What is the correct way to approach the request that "new developers should not be able to access the codebase"

Question

We are a small team of developers working on a web app. I answer directly to the company directors, who are responsible for hiring decisions. As a cost saving measure, new developers are often hired from countries such as India, Nigeria and Nepal.

Due to the potential difficulties in legally pursuing someone from such countries, the directors are unwilling to give these new developers access to the codebase, even with a watertight NDA.

This comes from the belief that they have spent £x thousand on development costs so far (where x is a big number), and they do not want someone to be able to take the thing they have spent so much money on.

This leaves me with the difficult problem of "How can I make the developers produce any useful work, without being able to steal the codebase".

If someone is invested enough, if they can see the codebase, they can steal it. We have been down routes of working on remote virtual machines, where the ability to copy-paste is limited etc, but even then, they could take a photograph on their mobile phone and type it up themselves. (I agree this is extreme, but I want to explore their request as much as possible).

I'm therefore left with the problem "How can I make the developers produce any useful work, without being able to see the codebase". Which seems like a nonsense statement. How could this possibly be satisfied?

When I explain this to the directors, I am often met with "well how do Microsoft stop people stealing their code?". Which I'll admit is a question I don't really know the answer to, but I suspect it is something to do with not hiring people who would be difficult to legally pursue.

My question is therefore:

How can I satisfy their request (is there something I have missed?)

OR

How can I explain that the request is unsatisfiable

Comments are not for extended discussion; this conversation has been moved to chat. — Kilisi, Apr 08 '22 at 23:34

score 288 · Answer 1 · answered Apr 06 '22 at 21:03

288

Due to the potential difficulties in legally pursuing someone from such countries, the directors are unwilling to give these new developers access to the codebase, even with a watertight NDA.

If this is their feeling, they should stop hiring developers from such countries.

answered Apr 06 '22 at 21:03

Joe Strazzere

382,456
185
1,077
1,492

18

This does not answer the question. – Evorlor Apr 07 '22 at 16:29
235

This does answer the question. – Vanity Slug - codidact.com Apr 07 '22 at 16:42
6

I think the answer is more like "they should stop hiring individual developers from such countries." You do it by hiring companies that you can have a contractual arrangement with, and have legal recourse against should they misbehave. Of course, that means that you only hire such companies where those contractual arrangements are respected and the legal recourse is available and sufficiently compensatory... – davidbak Apr 07 '22 at 17:22
31

Unfortunately this is the answer. If you cannot trust the people you hire, don't hire them. Or, if you trust the people, but not the laws or legal system to which they are subject, then don't hire those people (unless they move to a more favorable jurisdiction where they are subject to laws that are enforced). – Greg Burghardt Apr 07 '22 at 19:09
@davidbak Why do you think that hiring a company vs an individual changes anything? If the legal system in those countries is broken and useless for OP's companies I doubt it would make any difference whether they hire individuals or a company. – GACy20 Apr 08 '22 at 10:08
15

-1 While this is an answer, it is a typical knee-jerk SE one-line answer. There are plenty of good, positive ways to work around the issue and still keep this part of the workforce in a project (e.g. see 520...Monica...'s answer; or if this is indeed "the" answer, a bit more than one sentence would be in order, i.e. an explanation of why that one line is the only possible action. – AnoE Apr 08 '22 at 10:27
4

@AnoE while it may be a knee-jerk answer, it's also the most pragmatic (imo) and clearly the most recommended due to the number of votes. – Matthew Apr 08 '22 at 15:17
9

@Matthew, IMO this is an example where the SE voting mechanism simple fails hard. OP is crystal clear that he is not in the place to decide whether to hire people from such people. He is between the hammer and the rock. He asks how to make it work, or how to explain to management that it's impossible (the latter of which is always incredibly hard). These are non-trivial, valid questions, and we're helping OP in no way whatsoever with a one-liner that doesn't remotely target his question. – AnoE Apr 08 '22 at 15:48
3

