May 20, 2019

SaaS in a private cloud

sakalauskas @sakalauskas

I have a client that would like to deploy the software in their own servers for data privacy compliance.

Has anyone tried deploying close-source SaaS software in a private cloud?

How you ensure that the code is not tampered with. Unfortunately, the software can't be compiled to C++ to prevent tampering.

  1. 3

    First: do not rely solely on technical obfuscation to enforce business terms. Assume the customer can get your source code & will be able to tamper with it.

    Next, ensure that you have licensing terms sufficient to protect against the things you're worried about (IP theft, unlicensed usage, misuse of code, etc.).

    Now, price the license at such a price point that you make your target margin after expected legal fees etc.

    Keep in mind that many companies license IP with no expectation of being able to obfuscate it. Examples: font foundries, companies like Getty that license images, companies that license music, many companies that provide SDKs (like Berkeley DB). Licensing generally works.

    Finally, if it doesn't break the client's use case, feel free to obfuscate the parts that you can. But remember the obfuscation is there to preserve the veneer of magic of what you're shipping and not at all to protect your IP.

  2. 1

    If your language doesn't care about formatting a lot (ex: javascript with NodeJS) you could quickly write / use a code obfuscation tool like https://obfuscator.io/.

    This tool will remove all variables names and mix all functions so that no human can read it to modify it.

    You could even add useless trash code in the mix.

    If you do this, keep in mind that debugging will be a bit harder though.

    Hope you'll figure out how to do what you want.

    Alex

    1. 1

      It's a mix of java, python, php and javascript, so with the current stack, this wouldn't be possible.

      1. 1

        You can obfuscate Python using https://pypi.org/project/pyarmor/ or compile it using Cython (https://medium.com/@xpl/protecting-python-sources-using-cython-dcd940bb188e)

        For the PHP part, you can also obfuscate it (https://www.php-obfuscator.com/ does it).

        You can also obfuscate JAVA after its compilation to Bytecode using tools like ProGuard.

        1. 1

          Hm, that seems like an option, but that'll require quite a lot of changes in deployment workflow and as you said, debugging will be going to be awful.

          I wonder if any other simpler option exists...

          1. 1

            From a technical standpoint, you can't do anything else than obfuscation. If your client controls the server, he controls what he's executing. If you don't compile/obfuscate your app, he'll always be able to see what he's running.

            The other way to go is with licensing. Keep in mind that if they violate it:

            • You'll have to prove it

            • You'll have to pay for legal fees. They can be very expensive and not worth it for a small contract. (That's a mistake I did. We gave them the code, they use it, never paid us, and legal fees aren't worth it.

  3. 0

    You could try compiling to a docker image

    1. 3

      Wtf?! A docker image wouldn't be compiled. They could access the container to get all the source code.

    2. 2

      That's what I thought, but unfortunately, docker does not do any sandboxing and root user may access the programming code.

      Thus, I would need to trust the client that they wouldn't access the proprietary code, but I do not want to do that unless that's the only option.