25

My company is going to hire an external developer to create some new modules and fix some bugs in our PHP software.

We have never hired an external developer by the hour before. How can we protect the source code? We are not comfortable giving out source code and were thinking that everything remained under a surveillance enabled VPN which external developer would log in to.

Has anyone solved this problem before? If so, how?

Edit: We want the developer to see/modify the code but under surveillance and on our machine remotely. Does anybody have a similar setup?

Edit 2: NDA is just a formality. IMO, even people who are in favor of NDAs know that it'll do nothing to protect their property.

Edit 3: Let me clarify that we aren't worried about the developer copying an algorithm or a solution from the code. Code is coming out of his brain, so naturally he is the creator and he can create that again. But our code is built over several years with tens of developers working on it. Let's say I hire an incompetent programmer by mistake, who steals our years of work and then sells it to the competitor. That can make us lose our cutting edge. I know this is rare, but such a threat has to be taken under consideration if you're in business. I'll make points of my comments so it's easy for everyone to communicate:

  1. Why do NDAs suck? Take this scenario; if anyone is capable of suggesting a solution to this scenario I will consider the NDA effective. Ok, here goes: We hire 2 external developers, and one of them sells our code as it is to someone else after a year. You are no longer in touch with any of the developers, so how are you supposed to find out who ripped you off? An NDA does serve a purpose, but you can't rely completely on that. At least we cannot.

  2. I did not mean to offend anyone while I was posting this question, even though unintentionally I did. But again, to people answering/commenting like 'I will never ever work with you' or that Men-in-Black-gadget thingy: It's not about you; it's a thread about how feasible a given technical solution would be, and whether anyone in this community has worked under such an environment.

  3. About 'Trust': of course we won't hire anyone we do not trust. But is that it? Can't someone be deceitful at first? We all trusted a lot of politicians to run our country; did they not ever fail us? So I'm saying 'trust' is a completely different layer of protection, like an NDA, and my question was not directed at it. My question is rather directed towards technical measures we can take to avoid such a thing from happening.

Rajat
  • 323

13 Answers

68

Use source control. There is nothing a remote developer can do that will not be reversible.

Apart from that, depending on what you mean by "protect", you should have the right contract with him, including NDA.

On another note - why hire an external developer in the first place, if you are not going to trust him?


Update:

Now that you have clarified that by "protect" you mean "not allow to get the sensitive code", my points above about NDAs and trust remain unchanged.

When it comes to source control, if you have several repositories where you have different levels of code (boilerplate - not sensitive, infrastructure - not sensitive, business logic - very sensitive, etc.), you can select which repository to give this developer access to. Of course, this depends on whether you can segregate like this and still have a working application (for this to work, some repositories may require having binary dependencies checked in - these would be compile artefacts from the sensitive repositories). The feasibility of this depends on what you want the developer to work on.

Even with the scheme described above, you need to consider decompilation and reverse engineering of code (this is always possible with a determined enough attacker), so obfuscation of code/binaries may be another thing you need to consider (again, this is not perfect - with enough know-how and determination, the best obfuscators can be defeated).

In essence, my point is that if you want to protect a sensitive code base, you should only give access to the sensitive portions to people you trust.

Oded
  • 53,734
55

There are two ways of working with people:

  1. Control:
    • monitor all their actions
    • dictate their processes
    • restrict their freedoms
    • keep them exchangeable
    • make a clear distinction between them and you
  2. Collaboration
    • respect their freedom
    • trust them
    • build a long term relationship that both sides benefit from
    • work as a team

You go choose. But IMHO you shouldn't expect people whom you openly treat as if they were potential criminals to treat you fairly in response. So here is a crazy idea:

  • be forthcoming and fair
  • actively engage in creating mutual trust and loyalty
  • don't be greedy and pay on time

If you make people feel that they are in a satisfying, productive and lucrative business relationship, they will stick with you. And that is exactly the same for contractors and employees. Nothing can stop your employees from quitting and taking the source code with them, except an incentive to stay.

So make your work pleasant and worth working on, rather than wasting resources on freakish control.

back2dos
  • 30,140
19

Simply put: You don't.

Professional developers take this kind of thing seriously. They are well aware of the importance of the code, and the consequences of stealing bits and pieces of it. If they are caught, it is a stain on their reputation as a professional, and could affect their livelihood in a meaningful manner.

Others have suggested an NDA, and while it is not a technological means of "protecting the code", it is often all that is needed. Functionally, there is no difference between internal and external programmers. You have to cede some amount of trust to all of them.

Ryan Kinal
  • 1,491
9

You should never allow outsourced or, I would argue, temporary contractors access to any code that is highly proprietary, extremely sensitive, or that contains valuable algorithms or other business secrets.

Even having them sign an NDA or a Non-Compete is likely useless as they commonly do not hold up in court.

This mad orgy of offshoring all development possible is a pox on the industry and a self-defeating strategy. Offshoring or outsourcing makes sense with menial, tedious, or well-solved and understood development problems. It was never meant to save money on the unique, bread-and-butter work.

When you lay your company's most proprietary and industry-specific code bare for the world to see, then you are literally inviting future competitors to rise and challenge you.

With that being said, do a close evaluation of your code base, decide what code you would not like them to see, and see how easy it would be to restrict their access to it through source control. If there is nothing too troublesome or worrying about your code, then the application likely has very little substantial value to steal.

Many companies like to think their codebase is special and highly proprietary when in reality it is little more than a simple CRUD app. In which case you might be more concerned with exposing all of your business requirements and possibly your data model, where the most business knowledge would be stored. This can be mitigated by focusing on giving them access to presentation code and restricting access to data access code.

maple_shaft
  • 26,570
8

Make a contract with the external developer that he's not allowed to give out the source code to outsiders nor keep it after his hire has ended. If he violates the contract, then it's a legal case. You surely can't protect source code from the developers' eyes though!

7

A number of points here.

It's highly unlikely that anyone except you and your company attaches any value to the source code.

If you expose your PHP on a public web site, then unless you're encoding DNA or something intrinsically complex, any competent developer could reverse engineer your algorithm in days or weeks.

Why would an external developer pose any more risk than an employee, the office cleaner or any other person who could access the code?

If the code is truly valuable then a standard freelance contract would give you all the legal protection you need.

6

Probably 90% of the value in source code is the development team, support team, and user community you build around it. Unless this is some kind of super-secret game-changing start-up, the source code is essentially worthless to a third party. Even Microsoft released Windows NT code under NDAs at one point to certain people outside Microsoft. My advice is to require an NDA and be prepared to defend it with litigation in the extremely unlikely event that your IP is used somehow without your permission.

6

Why not give the contractor a company laptop that can only connect to your VPN? Then put a firewall on the VPN that blocks off any email/pastebin-type sites, install a keylogger on the machine, and fill the USB slots with Krazy Glue.

CamelBlues
  • 1,145
5

The best way to ensure you get a poor developer is to treat him like a criminal with his every move monitored through some surveillance system. No one competent would put up with that for even a couple of seconds.

Do not hire people you can't trust for any position.

HLGEM
  • 28,819
2

You could black-box sensitive parts of your project and separate them from the rest. Give an easy, well-documented interface to interact with those modules without exposing what goes on inside. This way hired programmers can easily work on your project without even seeing what they don't need to see, while still being able to use what they need to use.

Pieter B
  • 13,310
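One way to realise the black-box split Pieter B describes (and the repository segregation in Oded's update) in a PHP codebase, as an added example that is not code from the thread: the contractor's repository holds only the interface, a stub implementation and the composition root; the real implementation is assumed to live in a separate restricted package (hypothetical class `Acme\Pricing\Core\RealPricingEngine`) that is only installed on company-controlled machines. All names are assumptions.

```php
<?php
// Added example, not from the original thread. Demonstrates giving a contractor a
// documented interface plus a stub while the real business logic stays in a
// restricted repository that is never checked out on the contractor's machine.
declare(strict_types=1);

namespace Acme\Pricing;

// Public contract the contractor codes against (hypothetical method names).
interface PricingEngine
{
    /** @param array<string,int> $cart  sku => quantity; returns price in cents */
    public function quote(array $cart, string $customerTier): int;
}

// Stub shipped in the contractor-facing repository: deterministic, obviously fake
// numbers and no business rules, but enough to build modules and fix bugs against.
final class StubPricingEngine implements PricingEngine
{
    public function quote(array $cart, string $customerTier): int
    {
        $units = array_sum($cart);
        return $units * 1000; // flat 10.00 per unit, constructed placeholder pricing
    }
}

// Composition root: the only place that decides which implementation is wired in.
// The real class is delivered as a separate package (e.g. via a private Composer
// repository, assumed); on the contractor's machine it is simply absent.
function buildPricingEngine(): PricingEngine
{
    $real = 'Acme\\Pricing\\Core\\RealPricingEngine'; // lives in the restricted package
    if (class_exists($real)) {
        return new $real();
    }
    return new StubPricingEngine();
}

// Module code the contractor writes depends only on the interface, never on the
// concrete engine, so it works unchanged in both environments.
function checkoutTotal(PricingEngine $engine, array $cart, string $tier): string
{
    return number_format($engine->quote($cart, $tier) / 100, 2);
}

// Constructed sample cart for a local run.
echo checkoutTotal(buildPricingEngine(), ['sku-1' => 2, 'sku-2' => 1], 'gold'), PHP_EOL;
```

Access control then reduces to repository permissions: the contractor gets commit rights to the repository containing this file, and only the company's build pipeline installs the package that provides the real class.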
1

How does your company protect the source code from you and your fellow developers? What's to stop you and your coworkers from stealing the valuable source code and selling it to the competitor?

Whatever works for you should work for the remote developer.

0

Microsoft did protect its code; has anyone any idea how? Well, here is the thought: Microsoft paid its employees so well that they never thought about leaving the company. The ones who left certainly took the code with them; look at the example of IronPython and its development team. No one could do anything about it; it was taken to Google. Besides, you can just get the NDAs and documents which say that you cannot take the intellectual property, but then again

a) it's hard to prove; a developer may easily say that they had the code before they even started at your company, and how would you prove that wrong? I have read a lot of legal books which make it impossible to determine that the code belonged to a certain organization.

b) There is no law in the book which prohibits writing competitive software; if this happens it's called antitrust (there are a lot of IP lawyers who deal in antitrust cases), which means monopoly in promoting open and fair competition. In England it could be reported to the OFT (Office of Fair Trading); not sure what they do in the USA, but from what I heard the district attorney (attorney general) or public prosecutor deals with these cases.

MoinK
  • 11
0

If you are really that jumpy about allowing an external developer access to your source code, then just hire them to create the new modules, and fix the existing bugs yourself.

That way, the only code the outsider ever sees is the code she has written herself.

Paul Butcher
  • 2,817