Ask Slashdot: How To Work On Source Code Without Having the Source Code?

occamboy writes: Perhaps the ultimate conundrum!

I've taken over a software project in an extremely specialized area that needs remediation in months, so it'll be tough to build an internal team quickly enough. The good news is that there are outside software engineering groups that have exactly the right experience and good reputations. The bad news is that my management is worried about letting source code out of the building. Seems to me that unless I convince the suits otherwise, my options are to:

1) have all contractors work on our premises — a pain for everyone, and they might not want to do it at all

2) have them remote in to virtual desktops running on our premises — much of our software is sub-millisecond-response real-time systems on headless hardware, so they'll need to at least run executables locally, and giving access to executables but not sources seems like it will have challenges. And if the desktop environment goes down, more than a dozen people are frozen waiting for a fix. Also, I'd imagine that if a remote person really wanted the sources, they could video the sources as they scrolls by.

I'll bet there are n better ways to do this, and I'm hoping that there are some smart Slashdotters who'll let me know what they are; please help!

This is what APIs / abstraction is for

You don't give them any source code. You create interfaces (in the Object Oriented Programming sense) and "dummy" implementation version of what your executables do. You provide these to the subcontractors.

This way, they can work on the new source code remotely, without accessing the existing proprietary stuff.

What if you give the suits what they want?

[generic_screenname]

Post a job ad, with a caveat in the description that developers can't see the code they are supposed to work on. Report back when you don't get any results. Have some conversations with recruiters and candidates, and document the WTF reactions while you're at it. It may also be worth getting different quotes from the team you wanted to hire: one at a rate with reasonable accommodations that allow them to do their jobs, and another where they will have to deal with endless BS because management doesn't trust anyone. The truth of the matter is that someone really, really wants to target your company, they will. An employee could steal something. You could be hacked. A very determined assailant, given enough time and resources, will get to you. There are tradeoffs made to account for this possibility, while allowing enough latitude for people to do their jobs. It's the same with this group of contractors. If they really, really wanted to steal from you, then they could, and no amount of legal procedure would stop them. If they have built up a good reputation, then they probably won't do this. At the end of the day, this gets down to managing the fear level of your superiors, and it may mean letting something go undone until they come around to letting go a little bit.

Re:You pretty much covered the options

[Tjp($)pjT]

I have done some forensics work in software. The most secure setup was a room with cameras, the computers in a locked box, PS/2 keyboard and mouse with attached cords that go into the locked box, VGA only monitor, and a printer filled with pre-numbered sheets of paper. I emptied all my electronics including watch, no calculator, no phone, etc. Allowed items were a pen/pencil and notepad. I was escorted into the room (roughly 1500 miles from my office) the paper was loaded by the escort. When I wanted to leave the room I pressed a buzzer button. The escort collected the printouts, and the paper supply. briefly looked to see if there were obvious missing pages. They can't see my notepad, and my instructions were to write small, though the cameras were not supposed to see the monitor or desk surface. After their side examined the pages I printed out, they allowed a lawyer to pick up the copies, as I had to review the printouts in the lawyers offices and not personally ever posses them. Under those conditions with a 10 hour work day (8 onsite, 2 writing up the days notes onto a computer at the hotel room) it is amazing how little code can be reviewed in a day. They did allow tools of our choice to be installed on the computers at their expense. And they installed the software versions we said were suspect in source form.

Under these conditions, if you forced them on developers, you'd be paying them what I was paid for forensic investigation, somewhere around $250-300 an hour if you want top quality people. And they will burnout in short order, so keep a queue filled with replacements. I could do that for only short bursts at a time.

Even then, I could have copied the code onto paper line by line. And in some cases did for short segments that showed infringement.

In even the harshest of conditions code can still leak. But your biggest weak point is if your network is not air gapped and you use source code control, keeping the social engineering aspect in check so you aren't hacked. For contractors and employees, only hire ones you trust and depend on NDAs and integrity. And a VPN that is appropriately encrypted is like working in the office. Supply the computers and you can install monitoring software on them, and USB management software to provide gentle no-no-no reminders as they try to work they way they normally would.

Open another office

Why don't you open another office space closer to your team. They might not come to work at your place, but they might go to another place where you could still control the environment. Then hire security personnel to watch them work if you want !