

3 True Stories of Missing Source Code Security - sebastiank123
https://rhodecode.com/blog/missing-source-code-security/

======
wtbob
It's an ad. I'll bite, though.

#1 The Internal Job: the real mistake was in having production credentials
(i.e., the keys to the generators) inside the codebase. The keys should have
been generated when the software was deployed. Hardcoded information should be
kept to a minimum, or ideally eliminated altogether.

#2 Breaching the Version Control Process: there's not really enough
information here to figure out the actual issue. Someone changed a version
number, and that caused a bug to reappear? That sounds like #ifdefs or
similar, where setting a version number can cause code to be included or
excluded. Don't do that: tag your versions in your VCS, and eliminate dead
code ruthlessly. If you really need to get it back, you can always use your
VCS to restore a particular version's code.

#3 Exposing from the Cloud: git's great; GitHub's great; not knowing to keep
your repos private is…not so great. Also, pretty damned easy to avoid. Any
private VCS would work here, to include git repos on a filesystem.

RhodeCode might be neat; it might not be. No doubt it could possibly provide
for a lot of stuff out of the box. At the end of the day, though, you can't
replace smart people executing well-designed processes with software; software
is only good for replacing drones executing dumb processes.
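The check wtbob's point #1 implies, written out here as an added example (it is not part of the original thread and is not RhodeCode's or the linked post's code): a pre-commit style scanner that refuses to commit anything that looks like a hardcoded credential, next to the deploy-time alternative of minting a key on the target host and reading it from the environment. The secret patterns, the entropy threshold and the two sample config files are constructed for the illustration; the `AKIA` prefix is the public AWS access-key-id format, and the sample key is AWS's documented example id, not a real credential.

```python
"""Keep production keys out of the codebase: scan for hardcoded secrets
before commit, and generate/load them at deploy time instead.
Added example; patterns and sample configs are constructed."""
import math
import os
import re
import secrets
import sys
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line kind snippet")

# Starter patterns; extend with your own key formats. These are assumptions
# for the example, not an exhaustive list.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_BITS = 4.0  # above this, a 20+ char token looks generated, not typed


def shannon_entropy(s: str) -> float:
    """Bits per character: English words score around 3, random base64 5+."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list:
    """Return a Finding for every line that looks like a hardcoded secret.
    Comment lines are scanned too: a commented-out password is still a leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(lineno, kind, line.strip()))
                matched = True
        if matched:
            continue
        # Fallback for keys with no recognisable shape: long high-entropy tokens.
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) > ENTROPY_BITS:
                findings.append(Finding(lineno, "high_entropy", line.strip()))
                break
    return findings


def generate_deploy_key(nbytes: int = 32) -> str:
    """Mint a fresh key on the target host at deploy time; never commit it."""
    return secrets.token_urlsafe(nbytes)


def load_secret(name: str, env=None) -> str:
    """Read a secret from the deployment environment and fail closed if absent."""
    env = os.environ if env is None else env
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"{name} not provided by the deployment environment") from None


# Constructed sample of the mistake in story #1: production keys in the repo.
LEAKY_CONFIG = """\
# generator.cfg (constructed sample, not from any real project)
db_host = db.internal
db_password = "hunter2-but-long-enough!"
aws_key = AKIAIOSFODNN7EXAMPLE
signing_seed = "abcdefghijklmnopqrstuvwxyz012345"
-----BEGIN RSA PRIVATE KEY-----
"""

# The same config once secrets are supplied by the deployment environment.
CLEAN_CONFIG = """\
db_host = db.internal
db_password = ${DB_PASSWORD}
aws_key = ${AWS_ACCESS_KEY_ID}
"""


def main(paths) -> int:
    """Pre-commit entry point: non-zero exit blocks the commit."""
    exit_code = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                print(f"{path}:{f.line}: {f.kind}: {f.snippet}")
                exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wire `main` into a pre-commit hook over the staged files and it fails the commit on the leaky config while passing the clean one; the entropy fallback is what catches keys your regexes have never seen, at the cost of occasional false positives on long identifiers, which is why it only fires on tokens of 20 characters or more.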

------
idontknow4
So I agree having good version control tools is always a must, but some common
sense is always needed too. That said, I know code was reinserted on me once
(similar to example 2), but there is nothing more frustrating than dealing
with idiots.

