
Source code policy

By ChandraRam ·
Hello everybody

I am now working for a company whose major work is in internationalizing software products developed by its clients. This necessitates that we work directly with and modify their source code. I am required to create a policy document that would spell out the security measures that my company can put in place to make sure that the clients' code is kept confidential.

Anybody in similar situations now or in the past? Any suggestions on what I should include in this document?

Thank you in advance


6 total posts (Page 1 of 1)  

Confidential from whom

by Tony Hopkinson In reply to Source code policy

From those outside your organisation, would be the hopefully sound measures you have to protect your own stuff.

What's the plan for getting hold of their source?

How are you going to store it while you are working on it?

How are you going to send it back?

Who is going to be working on it?

Where are they going to work on it? Telecommuters or those with portables will increase the potential failure points, for instance.

Another thing I'd look at is attempting to safeguard my company from being blamed for a leak in the client's company.


Securing from...

by ChandraRam In reply to Confidential from whom

We have restricted access to the client's dedicated code-server whenever the client needs to drop-off the latest source to our team.

After this, the code resides on our internal server and is only accessed by our developers from inside our office premises.

What I am looking at is creating and implementing a source code security policy that will increase the confidence level of the client.

And, thank you for that information about making sure that client leaks are not blamed on us.


Well hopefully you have a version control system

by Tony Hopkinson In reply to Securing from...

Put the source in that and restrict access. If each client is a project you can even limit the number of developers who can access it, though that might limit your operational freedom.
Given your own network is secure and you have a secure link to the client.
Concerns would be your own employees disclosing the code, which should be unlikely. Or an operational failure where you mixed your clients up and sent them someone else's source.
You can do a bit about the latter, mainly some sort of signoff procedure which highlights the potential danger, so hopefully that sort of carelessness is inflicted on you.

IP confidentiality with your employees applies as much to your company's own stuff as it does to your clients'. Certainly any protection and confidence measures will be the same.
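The two controls raised in this reply, per-client access lists on the repository and a sign-off step that catches a bundle assembled from the wrong client's tree, can be checked mechanically before anything is sent back. The following is an added example written for this thread, not code from any poster; the client names, project roots, developer names and the in-memory file contents are all constructed, and the checks run against an in-memory bundle rather than a real repository.

```python
"""Delivery sign-off gate for client source code (constructed example).

Models two controls: a per-client developer access list, and a sign-off
that refuses a delivery bundle containing files outside the client's
project root, prepared and approved by the same person, or handled by
someone not on the client's access list. All names are hypothetical.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath

# Hypothetical per-client project roots and developer access lists.
PROJECT_ROOTS = {
    "client_a": PurePosixPath("/repo/client_a"),
    "client_b": PurePosixPath("/repo/client_b"),
}
ACCESS_LISTS = {
    "client_a": {"alice", "bob"},
    "client_b": {"carol"},
}


@dataclass
class Bundle:
    client: str
    files: dict       # absolute path -> file bytes (constructed, in memory)
    preparer: str     # developer who assembled the bundle
    approver: str     # second person signing it off


def can_access(user, client):
    """True if the user is on the client's access list."""
    return user in ACCESS_LISTS.get(client, set())


def path_in_project(path, client):
    """True if an absolute path lies strictly under the client's root.

    PurePosixPath does not collapse '..', so any '..' component is
    rejected outright rather than risking a path that escapes the root.
    """
    root = PROJECT_ROOTS[client]
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return root in p.parents


def check_bundle(bundle):
    """Return a list of problems; an empty list means the bundle may ship."""
    problems = []
    if bundle.client not in PROJECT_ROOTS:
        return [f"unknown client {bundle.client!r}"]
    for who, role in ((bundle.preparer, "preparer"),
                      (bundle.approver, "approver")):
        if not can_access(who, bundle.client):
            problems.append(
                f"{role} {who!r} is not on the access list for {bundle.client!r}")
    if bundle.preparer == bundle.approver:
        problems.append("preparer and approver must be different people")
    for path in bundle.files:
        if not path_in_project(path, bundle.client):
            problems.append(
                f"{path!r} is outside the {bundle.client!r} project root")
    return problems


def manifest(bundle):
    """Per-file SHA-256 lines plus one digest over the sorted manifest.

    The overall digest is what the approver records at sign-off, so the
    exact contents of what was sent can be shown later if questioned.
    """
    lines = []
    for path in sorted(bundle.files):
        digest = hashlib.sha256(bundle.files[path]).hexdigest()
        lines.append(f"{digest}  {path}")
    overall = hashlib.sha256("\n".join(lines).encode()).hexdigest()
    return lines, overall


if __name__ == "__main__":
    # Constructed bundle that mixes two clients' files; the gate must refuse it.
    mixed = Bundle("client_a",
                   {"/repo/client_a/src/main.c": b"int main(void){return 0;}",
                    "/repo/client_b/src/lib.c": b"/* other client */"},
                   preparer="alice", approver="bob")
    for problem in check_bundle(mixed):
        print("REFUSED:", problem)
    clean = Bundle("client_a",
                   {"/repo/client_a/src/main.c": b"int main(void){return 0;}"},
                   preparer="alice", approver="bob")
    print("problems:", check_bundle(clean))
    for line in manifest(clean)[0]:
        print(line)
```

The path check is the part that addresses the "sent them someone else's source" failure: every file in the outgoing bundle must sit under the one client's root, and a separate approver from the access list has to sign the manifest digest.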


Yes, we do...

by ChandraRam In reply to Well hopefully you have a ...

We have a fairly good version control system in place, where I can set user access rights for each folder.

I will have to include the bit about the signoff procedure in my document.

Thanks


Another thing to think about

by JamesRL In reply to Yes, we do...

Backups.

I would suggest that those with access to the accounts which are allowed to do backups are also those who need to be "controlled" in order to keep the data confidential. In some cases people encrypt the backup files so that not every sys admin can access it (as long as there are at least 2).

Do you put the software in escrow? That's another group of people with access....

James


Backups

by ChandraRam In reply to Another thing to think ab ...

are the domain of the sys admin and we have just one. I do believe the backup is encrypted.

Could you explain a bit about what you mean by putting the software in escrow?

Thanks
