
The company has created a cloud solution, but some of the customers require the app to be hosted on their infrastructure, which might lead to some serious security threats such as decompiling the code. The web application uses dynamic frameworks such as Spring, JPA, Struts and DWR, which makes the obfuscation really difficult (I tried using ProGuard).

Is obfuscation the only solution? Is it even worthwhile? Any opinion would be helpful.

Arjan Tijms
Genjuro
  • By security threat you mean the customer threatening to steal your code? Because for the "outside" threats (like remote vulnerabilities) it should not make a difference between it being hosted in the cloud or on-premise (in fact, if they keep up with security fixes, on-premise could be safer because they can limit it to Intranet use for example). – Thilo Apr 11 '12 at 10:16
  • maybe helpful: http://stackoverflow.com/questions/1879061/how-to-protect-java-codes-against-decompiler – Thilo Apr 11 '12 at 10:26
  • Yep, I meant the customer stealing the code – Genjuro Apr 11 '12 at 10:31
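To make the difficulty the question describes concrete, here is an added example (not part of the original question or of any answer) of the ProGuard rules a Spring/JPA/Struts 2/DWR web application typically needs before the obfuscated build will still start. The build paths and the com.example.app.* package names are placeholders; the rules assume annotation-based JPA entities and Spring beans, Struts 2 actions named in struts.xml, and DWR remoted classes named in dwr.xml.

```proguard
# Added example: ProGuard keep rules for a reflection-heavy Java web stack.
# Paths and com.example.app.* packages are placeholders, not a real project.

-injars      build/WEB-INF/classes
-outjars     build-obf/WEB-INF/classes
-libraryjars <java.home>/lib/rt.jar
-libraryjars build/WEB-INF/lib        # servlet API, Spring, Hibernate, Struts, DWR

# Classes referenced only from XML bean definitions look unused to the
# shrinker, and the optimizer can mark classes final, which breaks the
# CGLIB/Javassist subclass proxies used by Spring AOP and JPA lazy loading.
-dontshrink
-dontoptimize

# Every framework here reads these attributes at runtime via reflection.
-keepattributes *Annotation*,Signature,InnerClasses,EnclosingMethod,Exceptions

# JPA: entity and field names are the default table/column names and appear
# verbatim in JPQL strings, so entities must survive completely unrenamed.
-keep @javax.persistence.Entity class * { *; }
-keep @javax.persistence.Embeddable class * { *; }
-keep @javax.persistence.MappedSuperclass class * { *; }

# Spring: component-scanned beans get their bean name from the class name.
# ProGuard matches the annotation literally (no meta-annotation lookup),
# so each stereotype has to be listed separately.
-keep @org.springframework.stereotype.Component  class * { *; }
-keep @org.springframework.stereotype.Service    class * { *; }
-keep @org.springframework.stereotype.Repository class * { *; }
-keep @org.springframework.stereotype.Controller class * { *; }

# @Resource without an explicit name injects by field name.
-keepclassmembers class * {
    @javax.annotation.Resource <fields>;
}

# Struts 2 actions are named in struts.xml and DWR remoted classes in dwr.xml;
# both invoke public methods by name taken from the request or from JavaScript.
-keep class com.example.app.web.action.** { public *; }
-keep class com.example.app.web.dwr.**    { public *; }

# OGNL (Struts), DWR bean converters and Spring XML property injection all
# bind to JavaBean properties by name, so accessors keep their names everywhere.
-keepclassmembers class * {
    void set*(***);
    void set*(int, ***);
    boolean is*();
    boolean is*(int);
    *** get*();
    *** get*(int);
}

# Class names that do get renamed are also spelled out as strings in the XML
# and properties files on the classpath (applicationContext.xml, persistence.xml,
# struts.xml). Files outside WEB-INF/classes (web.xml, dwr.xml) are NOT
# rewritten by this, which is why the classes they name are kept above.
-adaptresourcefilecontents **.xml,**.properties

# Session replication and DWR marshalling rely on the serialization contract.
-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}
```

Run it as `java -jar proguard.jar @app.pro` (the rule file name is an assumption) and compare the resulting mapping file against the input: after these keeps, what is actually renamed is essentially private helper methods, local variables and classes no framework touches. Entity layout, bean names, controller and action entry points, every getter and setter, and all string constants and control flow remain readable in a decompiler, so this raises the cost of reading the code only slightly. That gap is why the answers below reach for a licence clause, a hosted-only model or a sealed appliance rather than stronger obfuscation.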

2 Answers


The easiest (and pretty standard) thing would be to make it part of the license agreement that they may not reverse engineer or otherwise mess with your software. This assumes that you trust your business partners to keep a contract (which one could argue is a prerequisite to doing business with them in the first place).

Is obfuscation the only solution? Is it even worthwhile?

You could refuse to deploy the code to customers if you cannot trust them.

Whether treating your clients that way is necessary is up to you to decide. I would assume that they have better things to do than try to rip you off. But if you are so worried about it, a pure ASP model (code never leaves your servers) seems the only solution for you.

Thilo
  • I'm a developer, so I'm only focused on a technical solution, since some customers are stubborn and won't trust their data to be in the cloud and prefer to have it on their own servers, so the ASP model you suggested won't respond to the specific requirement of these customers, whom we can't afford to lose as a freshly started company. On the other hand, I found obfuscation to be really difficult to pull off since we highly depend on dynamic frameworks (Spring, JPA, Struts, DWR...) – Genjuro Apr 11 '12 at 10:36
  • @FrozenFlame you could always sue any customer that breaks a EULA. – Demi Jul 22 '13 at 16:34

As an alternative you could deploy your service in the form of a closed virtual appliance as suggested in What are the problems of deploying an application in a virtual machine file?

mac
  • I need to learn more about this; please provide me with useful links. Thanks :) – Genjuro Apr 12 '12 at 09:14
  • The basic idea is to deploy your app into a stand-alone virtual machine using VMware or VirtualBox, for instance. This virtual machine can be installed on your customer's computer, who will benefit from your service as a black box without you giving him operating system access. Ideally, you would request the customer to let you access your VM via ssh for software maintenance purposes. Otherwise, you'll just have to ship him a new VM for each software update. – mac Apr 12 '12 at 09:21