
I'm developing a web application working with PHP, an SQL DB and other technologies. I'm always considering someone stealing the source code or using it for other means.

How can you prevent someone from stealing your source code? If that happens, what are the security practices that you can put in place in order to prove later in court that that source code is yours?

I know some technologies that you can use to prevent and to secure your source code, such as:

  1. Encrypting your files;
  2. Using metadata to add watermarks to your source code;
  3. Letting all your friends know that you are developing this webapp so you have an alibi;

I would like to know how you can properly secure your source code. How can you put measures in place to prove later in court that that source code is yours?

I don't know if this next question fits very well in here, but I will give it a shot: What proofs are accepted by the court in case someone steals your source code? I'm asking this because I know that in my home country, Portugal, the courts can't accept Facebook messages as proof.

Anders
Bruno Francisco
    If your partner has access to the code (maybe because he needs to work with it) then preventing theft is impossible. And all the questions about what is accepted in the court are off-topic here because we are no legal experts. These should be better asked at law.stackexchange.com. – Steffen Ullrich Jun 25 '16 at 13:30
  • Cryptographic timestamping is the only applicable answer outside of "ask a lawyer". You can prove you held a copy of the code at time X, ideally before anybody else had it (so you can show you had it first). – Natanael Jun 25 '16 at 18:28
  • Possible duplicate: http://security.stackexchange.com/questions/40077/should-we-protect-web-application-source-code-from-being-stolen-by-web-hosts-thr – user2320464 Jun 26 '16 at 04:08
  • You should ask "what proofs are accepted by the court?" in law.stackexchange.com (please tag it with your jurisdiction - Portugal). I am surprised that FB messages are inadmissible as evidence - it is possible you have misunderstood, or that Portugal is very different to the jurisdiction I am familiar with. – Martin Bonner supports Monica Sep 23 '19 at 13:59

4 Answers

It depends against what you want to secure your code.

If this is code which will be used (as source code) in development then obviously you cannot secure anything. My rule of thumb is that once someone can see anything then you cannot secure it (this extends to all kinds of DRM-protected documents which you take a photo of, run through OCR and poof, there goes the DRM).

As for whether you can protect that in courts you need to ask a lawyer who understands copyright in your specific case.

If you want to co-develop but do not need to share source code, you can work via APIs, shared libraries (which can be reverse-engineered - again ask your lawyer if this is legal or not) or some other mechanism where someone makes use of the functionality of your code, but not the code itself.

WoJ

How can you place measures to prove later in court that that source code is yours?

Place a copy in escrow prior to showing the code to anyone.

When you form a partnership or employ someone, you might get them to sign a statement, preferably in front of witnesses, that acknowledges your ownership of a specified body of code.

The statement might include a hash of the escrowed code or some other identification that is hard to subsequently refute.

RedGrittyBrick
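As an added illustration of the "hash of the escrowed code" idea in this answer and of the cryptographic-timestamping comment on the question (example code, not from either poster; the function names are my own), the following computes a reproducible fingerprint of a source tree that can be placed in escrow, quoted in a signed statement or submitted for timestamping, and later shows exactly which files differ from the escrowed copy.

```python
import hashlib
import json
import os
import tempfile


def manifest_for_tree(root):
    """Map each file under root (relative POSIX path) to the SHA-256 of its bytes.
    Sorted traversal makes the manifest reproducible on any machine; mtimes and
    permissions are deliberately ignored, since they change on every copy."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def fingerprint(manifest):
    """One SHA-256 over the canonical JSON manifest: the value to hand to the
    escrow agent, quote in the signed statement, or have timestamped."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def changed_paths(escrowed, current):
    """Paths added, removed or modified relative to the escrowed manifest."""
    return sorted(p for p in set(escrowed) | set(current)
                  if escrowed.get(p) != current.get(p))


def _write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Constructed sample trees: the escrowed copy, a byte-identical copy with
    different mtimes, and a copy where one file was edited."""
    src = {"index.php": b"<?php echo 'hi';\n", "lib/db.php": b"<?php // sample\n"}
    with tempfile.TemporaryDirectory() as tmp:
        escrowed = manifest_for_tree(_write_tree(os.path.join(tmp, "escrow"), src))
        copy = _write_tree(os.path.join(tmp, "copy"), src)
        os.utime(os.path.join(copy, "index.php"), (0, 0))  # touch mtime only
        edited = {**src, "lib/db.php": b"<?php // edited\n"}
        current = manifest_for_tree(_write_tree(os.path.join(tmp, "edited"), edited))
        return {"copy_matches": fingerprint(manifest_for_tree(copy)) == fingerprint(escrowed),
                "edited_matches": fingerprint(current) == fingerprint(escrowed),
                "changed": changed_paths(escrowed, current)}
```

Keep both the manifest and its fingerprint with the escrowed copy: the fingerprint is what you timestamp or have witnessed, and the manifest is what lets you point to the specific files later.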

As already said, if you voluntarily provide access to your code to someone - a co-developer or whatever - you can't secure it at all. Obfuscating will only slow extraction down, and if your second party needs to actually work with the code, you can't even use that.

If you're talking about protecting your code against external clients that have access to your webapp, then for the backend simply follow the best practices of storing binaries/scripts outside of user-accessible directories on your web/application server and patch your environment against vulnerabilities. If your server is set up correctly, an outside client should only ever see the results of execution, not the code.

Frontend JavaScript code, OTOH, can't be secured at all. Since it is executed client-side, you are by definition "voluntarily providing" a full copy of the source to the client to execute - and as already said, this can't be secured.

Generally, any DRM system is useless as long as the content is fully transferred to the client. "If you can see (hear, read) it, you can copy it." The only way to secure any rights is through legal means.

Most of the time you actually aren't programming anything new that anybody would bother stealing and then go through the pains of adapting to their own goals. But if you do, just put the UI and the rest of the trivial logic on the client side and keep your secret "know-how" core on the server as the backend, and you'll be pretty much safe.

Oleg V. Volkov

Encrypt your Visual Studio source code and protect it from illegal access. Allow developers to work from their location with the encrypted project to ensure that no one unauthorised gets the code.

You can also let developers start from scratch and work in the protected mode to ensure only you get the code from them.

schroeder
Vsscp