5

I am building a website in asp/c# which I need to deploy to multiple servers which are managed by external people.

I need to avoid the people who have access to the server accessing and reusing our code.

One option that I have heard so far is that I can check the MAC-address inside the code, however, the MAC-address can be changed by the users.

What are the most secure options available to avoid this kind of situation?

Improve this question
6
  • You want to avoid publishing CS files or what? Commented Feb 28, 2013 at 8:02
  • isn't this against hosting policy? "using your application code" Commented Feb 28, 2013 at 8:02
  • you meant they can use reflector to see the code? Commented Feb 28, 2013 at 8:03
  • 2
    "Thou shalt not write code (if thou wilt it not be stoled)" Commented Feb 28, 2013 at 8:05
  • 2
    Your best option is usually to make sure that the licensing agreements are clear. Most technical solutions just make things harder, not impossible, and can increase support costs (as well as costing you time now and in the future when you could be using that time more usefully to make your product better for your well behaved users) Commented Feb 28, 2013 at 8:07

6 Answers 6

Reset to default
3

You have several options, but as commented by many... maybe they are not worth.

  • Legal: Have the external people that work in your server to sign a confidentiality agreement.
  • Trusted External People: Hire people that you trust. Friends, old coworkers, etc.
  • Dummy server: Depending on what you want to be done by external people, you might create a dummy version of your app. For example if you want the external people to install and configure your IIS & WCF services then deploy only dummy version of your WCF services that do nothing. Later, after job is done by external people, you can replace your dummy code with real code.
  • Obfuscate Code: You can obfuscate your code with some tool to make it harder. (Harder does not mean impossible)
  • Take away your code: As Mahmoud Fayez suggests, maybe is feasible to take your code to some external webservices and have your UI totally without any logic. It depends however in what the external people will do for you and the exact details of your app.

The only reliable one is:

  • Deploy to your own server: If your code is so sensitive that you want to warrant that no one copy it, then do the things yourself. No admin task is hard enough for a programmer with enough time and motivation.
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

The only 100% reliable method is not allowing others access to the actual deployed files.

Since code must work in the first place, a sufficiently motivated cracker will obtain the underlying source no matter what you do.

You can audit your deploy folders so you have an access log: you won't prevent any interaction, but you'll at least know who got what... Better than nothing.

Improve this answer

2 Comments

Your words are true and I avoid this 99% of the time. We have no choice in this situation and have to deploy it on their servers. Although I appreciate your comment about saying it's impossible, what can I do to minimise the the risk and deter users from bothering to try?
You should require auditing being active on the folders as part of your licensing agreement. I linked some helpful info in the answer.
1

Option that gives you the most cotrol: don't deploy one external servers managed by external people.

Everything else will have less options to protect your code and you just need to decide at wich point price is ok to pay.

Improve this answer

2 Comments

I don't have a choice in this situation regarding the location of the deployment. I want to attempt to minimise the risk of having the code re-used, what options do I have?
The next best option (which sadly covers most of the exisitng code) - write hard to read code without any kind of structure, documentation... More seriously @cad (+1) provided you some more options.
0

You can 'publish' the website rather than put the whole source code up on the server, that turns it into a compiled website.

You can find a guide here

Improve this answer

4 Comments

The code is already going to be published. They can, however, simply take the published code and re-use it elsewhere if they want to create an identical instance of the already existing code. What can I do to avoid this?
@James, If you code so well structured and documented so any random "they" can grab it and deploy anywhere easily - why not to deploy yourself (i.e. one one of cloud services like Microsoft Azure, Amazon AWS, Google App Engine)
@AlexeiLevenkov The client has stated very clearly that the code has to be on their servers. This is most likely for their security rather than mine.
Surely the client will go "WTF is this code" when you upload lots of obfuscated code too.
0

A web app normally cannot be completely "closed" source.

Besides the compiled DLLs (can be obfuscated) in bin, there must be a little "open source" in the view pages (.aspx, .ascx, .master, .cshtml)

If you want 100% closed, you may consider to use a non-standard way to serve the views so that you can pack everything in a DLL and write your http handler code to handle different URLs.

Improve this answer

Comments

0

If you need to do this, it suggests you're doing something wrong at the corporate level. The best proceedure is usually not to try to prevent piracy, but to embrace it. Make the code easily available to anyone, seed it on torrent sites yourself if need be, but only let it run in a very restricted way - say, only one connection at a time, so registering and buying a license show clear advantages.

If you also make your license clear and affordable, and there will be no motivation to pirate your software, and prevention is always better than a cure.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.