Articles & E-Books

 

Protecting your source code means protecting your fintech

Jun 23, 2020

As with most modern industries, increasingly more of our financial services are both run and powered through apps and software, and behind these is the human readable stage of computer programming – the source code.

This code is what a programmer writes that eventually becomes machine readable object code.

It is not unusual for software programs to have millions of lines of code (for example, the Windows 10 operating system is reported to have about 50 million lines). Regardless of size or complexity, for most financial technology providers, source code is at the heart of everything they do. The core value of its business lies in this intellectual property and for this reason, being able to secure it is paramount to ensuring the success, health and ultimately the future of the business.

Of course, if this intellectual property is valuable to the business, it is also valuable to those with malicious intent as well. Source code theft can originate from both inside and outside the organization and could result in competitive and financial damage, and even ruin, if it falls into the wrong hands. What’s more, the wrong people accessing a fintech’s source code could do more than just steal it. Bad actors have been targeting source-code management systems, which could allow them to make security flaws to exploit them or even back doors into the application itself.

There are some estimates that suggest 43 percent of data loss is caused internally, with 50 percent of data breaches being intentional. We have seen several instances where start up fintechs have had their source code stolen by someone within their organization they trusted.

In two particular cases, the individual that stole it started a new company using the lifted source code. This is why the best approach to protect source code is to leverage a variety of legal methods, combined with technological structuring and internal policies and procedures, to ensure original creative and proprietary ideas are not compromised, and thus business can continue to thrive.

Legal structuring

Like all programming, a fintech’s source code is created with a lot of intention and creative energy. For this reason, it should be treated the same as any other intellectual property and covered through copyright protection.

Like all intellectual property, the copyrighted source code cannot be distributed without permission. However, while this protection does extend to the source code as the expression of the idea underlying the software, it does not apply to the idea itself or the function of the software. Therefore, copyright alone does not prevent third parties from creating separate codes to replicate a given source code functionality.

Additionally, published details in copyright documentation could potentially give competitors an unwanted edge, so fintechs should play close attention to the information conveyed in these.

For some businesses seeking greater protection, they can apply for patents and/or coverage under trade secret law for the more sensitive aspects of their propriety knowledge. Patents may be able to prevent a third party’s ability to replicate the functionality of a company’s source code – closing the gap in what copyright protection is able to do on its own.

Trade secrets law offers an alternative or supplement to both copyright and patent protection. It not only covers patentable technologies, but also commercial and business information that is not necessarily eligible for patent protection. This can include valued, commercial information considered to be generally unknown or inaccessible to the public. The duration of this protection is indefinite, lasting for as long as the information remains closed.

Internal control structuring

More often than not when working with a fintech, we identify control gaps that could result in unauthorized access to the company’s source code. When thinking about this code, companies should ask themselves some basic questions:

  • Who has access to my source code (and who should have access)?
  • What logical security mechanisms do I have to prevent (i.e., strong passwords, limited number of failed login attempts, etc.) or detect (i.e., real-time security alerts for suspicious activity, access logs, changes logs, etc.) unauthorized access to my source code?
  • What are the layers of security in between my source code and the internet (i.e., firewalls, intrusion prevention systems, email filtering controls, etc.)?
  • How could the source code get exfiltrated (i.e., USB storage drives, email, internet file sharing sites, etc.)?
  • What would happen to my business if my source code was compromised?

While this list is not exhaustive, it does give a good idea of the questions you need to answer or the controls that should be in place for moving down the path of better securing your source code.

Training and due diligence

A strong, robust security program must address the human element. While it is important for companies to implement strong security procedures, creating a culture of security awareness is key to ensuring everyone is on the same page when it comes to preventing issues. It is critical to ensure a company’s protocols are properly explained to their team and that they continued to be followed properly.

Openly discussing issues such as phishing attacks and general security hygiene best practices can go a long way toward helping mitigate potential issues.

This can include training to make sure staff are aware of security issues in the first place. For example, just because an individual works on a specific program or coding project does not necessarily mean they fully know or understand the security risks associated with it. It is the company’s responsibility to ensure they have this knowledge.

Encryption, code management and monitoring tools

Today’s fintechs have some powerful, dedicated tools to help protect their code and prevent unwanted exposure or theft. These programs can allow companies to better manage their code, offering encryption and continuous data monitoring.

Technologies like encryption tools and code obfuscation techniques, can help protect against attempts to copy or “reverse engineer” a source code. Effective methods for this include hiding parts of the displayed code, altering its data structures and even creating false, nonfunctioning code segments.

Companies should also consider implementing specialized data loss prevention tools.

These programs monitor data around the clock and alert users to any suspicious activity. They also can be adjusted to a company’s standard activity cycle and allow a comprehensive view of company’s overall data movement.

Specifically, these tools can be very effective when applied to high-level risk areas like vendor data touchpoints, to help further mitigate possible security risks.

Additionally, there are also tools like user behavior analytics and digital forensic programs that can monitor and track odd or suspicious user behavior and analyze past incidents, respectively. These can help companies mitigate both internal and external threats to their code.

Redundancy

As with all cybersecurity, taking a layered, multi-pronged approach to protecting source code offers the best defense. Applying multiple strategies to cover different threats and risks can create a more well-rounded security program.

However, businesses should also consider implementing redundant security measures, as well, especially when it comes to source code. Many companies often skip or limit redundancies viewing them as either too expensive or unnecessary. However, including a few extra back-ups around critical areas can be a worthwhile investment, potentially mitigating a lot of headache and heartache further down the road.

How Wipfli can help

Our fintech team can help you navigate the complex maze of competition, technology, regulatory and operational environments. Our services are designed to help you overcome your growth pains and be proactive with challenges. See our web page to learn more.

We also offer a full suite of cybercrime services to help protect you from internal and external cyberthreats. See our web page to learn more.

Author(s)

Mike Morris, CISA
Principal
View Profile