Code Security

[Kadir Avci]

What are you doing for code security?

Prevent from copying, erasing, stealing ..etc.

Kadir Avcı
Software Developer | Freelance Web Designer
web: www.kad1r.com
twt: www.twitter.com/kad1r
Sent from Izmir, 35, Turkey

[Processor Devil]

The best defense is not to write any code :).

2009/12/9 Kadir Avci <avci...@gmail.com>

[Jamie Fraser]

Nothing.

The nature of .NET code means that if someone *really* wants your source code they can get it (with the exception of remote code, i.e. asp.net, wcf services)

[Processor Devil]

It works this way for everything, not only .NET...
you can use javad for retrieving code from java bytecode, .NET reflector to get code from .NET based apps and if you are really skilled, all you need from getting code back from native binaries is debugger.

2009/12/10 Jamie Fraser <jamie....@gmail.com>

[Jamie Fraser]

Of course, but we are in a .NET forum so I'm talking specifically about .NET! You can, more or less, consider Java & .NET interchangeable in most cases, this being one of them.

However, something like C++ cannot be reverse engineered quite so easily, although, given enough time, it can be.

The moral of the story - don't waste  your time "protecting" your source. Protect your ideas instead by making your software so compelling to use that people don't want to steal the code behind it.

[Gunawan Hadikusumo]

i agree........LOL

[Cerebrus]

Double LOL !

On Dec 10, 2:09 pm, Gunawan Hadikusumo <john.hadikus...@gmail.com>
wrote:

> i agree........LOL
>
> On Thu, Dec 10, 2009 at 7:13 PM, Processor Devil

> <processor.de...@gmail.com>wrote:

[Kadir Avci]

Hmm I get it. Thank for the answers.

Okay, on the other hand in your company what are you doing for these? I mean how is your programmer working on the project? And also again what are you doing for prevent stealing the code?

Kadir Avcı
Software Developer | Freelance Web Designer
web: www.kad1r.com
twt: www.twitter.com/kad1r
Sent from Izmir, 35, Turkey

[Processor Devil]

Maybe just about the security, I can only recommend you this video
http://www.asp.net/learn/security-videos/video-8718.aspx

it is about preventing sql injection in asp.net code, I like Joe's videos, he always shows something good :)

2009/12/10 Kadir Avci <avci...@gmail.com>

[Benj Nunez]

I agree with Processor Devil. Why bother? How important is that?
Unless
your code is run in high-risk areas like nuclear power plants which I
doubt it is, you wouldn't
need to protect it. :)

Happy coding!

Benj

On Dec 10, 4:13 pm, Processor Devil <processor.de...@gmail.com> wrote:
> The best defense is not to write any code :).
>

> 2009/12/9 Kadir Avci <avcika...@gmail.com>

[Peter Smith]

Code security? SAAS! :)

Just provide people with the ability to send data to your code, and get the answers from it.

Cloud computing is the solution to both code security and data security...from the PoV of the cloud owners!

[InfRes]

If it's you're own staff stealing your intellectual property
you're talking about, the only way you can protect against that
is non-disclosure agreements and non-competition agreements.

> > > > The best defense is not to write any code :).- Hide quoted text -
>
> - Show quoted text -

[stephen thomas]

It seems no one is really answering the question. If you sell commercial software that philosophy will put you out of business.

--
Stephen Thomas
Senior .Net Developer & SQL Server computer consultant

[Gunawan Hadikusumo]

why on earth you think people want to steal your code ? there are so many free tips and code on internet ?
Unless, you are working for SUPER SUPER SUPER secret .... such as working for HOMELAND security might be ?

[Gunawan Hadikusumo]

Or you create new programming language by your self first before developing any worthy project.
You can use Egyptian or Sumerian Language perhaps.

[Kadir Avci]

In my country I earn money from these codes. If they steal I can't earn money. So I need to protect them. And these codes different from other companies codes.

