How to Protect Source Code?

rpk2006

Apr 24, 2002
Hi,

Please suggest some good techniques for protecting the source code. How do big software companies protect their source code, since there are thousands of developers working on it?

In some of my projects, my team members share source code. But the main role is of me, in all my projects.

How to protect it? There is always a new solution for the same problem.

Anonymous
 
I think that is a question of trust in your employees. If somebody is working with source code, he has to be granted access to the sources.

Therefore you have to install a policy which allows all people working on a project (and only those people) to get access to all data they need to know.

It is impossible to suggest something specific to you. For that purpose you have to engage a security expert, who has to analyze your company structures and prepare suggestions for you.

hnd
hasso55@yahoo.com

 
But Hnd, you have not suggested what big software companies do. There is always a new solution for the same problem.

Anonymous
 
Perhaps big software companies use huge, enterprise-level document control packages. Walk into your local barbershop, open any copy of Application Development Trends magazine and you will be faced with glitzy two-page ads touting the relative advantages of these various packages.

Note that practically none of these advantages can be obtained by using this type of software in a small shop. The rules are different in the absence of a formal infrastructure. You could still use a product like Visual Source Safe, but I'll bet you would end up spending more time managing the other programmers than you would expend writing code (pardon my assumptions, but I think you would rather be doing coding now).

If you are just dealing with a handful of programmers, protect your code with a dab of common sense. Give them discrete chunks to work with and only a general idea of how everything will tie together in the end. Let's say you need to save program settings to the registry: give "Joe" specifications for the data, what it is, where it is to be saved and the values to be returned. In most cases, Joe doesn't need to see the code that Harry, Billy and Sally are working on.

 
With large corps, only the most trusted, or those who have ironclad contracts, get to see everything. Most of the programmers only see the section of code they are working on. They are given specs they program by and then send their code into the upper echelons of programmers who then plop it into the rest of the code and see if it works. If it doesn't, they send the code back with new specs and recommendations. Is it any wonder there are so many bugs?

James P. Cottingham

I am the Unknown led by the Unknowing.
I have done so much with so little
for so long that they think I am now
qualified to do anything with nothing.
 
Thanks Experts. There is always a new solution for the same problem.

Anonymous
 
I did some contract work several years ago for a couple of the larger banks in the US, and whenever they had changes to make to their core systems (the ones that did deposits, wire transfers, calculate interest, etc) they would have two separate programming teams in different cities do the work, and then trusted managers (who were officers of the bank) would reconcile the differences into the final bit of source code.

I grant that this is an extreme example...

Chip H.
 
One of the best protections that you have is a legal one, not a technical one. You need to write your contracts with these "employees" such that they are producing a "Work for Hire" and explicitly state that all rights to the intellectual property belong to you (or your company). Also, putting copyright statements in the source directly is recommended.

As pointed out earlier, at some point, an individual has enough access to the source to reproduce it. At this point, it becomes a legal and moral problem, not a technical one.

But I have to agree with Chip H's post. If you are really paranoid (and I've worked with plenty of people who are) you need to modularize your code, and give only certain modules to individuals. This requires that you have EXCELLENT interface specifications, but that is not the worst thing that can happen. It frequently means that you must pay to have some sort of interface tester built as well, but that is a cost of protecting the overall source.

pansophic
 
My company had some problems in the past with developers doing the same thing that you mentioned. There is a software package called Clearcase, by Macromedia, which forces the developers to "check out" code or other important documents, much like a library. In addition, you can configure it to archive each change, and users' names and timestamps can be referenced back to each change. If cost is an issue, it can run on RedHat Linux for a reasonable price. HTH

*NOTE* - There are other software suites available that will do the same thing, you just have to do a little digging. Clearcase seemed to offer the most of what we wanted.

-bp
 