@AnoE The OP has stated that the policy is being set by the directors of the company. With policy being set at that level, there is literally nothing that the OP can do at their level to make changes that would assist the developers. – Peter M Apr 08 '22 at 18:44
2

@AnoE: That just means we have yet another question that doesn't have a solution. This is the answer. If he can't apply it than it's somebody else's problem. – Joshua Apr 08 '22 at 21:19
-1 from me as well. I understand this point of view, and it's probably accurate (if a bit terse), but of course OP most likely has this reaction as well - however if OP is not the decisionmaker, this does nothing to help OP with their problem. OP did include "how can I explain that their request is unsatisfiable", and an answer would be satisfactory if it included that; this doesn't. – Joe Apr 08 '22 at 21:54
2

IMHO the problem is that the OP is trying to choose between two alternatives, satisfy the directors or convince them that their requirements are unsatisfiable, when there is a third alternative: find another job. If they really believe anyone can write software without seeing the code, something is seriously wrong with their thinking. If they are trying to write save money by hiring people they don't trust, they may be playing their own game. I have been in an analogous situation, and the only solution I found was to get away fast., before the directors need a scapegoat. – Simon Crase Apr 10 '22 at 05:09
@Joshua, there are other answers here which show how a proper, useful answer can be written. A quick look at the second-highest voted shows that it at least tries to be on-topic (i.e., takes the details of the question into account) and successfully addresses parts of the question deeply. The point is that just running away is so obvious that it's not worth an answer at all. This question is for people who want to solve this kind of problem (which occurs again and again due to the way management in big companies work). If SE cannot come up with a better answer than "run" then it's pointless. – AnoE Apr 11 '22 at 07:42
This is a horrible answer, we are not here to question the motives behind the question, but it is a common issue and there is a very simple solution, the implementation is going to be slightly different in different languages or frameworks, but as a general concept, this is very easy to achieve. OP has clearly missed something, the whole point really, I would find it hard to try to "explain that the request is unsatisfiable" because it is very reasonable and satisfyable, even if their arguments are not good ones. – Chris Schaller Apr 11 '22 at 13:27
3

@AnoE: Said answer gives a false sense of hope. If I have commit rights to a significant module in your codebase, then most of your organization is mine. Don't hire people you cannot trust. – Joshua Apr 11 '22 at 14:14
@joshua, I'm happy to agree to disagree. Primarily wanted to give feedback for the downvote, which I consider good practice. Have a nice day! – AnoE Apr 11 '22 at 14:33

score 152 · Answer 2 · edited Apr 08 '22 at 01:51

152

Modularize your application and give people access only to the components they are working on.

If your application is split into several different bits with developers only having access to what they are working on, you can then set your exported workforce to working on non-sensitive bits of the program (and vet their work with code reviews before merging!)

As for "well, how does Microsoft stop people stealing their code?":

Microsoft is a company with a worldwide presence and a lot of influence everywhere. They can pursue people everywhere. Even if the government in question doesn't feel like playing ball, Microsoft can either shut down their pirate copies if they have them or play hardball when it comes to contract negotiations if they don't. Remember, pretty much everyone uses Microsoft Windows and Microsoft Office in some critical capacity.
Microsoft has freaking Harvard and MIT graduates making their code, they don't outsource for cheap labour.
Microsoft pays really freaking well. There is no way you'd catch them giving security-sensitive work to someone who can be bribed with $500, because they all make more than that in a week.
Microsoft modularises their codebases for their most critical products. So does Apple.
Even with all that, Microsoft does suffer major leaks. Source

edited Apr 08 '22 at 01:51

Community

1

answered Apr 07 '22 at 10:51

520 says Reinstate Monica

14,872
3
29
60

33

And finally... the leaks kind of don't matter, in any practical way. Even if you got the whole source code of MS Office... so what? What does that give you, that you wouldn't already get by buying (or pirating) Office? – Luaan Apr 07 '22 at 12:26
5

