Third Party Code Review?
An Anonymous Coward asks: "It looks like our salesperson is about to land a big contract with a very large US Bank, however there is a large catch in that the bank is demanding that we let them do a full audit on the source code of the software application we are selling them. After the recent rash of identity thefts of credit card and other personal info, they now mandate that all internet facing applications that store potentially private information have to have a full source code audit. This includes software from 3rd party vendors such as my company. They want to run our Java code through some software called Fortify (we looked up the price -- around $80,000) and also do a manual analysis of the code. This software is our company's life-blood. We would be ruined if it fell into a competitor's hands. We aren't storing private information about their customers; all of the information can be found from government county auditor web sites. I understand their point of view, but it is a very scary step for us to take. Has anyone else done this and how did it work out?"
then it sounds like you are in the business of selling disks with programs on them. in that case, you're already sunk. you need to move NOW to a model where you make your money deploying and supporting software.
show them the bleeding source code, you pansy.
I was almost sympathetic until I re-read:
"very large US bank"
What, pray tell did you expect? It looks as though you blundered into a pot of gold and kept going despite the fact that you're not large enough yet to carry it away.
Of course they'd demand third party review. I hope *my* bank would! What I also don't see mentioned is any mention of a three inch NDA that would be signed.
Established companies like Microsoft can sell stuff with some (or all) of the hood welded shut. They are an authority. They dictate who our browsers trust. They're huge and they could afford to pay for resulting damages (good luck pinning any on them
If you really want to use this as a spring board I'd let them have at the code. Unless you're in the middle of an "Oh SHIT we gotta re-code all that GPL stuff we used
Why would you worry if there wasn't anything to worry about? And why risk your "life's blood" on one single venture?
Order happy meal first. Big mac later.
Off my soapbox.
Non Disclosure Agreements and Really Good Lawyers, that's what it's all about. And if you think it's too much of a risk, just turn the job down. Big fat contracts look appealing when they arrive on your doorstep, but if they come with massive provisions which are too risky for your business then don't be scared of turning them down. Especially when it's your business, your life and your way of thinking/sanity which is exposed.
Of course, there is the bargaining position: if they are really in need of your software, then you could be in a good position to strike up some trust and maybe negotiate your way out of being audited.
I've done a few defence contracts where they've demanded the same type of auditing, and in a few I've managed to get out of the auditing process for non-mission-critical systems by negotiation.
Task Mangler
The only thing missing is the names of local variables and the comments. If you're distributing your program unobfuscated (and studies have shown that 99% of companies do) then they already have your source code.
How we know is more important than what we know.
As others have pointed out just get a really good NDA (which I'm sure the bank has probably already insisted on anyhow). The benefit of 3rd party code review is that they just might actually turn up a vulnerability in your software. This is just like having someone pay you to help you validate your software. At the end of this you can say your software has been validated by Fortify.
Author of Enyo: Up and Running from O'Reilly Media
On top of this, I would transfer the source (on whatever media) encrypted so, if something were to happen, they cannot claim it was stolen somewhere in the middle. Require them to call a specific person when they receive the disk to get the key.
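One way to do the encrypted hand-off this comment describes, as an added example that is not part of the thread or anyone's posted code: the source tree is packaged and encrypted with a freshly generated passphrase, the passphrase is kept off the media (it goes to the named contact by phone), and the recipient checks a SHA-256 manifest before decrypting. It assumes openssl, tar and sha256sum are installed; the directory and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl, tar and sha256sum.
set -eu

# Sender side: archive SRC_DIR, encrypt it under a random 256-bit passphrase
# written only to KEYFILE (which is delivered out of band, never on the disk),
# and record the ciphertext hash so the recipient can detect tampering in transit.
package_for_audit() {
    src_dir="$1"; out="$2"; keyfile="$3"
    openssl rand -hex 32 > "$keyfile"       # passphrase for the phone call, not for the disk
    chmod 600 "$keyfile"
    tar -cf - -C "$src_dir" . | \
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass file:"$keyfile" -out "$out"
    sha256sum "$out" | cut -d' ' -f1 > "$out.sha256"
}

# Receiver side: compare the ciphertext hash against the manifest first; a disk
# that was altered or damaged is refused before any decryption is attempted.
unpack_audit_copy() {
    enc="$1"; keyfile="$2"; dest="$3"
    expected=$(cat "$enc.sha256")
    actual=$(sha256sum "$enc" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "hash mismatch: refusing to decrypt" >&2; return 1; }
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass file:"$keyfile" -in "$enc" | tar -xf - -C "$dest"
}
```

The separate hash manifest matters because AES-CBC on its own does not detect modification of the ciphertext; in practice the manifest should travel with the key (by the same out-of-band channel), not on the same disk as the archive.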
An NDA and possibly a Non-compete agreement should be fine. This stops them from sharing the source and from giving the source to in-house developers to try to pick through your source to make a product for themselves.
Also, since they do this with all applications they use, you have the right to ask for the contact info of a few places they've done this with. This allows you to talk to X Company about what happened during and after the process. Tell them this is your security check on them.
Either way, as with most business related "Ask Slashdot" articles, you need to consult your lawyer.
As a buyer of software I would not only expect (not demand: expect) access to the code for an audit, I would also expect you to keep the source code in escrow, in case you fold and are no longer able to support the software.
As the other poster said, if you're in the business of moving bits on discs, you're already ruined. You're just waiting for the time delay to kick in.