Information Security
Maxim Cherepantsev, 2017-02-04 15:04:46

How to protect code from theft in a large company?

Good afternoon.
How is it possible to protect the source code and project resources in a large company? For example, there is a company of 100+ people, 80% of whom work with the source code. The project is commercial, the code is closed, there are unique developments, and up to 3 people can work on one section of the code. How can you avoid leaking code and resources to the Internet? How do Google, Microsoft, Yandex and others do it?


8 answer(s)
Sergeyj, 2017-02-04
@RevHarris

You can implement full (or almost full) protection on the principle of banking "shadow" servers. Sergey described a similar security system. When I worked at X Bank, we went down the elevator to the development office; there you pass through metal detectors and hand over mobile phones and other electronics. You are issued an office walkie-talkie for communication. Each computer is positioned so that another person cannot see what you are doing even if they want to. System units have only one USB port (and even then not everywhere), which is physically protected and serves for bank keys. Peripherals are connected via PS/2. The entire local network has no access to the outside world. Code is deployed to the production system through a gateway server: that is, data from the working network is placed on the gateway, the local network is cut off, and then it goes on to production.
The gateway is probably well protected, but I don't know that anymore.
There is also a camera unit on the desk. When you move away from it (from the computer), the system locks and asks you to enter your login/password.
That's the kind of security system I had at my old job. Maybe there was something else, but I don't know.

Sergey, 2017-02-04
@edinorog

Physically remove ports from system units. No Wi-Fi or Bluetooth. Cameras in every office. Full logging of keystrokes on the computer. Mobile phones are handed in at the checkpoint. Only a corporate internal mailer. Security policy tightened to the maximum. The mouse and keyboard are fixed with tamper seals. System units locked shut, with seals. A dedicated code server, with clearly defined rights to volumes and access. Network cables with locks on both ends. A cell phone jammer and frequency analyzer around the clock. Inspection at the entrance. The head of security should have a face that looks like he has been drinking for 2 years straight, and preferably be a little sick in the head; they won't put him in jail later... he has a certificate)
That's just for a warm-up. You can implement terminals. The network is completely isolated from the outside. A full-time observer for the cameras plus one more lead security specialist are hired for the position. Trying to save money at any stage... nullifies all of the above.

index0h, 2017-02-06
@index0h

Code by itself is worth nothing. The value is only in how and what it does. This is important to understand.
Many programmers keep copies of projects they are involved in or have been involved in at home. Most often they are used as a set of snippets. For example, in one project there was a convenient class for collections, in another several tables were well designed, in the third a large list of exceptions for every sneeze and fart... "Appropriating" the project itself, as a rule, makes no sense, since it is not only code, it is also a whole ecosystem and a bunch of people who serve it.
As for transferring the code to third parties, this is already a legal and administrative issue: all sorts of NDAs, etc.
Infosec can be taken to extremes, and it must be done, but reasonable boundaries must be observed.
Friends once spoke about a project where all development was carried out on servers in the USA via RDP; most of them solved problems half-heartedly, not because they are scoundrels, but because the response to pressing a key was 5-15 seconds. The project was closed after some time: too long, too expensive and of poor quality.

mace-ftl, 2017-02-04
@mace-ftl

The correct answer is to hire a specialist; Google and Yandex do just that.
And if on topic: introduce a trade secret regime, sign the necessary documents on responsibility with employees, put stamps on the necessary resources, etc. And last but not least, close the USB ports and put it all under monitoring.
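The "close the USB ports and put it all under monitoring" measure above (and the full keystroke logging Sergey mentions) has a detection side on the endpoint. As an added example that is not part of any answer here, this Python snippet parses constructed Linux kernel log lines (dmesg style) for USB mass-storage attachments and reports devices whose vendor:product pair is not on an allowlist. The bus ports, idVendor/idProduct values and product names are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of Linux kernel log lines (dmesg / journalctl -k style).
# Bus ports, idVendor/idProduct values and product names are made up.
SAMPLE_KERNEL_LOG = """\
[  120.001] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  120.150] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  120.151] usb 1-1: Product: Example Flash Drive
[  120.160] usb-storage 1-1:1.0: USB Mass Storage device detected
[  121.300] sd 6:0:0:0: [sdb] 30031872 512-byte logical blocks: (15.4 GB/14.3 GiB)
[  300.000] usb 1-2: new low-speed USB device number 4 using xhci_hcd
[  300.100] usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
[  300.101] usb 1-2: Product: USB Keyboard
[  300.120] input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input5
"""

# The kernel prints the bus port (e.g. "1-1") in every line about a device, which
# lets us stitch the enumeration, product string and usb-storage bind together.
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = "?"
    mass_storage: bool = False


def detect_usb_storage(log: str, allowlist: frozenset = frozenset()) -> list:
    """Return USB devices that bound usb-storage and whose "vid:pid" is not allowlisted.

    Keyboards, mice and other non-storage devices enumerate but never produce
    the usb-storage line, so they are not reported.
    """
    devices = {}
    for line in log.splitlines():
        if m := NEW_DEVICE.search(line):
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
        elif (m := PRODUCT.search(line)) and m["port"] in devices:
            devices[m["port"]].product = m["name"]
        elif (m := MASS_STORAGE.search(line)) and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return [d for d in devices.values()
            if d.mass_storage and f"{d.vid}:{d.pid}" not in allowlist]


if __name__ == "__main__":
    for dev in detect_usb_storage(SAMPLE_KERNEL_LOG):
        print(f"ALERT: mass storage on port {dev.port}: {dev.product} ({dev.vid}:{dev.pid})")
```

The keyboard enumerates on port 1-2 but is never reported, while the flash drive is reported unless its vendor:product pair is allowlisted.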

Rou1997, 2017-02-04
@Rou1997

1. Share responsibility: if someone "leaks", then only their "piece". But for this it will be necessary to increase modularity, and this also leads to a narrow outlook, although the listed companies need this, especially Google.
2. Technically restrict access, such as a "kiosk mode", so that the only way to take out the code is to memorize it, or with a pen on paper.
3. And the most correct... Motivation!

McBernar, 2017-02-05
@McBernar

As far as I know, at the same Yandex they work on search according to a very simple scheme: only a few people have a complete picture of the project and full access, while the rest work on their part of the system and have no idea what others are doing. Yes, someone can leak their part of the work. But will it be useful to anyone at all in this form?

Vladimir T, 2017-02-09
@32bit_me

NDA only. By itself, the code is worth nothing; the programmer will be able to keep it at home, but will not be able to transfer it to someone or put it in the public domain.
