shallow bugs, so where in some cases security can be maintained by restricting source code, in other times it's better to release code. There's been a few times where I've done a cursory inspection of code and found badly implemented cryptography.
4. Well publicized and documented process for handling security issues when discovered also goes a long way

[spier]

Good idea to explain more specifically what is meant when we say "secure" @mishari!

I think we might have a first version of this pattern ready soon, that we can share as a PR.
Let's work in your input then.