Kadir Avcı
Software Developer | Web Developer
web: www.kad1r.com
twt: www.twitter.com/kad1r

[Gunawan Hadikusumo]

I dont agree with your statement. The time to be spent to undebug the code is overwhelming, at the same time there are hundred thousand software company competing each other for the same type of software. Why dont just make his or her own software by his or her own logic instead. Time has changed. There are more more programmers in the market. If we are talking about 1980 era... you could be correct. But now, the most important is marketing. Even you can make so sophisticated software and only you can mantain that code, without good marketing , no one would buy your software. Unless your code is so important for Homeland security or Nasa program. But most of us dont work for them. So, why bother ?

[Gunawan Hadikusumo]

Sometimes i wish people steal my code, that means more more programmer making them selves dumb.
Programming is about practice, the more people love to steal the code instead making their own , the dumber
they become. So when they get addicted to my code, one day i will twist my logic and make them suffer unless
they pay me. When i code, i use different logic to make sure people who cheat will find them selves in the forest
where is no where to get out.

[Gunawan Hadikusumo]

try this http://www.xenocode.com/Obfuscator/?gclid=CKW72-zx7p4CFQIupAodu2jvJQ

[Brandon Betances]

Unless your an amazing developer, no one will probably want to steal your code.

 

If you mean, people in your office saying they did what you wrote, a repository and company policy on tagging code with your name (in the comments) work well.

 

And if people are stealing your ideas as a whole, get a patent. Only takes a few days.

 

I think I covered all the bases with this one.

[Theraot]

I've read all the post in this thread up to date, and well, you have
got quite a predicament here..

-------------------------------------------
On stealing your code...

You say you are paid to protect your code, well, If it's really a
conrcern for your company I think the code is running on the machines
of the clients. I think that because if the code is in a server, you
can just isolate it form outside... but if the attacker has access to
the maching running the code, there is nothing you can do... ofuscate,
encrypt, hide, whatever in the long run they get the code, doesn't
matter if it's .NET or not.

I'm not only saying that any security at this level is useless at the
date, I'm also suggesting against it, the end user should have the
right to know what his machine is doing. If you can develop a real
security at this level (something would involucrate hardware, I
think), then you are not only making the user buy that hardware
(lowering your market, unless that hardware has some adventage for the
end user) but you are making clear where to attack, and trust me, then
the cracker will really like to do it, they just luv the chalenge...
take DVD copy protection as example, XBOX as example... they end up
breaking it anyway.

Besides that developers respects a well done product, if your code is
good enough, they will probably perefer to help you instead of copy
your product just let it die. Well... about companies it may be a
different story, but in that case the protection is copyright, as they
just won't sell something you can proof it's not their own, they will
first buy you (taking as the product is that clever, right?).

Give good support to your products, set a help desk, good
documentation, and change management... they can't disassemble that.

Allow extension points to your code, if third party can develop plug
ins, add ins... then they won't say: "This program is good, but it
doesn't have such and such, let's copy the code and then we add that".
Believe me, I've had those thinkins...

-------------------------------------------
About illegal copies....

Go for software as a service any time you can (do they call that cloud
this days?), but If you are still limited to put the code on the end
user side... you can still add value on a server, say: updates,
support forum, news, extra content, a plug in lib, and for those
things you can have more control. They will not disassemble your
server code, because they simply can't download it (make sure of
that). The security is now on the field of illegal end user copies,
not about stealing code...

Also if you have this server side, you can request activation online
to the users, so you can detect illegal copies early... about that...
it's just a shame, that you need to purchase a new licence if you
change your hardware... look how web mail providers set a good
security without relying on hardware... why? they make people think:
"this is my account and it have sensitive info for me, so I will not
share it". Also the simple fact that the user sets a name, makes it
hard to use brute force because the attacker need to guess both name
and pass, and perhaps serial number also. And of course you can always
set a captcha. And the whole fact that your codes doesn't rely on
hardware and that it depends on the name (which you store in your
server, someplace where it can't be downloaded... and encrypted is
better), then they will be unable to create a keygen (key maker if you
like Matrix).

Remember: security on the server, not javascript, and be aware of code
injection (SQL or not).

If yout app is not big enough to set a server... damn, do not protect
that crap, futhermore, give it open source, and advertise it, so
everybody can tell that code was made by you. If there are developer
they will just make that app on their own without going to crack your
code. They just look what it does, and start from scratch... and trust
me, there are developers out there.