Re: Source code security - rogue developers?
From: Ron Ruble (raffles2@att.net)
Date: 06/13/02
From: "Ron Ruble" <raffles2@att.net> Date: Thu, 13 Jun 2002 15:40:28 GMT
"Matt Curtin" <cmcurtin@interhack.net> wrote in message
news:86adq080kf.fsf@rowlf.interhack.net...
> jeff@riverstyx.net (Jeff Magnusson) writes:
>
> > How do larger software companies prevent any/all developers from
> > making off with a full copy of the source code?
>
> This isn't really a security technology question, per se, but is
> instead a policy issue that will likely result in some technical
> mechanisms to help support the policy.
>
> In general, you need to decide what your policy is with regard to the
> handling of confidential and proprietary material. Build the
> understanding into your employment agreements so there can be no
> question about where things stand and how they should be dealt with.
> A good corporate attorney can go a long way toward avoiding conflicts
> down the road when they will be much more expensive.
>
> Another part of this whole thing is making sure that you take the time
> to hire the right folks. Do your background checks, make sure that
> candidates will fit into the culture in addition to having the
> necessary skills, etc. Do what you can to give employees a sense of
> ownership (or at least stewardship :-) and responsibility for what
> they're doing, which will make them better motivated not to work
> against it.

All good advice. A couple of other things:

- Include copyright notices for all code. Actually file for copyright
  for any releasable versions.
- Limit access to those who require access to the code.
- Some people have, in the past, deliberately inserted sequences
  of non-printing characters in odd patterns in the source. This
  has actually helped in at least one case to prove that a coder
  stole source code and just used search-and-replace to alter
  variable names.
- Maximize your legal defenses. Source code can be protected
  as copyrightable material, intellectual property (with a _much_
  higher market value), trademarked material (sometimes), or
  patented (in some cases). Speak with your lawyers regarding
  details.
- Monitor access to source and basic usage. If you notice that someone
  is accessing sections of the source tree he has no reason to, and
  copying them to removable media, this can be a warning. You can
  also add language to employee agreements regarding the need
  to get permission before taking source code off-premises.

--
Ron Ruble
For additional programming info, go to my web site: http://home.att.net/~raffles1/
Please direct additional questions to the newsgroup, rather than email, so others may benefit from the discussion.
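
The non-printing-character marking mentioned in the post above, sketched as an added example (not part of the original message, and not the method used in the case it refers to). It assumes one possible pattern, a trailing space or tab per line derived from a secret key and a per-copy label; all function names, the key and the label are hypothetical.

```python
import hashlib
import hmac
import re

def tag_bits(secret: bytes, label: str, n: int = 16) -> list[int]:
    """Derive n watermark bits from a secret key and a per-copy label."""
    digest = hmac.new(secret, label.encode(), hashlib.sha256).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def embed(source: str, bits: list[int]) -> str:
    """Mark the first len(bits) non-blank lines: trailing space = 0, tab = 1."""
    out, i = [], 0
    for line in source.split("\n"):
        line = line.rstrip(" \t")
        if line and i < len(bits):
            line += "\t" if bits[i] else " "
            i += 1
        out.append(line)
    if i < len(bits):
        raise ValueError("source has too few non-blank lines for the mark")
    return "\n".join(out)

def extract(source: str) -> list[int]:
    """Read the marks back, in line order, from a suspect file."""
    bits = []
    for line in source.split("\n"):
        m = re.search(r"\S([ \t])$", line)
        if m:
            bits.append(1 if m.group(1) == "\t" else 0)
    return bits

def match_ratio(found: list[int], expected: list[int]) -> float:
    """Fraction of expected bits present at the same position in found."""
    return sum(a == b for a, b in zip(found, expected)) / len(expected)

# Constructed sample input: 20 lines of C-like source, not real project code.
SAMPLE = "\n".join(f"int total_{i} = compute_total({i});" for i in range(20))

def demo() -> tuple[float, float]:
    bits = tag_bits(b"constructed-demo-key", "copy-for-dev-17")
    marked = embed(SAMPLE, bits)
    # Simulate the copier's search-and-replace of identifiers.
    renamed = marked.replace("total", "sum").replace("compute", "calc")
    return match_ratio(extract(renamed), bits), match_ratio(extract(SAMPLE), bits)

if __name__ == "__main__":
    print(demo())  # (ratio in renamed copy, ratio in unmarked control)
```

A formatter or editor that strips trailing whitespace removes this mark, so it only helps against copies altered by renaming alone.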