Hello SO,

The nature of our business often has 2-3 remote developers working on a single project (mostly Rails), and each one currently has carte blanche access to source so they can checkout, run, and develop locally.

The problem is any one of them could ship the whole base out the back door. Overseas legal action seems futile.

I'm guessing the best way would be a separation-of-duties type of strategy where a contractor only gets specific portions of the code - but how can they run and test the full project?

I'm looking for advice, strategies, or even software solutions to mitigate this risk.

Thanks a ton.

+1  A: 

I don't think there's much you can do about it. Either take the risk, or don't use off-shore contractors.

But I'd balance this with an honest assessment of how valuable your code is to you and to a supposedly dishonest contractor. If it is really valuable, then you should be able to afford to take legal action to protect it ... even in a difficult legal environment.

Stephen C
Thanks Stephen... we maintain a healthy balance of on- and offshore developers and are happy with the strategy, so I guess the reality is code security is a concern both on- and offshore... writing good policy and enforcing it is probably a good start.
Chad
+3  A: 

You should really allow only trusted people to handle your family jewels. I can't think of any stronger sign of trust a software company can show than to give someone complete access to their source.

That being said, a few ideas come to mind.

  • If they're consultants, you should see if you can get some kind of business agreement with an entity in the remote country that can take care of local legal hassles for you. US companies with offices in India do this all the time.
  • Perhaps you can give access to non-important pieces of the software to the untrusted parties and have them work only on those? The unit testing can be done by them on the pieces, but the integration tests that require the entire system have to be done by you.
  • It might also be possible for them to use the 'important' parts of the code as a service from a server you provide rather than as modules locally. Admittedly, this requires some reengineering but it might be worth it.

The bottom line is what Stephen said. Low-priced off-shore contractors come with certain liabilities. If you're not willing to accept that, you'll have to change your mode of working.

Noufal Ibrahim
Good advice.. thanks. The servicing out of components is pretty close to a strategy we've discussed. Re: liabilities - we accept them, hence mitigation and not elimination.
Chad
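The "important parts as a service" option from the answer above, as an added example that is not part of the original thread or any project's code: the proprietary module (here a hypothetical pricing engine with constructed sample data) exists only on a server you run, the contractor's checkout contains nothing but the client stub, and every call is HMAC-signed with a per-contractor key whose scopes cover `quote` but not `export`. Timestamps and nonces stop a captured request from being replayed. Key ids, secrets, SKUs and the `quote`/`export` operations are all assumptions for illustration; in production the transport is an HTTPS POST to a sandbox host, and the key table lives in your secrets store. Since the contractor can run integration tests against that sandbox, the "run and test the full project" problem from the question is reduced to running it against your instance rather than owning the code.

```ruby
require "json"
require "openssl"
require "securerandom"

# ---- Server side: stays on infrastructure you control. ----------------
# The remote developer never receives this part, only the client stub below.
module ProprietaryPricing
  # Hypothetical "family jewels"; constructed price table in cents.
  PRICES = { "widget" => 1250, "gadget" => 4000 }

  # Returns the total in cents as an Integer (no float rounding surprises).
  def self.quote(sku:, quantity:)
    base = PRICES.fetch(sku) { raise ArgumentError, "unknown sku #{sku}" }
    pct_off = quantity >= 100 ? 15 : (quantity >= 10 ? 5 : 0)
    base * quantity * (100 - pct_off) / 100
  end
end

class PricingServer
  # Per-caller keys and the operations each key may invoke (assumed data).
  KEYS = {
    "contractor-alice" => { secret: "alice-secret-key", scopes: ["quote"] },
    "internal-ci"      => { secret: "ci-secret-key",    scopes: ["quote", "export"] },
  }
  SKEW = 300 # seconds of clock drift tolerated

  def initialize(now: -> { Time.now.to_i })
    @now = now
    @seen = {} # nonce => expiry; prune entries older than SKEW in production
  end

  # Takes the JSON envelope a client sends and returns a response hash.
  def handle(envelope)
    req = JSON.parse(envelope)
    key = KEYS[req["key_id"]] or return error(401, "unknown key")
    payload = req.fetch("payload")
    expected = OpenSSL::HMAC.hexdigest("SHA256", key[:secret], payload)
    return error(401, "bad signature") unless secure_equal?(expected, req["sig"])

    body = JSON.parse(payload)
    ts, nonce, op = body.values_at("ts", "nonce", "op")
    return error(401, "stale request") if (@now.call - ts).abs > SKEW
    return error(401, "replayed nonce") if @seen.key?(nonce)
    @seen[nonce] = ts + SKEW
    return error(403, "scope #{op} not granted") unless key[:scopes].include?(op)

    case op
    when "quote"
      args = body.fetch("args")
      { status: 200, result: ProprietaryPricing.quote(sku: args["sku"], quantity: args["quantity"]) }
    when "export"
      { status: 200, result: "full pricing tables (internal keys only)" }
    else
      error(400, "unknown op #{op}")
    end
  rescue JSON::ParserError, ArgumentError, KeyError, TypeError => e
    error(400, e.message)
  end

  private

  def error(status, msg)
    { status: status, error: msg }
  end

  # Constant-time comparison so signature checking does not leak by timing.
  def secure_equal?(a, b)
    return false unless b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# ---- Client side: this is all the remote developer's checkout contains. ----
class PricingClient
  def initialize(key_id:, secret:, transport:)
    @key_id, @secret, @transport = key_id, secret, transport
  end

  def call(op, args = {})
    payload = JSON.generate("ts" => Time.now.to_i, "nonce" => SecureRandom.hex(8), "op" => op, "args" => args)
    sig = OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
    @transport.call(JSON.generate("key_id" => @key_id, "payload" => payload, "sig" => sig))
  end

  def quote(sku:, quantity:)
    call("quote", "sku" => sku, "quantity" => quantity)
  end
end

# Exercise the boundary in-process (transport is a method call standing in for HTTPS).
def demo
  server = PricingServer.new
  send_to = server.method(:handle)
  alice = PricingClient.new(key_id: "contractor-alice", secret: "alice-secret-key", transport: send_to)
  bogus = PricingClient.new(key_id: "contractor-alice", secret: "guessed-secret", transport: send_to)
  captured = nil
  tapped = PricingClient.new(key_id: "contractor-alice", secret: "alice-secret-key",
                             transport: ->(env) { captured = env; server.handle(env) })
  {
    quote:    alice.quote(sku: "widget", quantity: 100), # allowed: 1250 * 100 * 0.85 = 106250 cents
    export:   alice.call("export"),                      # 403: scope not granted to contractors
    forged:   bogus.quote(sku: "widget", quantity: 1),   # 401: wrong key, bad signature
    first:    tapped.quote(sku: "gadget", quantity: 1),  # 200, and the envelope is captured
    replayed: server.handle(captured),                   # 401: nonce already seen
  }
end

p demo if __FILE__ == $0
```

The contractor can still see the client stub and the wire format, which is fine: the value is in `ProprietaryPricing`, which never leaves your server, and a leaked contractor key can only ask for quotes at the rate you allow before you rotate it.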
+1  A: 

Well, if you don't trust your developers enough to let them work with your code, then don't hire them.

I don't see any way you can meaningfully limit their access to code without seriously impacting their productivity. Even if you could compile some of the code, it's very useful to have access to the full source to understand problems and bugs.

At any rate, you may be overestimating the threat: Most kinds of piracy would be possible even with the binary, and without the infrastructure and customers your company provides, the stolen code is probably not worth much.

sleske
I agree with you re: the infrastructure and customers together with the code make the sauce... just covering the bases. Thanks.
Chad