
My boss has given me an assignment to find out how a web-based application developed in .NET can be protected. As per agreement, products developed in our company are an asset of the company and even non-developers can access the code. But my boss still wants to know how he can protect products in case a developer steals the code and tries to launch it from his home?

Please guide how this can be controlled.

A: 

Usually this is not a technical problem. You control developer code theft by hiring a lawyer.

It is difficult enough "protecting" redistributable .NET code, but I would think it is (nearly) impossible to protect the code against your own developers.

Update: Here's also a constructive suggestion, for the sake of the challenge. Organize developers like a spy network -- have them work on individual modules based on agreed-upon specifications in separate geographical locations, with you acting as an information hub. Integrate the modules yourself or with the help of one trusted person. In this way, none of the developers have all the pieces to make the application work "at home".

Tiberiu Ana
But what about the person acting as a hub?
Riho
Once the project finishes, he or she would have to be shot.
ShellShock
As I mentioned in one of the other comments, the overheads of codifying your mistrust of your developers in this manner are very unlikely to outweigh the costs. And all they have to do is go on SO or twitter and they'll suss out who's working on their team by finding people who are asking questions about how to get work done in a team of non-trusted developers. Hang on - how was the OP trusted to be on SO :P
Ruben Bartelink
+5  A: 

Just off the top of my head... rip out all their USB ports, CD rom drives, and disable their internet.

Mark
+12  A: 

If the developer has:

  1. the source
  2. the knowledge of how the technical aspects of the system hang together
  3. the knowledge of what the customers really want, beyond simple technical facilities

there isn't much you can do - things like Obfuscation and even Code Protection only kick in after a compiler has seen the code. Assuming you're going to allow the developers to compile the full end-to-end code on their machine, it's not hard to disable anything that one could ordinarily put in place to guard against customers stealing code.

Having said that, in the case of a web based application, you won't be using something like Obfuscation as a first-line of defense mechanism - only as a (tinfoil-hatted) defence in depth mitigation against the threat of decompilation after someone has compromised your site and got themselves a copy of your assemblies.

Ultimately this is why protection around stuff like this is written in legalese, not a computer language.

(BTW this is a duplicate of this question which has some great answers - which I unfortunately only discovered after retagging this)

Ruben Bartelink
+1 You are totally correct, this is a legal question, not a computer science question. It's 100% impossible to protect your code like this.
Rook
+1  A: 

Use source control software correctly (Visual Studio Team System has this built in). You should then know who has the code.

This won't stop anybody running the code and distributing it but would make the person who last checked it out somewhat accountable for its whereabouts.

David Neale
(Not the -1er) Can you explain how this is going to prevent someone from running the code or provide anything useful to anyone?
Ruben Bartelink
(-1er) Using a SCM is a great tip, but it won't help with code theft -- by definition, developers will need to get the source code and build the project locally (in a common scenario).
Tiberiu Ana
Agreed - somebody who has access will always be able to take it away (code is just text after all). Source control would prevent non-developers getting any access to the code and, as I said, create an audit trail of developer access.
David Neale
0: This is relatively obvious. Do you feel that such an audit trail (of what, SCM GETs? - they aren't normally logged) would actually form a useful part of a legal attack or defence? Doesn't really make sense. Ultimately this doesn't answer the question unless you can explain it better to me.
Ruben Bartelink
I wasn't aware that GETs wouldn't be audited - if so then I agree SCM would give little benefit in this situation. If not then although it wouldn't form the backbone of any legal evidence it could help the actual investigation and lead to admissible evidence.
David Neale
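The audit-trail idea debated in the answer and comments above, as an added example that is not part of the original thread: it flags developers whose source-control reads fall outside the modules they are assigned to. It assumes the server records read (GET) operations at all, which the comments note is not normally the case; the log format, user names and module assignments are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample audit lines: "<ISO time> <user> <action> <repository path>".
# The format is hypothetical; real SCM servers log reads differently, if at all.
SAMPLE_LOG = """\
2010-03-01T09:02:11 alice GET /billing/Invoice.cs
2010-03-01T09:05:40 bob GET /reports/Summary.cs
2010-03-01T09:07:02 alice CHECKIN /billing/Invoice.cs
2010-03-02T22:41:09 bob GET /billing/Invoice.cs
2010-03-02T22:41:10 bob GET /auth/Login.cs
2010-03-02T22:41:12 bob GET /reports/Chart.cs
malformed line without enough fields
"""

# Hypothetical assignment of developers to the modules they work on.
ASSIGNED = {"alice": {"billing"}, "bob": {"reports"}}

READ_ACTIONS = {"GET"}


def parse(line):
    """Return (time, user, action, module) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].startswith("/"):
        return None
    time, user, action, path = parts
    module = path.strip("/").split("/")[0]
    return time, user, action, module


def out_of_scope_reads(log_text, assigned):
    """Map each user to the sorted modules they read but are not assigned to."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        _, user, action, module = rec
        # Unknown users have no assignment, so every read counts as out of scope.
        if action in READ_ACTIONS and module not in assigned.get(user, set()):
            seen[user].add(module)
    return {user: sorted(mods) for user, mods in seen.items()}


if __name__ == "__main__":
    for user, modules in out_of_scope_reads(SAMPLE_LOG, ASSIGNED).items():
        print(f"{user}: read outside assigned modules -> {', '.join(modules)}")
```

A report like this supports an investigation after the fact; it does not stop a developer from copying code they are legitimately allowed to read.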
+6  A: 

What if a developer memorizes the code part by part and retypes it at home day after day. Ask your boss, what would he do about that? Reset the developer's memory like in 'Men in Black'? LOL. Shrinks do have a medical term for your boss' attitude.

My advice is this: tell the boss to let it go or hire other developers that he can trust.

AOI Karasu
+1 good way of putting it. You could technically achieve a (pretty moot) prevention of this by siloing the developers and only giving them access to the source of their corner. But obviously this sort of mentality is not going to lead to a successful team, system or company...
Ruben Bartelink
+11  A: 

Pay your developers decent salary :)

Riho
great answer !!
user279521
+2  A: 

Legalize, and that's all that you can do.

KMan
+3  A: 

You can't protect the source code.

Any developer worth his salt knows exactly how to reproduce whatever he wrote. He is the one who made it, so he can do it again.

The only thing you can do is legally protect your products with patents and copyrights.

VexXtreme
+3  A: 

Tell your boss to believe in his/her developers, and tell him/her to give a good salary to developers. Code is written by developers, so anyhow they can rewrite their own code.

MAS1