At my work we are growing to the point where we are becoming uncomfortable with "walking code". By that I mean code that goes home with developers such as myself on laptops. While I am a developer, meaning I certainly have a motivation to keep development as convenient as possible, I'm also a business person, which means I have a motivation to protect the business as a whole.

This code is the family jewels of the business so to speak. Having walking code is starting to feel analogous to walking around with a cashier's check for my life savings in my wallet. Neither I nor my employer is very comfortable with it.

The question is what can we do to protect ourselves without compromising our productivity? By protection, I mean both from malicious (theft) and not-so-malicious (loss of work) ends. Of the two, theft is the lesser concern, so I'm mostly interested in the debate between these two procedural options rather than a legal discussion:

The number one option on the table is to keep all code on-site and do development through remote access (RDC). This protects the code and makes sure that no work becomes unavailable should the developer or laptop become unavailable. As far as I can see, as long as performance is acceptable, the only loss in productivity is not being able to work without internet access. That seems negligible to me. Slow remote desktop performance may become an issue in some cases though. We're leaning toward this option.

The second option is secure remote repository access with frequent commits, as well as encryption on the developer's drive. The biggest issue with this is that it depends on a process that intentionally avoids committing code until it's ready to pass a test build. That means significant portions of work can be floating about without a commit or backup. We are not a continuous integration shop and frankly will not be any time soon. It seems both encryption to protect the code as well as automated backups to our site would be warranted, but we don't have such solutions at the moment.

If you share these concerns, I'd like to know what you do. If you don't share these concerns, please refrain from answering here. Thanks.

Ted
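One way to close the uncommitted-work gap described under the second option, shown as an added example that is not part of the original post: it assumes the repository is Git and that the on-site remote is reachable over the existing secure access. The function name `backup_wip` and the `refs/wip/` ref layout are hypothetical.

```shell
#!/bin/sh
# Added example (assumes Git; names are hypothetical, not from the post).
# Snapshot the whole working tree, untracked files included, and push it to
# a per-developer ref on the on-site remote. HEAD, the current branch, the
# real index and the working files are left exactly as they were, so nothing
# half-finished lands on a shared branch or in a test build.
backup_wip() {
    remote=${1:-origin}
    who=${USER:-$(id -un 2>/dev/null || echo dev)}
    branch=$(git rev-parse --abbrev-ref HEAD) || return 1
    ref="refs/wip/$who/$branch"   # hypothetical ref layout

    tmpdir=$(mktemp -d) || return 1
    # Stage into a scratch index so the developer's own staging area is untouched.
    # "git add -A" honours .gitignore, so build output is not uploaded.
    if ! GIT_INDEX_FILE="$tmpdir/index" git read-tree HEAD ||
       ! GIT_INDEX_FILE="$tmpdir/index" git add -A; then
        rm -rf "$tmpdir"
        return 1
    fi
    tree=$(GIT_INDEX_FILE="$tmpdir/index" git write-tree)
    status=$?
    rm -rf "$tmpdir"
    [ "$status" -eq 0 ] || return 1

    # Wrap the tree in a commit whose parent is HEAD, without moving any local ref.
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    commit=$(git commit-tree "$tree" -p HEAD -m "WIP backup $stamp") || return 1

    # Overwrite the previous snapshot; only the latest one is kept on the remote.
    git push --quiet --force "$remote" "$commit:$ref" || return 1
    echo "$ref"
}
```

Run on a timer or before suspend, this keeps at most one interval of work at risk; it complements drive encryption rather than replacing it, since the laptop still holds a full copy of the code.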

+4  A: 

To answer your question directly, the encryption on the local drive seems like the least intrusive solution.

However I think it's worth stepping back a bit -- you're talking about someone stealing a laptop and then stealing the code. First of all, this sounds like an extremely implausible scenario. Unless you're working on the nuclear launch code, it just doesn't seem likely that someone is out there ready to steal your code.

And to the degree that it does happen, keep in mind it is likely to be your developers who do the stealing, not some nefarious outsider. The knowledge and experience they have in their head is not something you're going to easily guard.

But since all of these things are illegal, in the unlikely event of a theft your best bet is to prosecute the people stealing your work through the legal system. Rather than spending a lot of effort and imposing a miserable process on your development team, and then still being vulnerable to employee theft, just accept that it's a remote concern, and use the legal system as a post-hoc effort.

Clyde
Thanks for your response. Recommendations on drive encryption for Linux? Or Windows for that matter?
Binary Phile
A: 

If you are concerned about a laptop and the code on it being stolen, drive encryption is a must. We use Pointsec; it is fast, very stable, and apparently can be extended to volumes other than the hard drive - like flash drives and CD-ROMs. Test files that contain customer data, even if sanitized, could be an even bigger concern than the code.

There is little you can do to prevent a developer from stealing code or data. At some point, you must trust someone. Even with drive encryption, there are a thousand ways a creative thief could do so, from Bluetooth to taking screenshots with a digital camera or cell phone. You cannot prevent an employee from stealing, but you can prevent an individual from getting away with it. That's what makes the threat of prosecution or a lawsuit a credible deterrent.

R Ubben