
So, how can new companies that have just started protect
their source code from leaking by their employees?

If it is a new company that means that the source code of the product is not so big and
complex yet in order to distribute developers to different parts and limit their access.

Also, the employees need internet access for help during their work
(that means that they can just upload the source code anywhere they want).

Furthermore, I do not believe that NDAs (Non-disclosure agreements) can stop anyone.

Imagine the following scenario:
You have hired 10 developers, and after some time one of them
uploads all your source code using TOR to a remote server.

Result:
Your source code has been leaked, you cannot find the culprit and you don't know who to sue.

Light Flow
  • @Xander - your dup is also a dup. Here's the original: http://security.stackexchange.com/questions/17276/how-to-prevent-private-data-being-disclosed-outside-of-organization – TTT Mar 15 '16 at 17:01
  • @TTT Yes, that is on purpose. It ensures the options are navigable. – Xander Mar 15 '16 at 17:03
  • Your supposed "original" answers do not answer my question, have you read their answers? Also, have you read my question? My question is specific to new companies (and it's for intentional leakage), also none of them mentions the scenario that I mentioned. – Light Flow Mar 15 '16 at 17:03
  • @LightFlow that's because there is no way to achieve what you want. That's why companies exist that specialize in forensic analysis of computers to try to determine if an employee leaked/stole/exfiltrated/manipulated data to their advantage. One more answer that might give you some more insight is http://security.stackexchange.com/questions/109087/how-do-large-companies-protect-their-source-code – childofsoong Mar 15 '16 at 17:07
  • @Xander - after reading both your link and the one it is supposedly a dup of I agree. Your link is much more relevant to this question, and the supposed dup of that question takes almost an opposite approach in its answers. Though I do find a little bit of humor in "this is a dup, well, so is that!". – TTT Mar 15 '16 at 17:10
  • If you can't determine who used TOR on your own network or burned a disk, or plugged in a USB drive, you have major DLP issues. – Ramhound Mar 16 '16 at 02:00

1 Answer

There is no perfect technological solution, and there never can be.

Humans are the weakest part of security (because they click on things they shouldn't and fall victim to social engineering traps), but they are also the strongest part of security. They can identify when something "doesn't seem right". They can look into and probe deeper to confirm or refute their suspicions.

Ideally, the people you hire should not want to steal your source code. You should be treating them well so that they want the project to succeed as much as you do.

Ideally, you should know each of your developers well enough to know if they would do something like that. Even if you blocked access to Tor, you can't prevent them from putting the code on a USB stick. If you prevent that, you can't prevent them from printing it out and sending it through the mail, and so on. You need to nurture a level of bidirectional trust, such that they know you're working in their best interests and you know that they're working in yours.

Omniwombat