@Luaan There might be interesting libraries that a malicious user might want to use for their own app. And in the case of OP, it's a web app, so buying/pirating the service wouldn't be an option, but running their own instance / clone once they have the source would be. Having the source also makes it easier to search for and exploit vulnerabilities in the application. [not saying that OPs boss is justified in their actions, but imho there might be some practical implications to leaked source] – tim Apr 07 '22 at 12:39
22

Though I fear that the company in question is unlikely to be able to modularize the codebase without a rewrite--just a guess based on their extreme focus on low cost development... That said this is a great answer. – bob Apr 07 '22 at 13:11
8

...this starts to sound like how the Funniest Joke in the World is managed. – J... Apr 07 '22 at 14:24
1

So... redesign and redo everything from scratch? – Josh Part Apr 07 '22 at 22:40
12

Although MS does modularize, it's worth noting that they make their "source code viewable within Microsoft" and don't restrict access based on responsibilites – lights0123 Apr 08 '22 at 02:24
This is what the company I work for does. Everything is packaged up in Nuget packages or DLLs and a given project may have anywhere between 1 and a dozen or more such packages being referenced. Usually less rather than more. The result is that I can pull a front-end project up, work on it and submit it, without ever having the ability to even look at the more sensitive business-logic. For a company with a single product, this probably wouldn't work, but the business-logic (the really valuable bit) could be separated, packaged up and provided as a black-box like this. – Ruadhan2300 Apr 08 '22 at 07:48
Although not fore cheap labour Bill Gates has been critical of the US government for not giving people from overseas that he wanted to employ work permits. He would absolutely like to outsource expensive labour. – Neil Meyer Apr 08 '22 at 16:36
@Luaan although I have not been personally involved in those projects it would not surprise me if Libre office and Open office was not just a type of reverse engineered ms office. How exactly those programs could save document in ms word file types without accessing word source code I'm unsure of. – Neil Meyer Apr 08 '22 at 17:08
2

@ NielMeyer years and years of reverse engineering efforts :) – 520 says Reinstate Monica Apr 08 '22 at 20:45
Do you have any actual facts and numbers for statements like "Microsoft has freaking Harvard and MIT graduates making their code, they don't outsource for cheap labour." and "Microsoft pays really freaking well. There is no way you'd catch them giving security-sensitive work to someone who can be bribed with $500, because they all make more than that in a week." . Otherwise they feel like subjective generalities. Same for "Microsoft modularises their codebases for their most critical products. So does Apple." – Patrick Mevzek Apr 08 '22 at 22:15
1

@NielMeyer MS Office "format" was published, exactly to make it appear open, where it is not really because full of intractable details and missing points, but still. See https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offfflp/8aea05e3-8c1e-4a9a-9614-31f71e679456 for example. – Patrick Mevzek Apr 08 '22 at 22:17
@PatrickMevzek Not the OP but you might want to check out https://www.levels.fyi/company/Microsoft/salaries/. The numbers reported there are not official, but they do seem roughly in line with what I expect those kinds of jobs to pay, at least in the US. – David Z Apr 09 '22 at 05:58
@DavidZ Yes that is one datapoint however it is only what people report themselves so no way to know if this is real or not or what percentage of all employees it represent. The assessment in the answer that people are deterred to be bribed just because of high pay is flawed: politicians salary is also said to need to be high exactly to ensure their independance, however bribes still happen. So it is far more complicated than just a number on a paycheck. – Patrick Mevzek Apr 09 '22 at 18:15
2

