[Zope] Zope+Python source-code security

Adam Manock abmanock@earthlink.net
Wed, 01 May 2002 08:50:28 -0400


>
>In my case the licensing issue is not a problem. The problem is how to
>protect the developed solution not to be copied and modified by a "naughty"
>customer. Unfortunately the application would have to be running on his
>server.

With any database-backed solution there is a strong possibility that a customer
will find a way to access the database directly. Often, the schema of the back-end
database represents about half of the work required to recreate the app.
The developer's analysis of the data set, and a large part of the requirements
for the app, can be reverse engineered from a good 3NF or 5NF schema. With
Zope, hiding the source code of the application and presentation layers will
be a problem too...

The solutions to this problem fall into the categories of legal and technical:

Technical:
Lease an application server "appliance" to your customer. Keep it current
with vendor security patches, etc., back it up for them, and don't give the
customer root, or even a shell at all!

Or sell your app as a hosted service, charge per month per user for access ;-)

Legal:

Get a non-disclosure / non-compete contract to make you feel better.
Often this kind of contract is put in place when source is to be delivered
for a particular contracting or subbing arrangement. Strict clauses about
how, when, where and for what the source may be used are the norm.
A contract to cover your concerns is nothing new; good IT lawyers should
already be familiar with them, as they've probably done a few hundred....

Conclusion:

I personally prefer the software-as-a-service idea, as it produces a nice
constant, possibly never-ending cash flow, and removes the need to create nice
pretty install routines for the software or any patches....
Your marketing dept won't be bugging you to completely re-design the
interface every six months so that they can sell a visibly new "upgrade"
either.

Don't forget about the SLA double-edged sword: it can be used to make the
customer feel better about the availability of your service, but can also be
used to limit your liability in the event of a server or network outage....
Better to refund $50 for a day of downtime than get sued for $5M 'cause
your customer lost a contract while your server was down that day....

Adam