0

I am wondering how I can control the organization's code from being leaked or stolen.

Currently we are using GitHub, in order to protect the code I am planing to use GitLab on a local server, so the code will be pulled and accessed only from the office.
My question is, even if I implement this, it will still be possible for the code to be leaked. If the the developer is using the machine in the office he/she can pull from the local server and send it somewhere from the machine he/she is using.

Is there anyway to solve this problem ?

S.L. Barth is on codidact.com
  • 5,524
  • 8
  • 40
  • 47
Petr
  • 665
  • 7
  • 12
  • Short answer: no. If they can read it, they can copy it. You need to make sure that your developers are trustworthy. – S.L. Barth is on codidact.com Feb 21 '17 at 07:33
  • Thanks for your comment, but do you think all the companies trust all of their employees? Do banks have to trust all their developers? They all have various security measures in place to prevent tangible theft. I think there must be some controls in place in the OS level and network level though. – Petr Feb 21 '17 at 07:55
  • Some companies trust some of their employees. Unless you want to frisk your developers for hidden USB sticks every time they leave the building, what you're asking is nearly impossible. (Let me pre-empt the obvious reply - locking the USB ports on your computers is not a solution, it merely hampers legitimate use of these). – S.L. Barth is on codidact.com Feb 21 '17 at 08:15
  • 1
    Regarding banks, BTW - their concern usually isn't theft of code, but backdoors. The usual way to prevent malicious developers from creating backdoors in the code, is to have a code review process in place - so they'll get caught before the code is used. If your concern is backdoors in the code, that is something you can do. – S.L. Barth is on codidact.com Feb 21 '17 at 08:18

2 Answers2

1

Your developers will, by necessity, have access to the code. Implementing some system that, say, only allows them to edit code in a special application that doesn't allow copying into the system clipboard will annoy them, and they'll circumvent it, if only to be less annoyed.

The standard alternative approach is a legal one: employees sign contracts, and if there's a sniff that they've taken proprietary information elsewhere, your corporate lawyers get in contact and scare the pants off them. This will be cheaper and much more effective than a technical solution.

Xiong Chiamiov
  • 9,432
  • 2
  • 34
  • 81
1

There's no foolproof technical solution to what you want (the classic quote is, two can keep a secret if one is dead); only social solutions.

My first day at my first company out of college, someone came by and made a point out of showing me how to access ALL our source code. Implicitly and explicitly, as a new hire I was trusted.

Like respect, trust is a two-way street: if you want your employees to respect the privacy of your source code you should explicitly ask them to keep it secret but you also have to trust them to keep it private. If you treat them like you don't trust them they won't be motivated to behave in a manner that is (to you) trustworthy.