"Microsoft has freaking Harvard and MIT graduates making their code, they don't outsource for cheap labour." Actually they do. A lot of work is done in India. You didn't take into account that to write an OS you need a big team with people with different experience and different skill. There is also room for not so stellar and not so highly paid developers. – FluidCode Apr 09 '22 at 21:00
It worked so well in the 'Cube' movies, that the characters didn't even realise what they were working on. – Horizon Apr 10 '22 at 00:20
Microsoft has a >5K dev site in Hyderabad, India. Having been a Microsoft developer, I can personally attest that folks there have access to code of their respect code, including Windows 11, Office etc. They are actual, blue-badge Microsoft employees, not contractor from IT outsourcing firms like WiPro (although those do exist as well) – Jonathan Apr 10 '22 at 09:06
@Jonathan true, but they aren't cheap - at least not by Indian standards. Those jobs aren't going to the lowest bidder. – 520 says Reinstate Monica Apr 12 '22 at 11:38

score 27 · Answer 3 · answered Apr 07 '22 at 17:26

27

Stop hiring individual developers from such countries. Microsoft, Amazon, Google, etc. do not do that (with minor exceptions for exceptional reasons.)

They offshore by hiring companies that do such projects, so that they can have a contractual arrangement with them, and have legal recourse against them should they misbehave.

Of course, that means that they only hire such companies where those contractual arrangements are respected and the legal recourse is available and sufficiently compensatory...

answered Apr 07 '22 at 17:26

davidbak

1,123
7
11

This is the correct answer. It's not going to be as cheap as hiring your own offshore developers. But this is the correct answer. – Stephan Branczyk Apr 09 '22 at 01:54
1

And even if those companies might be hard to reach legally if they misbehaved, if they have been in business for a long time, then they had built up trust, and they'd care about their reputation. This is how trade was done even in ancient times, where there was even less chance to prosecute people living in other jurisdictions than yours. – Val Apr 09 '22 at 20:57

score 18 · Accepted Answer · answered Apr 07 '22 at 19:18

You have had a few answers to the first question; how to do it. I wanted to suggest an answer on the second line: how to persuade them it cannot be done.

There is of course a slight frame challenge. It can be done. What I would suggest is preparing a few scenarios with estimates of the associated costs and risks. This entire conversation exists because your boss believes that the expected or perhaps worst plausible case cost of the approach is lower than the alternative.

As such, your best option is to speak the same language. Don't say "this is impossible." but say instead "I have prepared a rough plan for implementing this scheme. <insert one of the other excellent answers about tooling, modularisation, and vetting.> however I do have to let you know that

licensing relevant additional software would cost X
we would have to hire D additional devs who we can trust to handle the vetting and integration, at salary plus overheads. We would have to hire Q additional QAs to handle the additional integration load.
the productivity of the remote devs working under these constraints would be y percent of normal, corresponding to an effective increased staffing cost of Y
it is likely that this would harm morale, corresponding to increased turnover and hiring costs of W. In particular A probably wouldn't stand for it, and it would be quite hard to find someone of a similar calibre who would.
even with all this in hand, we would only make it about 3 times harder for a bad guy to walk away with our code, and only about 1.5 times harder for them to insert malware, which would cost X in legal risk and reputational damage.

Meanwhile getting the same development throughput with a trusted foreign remote team would cost this (including the higher risk costs), and doing it with a domestic team would cost that (including the higher base salary costs)"

You could perhaps frame this in terms of a "cost-benefit analysis", or "total cost of ownership", for each of several options. As pointed out in other comments, this could also include a frame challenge of exactly what the cost would be if a developer did steal the source code - how much of a material advantage would that source code actually give a competitor? — IMSoP, Apr 09 '22 at 17:57

score 17 · Answer 5 · answered Apr 06 '22 at 20:36

17

Modularization, unit tests and continuous integration.

Very often there is a core part of a product and interfaces which are work to do but in itself don't provide much value to anything but this product.

