Question score: 24

I am currently planning to develop a J2EE website and wish to bring in 1 developer and 1 web designer to assist me. The project is a financial app within a niche market.

I plan to keep the source closed. However, I fear that my would-be employees could easily copy the codebase and use it or sell it to a third party. The app development will take 4-6 months, perhaps more, and I may bring in additional employees after the app goes live.

But how do I keep the source to myself? Are there techniques companies use to guard their source?

I foresee disabling USB drives and DVD writers on my development machines, but uploading data or attaching the code in email would still be possible.

My question is incomplete. But programmers who have been in my situation, please advise. How should I go about this? Building a team, maintaining code secrecy, etc.

I am also looking forward to signing a secrecy contract with the employees if needed. (Please add relevant tags)

Update

Thank you for all the answers. I certainly won't be disabling all USB ports and DVD writers now. But I think I should be logging activity (how exactly should I do that?). I am wary of scalpers who would join and then run off with the existing code. I haven't met any, but I have been advised to be wary of them. I would include a secrecy clause, but given this is a startup with almost no funding and in a highly competitive business niche with bigger players in the field, I doubt I would be able to detect or pursue any scalpers.

How do I hire people I trust when I don't know them personally? Their resume will be helpful, but otherwise trust will develop only with time.

But finally even if they do run away with the code, it is service that matters after the sale is made. So I am not really worried for the long term.

samthebrand
abel
  • I know that I (and no other sane, competent developer) would consider working under the conditions you have hinted at (disabled pendrives, dvd writers…). – Jonathan Sterling Oct 09 '10 at 17:54
  • Simply poisonous. – Jonathan Sterling Oct 09 '10 at 17:57
  • To be honest, when I meet someone who refuses to extend any trust, I always think it says more about their own trustworthiness than mine - which is to say, if you think I can't be trusted, it's because you know you can't be trusted. – James McLeod Oct 09 '10 at 20:08
  • Yet at the same time, whenever anyone feels the need to say "to be honest", I do have to wonder how much I can believe what they say. :/ – Peter Boughton Oct 09 '10 at 21:11
  • @Peter - "to be honest" is a figure of speech, not something you should take literally. Like when someone says "I literally died when he said that." or a random shop assistant says "Have a nice day.". – Stephen C Oct 10 '10 at 02:50
  • LOL! So only believe me if I prefix my statement with "To be honest..." – James McLeod Oct 10 '10 at 03:01
  • Thanks Stephen, _I didn't know that!_ :| Next time I'm pointing out irony, I'll be sure to add a disclaimer. – Peter Boughton Oct 10 '10 at 12:00
  • +1 @Jonathan Sterling I wouldn't want to work in such an environment either. I asked because I do not have the experience of working in an industrial environment. – abel Oct 11 '10 at 09:05
  • Re your updated question: stop worrying about scalpers who are looking to steal your code. The chances of you succeeding in your business are too low for you to spend any of your time not pushing toward success in implementation; it's unlikely someone is going to steal your code, and if they do, it's even more unlikely they'll know what the hell to do with it. Don't use trackers, for the love of God. Would make me, for instance, uncomfortable with visiting sites like SO during work hours, which is a valuable use of time. – Jonathan Sterling Oct 11 '10 at 14:20
  • @abel: Boiling down some of your previous remarks, you don't have any experience doing professional software development. But you're trying to enter a "highly competitive business niche", and succeed against "bigger players" when you have "almost no funding". You have much bigger fish to fry than worrying about programmers running off with your code. If I were you, I'd write up a business plan and have it reviewed by businesspeople who've already succeeded in your target area, and then think about whether you really have the resources to succeed. – Bob Murphy Oct 11 '10 at 22:08
  • @abel: After your update, your question is like this. You don't have much money, and you've never even worked in a restaurant, let alone run one. But you're determined to open a restaurant anyway - and in San Francisco, which already has lots of great restaurants struggling to make a profit. So you go to a chefs' convention, and ask how to hire a chef who won't poison the food. And when they tell you chefs don't poison food, you admit that nobody you've ever known was poisoned, but somebody told you that you should worry about it so you're going to worry anyway. – Bob Murphy Oct 11 '10 at 22:41
  • @Bob Murphy very true! – abel Oct 12 '10 at 08:48
  • log the usb ports and do a regular check – Belun Oct 10 '10 at 19:36
  • If it involves military or related institutions they only allow you to know about one portion of the program, rather than the entire program. Doesn't seem like this is the case for you. – O.O Apr 19 '13 at 21:34
  • Since the real question here is how to stop your programmers from *selling* code that they wrote for you, this question is related: [Source code stolen\hacked by rival company](http://programmers.stackexchange.com/questions/72004/source-code-stolen-hacked-by-rival-company/95190) – user16764 Apr 21 '13 at 00:55
  • see also: [How do you prevent the piracy of your software?](http://programmers.stackexchange.com/q/10340/31260) – gnat Aug 25 '16 at 10:18
  • All responses stating you have to trust developers are pointless and disregarding the question. There can be situations where this is a potential problem. Although it does sound odd in this case where your highly sensitive code is yet to be developed, by the very people you want to keep it from. Anyway, locking down development machines and disconnecting them from the internet could work. And have the machine in a locked room with only some cables for screen and keyboard coming out? Expect a lot of support calls from your developer (who won't mind because he is paid by the hour). – Martin Maat Nov 11 '21 at 20:09
  • A good programmer is capable of finding a way to solve problems in spite of various technical obstacles. This includes getting software out even without USB-ports etc. The traditional way is to do this using legal constructs like contracts and treat your employees well. This will become clearer to you when you get more experience. The value is not on the harddrives, it is in the brains. – Thorbjørn Ravn Andersen Mar 31 '22 at 11:54
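The update asks how one would actually log activity, and Belun's comment suggests logging the USB ports and doing a regular check. The following is an added example written for this page, not code from the question, from any answer or from any product mentioned here: a small Python script that parses Linux kernel log lines (the syslog format written to /var/log/kern.log or shown by `journalctl -k`), records every USB mass-storage attachment with the device's vendor and product IDs, and flags any drive that is not on an allow-list of company-issued devices. The log lines, the host name `devbox` and the allow-list entry are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of Linux kernel messages in syslog format, as found in
# /var/log/kern.log or printed by `journalctl -k`. Written for this example;
# these are not logs from the original page.
SAMPLE_KERN_LOG = """\
Oct 11 09:05:12 devbox kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Oct 11 09:05:12 devbox kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Oct 11 09:05:12 devbox kernel: usb 1-1: Product: Flash Drive
Oct 11 09:05:12 devbox kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Oct 11 09:05:13 devbox kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Oct 11 11:40:02 devbox kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
Oct 11 11:40:02 devbox kernel: usb 1-2: Product: USB Receiver
Oct 11 14:22:45 devbox kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Oct 11 14:22:45 devbox kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Oct 11 14:22:46 devbox kernel: sd 7:0:0:0: [sdc] Attached SCSI removable disk
"""

# Syslog envelope: "<timestamp> <host> kernel: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
# Enumeration line carrying the vendor/product IDs for a bus address such as "1-1"
NEW_DEV_RE = re.compile(
    r"^usb (?P<bus>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"^usb (?P<bus>[\d.-]+): Product: (?P<product>.+)$")
# The usb-storage driver binding to interface "<bus>:<config>.<iface>"
STORAGE_RE = re.compile(r"^usb-storage (?P<bus>[\d.-]+):[\d.]+: USB Mass Storage device detected")
# The SCSI disk layer registering the block device (sdb, sdc, ...)
DISK_RE = re.compile(r"^sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")


@dataclass
class RemovableMediaEvent:
    timestamp: str
    host: str
    bus: str
    vendor_id: str
    product_id: str
    product: Optional[str] = None
    block_device: Optional[str] = None


def parse_removable_media_events(log_text: str) -> List[RemovableMediaEvent]:
    """Return one event per USB mass-storage attachment found in the kernel log."""
    # bus address -> IDs from the most recent enumeration on that port
    seen: Dict[str, Dict[str, Optional[str]]] = {}
    events: List[RemovableMediaEvent] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a kernel line in the expected envelope
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        if (d := NEW_DEV_RE.match(msg)):
            seen[d.group("bus")] = {"vid": d.group("vid"), "pid": d.group("pid"), "product": None}
        elif (p := PRODUCT_RE.match(msg)) and p.group("bus") in seen:
            seen[p.group("bus")]["product"] = p.group("product")
        elif (s := STORAGE_RE.match(msg)):
            info = seen.get(s.group("bus"), {"vid": "????", "pid": "????", "product": None})
            events.append(RemovableMediaEvent(ts, host, s.group("bus"), info["vid"], info["pid"], info["product"]))
        elif (k := DISK_RE.match(msg)):
            # The block device is registered right after the storage interface binds,
            # so tie it to the most recent event that has no device name yet.
            for ev in reversed(events):
                if ev.block_device is None:
                    ev.block_device = k.group("dev")
                    break
    return events


def unexpected_attachments(events: List[RemovableMediaEvent], allowed: Set[str]) -> List[RemovableMediaEvent]:
    """Events whose 'vendor:product' pair is not on the allow-list of issued drives."""
    return [e for e in events if f"{e.vendor_id}:{e.product_id}" not in allowed]


if __name__ == "__main__":
    found = parse_removable_media_events(SAMPLE_KERN_LOG)
    # Constructed allow-list: the one drive the company issued for this example.
    issued = {"0781:5567"}
    for e in found:
        status = "ISSUED" if e not in unexpected_attachments([e], issued) else "UNKNOWN"
        print(f"{e.timestamp} {e.host} {e.bus} {e.vendor_id}:{e.product_id} "
              f"{e.product or '-'} /dev/{e.block_device or '?'} {status}")
```

Run against a real kern.log or the output of `journalctl -k --no-pager`, this covers the "regular check" half of Belun's suggestion: it records what was attached and when, and separates known drives from unknown ones. It prevents nothing by itself, and vendor/product IDs can be set by the device, so treat it as an audit trail rather than a control; as the answers below argue, the clear contract clause does more work than the monitoring.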

9 Answers

Answer score: 78

You need to trust your developers.

Virtually all professional developers won't steal your source. It's understood that if you work for somebody else, it's the employer that owns the code that you write. Developers might copy code for reference purposes, but it's highly unlikely they will offer it for sale to anyone else. If they did offer it for sale to a new employer then the likely outcome is them being shown the door and possibly even arrested (as Bob Murphy points out in his comment). Getting caught isn't worth the risk.

More importantly, distrust breeds distrust. Disabling USB ports and DVD writers will engender a feeling of distrust which will, paradoxically, make it more likely that the developers will copy the code.

By all means add a secrecy clause to your contract, but it's probably unnecessary to highlight it as the most important part of the contract.

ChrisF
  • A brief secrecy clause is perfectly normal in development contracts and employment agreements - but as ChrisF said, don't go overboard with it. To anyone who's done more than a handful of contract development projects, a long secrecy agreement with dire threats just says you're a clueless amateur. There are standard clauses you can find online that run anywhere from 6-20 lines of text. That's plenty if you're willing to lawyer up in case of breach - and if you aren't, any secrecy agreement is pointless. – Bob Murphy Oct 10 '10 at 03:08
  • Also, in the real world, third parties don't want stolen code. The risk is too great. Back when Informix and Oracle were duking it out for the enterprise relational database market in the mid-90s, one of Informix's developers quit to join Oracle (which was quite common), and took a hard drive full of Informix source with him (which wasn't). He told his new boss at Oracle, expecting a warm welcome, but instead he got a security team and an arrest. Then Oracle security called Informix security, and the hard drive went back to Informix without anyone from Oracle having looked at it. – Bob Murphy Oct 10 '10 at 03:29
  • @Bob Murphy I hope everyone is so sincere even at the bottom of the food chain. – abel Oct 11 '10 at 09:08
  • I was just about to type up this exact answer. Trust is actually critical to the success of the project. As ChrisF stated, disabling components of developers' computers will only sour the relationship and inform those developers that they are not trusted. The only way to truly protect your code would be to control where the developers sleep, where they eat, whom they talk to, etc. Just make sure you have a well written contract to give you the legal ammunition you need to punish any violators. – TheBuzzSaw Oct 28 '12 at 20:53
  • *"I hope everyone is so sincere even at the bottom of the food chain."* - 99+% are, and that's as good as it gets. Being an entrepreneur involves taking risks, and this one is much smaller than others you will be up against. – Stephen C Apr 21 '13 at 11:00
  • @BobMurphy Interestingly, Pepsi did the same thing when a former Coke employee came to them with confidential recipe information. – Chris Thompson Apr 21 '13 at 16:19
  • Two words: Edward Snowden (http://en.wikipedia.org/wiki/Edward_Snowden). Even the most secretive divisions within the US Federal Government don't have a good solution to this problem. What makes you (the OP) think you can do any better? Build your solution on trust and reasonable containment, not on superficial technological restrictions! – rinogo Feb 04 '14 at 20:05
  • @BobMurphy And as an example of when even the possibility of not doing that can get you in big trouble, just look at the Uber-Waymo dispute going on right now. – JAB Jun 14 '17 at 20:51
Answer score: 74

If these programmers can write the software in the first place, then...

THEY DON'T NEED TO STEAL IT.

They can just simply rewrite it in a fraction of the time it took to originally develop it. Yes, it's true, developers aren't complete idiots... once they figure out how to do something, they can often remember how they did it.

So, I guess you're just going to have to trust them, or write the software yourself.

Glorfindel
GrandmasterB
  • Is that an argument for a non-compete clause? ;) – Tim Oct 10 '10 at 07:23
  • Indeed: your programmers have already copied your code, by virtue of having that knowledge in their heads. – Frank Shearar Oct 11 '10 at 07:25
  • I understand that. I do not want newly joined developers scalping code. – abel Oct 11 '10 at 09:10
  • @abel, stolen code just isn't as useful as you seem to think it is. An app can be 'cloned', even without the source code. **proprietary algorithms**, now **that's** what you want to keep safe. Developers don't need to 'steal' code to learn those, just read it and then recreate it. Heck, just using the program might be enough to deduce an algorithm. So, as others have said, a simple non-compete clause will do the trick and is about all you can do. Physically securing the code is just a waste of your time because any developer worth their salt can easily bypass that. – GrandmasterB Oct 11 '10 at 18:06
  • +1 for truth... and for making me fall out my chair laughing. Cows don't need to steal milk. 8D – TheBuzzSaw Oct 28 '12 at 20:56
  • and to add to that - once the devs have done it for you, they can do it better again because they have experience of all the crappy things in your architecture and codebase that didn't work out well! – gbjbaanb Jun 30 '16 at 12:31
  • @GrandmasterB But in many companies, software isn't written by one developer; each can only rewrite the part they worked on! But what if they attempt to steal the whole code? – AminM Sep 03 '16 at 17:16
Answer score: 22

I've heard it said that no idea on its own is worth more than $20 (and that's Canadian dollars!) The idea only has value if it is executed well. Even if it comes to them stealing the code and trying to make a go of it themselves, odds are you have a better idea of what the next steps are, and more contacts with prospective buyers of the software.

You should definitely only hire people you trust, but even if they steal your code and try to sell it, they are unlikely to get very far.

James McLeod
  • This is absolutely true. Forget keeping your Unique Idea super-secret and concentrate on executing it better than anybody else. Most ideas are a product of their time and occur to several people independently. (Henri Poincaré was working on relativity in the early 1900s, too, but Einstein beat him to publication.) Chances are there are eight other crews trotting your idea around to the VCs on Sand Hill Road this month; it's the ones with credible business plans and professional teams who will get funding. – Bob Murphy Oct 10 '10 at 03:24
  • Related: https://sivers.org/multiply . Bad ideas wouldn't even be worth 2 pence, but good ideas can well be worth over $20. – Pacerier Oct 04 '15 at 20:28
Answer score: 6

If this is some sort of startup, then the number one thing you need to do is get a product built. You need good developers who will work hard and be dedicated to the project.

One really easy way to get rid of them, or at least to sap their morale and dedication, is to show them up front that you don't trust them. In fact, they're likely to start thinking of ways they can get the code out (although they almost certainly won't follow through), and if they can come up with a way they'll think you not only paranoid but stupid. (There are organizations where this level of caution is justified, and a financial website startup will not be considered one of them.)

A few clauses in the contract about how the software is your property will be fine. If somebody will violate that, they'll violate any more severe language you've got, and probably feel more justified. Non-compete clauses that aren't narrow and time-limited will just chase off the people you want, and may in fact not be legal in your jurisdiction (consult a local lawyer to find out).

If you hire good people, they can rewrite the software later. If you hire beginners, they won't know how to further develop what they walk off with, and anybody building on it will be running serious legal risks to come in late with an inferior version of what you've got.

In short, this should be way low on the things you worry about. If you hire bad people, you're sunk no matter what. Concentrate on hiring good people and let this slide.

David Thornley
Answer score: 6

The hard truth is that nobody wants your code. You may think that you are developing a solution everybody wants to know the inner workings of. But more often than not, you aren't.

What would you do if you got hold of the source code of your competitors? You can't distribute it. You can't copy any parts of it into your project (even if it weren't so hard to integrate third-party code into your codebase). What can you do? You can study it. But often it's harder to read the code than to write it in the first place.

Look at open source software. It is the closest analogy to stolen source code. There is a vast amount of unmaintained code. A large portion has a license that doesn't suit your needs. Others are written in an incompatible programming language or need porting to your platform. The code which does suit your needs will take plenty of time to read.

There are many open source projects with a closed source mentality, i.e. they don't accept patches. Soon enough your version of the code will deviate so much that it would be impossible to merge new versions.

You should understand that what's most valuable is your team, who maintain your code and move it forward. Not the code itself.

Vanuan
Answer score: 4

Why should your potential customers trust you with their finances?

After all you may run off with the money.

Companies like Microsoft, Google and IBM employ thousands of people to write reams of closed source software, and are not unduly worried about their staff walking off with the code. Copyright protection and a clear "any code belongs to your employer" clause in the employment contract seem to cover it, and court cases against former employees for stealing code are extremely rare.

Furthermore, once you release your software to the wide world, unless the core involves some really advanced math, any competent team of programmers could reproduce your application without ever seeing the source code.

James Anderson
Answer score: 3

As others have mentioned, this primarily seems to be a people concern.

However, there are a number of major security vendors who market software solutions to data leaks:

I can't comment on their effectiveness or appropriateness, as I have limited experience with these solutions, but I just thought that it might be helpful to point this out.

Cliff
  • Like the idea, the only worry is that these products are full of corporate language and don't explain what they are actually doing :) – Mars Robertson Nov 12 '12 at 13:51
Answer score: 2

Honestly, like everyone else said, you just need to trust your programmers.

However, I will add to that by saying you should really consider that open sourcing your project in today's environment is more likely to help you than to hurt you, with the exception of a few specific markets. Just being more open to the idea will make you less worried about your source code growing legs and running off, even if you don't do it yourself. Garner all the goodwill you can, and you're more likely to earn money, in my opinion. Even if the Empire offered the best app in the world, I don't think Luke Skywalker would've downloaded it, because the Empire's ideals were in the wrong place.

coder543
Answer score: 0

Dated question, but still not totally irrelevant. Rather than being paranoid about code theft or resale, an NDA is a balanced approach. Here is a sample Non-Disclosure Agreement.

See the sections "Obligations of the Parties" and "Consequences of Breaching the Contract". These can of course be edited to suit your purpose. That's probably the best you can do. Hope this helps somebody.

https://relevant.software/blog/how-to-write-an-nda-for-software-development-template-included/

joym8