Securing Source Code on Endpoints

Securing source code from loss or theft has historically been challenging because few security options were effective without impacting developer productivity. For many businesses, source code is an extremely valuable asset, yet to enable productivity it has to be copied onto developer endpoints in plain text formats, making it difficult to keep this asset secured and monitored.

SecureCircle’s Data Access Security Broker (DASB) is a simple and reliable security architecture that enables customers to secure source code on the endpoint without preventing developers from doing their job. DASB protects against both insider threat and accidental data loss without constraining developers to a particular IDE or build tools.

When deployed in a best practice configuration, SecureCircle can secure source code on endpoints without development teams needing to change how they operate or interact with code, IDEs, and development tools. This whitepaper focuses on SecureCircle best practices for securing source code in development environments.

High Level Architecture

The most common approach to managing and working with source code is to leverage one or more code repositories that are considered the source of truth for a given development project. The code repositories provide functionality that simplifies managing various versions of code, branches, and releases.

In development environments, it is common practice for developers to copy code onto their endpoints (Mac/PC/Linux) using a pull request or checkout process. This checkout or pull operation lets developers move code directly to their local endpoint for the fastest and most reliable development experience when working with code.

SecureCircle ensures source code is persistently encrypted when it moves to the developers’ endpoint, without impact to developers and their tools, so businesses always remain in control of their source code regardless of where the code resides.

Securing Source Code on the Endpoint

When SecureCircle has been configured to best practice, source code is secured as it moves from the code repository to developer endpoints. Specifically, the client process (e.g. git, svn) on the developers’ system is configured as a Secure Process. When the Secure Process copies or writes source code files to the developer endpoint, the SecureCircle agent ensures the source code within the files is encrypted at all times and remains secured even in use.

An additional layer of security recommended by SecureCircle is to use SSH as the transfer protocol for any pull requests from the code repository. Not only does this ensure source code is encrypted in transit, it also allows the private SSH key file on developers’ endpoints to be managed by SecureCircle. By securing the key with SecureCircle, access to both the source code on the endpoint and the repository over the network can be revoked when disabling a user or device. When access to the code is revoked, it can no longer be read on the endpoint by any process. Similarly, the endpoint will no longer be able to make requests to the repository, as the SSH key that grants access to the code repository is also unreadable. All secured source code on developer endpoints is monitored. When applications and processes attempt to access the source code, the attempted actions can be logged in a SIEM for further analysis.
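One way to check that developer clones actually follow the SSH recommendation above is to audit each repository's remote URLs. This is an added example, not SecureCircle code; the host names and sample output are constructed, and the input is assumed to be the output of `git config --get-regexp '^remote\..*\.(url|pushurl)$'`.

```python
import re
from urllib.parse import urlsplit

# scp-like form "[user@]host:path"; git only recognizes it when there is
# no slash before the first colon.
_SCP_LIKE = re.compile(r"^(?:[^@/:]+@)?([^/:]+):(.+)$")

def transport_of(url):
    """Return the transport a git remote URL selects ("ssh", "https", "local", ...)."""
    url = url.strip()
    if "://" in url:
        scheme = urlsplit(url).scheme.lower()
        # git+ssh and ssh+git are deprecated aliases git still maps to SSH
        return "ssh" if scheme in ("ssh", "git+ssh", "ssh+git") else scheme
    m = _SCP_LIKE.match(url)
    # Assumption: a single-letter "host" is a Windows drive (C:\repo), not SSH
    if m and not re.fullmatch(r"[A-Za-z]", m.group(1)):
        return "ssh"
    return "local"

def non_ssh_remotes(config_output):
    """Return (remote, key, transport) for every remote URL that is not SSH."""
    findings = []
    for line in config_output.splitlines():
        m = re.match(r"^remote\.(.+)\.(url|pushurl)\s+(\S+)$", line.strip())
        if m and transport_of(m.group(3)) != "ssh":
            findings.append((m.group(1), m.group(2), transport_of(m.group(3))))
    return findings

# Constructed sample output for one developer clone
SAMPLE = """\
remote.origin.url git@git.example.com:org/app.git
remote.origin.pushurl https://git.example.com/org/app.git
remote.mirror.url git://mirror.example.com/app.git
remote.backup.url ssh://git@backup.example.com:2222/org/app.git
"""

if __name__ == "__main__":
    for remote, key, transport in non_ssh_remotes(SAMPLE):
        print(f"{remote}.{key} uses {transport}, expected ssh")
```

Checking pushurl as well as url matters because a remote can fetch over SSH and still push over another transport.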

Allowing Access to the Source Code on the Endpoint

Source code within files that have been checked out by an approved developer, on an approved endpoint, by an approved process, is always kept in an encrypted state. Not only is the code always encrypted, only approved IDEs and compilers are granted access to the code within the file; other processes on the developers’ endpoint can’t access the plain text version of source code unless explicitly approved.

When an approved IDE opens source code, it reads plain text, yet the file is never decrypted. The source code stays within the IDE and other approved processes, such as alternate IDEs. Compilers can also be approved applications and read plain text within the secured file, so that code compiles successfully without any change to the developers’ normal workflow or to the build tools.

In general, processes that consume data on the endpoint are either considered an Allowed Process, which grants permission to read the content within files, or a Denied Process, in which case they are forced to read the encrypted version of the bytes. Transport tools such as Windows Explorer, Mac Finder, email clients, and file sync clients (e.g. Dropbox) are all recommended to be Denied Processes, which means these processes can transport secured files but never read the plain text contents.

Securing source code within the clipboard

It is common to use the clipboard in the operating system to move data from one location to another. In source code development, the ability to copy and paste is an important tool for productivity. With SecureCircle, developers are free to copy and paste within and between Allowed Processes. However, if a developer attempts to paste code from an Allowed Process to a Denied Process, the operation will be blocked. By controlling copy and paste in this way, source code can be blocked from being exfiltrated into unapproved applications and processes that are considered high risk, such as email clients or web browsers.

Securing newly created and derivative source code

When new source code files are created, they can be secured in one of two ways: by default, as part of a Secure Process that secures every new file created, or based on content, when the code is a derivative of source code that was previously secured by SecureCircle.

By enabling Secure Derivative, similarities within data across files will be detected. When a new file is created with similar contents to an existing file, it will be automatically secured with the same policies as the original file and transparently encrypted to allow the security to move with the data. When source code is copied from one file to another within an Allowed Process, Secure Derivative ensures the file that receives that code will inherit the security of the file that contained the original code.

Checking source code into the repository

When checking code back into the code repository, the process on the developer endpoints can be set as an Allowed Process, which removes the encryption from the bytes within the source code as it is sent to the code repository. The source code files are encrypted in transit through SSH but are then stored in plain text format within the source code repository, which allows standard server-side tools within the code repository to continue to operate as expected. When a developer checks out the code in the future, it will be secured as per the original method described above. SecureCircle recommends that security controls be implemented on the repository to complement the code workflow described in this whitepaper.

Revoking access to source code

In the event that access to source code needs to be revoked, SecureCircle can disable access to source code on endpoints by user, group, or device.

When access to data is disabled, the data is no longer accessible to the user, group or device implicated, regardless of where the data resides. Attempts to access the source code on a device that had access revoked will be denied and these attempts will be logged. Additionally, the ability to copy source code from the repository will also be revoked, as the SSH private key file will no longer be accessible to the clone process on the developer’s endpoint. Removal of access to source code can be effective within seconds based on the configuration of time to live (TTL) settings within the SecureCircle service. Finally, access to any additional copies or derivatives will also be revoked even in the event they were copied onto removable media.
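The revocation behaviour described above can be verified from the logged access attempts once they reach the SIEM. The following is an added example, not SecureCircle code: the event schema, device names and timestamps are constructed, and it assumes that reads allowed within the TTL window after a revocation are tolerated while any allowed read after that window means the revocation did not take effect.

```python
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema (not the product's log format)
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "access", "device": "dev-042", "process": "code", "result": "allowed"},
    {"ts": "2024-05-01T10:05:00", "type": "revoke", "device": "dev-042"},
    {"ts": "2024-05-01T10:05:20", "type": "access", "device": "dev-042", "process": "code", "result": "allowed"},
    {"ts": "2024-05-01T10:06:30", "type": "access", "device": "dev-042", "process": "code", "result": "allowed"},
    {"ts": "2024-05-01T10:07:00", "type": "access", "device": "dev-042", "process": "git", "result": "denied"},
    {"ts": "2024-05-01T10:07:05", "type": "access", "device": "dev-042", "process": "outlook", "result": "denied"},
    {"ts": "2024-05-01T10:08:00", "type": "access", "device": "dev-007", "process": "code", "result": "allowed"},
]

def audit_revocation(events, ttl_seconds):
    """Split access events on revoked devices into (violations, attempts).

    violations: allowed reads later than revoke time + TTL (control failure)
    attempts:   denied reads after revocation (expected, but worth reviewing)
    """
    ttl = timedelta(seconds=ttl_seconds)
    revoked_at = {}
    violations, attempts = [], []
    # ISO 8601 timestamps in one format sort correctly as strings
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "revoke":
            revoked_at.setdefault(ev["device"], ts)  # keep the earliest revocation
            continue
        start = revoked_at.get(ev["device"])
        if ev["type"] != "access" or start is None:
            continue  # device not revoked (yet): nothing to check
        if ev["result"] == "denied":
            attempts.append(ev)
        elif ts > start + ttl:
            violations.append(ev)
    return violations, attempts

if __name__ == "__main__":
    violations, attempts = audit_revocation(EVENTS, ttl_seconds=60)
    print(len(violations), "allowed reads after TTL;", len(attempts), "denied attempts")
```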


SecureCircle allows businesses to create workflows that automatically secure data as it moves to endpoints. By deploying SecureCircle, source code is encrypted within files as they are pulled out of source code repositories with no impact to developers or the tools they use. Source code is always kept in an encrypted state, and only approved applications can access and modify the plain text code. Access to source code can be revoked at any time, regardless of where the secured source code files are being stored. Keeping data encrypted within any type of file without impacting developers or developer tools is what makes this approach to source code security unique. At SecureCircle, we believe that frictionless data security drives business value for our customers by providing persistent protection against accidental exfiltration and insider threat. For more information on how we approach data security, please visit our website.