Set up an continuous integration server which pulls the developers new code, builds it together with the confidential code and provides the result either as a service, performs tests or a virtual desktop infrastructure access where somebody could do usability tests.

answered Apr 06 '22 at 20:36

Sascha

17,910
2
39
67

Unfortunately they want the developer to work on all areas of the codebase :( - For example they may be asked to change the colour of a button - which isn't something you could modularise out of the main codebase – Louis Apr 06 '22 at 20:43
20

@LouisIrwin: What? Your Main Codebase is tangled with UI Style information? – Sascha Apr 06 '22 at 22:47
9

+1. @LouisIrwin there are many software design patterns that absolutely would allow changing of the colour of a button without access to the back end code that does the clever stuff (eg. MVC). The exact details will vary, but this sort of separation of roles could allow you to keep valuable algorithms private while allowing external workers to develop user interface changes. – User65535 Apr 07 '22 at 10:47
Maybe my question wasn't clear on the size of the project. We're developing a small web app - there are no real 'valuable algorithms', nothing new or unique is being done. However, the directors still see the entire codebase as valuable because they have spent so much money on developers salary making it. The entire web app is essentially just API calls and UI to display the results. So to answer "Your main codebase is tangled with UI style information" - the whole codebase more or less is just style information - it's a bunch of HTML and a little JS to make the API calls. – Louis Apr 07 '22 at 12:39
2

@LouisIrwin So, let me get this clear - they are afraid someone steals the code and launches the app clone, the API you make requests to is public, and they somehow think this is worth a lot of money and potentially getting into legal trouble? Do they really believe it will hurt their pocket if someone demonstrably infringes on their IP and NDA while operating on the same markets as you do?! – Lodinn Apr 07 '22 at 13:22
38

@LouisIrwin wait, so your boss is afraid of them stealing HTML/CSS/JS code that will be sent anyway to the users when they open your web app to draw the UI on their screen or am i missing something? – John Doe Apr 07 '22 at 13:35
17

I don't see how unit tests or continuous integration have anything to do with the question at hand. – JamesFaix Apr 07 '22 at 13:43
27

@LouisIrwin it sounds like the correct answer is to tell management that their code base isn't nearly as valuable as they think it is – Esther Apr 07 '22 at 14:32
4

@Esther is 100% correct, In my opinion. I do NOT, however, know how you put this to management in a palatable fashion. – kpollock Apr 07 '22 at 15:03
25

"the directors still see the entire codebase as valuable because they have spent so much money on developers salary making it" - your directors obviously flunked Econ 101. The value of a product has nothing to do with how expensive the inputs were. If I set a highly paid professional to make mud pies all day long, that would cost me thousands of $$$, but the mud pies would still not be valuable. No, I'm not suggesting you tell your directors that... I just hope they bring other qualities to the table than their business acumen... – Stephan Kolassa Apr 07 '22 at 15:31
8

"I do NOT, however, know how you put this to management" If the developers have access only to tests DBs, no view on production, you could emphasize how the data is more valuable than the app. – FluidCode Apr 07 '22 at 16:01
While the company I work for doesn't worry about its employees stealing its code or practices, we do have most of our code compartmentalised into packages and APIs. Access to a given project is granularly controlled by IT and the project-managers. If we had reason to distrust an outsourced developer, we could absolutely keep them away from sensitive code and provide them with only the fully assembled packages to work with. The reality though is that we expect our employees to act in good faith and will pursue them with frightening legal power if they don't. So it's a non-issue. – Ruadhan2300 Apr 08 '22 at 07:41
@Esther actually that's more like the correct question; the correct answer would be a plausible way to tell them that and make them understand – Josh Part Apr 08 '22 at 14:37

score 8 · Answer 6 · answered Apr 07 '22 at 12:08

What do you really have to protect against?

If you want to protect against somebody copying the whole code base (+scripts and other tools needed to deploy it) a remote-desktop solution where the developers only work on company servers over e.g. VNC could be sufficient. Of course you can still copy&paste text from files or take screenshots, but it would be horribly slow. If you supply some necessary tools/parts in binary format only they’d also be almost impossible to copy this way but the developers could still use and execute them just fine. The disadvantage with this approach is that developers need (fast) internet access to your servers where the VNC session is running.

