source code security on TFS - security

I have been working with a Visual Studio project by myself for a while. and now we have a new coder with me. We are not sure yet how trustworty he is. so we need to block him to run or read the project source codes if he copied and take it to home or anywhere else except our environment with TFS. How could I do it, is it possible. Regards
EDIT: let me clear some points: I want a source code only available in office environment, in TFS, so developers can do anything with it but when they take it to the home, the solution wont run and display codes)
I am asking if this is possible. or is there any similar approach that I am unaware

There is no way to do this through TFS. You woul dneed to look at creating a secured desktop/remote session.
Even if you put him on a desktop that can't be taken home, you will have to disable USB ports etc. etc. so that he can't copy it over to his.her own device.

This isn't supported in TFS and I doubt it ever will. If you are worried about this then you need a tighter interview process. Have them sign non-disclosure agreements and such. Perhaps this is a case of paranoia, however there may be a slight alternative:
Get yourself a public/private key pair from a CA and sign your assemblies with the private key (which is known only to the 'trustworthy' developers or even just 1 of 2 senior members), have your builds compile using this private key (lock down your build server) and publish only these assemblies. Make your customers aware of this and give them your public key.
It will prevent people from stealing and publishing your source code under your name but it's a tremendous effort (and it won't stop them from outright theft and publishing as a competitor). If you are interested start looking up asymmetric encryption with assembly signing.

Related

Database which doesn't need a Private Key to Push Data

I have a project I am working on which will be open source. The project records data from all over. People can look at the instructions on a website, build the prototype, and the prototype will contribute its data to a giant database.
data.sparkfun.com/ is perfect for this, except for a major problem. In order to push data, you need to put the Private Key in the code (docs). This will also allow anybody with the code (which will be everybody looking at my project because it is open source) to edit, modify, and delete data from the database because they have the Private Key.
Is there any alternative to data.sparkfun for free so that I can achieve this? I am using NodeJS as the main language for my project.
EDIT: I also do not have a server to host my own database on. I also would need a hosting service (which is why data.sparkfun is so close to what I need).
I think something like this project http://docs.dat-data.com/ could work. It is built with Node. Its not necessarily perfect because its a bit more oriented towards files than a database, but you may be able to adapt it to your application. It uses cryptography and versioning for security.
I found something called Firebase which is hosted by Google. It has a full suite of databases, filesystems, and a way to identify users. You need an API Key for posting and retrieving data, but it is not meant to be private. It also allows you to set rules to disallow editing and deleting data, unless you own the database.
It supports iOS apps, Android Apps, and Web Apps (easy to integrate with NodeJS). The free version has some limitations, but enough for most hobbyists.

Workflow : Best way to carry my projects over to multiple computers?

I wonder if this question really fall in the topic of this site and feel free to tell me if it doesn't. But anyway, here's the situation : I'm currently in college and when I'm at school, I program on my lap top, and when I'm at home, I'd like to programm on my desktop. I was wondering, what is the best way to carry my projects over from one PC to another? I currently use Visual Studio 2015.
I tought of one solution, set my VS Workspace in my Google Drive so everytime I save a project, it's carried over.
But do you guys have a better solution? Thanks for your responses! :)
I also don't know whether this question belongs to SO. Anyway, I will try to answer your question.
In situation where you program in groups, a source code management system (version control) is absolutely necessary to synchronize code and avoid conflicts. A very popular one is Git which is used in many various projects in different programming languages. For other version control systems, look at the bottom of the wiki article.
It would be too much to explain Git (or version control in general) in this answer, but the general work flow is always the same: There is a server somewhere, an when you start coding you 'check out' your project, which means you copy the most recent updates to your local machine. When you are done, you commit the changes to the server. If you want to work on another computer, you just check your project out again. When finished, commit again.

Is there any local history in Visual Studio 2012

That is a really useful feature, there are many IDEs that can provide it but I can't find any extension which can provide Local History.
By Local History I mean something that tracks any changes and edits that I make on the source code so I can be able to recover it in future.
There is a separate extension that provides local history functionality:
http://visualstudiogallery.msdn.microsoft.com/226c2108-9da9-407d-b90d-9783040d27b8
I think the local history feature complements version control.
What you are describing is a source code control system. Visual Studio does not provide this by default as its primary job is that of an editor. It does support a number of source code control plugins, many for free, which will do this for you.
For example there is a free Git plugin that is now officially provided by Microsoft.
http://visualstudiogallery.msdn.microsoft.com/abafc7d6-dcaa-40f4-8a5e-d6724bdb980c
This can be used with a number of free Git providers
CodePlex
GitHub
Visual Studio Hosting
There is an option to have best of both worlds:
autogit - Visual Studio extension
Here are some counter reasons why local history is different then source code repository:
Some simple reasons:
simple insurance against accidental changes or deletions.
makes it easier to support smarter undo, backtracking, or exploratory programming.
resume a task or track a task by seeing changes at a fine-grain level as they happened.
light-weight, stays invisible until you need it.
Some deeper reasons:
Better Task Resumption: research suggests that resuming an interrupted task or reviewing a change made by another is made easier when changes can be reviewed in an time-ordered manner (in comparision to a flat commit).
Auto-blog: automark is a sister project that can examine a git repository and then automatically generate a markdown file, in a format suitable for publishing a blog post.
Personal Analytics: Watts Humphrey has advocated the idea of tracking personal activity for self-improvement, using methods such as the Personal Software Process. Using services, such as codealike or codeivate, you can track things like time spent editing, etc. Tracking the actual changes can take this analysis to another level.
Api Analytics: Frequent mistakes are made when programming or using particular apis. This can be analyzed: "You spent 3 hours figuring out how to correctly use pygit2.create_commit(), create github issue?"
There's also the Auto History Extension: https://visualstudiogallery.msdn.microsoft.com/dfcb2438-180c-4f8a-983b-62d89e141fe3
It's like the one Juha Palomäki linked to, except has more downloads, reviews, and a slightly higher average-review. (haven't tried either myself yet, though plan to in a day or two)

