March 8, 2010

Operation Aurora and SCM Security

Surround SCM
Recently, you may have read about some security attacks against large companies like Google, Adobe and others called Operation Aurora. You may have also seen that the underlying attack was against their SCM systems. McAfee published a white paper on this topic (found here) that outlines some of the problems with the SCM system in question. Surround users might be wondering whether they are also vulnerable to similar kinds of attacks. Based on the report from McAfee and the items they outlined, the general answer is no. Several of the problems found revolve around default privileges for new users being too high (basically, administrator level.) In Surround, new users have no privileges, which helps remove these problems. A second set of problems has to do with passwords and other data being sent in clear text on the network. In Surround, passwords are always sent in an encrypted format. In addition, there is a simple server setting you can enable to encrypt all communication between the client and server. A third category has to do with custom web access. Surround web access is through WebDAV, which allows your network administrators to use the standard mechanisms for securing that kind of access. Although not covered in the McAfee white paper, a large number of SCM systems either do not provide built-in authorization control or make you write Perl scripts in order to provide security. We view this as a security problem as well, since forcing your users to write and debug scripts for authentication and authorization is not only a bad use of their time but not a great plan for security. Now it’s important to realize that any complex client/server application is going to have avenues of security attack. And almost any system can be made insecure through incorrect configuration. The goal for Seapine is to make sure that we choose reasonable defaults that balance security and ease of use, while providing the ability to make your installation as secure as you need. We're always evaluating this, especially with Surround SCM, as we want you to be comfortable storing your critical company assets in Surround. With this most recent round of attacks focused on SCM systems, now might be a good time to evaluate your configuration and make sure you've got the right balance set for your organization. Overly byzantine security can be just as bad as overly simple if it causes your users to come up with ways to circumvent it. Make sure you're leveraging the best built-in capabilities of all your tools, including Surround SCM.