As others have already answered, another approach is compartmentalization. Only give access to parts of the project. This can create a lot of permission management overhead and can make developers less effective if they can’t see code which is related to their work. If you have some kind of super secret algorithm you really want to protect this is pretty much the only way.

" Of course you can still copy&paste text from files or take screenshots, but it would be horribly slow."
Not really. With some tinkering, it should be relatively easy to automate the extraction of code from a series of screenshots or video. Heck, we're talking about explicitly heap to contract labor - so the effort of even manually transcribing would be fairly minimal.

It's far faster to copy code than it is to write code. — NPSF3000, Apr 08 '22 at 03:31
You expect to give people access to compilers on at least somewhat internet-connected machines and think they can't find ways around your blocks. I can't imagine being that optimistic. — Joshua, Apr 08 '22 at 21:17

undercat · Answer 7 · 2022-04-10T01:26:37.457

6

how do Microsoft stop people stealing their code?

Microsoft has successfully open sourced a lot of their projects.

Your company can, too.

And much like Microsoft, you can assist the more successful remote developers with a work visa and relocation so that they would be under the same legal framework as all other regular employees.

edited Apr 10 '22 at 01:26

answered Apr 08 '22 at 03:35

undercat

216
1
6

score 3 · Answer 8 · answered Apr 07 '22 at 09:59

I'll assume that ensuring that these off-shore developers are productive is part of your responsibility.

If so, then the usual solution in this type of case is to be the gatekeeper of all information shared with these developers so that they only have access to the bits of your codebase that they need to complete their work assignments.

It's going to be your job to break down work into independent parts that do not require a broad knowledge of the system's source code. You may need to write specifications for APIs and the like so they know what to code against.

Yes, this is certainly a less than ideal situation but it's not at all uncommon both with off-shore developers as well as on-site contractors. Both are basically treated as short-term workers who are available to perform specific tasks and then either move on to another assignment or are given another independent bit of work if they continue with their current assignment with your company.

Yes, this is a lot of extra work for you but clearly this is the business model that your company management believes is best for them at this time.

score 3 · Answer 9 · answered Apr 10 '22 at 09:52

"well how do Microsoft stop people stealing their code?"

Not successfully

https://appleinsider.com/articles/22/03/22/hackers-allegedly-leak-37gb-of-microsoft-source-code https://thehackernews.com/2020/09/windows-xp-source-code.html
https://www.techpowerup.com/267517/original-xbox-windows-nt-3-5-source-code-leaks-online

But that isn't really the question is it? While I agree with Joe's reply and 520 already hints at this, I want to give answer to how to actually do it.

Even though what your directors are asking for is a little bit silly, it still is good to have an answer for them so the decision is up to them.

The answer is: Software Architecture

While this is not the place to go into details (better ask on Software Engineering SE for that), you can build software in a way that new functionality can be developed with only having to know small parts of the code base and defined APIs.

The short version is:

Apply open/closed principle, that allows new code written by extending the code-base with new code rather than modifying existing
Ensure separation of concerns so that a developer only has to touch their own teams code.
Have clearly defined and documented APIs that allow interaction between modules without knowing their internals.

To get there your organisation will have to hire one or more decent architects, a team of very senior core developers and technical writers to develop your software's core APIs.
This will be expensive, but then extensions can be done at scale and outsourced to developers you only have to trust with the code they are writing themselves.

You probably would have to think about quality assurance as well, if you already are hiring developers you don't trust, but that is not really asked here.

score 1 · Answer 10 · answered Apr 06 '22 at 20:51

1

IMHO, it depends on technology you are using

One of the options could be is to compartmentalize any expensive IP work in to assemblies or API`s, accessible only by interface.

answered Apr 06 '22 at 20:51

Strader

13,415
1
26
59

What is the correct way to approach the request that "new developers should not be able to access the codebase"

10 Answers10

Modularize your application and give people access only to the components they are working on.