Code/Document Management for a very small company

I work for a very small company (~5 employees, 2.5 coders). We have gotten away with no code or document management for several years, but it's starting to catch up with us as we grow a bit.
Any suggestions for a management system. Free is better, but cheap is acceptable. We just don't want to spend more time on installation/configuration than it is going to save us.
We use mostly VC++ 6, but we're branching into VC# 2008. Also, we need to keep track of mechanical drawings and circuit diagrams for several pieces of hardware, as well as user manuals for both hardware and software (but I don't really expect to find one tool that will do all of this, just hoping).
Subversion (SVN) is an excellent option for you. It's free, integrates nicely into Windows with TortoiseSVN, and is well-tolerated by users.
We are using it for source code, as well as for document management.
http://trac.edgewall.org/ - might be a bit hard to install but otherwise is very good if coupled with svn repository
Mantis is good for issue tracking. Subversion for source control. Both are free.
For documents, I do not know. Sounds like you would do fine with a network share.
You may want to look at Trac.
I work for a similar sized company, and when I got here I was in the same place as you. I implemented SVN/Subversion http://subversion.tigris.org/ quite easily. If you use the svn protocol and use svnserve (can be setup as a windows service that auto starts on your server) it should take you 1.5-3 hours to setup depending on how much you want to read http://svnbook.red-bean.com/, see collabnet http://www.collab.net/downloads/subversion/ for the Windows package download
Using Windows, you can use Tortoise SVN which integrates into the windows shell. There is also a new release of Ankh SVN (2.0) http://ankhsvn.open.collab.net/ that integrates into Visual Studio. Ankh is very nice (has pending changes window, kind of similar to Subclipse like functionality) but it is a new release and is somewhat buggy (we have experienced some memory probs and slowness). We currently use both Tortoise for initial checkouts or imports and Ankh for everything else and are pretty happy.
If you have any Mac users, there are a lot of options out there. We have a mac user here who uses Versions http://www.versionsapp.com/, though it sounds like they will charge for it once they get out of beta.
I would recommend SVN because it is widely used out there and I feel that is important with open source projects you are going to use daily for production purposes. Just to spell it out, everything (other than Versions) mentioned is free.
Perforce!
It's extremely fast compared to most other source control systems. It works great remotely. (SSH tunnels, in my case)
The VS plugins are quite decent... I haven't tried the Eclipse one that much yet.
If you can get by with two users with 5 workspaces each, then you can use it for free. (I do, currently)
If that won't work, then it does cost a bit... something like $800/user I believe. Sometime next year I'm probably paying that. (5 workspaces is tough when you work on several machines with VMs)
Still, I heard the slower-than-glacial ClearCase/ClearQuest system one client one mine is using was something like $10k per developer, so expensive where source control is concerned is a relative concept.
Don't skimp on the source control, man! Slow source control is a serious pain in the a$$.
Avoid SourceSafe-like systems that only version files... use systems that track tasks or change sets. It's very useful to see what all belongs together as a task. Tags are not an acceptable substitute.
Also, the journalling nature of Perforce makes backups and recovery a lot easier.
Use Git for source control, Basecamp/Pivotal Tracker/Unfuddled for coding workflow, and Sharepoint/Google Docs for document management.
If you get a MSDN developer license, you can run TFS workgroup edition. That has source control and document management rolled all up in one package that's pretty easy to use and manage. That, in addition to an internal wiki, is what my company does.
Use Subversion. It's free and is the preferred source control system for the vast majority of open source projects.
SVN uses shallow copies, so when you have large files in a repository and you branch, a full file copy isn't done... just a pointer to the original. As for text files (code) only diffs are stored.
Use TortoiseSVN for windows explorer integration.
TFS is a pig, and you'd need to open visual studio to interact with source explorer. Stupid for a CAD engineer to have to need a license to TFS for that.
For document management, just use Windows Sharepoint Services that comes with Windows Server 2003 (or 2008).
I also work for a small company and we mainly develop in .NET languages. We have decided to use Visual SourceSafe for source control, despite its questionable reputation, since it integrates nicely with Visual Studio. VSS works very well for us, and we have not experienced any serious problems with it. Also, we host a SharePoint server, which we use to store documents like coding standards, storyboards, and even our SCRUM log.
We use HostingPlayground. For $6 per month we get multiple Subversion repositories and an instance of Trac. Can't beat it. And since its a service its available immediately.
It seems the solution for your 'management' requirements will require at least a tool or set of tools in the following categories: (sorry about the links, not enough reputation to put proper ones in the reply)
Source Code Management
Trouble/Bug Ticketing
Document Management
Definitely take a look at stackoverflow.com/questions/15024/tools-to-help-a-small-shop-score-higher-on-the-joel-test Tools to help a small shop score higher on the joel test referenced by stackoverflow.com/questions/84303/code-document-management-for-a-very-small-company/84363#84363 Kristopher
Each have various free/open source solutions, and likewise there are commercial solutions.
Source Code Management (SCM)
A significant trend(?) of source code management is evolving from centralised code management with something like TFS(?), cvs or subversion.tigris.org svn), to decentralised 'distributed' source code management with tools such as www.selenic.com/mercurial/wiki/ or git-scm.com/. Some of the tools either integrate into continutation
The above mentioned source code management tools all have nice ms windows integration tools, and some even have closer Visual Studio integration (e.g. TFS, ankhsvn.open.collab.net/ ANKH svn mentioned by Mario).
A simplistic generalistion would recommend git/mercurial when your coding involves a good portion of time away/off disconnected from your centralised source code repository (such as doing a lot of coding from home when your repository is not accessible through the Internet.)
Wikipedia has a en.wikipedia.org/wiki/Source_code_management nice overview of the various issues related to source code management, and the benefits of various options.
If you haven't used scm before, just pick one or two of the tools that fits your groups requirements and test it. Of course, if you know someone near who has experience with a particular scm solution it may help with the team's learning curve to have that shared experience around.
My pick for your scenario: Subversion with ankhsvn.open.collab.net Ankh SVN for Visual Studio integration.
Trouble/Bug Ticketing
None of the tools available solve everything for everybody, each have their advantages and most require some compromise from a development teams existing modus operandi. Again, wikipedia is your friend with a en.wikipedia.org/wiki/Bug_tracker general summary and en.wikipedia.org/wiki/Comparison_of_issue_tracking_systems comparison of major tools.
Installation
The php based tools are the easiest (in my experience) to get up and running, and the perl tools more involved(?) Of course there's python one that's real easy to install, but then requires a better mind than mine to configure.
My pick for your scenario: trac.edgewall.org/ Trac
Trac is an enhanced wiki and issue tracking system for software development projects. Trac uses a minimalistic approach to web-based software project management. Our mission is to help developers write great software while staying out of the way. Trac should impose as little as possible on a team's established development process and policies.
It provides an interface to Subversion (or other version control systems), an integrated Wiki and convenient reporting facilities.
Trac allows wiki markup in issue descriptions and commit messages, creating links and seamless references between bugs, tasks, changesets, files and wiki pages. A timeline shows all current and past project events in order, making the acquisition of an overview of the project and tracking progress very easy. The roadmap shows the road ahead, listing the upcoming milestones.
Drawings/Document Management
If you use Subversion with Trac then much of your document management may be solved with these tools. Otherwise another stackoverflow discussion topic: stackoverflow.com/questions/587481/developer-documentation-sharepoint-document-management-vs-screwturn-wiki Developer documentation sharepoint document management vs. screwturn wiki, for Windows centric environment, is a good read.

