Friday, December 12, 2008

Secure the source code

I was recently called in by a company to extend a client's bespoke Java application. The problem was that the company did not have a copy of the source code - only its compiled version. Although I was able to decompile or reverse engineer most of the source code, there remained significant gaps (missing method returns, variable declarations and the like). Such gaps translate directly into project risk and increased cost.

This is not the first time I've encountered this problem. In this instance, it was due to a complicated history of acquisitions, mergers and management buyouts. During such processes attention is understandably focused on retaining customers, intellectual property, etc., but careful consideration also needs to be given to securing assets like application source code, documentation and the like.

Often the lack of source code is down to the buyer's ignorance - they simply forget to ask for it. The supplier has delivered a robust, working application and is on hand to support it, and everybody is happy. Why would the buyer need something they don't know what to do with?

However, companies come and go, and wherever possible you should secure a copy of any code that is deployed on your servers or on your behalf. Sometimes suppliers are reluctant to provide it, citing copyright and intellectual property concerns. Appropriate licence terms and caveats should overcome these problems, however. This is a core issue with regard to business continuity planning.

My web design and development company provides a copy of all the code we've developed once all outstanding invoices have been paid, should the client desire it. We are usually able to do this in part because we use Open Source Software whenever appropriate.

This is one area where Open Source Software (OSS) comes into its own. Distribution of the source code is not normally a problem - when you use OSS you usually get the source code, albeit with some restrictions regarding reselling it as your own, etc. In this way, your company's software investment is protected to a degree, since you can always get another supplier to fix/support your OSS application.

Whether your application is built using OSS or not, you should always attempt to secure a copy of the source code when a supplier has provided a bespoke application for you. In these uncertain times, this is of more relevance than ever.