Secure your work

If someone does break into your systems and gains access to source-code or Web-site files, is there a way to make sure that vital data is not tampered with? The answer is yes, with source-code version-control programs.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Microsoft's Rick Miller is now claiming that his company knew about a widely reported security break-in from day one (which MS claims was around mid-October) and monitored it for roughly two weeks. We haven't seen such fancy spinning since the spider got drunk on moonshine.

Seriously, though, if someone does break into your systems (or, for that matter, your customers' systems) and gains access to source-code or website files, is there a way to make sure that someone hasn't tampered with vital data? The answer is an enthusiastic "yes."

Mission Control: The products that make that "yes" happen are widely known as source-code version-control programs. At their core, they all work by recording a history of all source-code files, whether they are C programs or elements of your website. Rather than recording multiple copies of your files, which would soon lead to data crowding that would cause even terabyte hard drives to pause, those programs work by recording version changes - much in the way that Quark's CopyDesk helps editors track file changes as electronic documents are routed between reporters and graphic artists.

Properly set up, a version-control program like the open source Concurrent Versions System (CVS, no relation to the drugstore) will make sure every change to your code is recorded. That will help you to pinpoint bugs, find cracker-inserted code or even roll back your files to previous versions, if you think that step is necessary.

The problem with CVS, however, is that like so many Unix-based tools, to use it well requires expertise. As a result, many firms have tried to build a better mousetrap.

Of those programs, some of the most noteworthy are JavaSoft's JavaSafe, Lucent Technologies' Sablime, MKS' Source Integrity Professional Edition and UniPress' Source Code Manager. Microsoft also has its own, Visual SourceSafe. But even before the break-in, Visual SourceSafe was known in the change-management industry as "Sorta Safe."

Padlocking The Data Safe: Some companies, meanwhile, are expanding their product lines beyond the traditional bounds of code management. Those businesses usually describe themselves as being in the software configuration management (SCM) business. That term sells them short.

As International Data Corp. analyst Richard V. Heiman puts it, "SCM tools have expanded in features to cover a broad functional spectrum from simplistic configuration management (CM) and version-control, to more sophisticated tasks such as process-management and change-request tracking. Most SCM vendors are positioning their products for Web-content management in addition to more conventional software (i.e. code) management."

Top-Notch Tools: The leaders in that expanded field are AccuRev's (www.accurev.com) AccuRev and Rational Software (www.rational.com) with ClearCase. Both tools make it possible to do what AccuRev's CTO Damon Poole calls a "software audit." (Like Dr. Evil, we just "love" quotation marks.)

In a software audit, just like a reputable financial audit, the tool should be transaction-based and should not permit changes to be made to the audit information. That may sound like a no-brainer, but you'd be surprised at how poorly some companies audit their own code. That approach makes it both easier to see where and when the files were tampered with and who did it. It also ensures that the cracker doesn't cover his tracks by changing the audit data.
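A minimal illustration of the transaction-based audit described here, and of the change recording the CVS paragraph above relies on, written for this page (it is not CVS, AccuRev or ClearCase code, and every name in it is an assumption): file versions are stored by content hash, each commit becomes a record in a hash-chained log, a working copy can be checked against its last recorded version and rolled back, and any edit to the audit records or stored history (the cracker covering his tracks) breaks the chain.

```python
import hashlib
import json

ZERO = "0" * 64  # chain anchor for the first transaction

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(rec: dict) -> str:
    # canonical JSON of every field except the hash itself
    body = {k: v for k, v in rec.items() if k != "entry_hash"}
    return sha256(json.dumps(body, sort_keys=True).encode())

class AuditedRepo:
    """Toy version store (hypothetical, not any vendor's product): contents are
    kept by hash and each commit is appended to a hash-chained audit log."""
    def __init__(self):
        self.blobs = {}  # content hash -> bytes
        self.log = []    # append-only transaction records

    def commit(self, path, content, author, when):
        digest = sha256(content)
        self.blobs[digest] = content
        rec = {"seq": len(self.log), "path": path, "blob": digest, "author": author,
               "when": when, "prev": self.log[-1]["entry_hash"] if self.log else ZERO}
        rec["entry_hash"] = entry_hash(rec)
        self.log.append(rec)
        return rec["seq"]

    def check_file(self, path, on_disk):
        """Does the working copy match the last recorded version? -> (ok, seq)"""
        rec = next((r for r in reversed(self.log) if r["path"] == path), None)
        return (rec is not None and sha256(on_disk) == rec["blob"], rec["seq"] if rec else None)

    def rollback(self, seq):
        """Recorded (path, content) of transaction `seq`: the known-clean copy."""
        rec = self.log[seq]
        return rec["path"], self.blobs[rec["blob"]]

    def verify_log(self):
        """Recompute the chain; index of the first bad record, or -1 if clean."""
        prev = ZERO
        for i, rec in enumerate(self.log):
            blob = self.blobs.get(rec["blob"])
            if (rec["prev"] != prev or entry_hash(rec) != rec["entry_hash"]
                    or blob is None or sha256(blob) != rec["blob"]):
                return i
            prev = rec["entry_hash"]
        return -1
```

Because every record carries the previous record's hash, a cracker who rewrites the author or date on one transaction, or swaps the stored content behind it, is caught by `verify_log` at that exact record; a real tool would additionally keep the log on a host the web server cannot write to.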

Safe At Home: While Microsoft declines to reveal how the company determined its code was untouched, sources within MS say the company uses an internal tool, SLM, and Rational's ClearCase to audit code - rather than its Visual SourceSafe. If that truly is the case, it's a pretty good bet that Microsoft's code remained safe during the break-in.

In our brief tests, we found that AccuRev/CM, AccuRev's most comprehensive product, did the best job of protecting both our source code and our web pages. While the interface on the Windows version could stand some work, the functionality was in there.

And don't think that just because you don't have software developers in-house, you don't need the new CM programs. While website hacking has become so commonplace that it no longer makes headlines, that doesn't mean you want your site or a partner's to end up looking like a graffiti-trashed subway car. These 21st-century programs also did a fine job of protecting our HTML, XML and Java Web information from damage.

Regardless of your choice, CM programs are a good last-ditch defense for mission-critical data. CM firms not only offer a valid safeguard; in partnership with them, you can further protect your business in a world where even Microsoft is open to attack.