Fighting with Protected Mode in Vista

Our application commonly used an ActiveX control to download and install our client on IE (XP and prior), however as our user base has drifted towards more Vista boxes with "Protected Mode" on, we are required to investigate.
So going forward, is it worth the headache of trying to use the protected mode API? Is this going to result in a deluge of dialog boxes and admin rights to do the things our app needs to do (write to some local file places, access some other applications, etc)?
I'm half bent on just adding a non-browser based installer app that will do the dirty work of downloading and installing the client, if need be... this would only need to be installed once and in large corporate structures it could be pushed out by IT.
Are there some other ideas I'm missing?
This client, is it a desktop application and not some software that runs inside the browser? In that case, please just supply a regular download installer application. My personal experience with browser-hosted installers is that they are just confusing and the few I have seen seemed to be poorly coded in some way.
If you use an MSI based installer I'm sure lots of Windows domain administrators will love you too, as Microsoft has tools to deploy MSI based installations onto large sets of machines remotely.
Its far better to do this right than put it off any longer. Vista is Microsoft's way of saying they aren't letting people get away with ignoring security issues any more and encouraging people to update their code.
I'm sure other users here will be able to point you are some MSDN best practices about writing ActiveX controls.
Have you checked out Microsoft's ClickOnce Deployment?
If I remember correctly you can embed a manifests which would help with dealing with protected modes automatically, saving you those headaches with the APIs.
I believe ClickOnce is geared for the same thing your ActiveX installer was designed to do.
Since you say your IT dept could push this out, I assume you could use this kind of technology as well.
Even though you might not be writing applications on the .NET CLR, you can use Visual Studio to generate those manifest and installers for you.

Resources