How do you protect non-open source code against leaks?

Today with technologies such as USB drives, Internet drives and E-mail, how do people protect software assets?

+3  A: 

Well ... That's a rather wide-ranging question, here are some of the obvious methods:

  • Forbid users/employees from using USB drives. This happens. In some workplaces, the ports are physically disabled (i.e. glued shut).
  • Don't allow users to freely surf the web.
  • Use aggressive filtering on e-mail that removes attachments, or at least limits their size to something very small.

I'm not saying "do this and it's no problem"; it will remain a huge problem, and it might also become a human problem, since the above will make your employees feel untrusted, which in turn might make some of them more likely to do something they shouldn't, as a protest.

unwind
+1 for mentioning the human factor repercussions
Adam Paynter
Not to mention that a bad guy has to find only one channel to get data out, so you need your security people to be smart. If they miss something, you've ticked off your employees and gained no real security.
David Thornley
+12  A: 

Copyright and contract law seem to work for most companies. The technological fix is not always the right one.

anon
+2  A: 

Often the code base is so huge and complex that having it all at hand is useless without the authors/maintainers.

sharptooth
+3  A: 

In contrast to unwind's answer, I would say that restricting internet access and forbidding useful kit like USB drives is exactly the kind of thing which is going to demoralise and aggravate your employees into stealing your IP. Ultimately if someone inside your organisation wants to steal your IP they will.

I think the better approach is to treat your employees with a little respect and give them no reason to steal IP. If they want to work at a company they'll also want to protect that company themselves.

Then recognise that the value of your IP is seldom in the software itself (which will quickly become old and inert) and instead is usually in the heads of the people who wrote it, and more so in the collective thought and experience of the people as a whole.

It is not the spoon which bends. It is yourself.

annakata
I think you should re-read unwind's answer.
Stevo3000
No, I did read it. I mean, I see that last paragraph, but the takeaway is "lockdown!". unwind provides his own commentary and obviously we agree; I just wanted to provide a stronger counterpoint.
annakata
A: 

Since this is tagged C#, I'm wondering if you are talking about obfuscating the code or otherwise making it harder to decompile or actually protecting employees from stealing it?

Before going to a lot of trouble to protect employees from stealing it, it might be worth considering whether it is a worthwhile process. I mean, if you have a new trading algorithm and a platform that can hit the market fastest, then sure, that needs to be protected at all costs. But if one of your employees copies the source of your small web shop's in-house content management system, does it really matter? Your software might only be a small fraction of your perceived value to the client - there's the support, maintenance, etc. as well. And if your employee tried to approach your client to sell him the software cheaper, you'd sue him into oblivion.

As already stated above, going to excessive lengths to lock down your systems might only make employees feel like drones and might make them more likely to do something you don't want them to.

Winston Smith
A: 

Use a source control solution whose authentication and authorization features are non-trivial to circumvent. That will allow you to segregate your repositories by project, so only one project would be leaked at a time.

I agree with the rest of the answers that technological solutions to source theft and leaks will just slow a malicious user down, not stop them. Best to do some threat analysis and build a social environment where malicious users aren't created or given access in the first place.

MatthewMartin
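A concrete way to do the per-project segregation MatthewMartin describes, as an added example that is not from this thread: a gitolite access configuration (the tool choice, user and repository names are all assumptions) in which each project is its own repository, each team is granted access only to its own project, and no rule grants every user access to every repository.

```conf
# gitolite.conf (assumed tool; added example, not from the thread)
# Groups: one per team, with made-up member names.
@trading-team   = alice bob
@cms-team       = carol
@release-eng    = dave

# Only the admin group may change these access rules.
repo gitolite-admin
    RW+ = admins

# Each project lives in its own repository. A user in one team
# cannot clone, read or push to the other team's repository.
repo trading-platform
    RW+ = @trading-team
    R   = @release-eng

repo webshop-cms
    RW+ = @cms-team
    R   = @release-eng

# Deliberately no "repo @all" rule: there is no blanket read access,
# so a compromised or departing account exposes at most one project.
```

Review the config whenever a member joins or leaves a team; the segregation only holds while group membership stays current.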