Third Party Code Review?
An Anonymous Coward asks: "It looks like our salesperson is about to land a big contract with a very large US bank; however, there is a large catch in that the bank is demanding that we let them do a full audit on the source code of the software application we are selling them. After the recent rash of identity thefts of credit card and other personal info, they now mandate that all internet-facing applications that store potentially private information have to have a full source code audit. This includes software from 3rd party vendors such as my company. They want to run our Java code through some software called Fortify (we looked up the price -- around $80,000) and also do a manual analysis of the code. This software is our company's life-blood. We would be ruined if it fell into a competitor's hands. We aren't storing private information about their customers; all of the information can be found from government county auditor web sites. I understand their point of view, but it is a very scary step for us to take. Has anyone else done this and how did it work out?"
ruined? (Score:4, Insightful)
Then it sounds like you are in the business of selling disks with programs on them. In that case, you're already sunk. You need to move NOW to a model where you make your money deploying and supporting software.
show them the bleeding source code, you pansy.
Re:Security with closed and open source (Score:4, Interesting)
OK, this is flamebait, but what the hell. It annoys me when people claim something is proven, without actually supplying any proof.
As a thought experiment, try this out. Start off with a software project that forks into two branches. One branch is developed with an open source model. The other branch becomes closed source. Assume that the original software project had a certain number of bugs. Now I ask you, as time goes on, which branch would contain fewer bugs? The closed source, or the open source?
It seems obvious to me that the open source project would quickly have its bugs fixed, because of two reasons. The coders on the project would have ego on the line, and would therefore be much more careful with publicly available code. Due to the immense availability of peer review, issues are discovered and reported much more quickly and thoroughly.
It also seems obvious that the closed source project would have many more bugs, for many different reasons. Programmers are more likely to ignore issues, because "nobody can see it". The pressure of getting a release out means that things are quickly cobbled together without much thought for security. If there is a review of code, it is not likely to be as thorough as what is available to open source.
If the code is hidden, a program is not more secure. Otherwise, how do you explain the numerous security issues found in closed source software every year?! Whoever found the bugs didn't have access to the source, yet they were still found. And once it is found, how can you fix it? I'd say that closed source software is far more insecure than open source, because not many have access to the source.
Re:Security with closed and open source (Score:3, Informative)
> OK, this is flamebait,
Well, the GP wasn't flamebait, but funny.
Re:Security with closed and open source (Score:2)
Re:Security with closed and open source (Score:1)
I guess I'll tone down the "mock and deride" statement a little. In the best world, people will constructively help you improve your skills. If you refuse or fail to learn, then they'll mock and deride -
Re:Security with closed and open source (Score:3, Insightful)
To be fair, a thought experiment rarely provides proof of anything. Yes, they're useful for figuring things out and demonstrating things, but they don't prove anything.
As for the `far more secure' claim, there is some truth to it. (Or were you
Re:Security with closed and open source (Score:2)
To be just as fair, I never claim to prove anything :). I was just annoyed with the original poster, and his claims about closed source being proven more secure. But while I don't really prove anything, I hope I've shown that open source can have many reasons for being more secure.
Whether it's open source or closed source, it is impossibl
Re:Security with closed and open source (Score:2)
It also seems obvious that the closed source project would have many more bugs, for many different reasons. Programmers are more likely to igno
Re:ruined? (Score:3, Insightful)
There is nothing fundamentally wrong with selling software.
Re:ruined? (Score:2, Insightful)
Exactly. This is especially true in the case of niche applications for vertical markets, where open source competition is not an issue.
Re:ruined? (Score:5, Funny)
Talk to the bank manager, let him know that you wholeheartedly support security audits. Then ridicule him for trusting Fortify, a closed source tool, for such an important audit. Enlighten him about the possible conspiracies involving Fortify, Nigerian Scammers, Dick Cheney,
Whew, another success story for the books.
Re:ruined? (Score:5, Funny)
Re:ruined? (Score:4, Funny)
At some point in the above-mentioned plot, mostly around the end, you should laugh like a maniac, like "BWA HAH HA HA HA HAAAAAAaaah". For more information, see this entry on Wikipedia.
Re:ruined? (Score:2)
First off, I know nothing about this Fortify product, so you may want to take what I say with a grain of salt. However, it does appear as if the bank is putting a LOT of faith in this product that it will find these supposed security holes. A wise man once said that there is no such thing as a "silver bullet", but it appears as if this bank has not taken this wisdom to heart. They are under the false impres
Re:ruined? (Score:2)
It takes money to write software, yes they will make money on support and updates but with the source to your software your competitor can easily take the work that you have done for free. Then they can offer an initial lower cost purchase and make the same on support as you did.
In the real world it would be like releasing your software under BSD! I know the RMS faithful will understand that.
A small company probably doesn't ha
Give them the code (Score:5, Interesting)
Handing over the source code should be part and parcel of any non-retail software package. Like Free Software, but without all the philosophical bullshit.
Re:Give them the code (Score:1, Insightful)
Yeah, having an opinion is BAD! Only idiots and terrorists have opinions!
Re:Give them the code (Score:2)
NDA (Score:4, Informative)
Re:NDA (Score:5, Insightful)
An NDA and possibly a Non-compete agreement should be fine. This stops them from sharing the source and from giving the source to in-house developers to try to pick through your source to make a product for themselves.
Also, since they do this with all applications they use, you have the right to ask for the contact info of a few places they've done this with. This allows you to talk to X Company about what happened during and after the process. Tell them this is your security check on them.
Either way, as with most business related "Ask Slashdot" articles, you need to consult your lawyer.
Re:NDA (Score:2)
To make this work, in addition to an NDA, you would need to make the source for each customer just a little bit different. Then, if it turns up elsewhere, you know, and can prove in court if necessary, where it came from.
Having said that, I still think that the "sell disks with ones and zeroes on it" model is flawed. In my long experience, most custom software should be a thin layer of Open Source glue around Open Source components, distributed under an appropriate and most likely Open Source license,
Re:NDA (Score:2)
Actually, on most days, I am a successful businessperson. My clients get their money, and their clients don't get their knees busted. :)
Seriously, I've done consulting and development freelance in the past, and hope to get back to that someday, but for now I do software development for a megacorp. It's not exciting, but it pays the bills.
If they steal your code (Score:5, Interesting)
As for the use of an $80k code audit tool: if the bank's paying for it, that's how it's going to happen. BTW, expensive niche software companies don't always like it when their quotes become public knowledge. Companies like that often try to guess what each customer is willing to pay, within reason.
Re:If they steal your code (Score:1)
Re:If they steal your code (Score:1, Informative)
Re:If they steal your code (Score:2)
You need a human for that. Not a developer by the way. You need someone with a good architectural view that will not get bogged down into the details for that.
Re:If they steal your code (Score:2)
So what? Keeping the price secret helps producers to dictate the price, knowing it benefits the consumer. Capitalism is a constant battle between consumers and producers; do you want to allow producers to use the weapons they have available, while depriving consumers of the same right?
Exactly (Score:2)
You'll sue. You'll win. You'll be fine. Your competitor will be ruined. The person who leaked the code will be ruined.
This is it exactly. I don't understand how it got to be this way, but the "Oh, no! Our source code must be kept secret or we'll be ruined! Ruined, I say!!" attitude is almost as silly as it is widespread. That's what copyright is *for*: You can hand out copies of your source all over the place and no one is even allowed to compile it without your permission. Certainly no one is going
Not too sympathetic. (Score:5, Insightful)
> very large US bank
What, pray tell did you expect? It looks as though you blundered into a pot of gold and kept going despite the fact that you're not large enough yet to carry it away.
Of course they'd demand third party review. I hope *my* bank would! What I also don't see is any mention of a three-inch NDA that would be signed.
Established companies like Microsoft can sell stuff with some (or all) of the hood welded shut. They are an authority. They dictate who our browsers trust. They're huge and they could afford to pay for resulting damages (good luck pinning any on them
If you really want to use this as a spring board I'd let them have at the code. Unless you're in the middle of an "Oh SHIT we gotta re-code all that GPL stuff we used
Why would you worry if there wasn't anything to worry about? And why risk your "life's blood" on one single venture?
Order happy meal first. Big mac later.
Off my soapbox.
Re:Not too sympathetic. (Score:3, Funny)
Re:Not too sympathetic. (Score:4, Funny)
Pointless Haiku
containing big mac
always ends with
toilet flushing.
I doubt that qualifies. But then I don't qualify for much either
Re:Not too sympathetic. (Score:2)
Re:Not too sympathetic. (Score:5, Funny)
Order a Big Mac later.
Fries with that?
My god, it's late and I need to go home
Re:Not too sympathetic. (Score:2)
Make it "Having fries with that?"
And you've got Haiku.
Re:Not too sympathetic. (Score:2, Funny)
NDA (Score:5, Insightful)
Of course, there is the bargaining position of if they are really in need of your software, then you could be in a good position to strike up a trust and maybe negotiate your way out of being audited.
I've done a few defence contracts where they've demanded the same type of auditing, and in a few I've managed to get out of the auditing process for non-mission-critical systems by negotiation.
Re:NDA (Score:4, Interesting)
Spot on. With that in place, no real reason to worry about the source code. The Java decompilers out there (try JAD for instance) are good enough I stopped bringing source with me and would just decompile the class files if I needed to look at something. If you think a Java class file will keep code out of your competitor's hands - you are in for a real shock.
Re:NDA (Score:2)
Kind of naive (Score:2)
> Spot on.
Tell that to Cisco
Re:NDA (Score:3, Informative)
Re:NDA (Score:1, Insightful)
This is how many of the govt contractors go from having just a foot in the door to having multi-million dolla
Uhh, java class == source code (Score:4, Insightful)
Re:Uhh, java class == source code (Score:2)
Re:Uhh, java class == source code (Score:2)
Re:Uhh, java class == source code (Score:2)
Re:Uhh, java class == source code (Score:2)
Single you out? (Score:3, Interesting)
The system will fail security at its weakest link, whether it be your banking software or the operating system it runs on.
Re:Single you out? (Score:1)
http://www.pcworld.com/news/article/0,aid,64184,0
Re:Single you out? (Score:1)
Woo! Free Audit! (Score:2)
If I were your competitor, and I wanted your code that badly, I would have already disassembled it by now. If it's Java, I would have had a really easy time of it.
Just do it (Score:3, Insightful)
Re: (Score:2)
It ain't windows. (Score:2, Insightful)
If we somehow got hold of the source to SAP R/4 and MySAP, outside of a quality review, it would be worthless to us. The support, maintenance fixes, and configuration assistance SAP provides are worth far far more than the code. And the risk that comes with internally-compiling the code (and we
Re:It ain't windows. (Score:1, Informative)
Let me clarify - the source code for the kernel is not included - but for the bits that you would actually care about, the business applications that run your company, the full source code is there in the system. The first time you access a transaction after an upgrade you can sometimes see the li
Third Option (Score:1)
Banking MO (Score:4, Interesting)
Code Auditing (Score:4, Informative)
* get a good tight NDA from the auditors
* get a well-respected firm to do it, one that has something to lose. Someone like Ernst & Young.
* insist on it being done on your site, and that you receive all work products at the end of the audit. This won't keep someone from walking off with a copy of the code anyway (not when you can buy a 2 gig USB key for a hundred bucks) but will strengthen your case if anything does get pirated.
* Look for a firm that doesn't have a software business in your area of expertise. You don't need to be building bank apps to audit the code; if you pick someone who doesn't have bank apps in their product line, and they suddenly start some after the audit, you'll have a good hint that there's a balrog in the woodpile.
Re:Code Auditing (Score:2)
Generally, production code is not of excellent quality, since there is no time in the real world of business to make it super-duper. What is really important is something you can't steal: the knowledge and experience in your employees' heads.
Anybody who has had to maintain other people's code knows that often it is easier just to re-write it (or large chunks of it) anyway.
As for getting somebody reputable like Ernst and Young: be
Allow them their audit. (Score:2)
Yes. LOTS of profits. (Score:2)
Allow audit of the source under full NDA and without leaving any technical means to circumvent the NDA.
As an extra: advise and provide help of lead programmers of your company - they will be able to immediately explain any doubts, possibly fix immediately all easier security bugs found by the audit (no waiting for feedback: "here's an error, fix it", week later "here's a fixed version, audit it", another week later "the fix is not satisfactory, fix again" and so on), and in the
Government code reviews (Score:4, Interesting)
Notes from the experience:
* We requested examples of code that met specific auditing criteria, and received back several somewhat-anonymized methods, apparently taken from competitors' products. You should verify that the bank has appropriate "handling procedures" for protecting 3rd party source code.
* Our audit criteria were spelled out in an FEC ruling in decent detail. We found that 50% of the rules could be easily expressed as existing Checkstyle "checks" [http://checkstyle.sourceforge.net/]; it was pretty easy to build custom "checks" to catch another 30%. We then used an Eclipse plugin [http://eclipse-cs.sourceforge.net/] to get real-time highlighting of detected issues (plus Ant scripts for command-line checking).
In your case, Fortify "rulepacks" appear quite proprietary/complex, so using their product is probably your only option for pre-audit auditing. If licensing is out of the question, and you can't strike a cross-promotional bargain (i.e. you market with "Secured by Fortify", they use you as a case study, you get a discount), try and get access to the tool through the bank before the official audit, or negotiate an appropriately flexible window of time in which to address any discovered issues.
* You're not "innocent until proven guilty" in an audit. In *many* situations, we had to argue against rules that were nonsensical in Java, or false-positive issues discovered by the audit. Some we won, most we lost; we faced an uphill battle on all.
* Our auditor was apparently not fluent in Java, and flagged several issues regarding the method names on classes in java.lang.*. Be thankful for automated auditing
Good luck!
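An added illustration (not the poster's own code, which was never published) of what one of those custom Checkstyle checks looks like when an audit rule is turned into a tree-walking check. The rule encoded here, "exceptions must not be silently discarded", is a constructed stand-in, since the page does not list the FEC criteria; the package name and the placement in checkstyle.xml are assumptions.

```java
package com.example.audit;

import com.puppycrawl.tools.checkstyle.api.AbstractCheck;
import com.puppycrawl.tools.checkstyle.api.DetailAST;
import com.puppycrawl.tools.checkstyle.api.TokenTypes;

/**
 * Constructed audit rule (hypothetical, not from any real ruling):
 * a catch block must actually handle the exception. Flags
 *   1. catch blocks with an empty body, and
 *   2. catch blocks whose only statement is x.printStackTrace(),
 * which leaves the failure unhandled and dumps internals to the console.
 *
 * Registered in checkstyle.xml (assumed layout) as:
 *   <module name="Checker">
 *     <module name="TreeWalker">
 *       <module name="com.example.audit.SwallowedExceptionCheck"/>
 *     </module>
 *   </module>
 */
public class SwallowedExceptionCheck extends AbstractCheck {

    // With no messages.properties bundle, Checkstyle formats the key
    // itself as the message, so {0} is filled from the log() arguments.
    private static final String MSG = "exceptions must not be silently discarded: {0}";

    @Override
    public int[] getDefaultTokens() {
        return new int[] { TokenTypes.LITERAL_CATCH };
    }

    @Override
    public int[] getAcceptableTokens() {
        return getDefaultTokens();
    }

    @Override
    public int[] getRequiredTokens() {
        return getDefaultTokens();
    }

    @Override
    public void visitToken(DetailAST catchAst) {
        // The catch body is the SLIST child; an empty body's first child is RCURLY.
        DetailAST body = catchAst.findFirstToken(TokenTypes.SLIST);
        DetailAST first = body.getFirstChild();
        if (first.getType() == TokenTypes.RCURLY) {
            log(catchAst, MSG, "empty catch block");
        } else if (isLoneStackTrace(first)) {
            log(catchAst, MSG, "catch block only calls printStackTrace()");
        }
    }

    /** True when the body is exactly one statement of the form e.printStackTrace(); */
    private static boolean isLoneStackTrace(DetailAST stmt) {
        DetailAST semi = stmt.getNextSibling();
        boolean single = stmt.getType() == TokenTypes.EXPR
                && semi != null && semi.getType() == TokenTypes.SEMI
                && semi.getNextSibling() != null
                && semi.getNextSibling().getType() == TokenTypes.RCURLY;
        if (!single) {
            return false;
        }
        DetailAST call = stmt.getFirstChild();   // METHOD_CALL under the EXPR
        DetailAST dot = call.getFirstChild();    // DOT for a qualified call like e.printStackTrace
        if (call.getType() != TokenTypes.METHOD_CALL || dot.getType() != TokenTypes.DOT) {
            return false;
        }
        return "printStackTrace".equals(dot.getLastChild().getText());
    }
}
```

Compiling this against the Checkstyle jar and adding it to the TreeWalker makes the rule show up in the same Eclipse highlighting and Ant runs the post describes.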
Sarbanes-Oxley (Score:5, Informative)
So you've only got two choices: "Let them audit the code" or "Lose a customer".
FYI, I work as a programmer at a bank.
Here is your solution: (Score:2)
What does Fortify do, anyway? (Score:3, Insightful)
The main issues in Java are going to be logic errors and misimplementing security protocols. Things like bad packet handling in a network server. There is NO WAY an automated system can detect problems like this: it is the Halting Problem.
So what can this program do? All I can imagine it doing is checking to make sure that you're not using any function calls that Fortify's authors consider "unsafe", no matter whether the particular context makes it safe. It probably will also yell at you for using variable names that don't follow its stupid rules.
I can imagine how things like this exist. They approach these security-paranoid companies with offerings of a magic solution that will allow them to verify that their system is secure. Extremely afraid of being the next target of a class-action lawsuit, they are eager to pay large sums of money. The people who make the decisions aren't trained in computer science, so they don't understand that an automated system such as this is truly impossible.
It is the small companies who have to deal with this that suffer. The magic oracle says that you used a single letter as a variable name, so you absolutely must change it, with no excuses. You spend a lot of time and money "fixing" it to please the oracle, when you have done absolutely nothing for true security.
Melissa
Re:What does Fortify do, anyway? (Score:2)
Re:Avoids certain morons.....hum,hum? (Score:1)
I would think first that they have a big database of source code (of which they probably put a disclaimer for in their license agreement and put your code in their db for further use...) and compare to see if you have not already used someone else's code signature or even GPLed code for that matter.
Second, t
Re:What does Fortify do, anyway? (Score:1)
DISCLAIMER - I work for a software company that specializes in application security. Just not Fortify.
High-level languages like Java tend to have high-level security weaknesses, just like low-level languages like C/C++ have low-level weaknesses. Especially in web-accessible code (just because it's not an applet doesn't mean it's not web-accessible), there are right ways to do things (such as parameter validation, proper encoding, crypto usage, etc.) that even simple static analysis (or hand-scans, if yo
Re:What does Fortify do, anyway? (Score:1, Informative)
I think a lot of people get confused about how the halting problem applies to real world software engineering. The halting problem proves that you can't determine if a program halts with 100% accuracy. However, you could write a program that estimates if a program halts,
Re:What does Fortify do, anyway? (Score:1)
Static analysis has a lot more to offer than looking at the names of methods and variables. FindBugs ( http://findbugs.sourceforge.net/ ) is an excellent open-source tool for finding common problems in Java, though its focus is much more on code quali
Things to consider (Score:5, Informative)
I work for a lab that does security reviews and evaluations. There are a few things you might want to consider:
Merely an audit? (Score:3, Insightful)
As the other poster said, if you're in the business of moving bits on discs, you're already ruined. You're just waiting for the time delay to kick in.
just think about it a minute.... (Score:3, Insightful)
Your company, virtually certainly, isn't even vaguely important enough to them to mess with. If that code leaked and the word got out, the reputation of both the bank and the auditor would be badly damaged...a financial loss greatly in excess of the net worth of your entire company.
If for some reason they wanted to leak the code, it would be a lot cheaper for them to just buy you out, lock, stock and barrel.
Use your brain. Give them the damn code. They'll probably treat it better than you guys do. They have a lot more to lose if they don't.
Re:just think about it a minute.... (Score:1)
there are standard ways to do this (Score:2)
What we did (Score:1)
We thought it was pretty draconian, but the bank thought it was a great idea; bank IT staff by necessity live in a paranoid world, so I guess they
Re:What we did (Score:1)
Been there, done that (Score:2)
Even with the NDA, Taint it Before you Share it! (Score:2)
Ever heard of legalese ? (Score:1)
1. you are a software developer with big clients such as US banks
2. you must submit your source code to a 3rd party auditor
3. you think slashdot is a good source of advice
Well, seeing as you're in business I'll assume #3 is just a temporary brain fart on your behalf. If you're really worried about your code falling into the wrong hands, then have a lawyer write up a nice contract that expressly forbids the bank and any other party from using the code for purposes other than security
Handling Auditors (Score:1)
Give them access to another machine if they need Internet access.
What would I do? (Score:1)
Industries with requirements for source code (Score:2)
'Most of the code audits though, are for the low hanging fruit only, since a huge codebase can take a very long time to become familiar with, and the auditors never attain the same level of understanding as the original authors' (paraphrased as told to me by a defense code auditing guru).