Slashdot Mirror
Third Party Code Review?
An Anonymous Coward asks: "It looks like our sale-person is about to land a big contract with a very large US Bank, however there is a large catch in that the bank is demanding that we let them do a full audit on the source code of the software application we are selling them. After the recent rash of identity thefts of credit card and other personal info, they now mandate that all internet facing applications that store potentially private information have to have a full source code audit. This includes software from 3rd party vendors such as my company. They want to run our Java code through some software called Fortify (we looked up the price -- around $80,000) and also do a manual analysis of the code. This software is our company's life-blood. We would be ruined if it fell into a competitor's hands. We aren't storing private information about their customer's; all of the information can be found from government county auditor web sites. I understand their point of view, but it is a very scary step for us to take. Has anyone else done this and how did it work out?"
This is why your company has lawyers.
Handing over the source code should be part and parcel of any non-retail software package. Like Free Software, but without all the philosophical bullshit.
I was almost sympathetic until I re-read:
.. )
... "
very large US bank
What, pray tell did you expect? It looks as though you blundered into a pot of gold and kept going despite the fact that you're not large enough yet to carry it away.
Of course they'd demand third party review. I hope *my* bank would! What I also don't see mentioned is any mention of a three inch NDA that would be signed.
Established companies like Microsoft can sell stuff with some (or all) of the hood welded shut. They are an authority. They dictate who our browsers trust. They're huge and they could afford to pay for resulting damages (good luck pinning any on them
If you really want to use this as a spring board I'd let them have at the code. Unless you're in the middle of an "Oh SHIT we gotta re-code all that GPL stuff we used
Why would you worry if there wasn't anything to worry about? And why risk your "life's blood" on one single venture?
Order happy meal first. Big mac later.
Off my soapbox.
Non Disclosure Agreements and Really Good Lawyers, that's what it's all about. And if you think it's too much of a risk, just turn the job down. Big fat contracts are look appealing when they arrive on your doorstep, but if they come with massive provisions which are too risky for your business then don't be scared in turning them down. Especially when it's your business, your life and your way of thinking/sanity which is exposed.
Of course, there is the bargaining position of if they are really in need of your software, then you could be in a good position to strike up a trust and maybe negotiate your way out of being audited.
I've done a few defence contracts where they've demanded the same type of auditing, and in a few I've managed to get out of the auditing process for non-mission-critical systems by negotiation.
Task Mangler
Better idea. Ruin Fortify.
... you get the idea. Then offer to audit the Fortify source code for free. Start a new company in China (they dont have freedom of speech, but neither do have strong copyright protection) and start selling Fortify+ (or FortifyLight depending on your marketing strategy). You will be a multi millionaire soon. Dont stop, claim that the original Fortify stole your source code and sue them (dont care if its obviously untrue, remember SCO ?). And then finally when you have a few billion dollar in you bank account GPL the code under GPL 3 and post the news on slashdot.
Talk to the bank manager, let him know that you whole heartedly support security audits. Then ridicule him for trusting Fortify, a closed source tool, for sucah an important audit. Enlighten him about the possible conspiraces involving Fortify, Nigerian Scammers, Dick Cheny ,
Whew, another success story for the books.