views: 96
answers: 5

Hi, I've always wanted to make some of our company's products open-source, but we have a lot of things in our source code that would make us vulnerable. How is this handled in most open source projects? For example, we use some custom web services to do actions on our database (add accounts, delete accounts, etc.). The source code would have to contain the key (password) we use to use the web service. If someone wanted, they could grab the source, get the key to use our web service, and wreak havoc on our database.

Are these just projects that should not be open source? Or is it common to just put the sensitive stuff in a file or something and not include that part? (Although doing this would make the source kinda useless for the public, since it would lose its functionality.)

Any links or resources on open-source projects and how this kind of stuff should be handled would be nice.

Thanks

+2  A: 

Would it not be possible to put your sensitive data into a configuration file? This will also allow other users to easily add their own sensitive information etc.

SteveJ
A configuration file may not apply in every case. Normally we will use a database / XML files to store settings.
Shivan Raptor
+1  A: 

You should not include the sensitive data in the public source, so one option could be to make a public API for the services; the users would then need to create an account to get an API key for the data.

I don't think this should stop you from open-sourcing the products, but I think you need to rethink the way the data is handled through a public API.

dr. squid
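The per-user API key approach this answer suggests, shown as an added example that is not part of the thread: a small in-memory registry (constructed here; a real service would back it with a database) that issues one key per account, stores only a hash of the secret part, scopes each key to the actions it may perform, and supports revocation. The key format `<key_id>.<secret>` and the scope names are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """In-memory registry of per-user API keys; only digests of the secrets are kept."""

    def __init__(self):
        # key_id -> {"user": str, "scopes": frozenset, "digest": sha256 hex of the secret}
        self._keys = {}

    @staticmethod
    def _digest(secret: str) -> str:
        # The secret is 32 random bytes, so a fast hash suffices; slow KDFs are for
        # low-entropy human passwords, not for random tokens.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, user: str, scopes) -> str:
        """Create a key for `user` limited to `scopes`; the plaintext is returned once."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = {
            "user": user,
            "scopes": frozenset(scopes),
            "digest": self._digest(secret),
        }
        return f"{key_id}.{secret}"

    def authenticate(self, presented: str):
        """Return the owning user of a presented key, or None if it is unknown or wrong."""
        key_id, _, secret = presented.partition(".")
        record = self._keys.get(key_id)
        if record is None:
            return None
        # Constant-time comparison so timing does not leak how many digest bytes matched.
        if not hmac.compare_digest(record["digest"], self._digest(secret)):
            return None
        return record["user"]

    def authorize(self, presented: str, action: str) -> bool:
        """True only if the key is valid and was issued with `action` in its scopes."""
        user = self.authenticate(presented)
        if user is None:
            return False
        key_id = presented.partition(".")[0]
        return action in self._keys[key_id]["scopes"]

    def revoke(self, key_id: str) -> bool:
        """Drop a key; a leaked key stops working without touching anyone else's."""
        return self._keys.pop(key_id, None) is not None


def demo() -> dict:
    """Walk through issue / authorize / revoke and report each outcome."""
    store = ApiKeyStore()
    key = store.issue("alice", ["add_account"])
    key_id = key.partition(".")[0]
    return {
        "add_allowed": store.authorize(key, "add_account"),
        "delete_denied": not store.authorize(key, "delete_account"),
        "revoked": store.revoke(key_id) and store.authenticate(key) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Because only a digest of the secret is stored, a dump of the key table does not hand out usable keys, and because every key names an account and a scope, abuse is attributable and limited to the actions that account was granted.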
+4  A: 

Passwords and sensitive data are best not included in the source file. If you look at the design of open-source software like PHPMyAdmin, a config file is provided to add in that information, and it is usually stored in the root folder of the webhost (or anywhere outside the www folder).

So the idea is that if your website uses some info to link to a service, you should hide it away in a file as well, and ask your users to provide the password and to create their own account.

Extrakun
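The configuration-file pattern described in this answer and in SteveJ's, as an added example that is not code from the thread or from PHPMyAdmin: the repository ships a template with placeholders only, while the real values live in a file outside the web root that the loader refuses to use if it is missing, still holds the placeholder, or is readable by other users on the host. The INI layout, the `CHANGE_ME` placeholder and the `webservice` section name are assumptions for the illustration.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Constructed template that is committed with the source: placeholders only, never real values.
CONFIG_TEMPLATE = """[webservice]
url = https://example.invalid/accounts
api_key = CHANGE_ME
"""

PLACEHOLDER = "CHANGE_ME"


class ConfigError(Exception):
    """Raised when the secrets file is missing, unfilled or exposed to other users."""


def _is_private(path: Path) -> bool:
    """On POSIX, reject files that group or others can read or write (want 0600 or tighter)."""
    if os.name != "posix":
        return True
    mode = stat.S_IMODE(path.stat().st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_secrets(path) -> dict:
    """Read the real service credentials from a file kept outside the source tree and web root."""
    path = Path(path)
    if not path.is_file():
        raise ConfigError(f"{path} not found; copy the template there and fill in your own key")
    if not _is_private(path):
        raise ConfigError(f"{path} is readable by other users; restrict it to the owner")
    parser = configparser.ConfigParser()
    parser.read(path)
    try:
        url = parser.get("webservice", "url")
        api_key = parser.get("webservice", "api_key")
    except (configparser.NoSectionError, configparser.NoOptionError) as exc:
        raise ConfigError(f"{path}: {exc}") from exc
    if not api_key or api_key == PLACEHOLDER:
        raise ConfigError(f"{path}: api_key still has the placeholder value")
    return {"url": url, "api_key": api_key}


def write_private_file(path, contents: str) -> Path:
    """Create the secrets file with owner-only permissions from the first write."""
    path = Path(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    return path


def _rejects(path) -> bool:
    """True if the loader refuses `path` with a ConfigError."""
    try:
        load_secrets(path)
    except ConfigError:
        return True
    return False


def self_check() -> dict:
    """Exercise the loader in a temporary directory; reports which behaviours held."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        filled = CONFIG_TEMPLATE.replace(PLACEHOLDER, "k-constructed-123")  # constructed key
        real = write_private_file(Path(tmp) / "secrets.ini", filled)
        results["loads_private_file"] = load_secrets(real)["api_key"] == "k-constructed-123"
        real.chmod(0o644)
        results["rejects_world_readable"] = _rejects(real)
        unfilled = write_private_file(Path(tmp) / "unfilled.ini", CONFIG_TEMPLATE)
        results["rejects_placeholder"] = _rejects(unfilled)
        results["rejects_missing"] = _rejects(Path(tmp) / "absent.ini")
    return results


if __name__ == "__main__":
    print(self_check())
```

Publishing the template rather than the filled-in file is what keeps the open-sourced code useful: anyone can run it against their own account by filling in their own key, and nothing in the repository grants access to yours.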
A: 

Though program code is open-source, your sensitive data is not. Never "provide" your data to others.

Normally, one-way hashing verification can already be used as basic encryption. If extra security is needed, use an extra measure, like public & private keys & pre-shared passwords.

Shivan Raptor
A: 

If you're hardcoding a database password in your code, you're doing it wrong. As others have pointed out, you should store that in a separate and protected configuration file.

If you distribute your code, be it the source or just a binary, that password is out there and can be recovered by anyone that cares to do so. Hardcoded passwords in binaries are often a trivial matter for a hacker to recover.

jeffsix
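A check to run before publishing, as an added example that is not from the thread: a small scanner that flags lines in source text which look like hardcoded credentials (quoted password or key assignments, and URLs carrying `user:password@`) while ignoring placeholder values and settings read from the environment. The patterns and the sample source lines are constructed for the illustration, and the regexes are heuristics, not a complete detector.

```python
import re
import sys

# Heuristic patterns for credentials embedded in source (constructed, not exhaustive).
PATTERNS = [
    ("password assignment",
     re.compile(r'(?i)(password|passwd|pwd)\s*[:=]\s*["\'][^"\']{4,}["\']')),
    ("api key assignment",
     re.compile(r'(?i)(api[_-]?key|secret|token)\s*[:=]\s*["\'][^"\']{8,}["\']')),
    ("connection string with credentials",
     re.compile(r'(?i)\b[a-z]+://[^\s:/@"\']+:[^\s@"\']+@')),
]

# Values that are placeholders, not real secrets; a template file is allowed to contain them.
PLACEHOLDER = re.compile(r'(?i)change_?me|your[_-]?(api[_-]?key|password|key)|<[^>]+>|xxx+')

# Constructed sample: line 2 and line 4 should be flagged, the others should not.
SAMPLE_SOURCE = """import os
DB_PASSWORD = "hunter2-constructed"
api_key = os.environ["WEBSERVICE_KEY"]
SERVICE_URL = "https://svc:s3cret-constructed@example.invalid/accounts"
password = "CHANGE_ME"
"""


def scan_text(text: str, filename: str = "<input>") -> list:
    """Return (filename, line number, pattern name) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PLACEHOLDER.search(line):
            continue
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((filename, lineno, name))
                break  # one finding per line is enough to block the publish
    return findings


def scan_files(paths) -> list:
    """Scan each path on disk; unreadable or binary files are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read(), path))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "sample")
    for filename, lineno, name in hits:
        print(f"{filename}:{lineno}: {name}")
    sys.exit(1 if hits else 0)
```

Running this over the tree (and over every revision, since the version history is published along with the current files) before the first public push catches the case jeffsix describes; any key that has ever been committed should be treated as exposed and rotated rather than merely deleted from the latest version.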