How do enterprises actually prevent developers from exfiltrating source code?
Posted by thmeez@reddit | sysadmin | 53 comments
We have a scenario where an external/contract developer needs access to source code stored in Azure DevOps, but we want to minimize risk of code exfiltration as much as reasonably possible.
Current thoughts:
isolated workstation / VDI
Entra joined compliant device only
clipboard redirection blocked
no local drive mapping
restricted browser/download access
Conditional Access + Intune policies
only approved apps allowed
For companies using Microsoft stack (Entra ID, Intune, Defender, Azure DevOps, Windows 365 / AVD etc.), how do you usually approach this?
I know nothing is 100% preventable if someone can view code, but I’m interested in industry-standard approaches and practical controls companies actually implement for sensitive repositories.
downtownpartytime@reddit
Make everyone work onsite, no electronics in or out, strip search to check for paper on exit, no network access outside of work location
thmeez@reddit (OP)
Yeah, that is a military-based option, makes sense. Thanks.
mat-ferland@reddit
You won’t make exfil impossible if someone can see the code, but you can shrink the blast radius a lot. I’d avoid giving the contractor a normal local repo on their own machine. Put the work in a controlled desktop/dev workspace, block drive mapping, keep clipboard/downloads tight, use short-lived access, and log the important actions. That still isn’t magic, but it changes the problem from “source is on a random endpoint” to “source stayed inside an environment you control.” - I'm a little biased on this because we sell VDI/DaaS for this reason.
thmeez@reddit (OP)
Yeah, I will consider that for sure.
zero_z77@reddit
First, if you don't trust them, don't hire them. If you don't trust any contractor, then do your development in-house, simple as that. If the code is really that sensitive, allowing a 3rd party to have access to it shouldn't even be a conversation in the first place.
Second, it should already be explicitly stated in their contract that any code they're being given access to is your company's intellectual property and they are not authorized to copy it or share it beyond the scope of their contract. In plain English, if they do exfiltrate your source code, they will probably get sued and blackballed from the entire industry. That kind of a breach in contract/ethics is the kind of thing that can end careers and businesses.
This is not a technical problem, it is a business problem, and it is management's job to understand the risks involved in making these kinds of decisions.
There is genuinely nothing you can do to truly prevent them from exfiltrating code short of setting up a military style "secure site" for them to work in. Which is basically a room that is completely air-gapped, monitored, and has a physical security checkpoint at the entrance with guards who search everyone that goes in or out for removable media, USB devices, phones, laptops, or any other kind of digital storage, communication, or recording devices, since these items are not permitted in the site without explicit authorization.
thmeez@reddit (OP)
Thank you, that gives insights.
PedanticDilettante@reddit
In manufacturing they sometimes break the product up into parts and subcontract out the pieces. Then none of the subs has the full plans for how to copy the thing. You could do that by modularizing the code. You still need someone trusted to assemble the final product, and you need to coordinate between them to exchange interface specifications.
thmeez@reddit (OP)
Thank you.
The_Koplin@reddit
I know a military software architect. They work in a bunker with a mantrap. When you come in, everything on you is put in a locker. You go through security. You go work at your station. Reverse when you are done. USB disabled physically as well as logically, and other physical measures. All stations video monitored. Etc.
Know another contractor that did work for a crop science company. They supplied a phone and laptop at the entrance to a cave. He did his work, on the way out he returned the laptop and phone and got his car keys and personal effects back.
So in extreme cases: physical isolation and compartmentalization.
thmeez@reddit (OP)
Thank you very much.
myISPsuck@reddit
Hire a professional because you clearly don't know what you're doing. You're ignoring all the comments mentioning the fact that the developer can just take a photo of the code using their phone.
thmeez@reddit (OP)
An embedded QR code can prevent it, and not all comments are of the same idea.
crashorbit@reddit
Hire people you trust, then trust them.
thmeez@reddit (OP)
Zero trust.
EViLTeW@reddit
Zero trust is a network protection philosophy, not a business operations one.
All organizations, at some point, have to rely on trusting their employees. This is true for every governmental "alphabet agency" and it's true for whatever uber-secret gacha game your developers are working on.
thmeez@reddit (OP)
It can be first used in the network, but it is also widely usable in other layers. Yes, it must rely on that, but it doesn't give the conclusion that they can do whatever they want; there must be an isolated system.
graph_worlok@reddit
Show dem like Snowden
Jacmac_@reddit
If they can see it, AI can decode a video of it. There really isn't a solid defense.
zero_z77@reddit
If they can see it, they can write it down in a notebook.
Jacmac_@reddit
Yeah, but for source code, that is unlikely to be of any value. Maybe back in 1975 what you're saying would be true, but we aren't using hammer and chisels to write on stone tablets any longer.
zero_z77@reddit
That depends entirely on what you're dealing with, and how paranoid you are about it. The biggest damage from source code leaks today is usually hardcoded credentials, config files, or revealing exploitable vulnerabilities that might still be in production. It's a precursor to a cyberattack more than corporate espionage in most cases.
But yes, most modern source code isn't particularly "special", and like I said it's covered under copyright anyway. So even if it is exfiltrated, actually making use of it is probably illegal.
That, and most software at the corporate scale is more like "plumbing" that just connects dozens of different databases and 3rd party services. So, just having the source code doesn't really work unless you can actually replicate the production environment that it's supposed to run in.
And in 1975, you wouldn't need those measures in the first place because everyone would already be working on an air-gapped mainframe in the basement from a dumb terminal in their office; the internet, cell phones, and laptops didn't exist, a hard drive weighed 40 pounds, and your software was usually either on a big stack of punch cards or a tape reel. All of which would've been hard to copy and smuggle out of the building.
thmeez@reddit (OP)
What about the QR code in AVD that contains traceable session information in Azure Virtual Desktop?
Jacmac_@reddit
What difference would that make to a Chinese AI decoding the source code from video or screenshots? If we are talking about something critically important and valuable, trust is way more important than trying to figure out how to prevent all possible exfiltration methods. You can trust a guy sitting at a terminal in a building where he is being watched. You cannot trust anyone using a remote session of any kind under any prevention circumstance you try to implement.
thmeez@reddit (OP)
I suppose at least they need to somehow audit it for applying legal obligations?
vermyx@reddit
You don't. Taking this approach attracts people to try and take your stuff and scares away talent. How would you feel if you were told "I don't trust you"? How could you do your job when trust is a necessary component? The best approach is audit up the wazoo and alert on unusual activity.
Live-Juggernaut-221@reddit
You know that scene in the Simpsons where Burns turns a poor factory worker's pockets out and finds several atoms?
That.
Flaky-Gear-1370@reddit
With the tool that you or some fake conversation is no doubt going to link to shortly.
jacobpederson@reddit
Serious question: why bother? If you can SEE the code, you can steal it. Why not hire a trustworthy person (and then TRUST THEM) instead?
Spiritual_Tap_1569@reddit
Most enterprises rely on layered controls rather than “prevention”. VDI/Windows 365, Entra Conditional Access, Intune compliance, and Defender for Endpoint are baseline. Add repo-level RBAC, short-lived access, just-in-time elevation, and audit logging. Assume viewing equals potential exfiltration, so focus on detection, watermarking, and rapid offboarding of contractor accounts where possible.
thmeez@reddit (OP)
Is there any way to make code watermarked, or, I don't know, labeling or something, so that we can apply DLP policies?
BrainWaveCC@reddit
No.
The more access you give someone, the more ability they have to circumvent things.
If you really need to ensure that developers aren't going to exfiltrate your code, you need to trust them. If you don't trust them, don't give them the level of rights that really require ultimate trust.
thmeez@reddit (OP)
This is not related to trust or not trust; you need to secure it in any circumstances. As a sysadmin you are not doing things by trusting.
helphunting@reddit
Nothing could stop them from scrolling through your code and recording it on their personal phone.
Due diligence is the best you can do.
Do a good interview, check their online presence, if that's really even possible.
disclosure5@reddit
This isn't a thing.
Honestly, no one cares about your code as much as you think.
Ssakaa@reddit
And both only hiring people you can drag into court/favorable-to-you mediation and a contract that, if they're dumb enough to violate it, having a medical issue in the US would've been cheaper.
DrStalker@reddit
By having code so shitty that no-one wants to steal it.
I'm sure there are better ways, but this one has been very successful at most places I've worked at.
PipeOne8414@reddit
With screenshots and personal mobile phones you can take photos and extract text, and/or print to PDF and then scan to text.
The issue is personnel not being trusted.
Becomes an HR / Legal issue.
Getting the contractor to sign an NDA would be the best legal route.
_Do_The_Needful_@reddit
A few ways, no single source of blocks:
Suspicious GitHub usage, usually detected by your SOAR platform. E.g. cloning tons of repositories in a short time.
Blocking things like USB.
Implementing detection and alerting for file uploads to other machines on the user's home network.
Blocking file uploads to sites that you don't use, like Dropbox.
Blocking syncing to services like iCloud or personal storage.
At the end of the day, if someone wants to exfil code they will find a way, you just need to be sure you detect it. You can't automatically prevent 100% of cases.
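The "cloning tons of repositories in a short time" signal from the comment above, worked through as an added example that is not code from the thread or from any SOAR vendor: a Python sliding-window detector that alerts when one actor touches more distinct repositories than a threshold inside a time window. The event shape, the action names `Git.Clone`/`Git.Fetch`, the usernames and repository names are all constructed assumptions for illustration; real Azure DevOps or GitHub audit exports use different field names and would need mapping onto this shape first.

```python
"""Sliding-window detector for bulk repository cloning by a single actor.

Added example, not from the thread or any product. Input is a list of
audit-style events (dicts) with fields actor, action, repo and an ISO-8601
UTC timestamp; the shape and action names are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

# Assumed action names for read-type git operations; push is deliberately
# excluded because it is not a "copy the code out" signal.
CLONE_ACTIONS = {"Git.Clone", "Git.Fetch"}

# Constructed sample events (not real audit data). "alice" does normal work on
# two repos across a day; "contractor1" pulls seven distinct repos in under
# five minutes late at night.
SAMPLE_EVENTS = [
    {"actor": "alice",       "action": "Git.Clone", "repo": "billing-api",  "ts": "2024-05-01T09:00:00Z"},
    {"actor": "alice",       "action": "Git.Fetch", "repo": "billing-api",  "ts": "2024-05-01T09:03:00Z"},
    {"actor": "bob",         "action": "Git.Push",  "repo": "web-frontend", "ts": "2024-05-01T10:15:00Z"},
    {"actor": "alice",       "action": "Git.Clone", "repo": "web-frontend", "ts": "2024-05-01T14:00:00Z"},
    {"actor": "contractor1", "action": "Git.Clone", "repo": "repo-a",       "ts": "2024-05-01T22:10:00Z"},
    {"actor": "contractor1", "action": "Git.Clone", "repo": "repo-b",       "ts": "2024-05-01T22:10:30Z"},
    {"actor": "contractor1", "action": "Git.Clone", "repo": "repo-c",       "ts": "2024-05-01T22:11:00Z"},
    {"actor": "contractor1", "action": "Git.Clone", "repo": "repo-d",       "ts": "2024-05-01T22:12:00Z"},
    {"actor": "contractor1", "action": "Git.Fetch", "repo": "repo-a",       "ts": "2024-05-01T22:12:30Z"},
    {"actor": "contractor1", "action": "Git.Clone", "repo": "repo-e",       "ts": "2024-05-01T22:13:00Z"},
    {"actor": "contractor1", "action": "Git.Clone", "repo": "repo-f",       "ts": "2024-05-01T22:14:00Z"},
    {"actor": "contractor1", "action": "Git.Clone", "repo": "repo-g",       "ts": "2024-05-01T22:14:30Z"},
]


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into a datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_clones(events, window_minutes=10, threshold=5):
    """Return one alert per burst in which an actor reads >= threshold
    distinct repos within window_minutes.

    Distinct repos are counted rather than raw operations: repeated fetches
    of the repo someone is actually working on are normal and must not fire.
    After an alert, further growth of the same burst is suppressed for one
    window so a single incident does not produce a flood of alerts.
    """
    window_seconds = window_minutes * 60
    ordered = sorted(
        (e for e in events if e["action"] in CLONE_ACTIONS),
        key=lambda e: parse_ts(e["ts"]),
    )
    recent = defaultdict(deque)   # actor -> deque of (timestamp, repo) inside the window
    last_alert = {}               # actor -> timestamp of the last alert raised
    alerts = []

    for e in ordered:
        actor, ts = e["actor"], parse_ts(e["ts"])
        q = recent[actor]
        q.append((ts, e["repo"]))
        # Drop events that have aged out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {repo for _, repo in q}
        if len(distinct) >= threshold:
            prev = last_alert.get(actor)
            if prev is None or (ts - prev).total_seconds() > window_seconds:
                last_alert[actor] = ts
                alerts.append({
                    "actor": actor,
                    "window_start": q[0][0].isoformat(),
                    "triggered_at": ts.isoformat(),
                    "distinct_repos": len(distinct),
                    "repos": sorted(distinct),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_clones(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {alert['distinct_repos']} distinct repos "
              f"between {alert['window_start']} and {alert['triggered_at']}: "
              f"{', '.join(alert['repos'])}")
```

Threshold and window are the tuning knobs: set them from a baseline of what legitimate developers on the project actually do (a monorepo team may touch one repo a week, a platform team dozens a day), and feed the alert into the same ticketing path as the other detections so the event is attributable to a named account and session rather than just logged.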
Candid_Candle_905@reddit
They don’t stop exfiltration, they just make it noisy enough to catch before it walks out the door.
admlshake@reddit
Well our developers are so bad at writing code, we just figure nobody is going to want this crap.
thmeez@reddit (OP)
dhejdhwjn
countsachot@reddit
Daily mind scrubs.
rootkode@reddit
You can’t completely prevent it.
thmeez@reddit (OP)
There must be some way, like how we apply labels to files, that we can apply to the code.
Azuras33@reddit
And how do you verify the code that runs at another company? You can't easily, so your watermark won't do anything.
ortensempa@reddit
DLP policies at the device level in Purview can handle exfiltration, but if they have read access they can just take photos.
danekan@reddit
Monitoring GitHub use itself.
Local DLP tools.
sk_sushellx@reddit
Securing external dev access in a Microsoft environment is a literal fever dream when you're trying to keep the source code air-gapped without killing developer productivity. I usually stick to AVD for the VDI isolation, keep the project roadmap in Notion, and use Runable for the research-grade reports and project walkthroughs. It is a massive glow up to just orchestrate the architecture from a distance and let the enterprise-grade policies handle the heavy security lifting.
bill696@reddit
Best way would be to do what they now want to do where I work and pretty much block copy/paste of anything in and out of AVD. Which is a bummer. Personally, when I make universally usable code I keep a copy on my end. Sometimes I've developed apps on my own time and hardware and brought them to work. I haven't in a very long time, but now it would be way harder. Also, I mean we block anything but Copilot, so it limits how well you can have AI help with your code. So ex/infiltrating code could still be helpful.
PowerShellGenius@reddit
It's the company's choice if they want Claude seeing their code or not. You don't have a right to bypass that...
thmeez@reddit (OP)
There are so many holes we can't track or block, but there must be something we can apply to the code that is traceable at least.
Civil_Inspection579@reddit
A lot of mature orgs treat contractor access more like “controlled exposure” than true trust. The goal becomes making exfiltration harder, noisier, attributable, and limited in scope rather than pretending technical controls alone can fully stop it.