The lesson is clear: Security matters, but only when you secure the “right” things. In the case of Acme Online, real competitive value comes not from the front-end user interface code, but from the back-end services code that codifies Acme’s business processes for pricing, inventory, product recommendations, and sales.
In this case, the contractors don’t actually need access to the proprietary back-end source code to achieve their objectives. What they do need, however, is secure, well-documented, and highly accessible development web services. This requirement could have been satisfied with far less onerous security measures, including:
- A publicly facing set of web services that is accessible outside the company firewall, enabling development from anywhere
- SSL (TLS) client-certificate authentication, ensuring that those services are accessible only to company-approved developers
- IP whitelisting, to minimize the chances of a denial-of-service attack from unauthorized computers
- API rate limiting, to ensure that no one developer (or a malicious actor who has obtained a developer’s credentials) can attempt to reverse engineer back-end algorithms by issuing thousands of API requests
Finally, a clear company policy on the use of third-party components, rigorous validation of the completed code, and appropriate safeguards for Acme’s IT and API infrastructure could be effective in combating the risks of malicious front-end code injection without impeding the progress of the development team.
With these security measures in place, the developers could have set up their own development pipeline, used the tools they’re comfortable using, and developed software anywhere and anytime they had an internet connection.
This approach would also have significant security benefits by implementing the principle of least privilege: Developers would have access to only those resources necessary to complete their work, with no broader access to internal company systems or networks. The use of external-facing APIs in this manner replaces the outmoded and ultimately ineffective concept of a “company firewall” that does little more than divide network traffic into internal (“good”) and external (“bad”) sources.