Steal this source code

When reading one of the cover stories in the Sept. 1 issue of SD Times, I was struck by a comment from Ashok Reddy, a manager at IBM Rational. In “Negative View of Security Standing in Way of SaaS,” he was discussing how willing people were to put critical data out on hosted CRM services, such as Salesforce.com, and how that compared to the slower acceptance of software development on hosted platforms.

Reddy told SD Times senior editor Jennifer deJong, “Source code is intellectual property, and it is perceived as more strategic to the company [than customer data].”

That comment stopped me in my tracks… not because it’s not true, but because of the implications. Think about big news stories about data loss. They’re about criminals stealing credit card numbers, social-security numbers, customer databases, secret documents, and the like. Data. When was the last time you heard in a news story that someone stole a laptop with a company’s source code database?

Of course, one reason that we hear so much about database theft is because victims might be forced to disclose such crimes, so that people can change their credit-card numbers, and be alert to potential identity theft. By contrast, if someone steals some source code from your company, there’s no external requirement (as far as I know) to disclose that to the local newspaper.

Another reason is that, for most criminals, source code isn’t very valuable. Any laptop filled with credit card numbers is surely going to appeal to many criminals, who can use that data or sell it. But how many buyers are there for second-hand source code? So, the incentive to steal such data, except for specific cases of industrial espionage, is pretty low.

That’s from the criminal’s perspective. But what about from your company’s perspective? If someone steals your source code, what are they going to do with it? They could study it for exploits (like embedded passwords), or clone your product’s secret features, or reverse-engineer a critical algorithm or protocol. Those would be bad… but you’d think those would be less bad than, say, having someone steal your customer database. Or, if they have read/write access, they could modify the code to embed bugs or create a back door.

(All this assumes that your source code is proprietary. If you’re using only open source, then in theory stealing your source code would have absolutely zero impact whatsoever.)

Is having someone steal (or have unfettered access to) your source code a bigger risk, or a smaller risk, than having someone steal (or have unfettered access to) your customer database? What do you think?

Z Trek Copyright (c) Alan Zeichick