I have recently gotten in touch with a small software company that created a piece of software that I would like to modify and resell under their name. The CEO has agreed to collaborate with me on this project. They will provide everything I need to develop and I will develop the software to the liking of a niche market I am close with. The one condition is the code needs to be secured against theft (from me or any outside entities). Anything that will prevent the source code or copies of the source code from leaving.
Is it possible to set up a remote server in their office that will limit all network activity except through ports necessary to run the development environment (db, data-feeds)? Could this be secure enough? Does anyone have any other ideas?
Related
I am trying to figure out a way to create a secure data entry process using Microsoft Office (cannot use Azure by the way). The obvious way is to use Microsoft Forms, but the form would be too large as there are over 150 data points that need to be entered.
I have instead created an Excel file that has the ability to load responses to a SharePoint list. This works as long as the list is public and viewers have contribute privileges. The downside to this is that the data is not secure and anyone can view the list. The data has phone numbers, SSN, passports, etc. I tried to make a workaround for this by creating a flow that captured any new entries and moved them to my personal private SharePoint list, then deleted the original. This works great, but after testing with my colleague it seems that anyone can join the first team and make an identical flow to that team to capture data themselves.
Is there a way to accept data from anyone internally while also preventing them from accessing the data? I am capable of using SharePoint, Teams, Power Automate, and Access to accomplish this. I am less familiar with Access but have used it before. I'm just not sure how secure it is.
I'll be happy to provide further information as needed. Thanks
You could consider Access forms, and then have the tables reside on SharePoint.
You can then say base the form on a query, and in that query you could provide (have) the user name included as part of the query where clause (thus a user removing or changing the form's filter will only provide a view of their own data.). However, such users, if they fired up Access (or even Excel), could wind up seeing all rows in the table and not what the Access query restricts the data to (the one user).
Unfortunately with Access desktop? And like most desktop software? Well the goal and design and history is that of allowing ease of data editing and viewing. So, just like when you walk into a bank, and wait in line? Well, when you get to the teller, they will fire up an Access form based like system and pull up your account information. And any and all tellers can see/view and pull up that data because that is what the software is supposed to do, and do well. (get at any customer data).
Now, flip this problem, and create a user web banking system, or even an instant teller. Now the problem is backwards. The software's goal is not ease of editing data in a table, but ONLY allowing the user to see THEIR data. So a very different kind of problem.
It is very (beyond very) important to note that web development tools do not out of the blue or automatically restrict data to JUST the one user. It is YOU the developer that makes that choice. So, if we could press a button and have an Access form converted to the web? Well, then that Access form would do its job in life. That job is to allow you to edit all that data in a table. Not just YOUR data.
For example, have you ever written an Access application that JUST displays each user's own data? I am betting not! It is hard to do. (because the roots of Access are ease of editing data). As noted, I cannot stress that web development tools do the SAME thing. They can let you edit data. The editing of data is thus a software issue and development issue. The data system or Access or even SQL server? They just hold data. It is YOUR software that has to decide that ONLY data for the one user is to be displayed.
Now so very often web systems ONLY show YOUR data. But that VERY common case is due to the nature of web systems, and that you're not a bank teller, or a company employee, but that of a consumer of that system. And each consumer now is 100% opposite of what most software systems do naturally (that is get data from a table).
So, I can't stress this concept enough. That concept is that web software and systems do NOT make this restricting of data choice for you. It is your developer tools that MUST have this ability and ALSO the choice of how you build such systems.
Web systems can do this restricting of data better for several reasons.
One big reason? Well, most of the time you adopt some kind of security and logon system.
Thus, parts of the web site now are restricted based on your logon system. (hey, maybe you use Facebook logons). So web systems have a very good and wide and broad system of supporting some kind of logon system. For desktop software? Not so much.
But EVEN with that very robust and type of security system and logon system?
You the developer STILL have to make the choice of what data they see. Maybe it is traveling salesmen on the road. And thus every user of that web system still has to be able to edit, view and add customers to that system. This common case is not really different than a typical Access form to edit data.
So only SOME types of web applications need that restricting of data to JUST the one logged on user. But, because web systems have that "better" logon system? Then you the developer can thus now use that logon to restrict data with greater ease than what desktop software dev tools often offer (say like Access).
So, a lot of this will come down to the web tools used. If you are pulling data with Excel, or Access? Then it is considerably more difficult to pull JUST data that belongs to a given user. And your software will require designs from day one with these restrictions in mind.
Again, at the risk of repeating myself?
The tools don't make the data restrictions for you. If you need secure data for ONLY the given user, then you simply have to adopt a set of developer tools that allow this concept in mind. And that tends to mean the tools you use do NOT by default allow users to directly edit or link to some big table of data that contains all users' data.
This is also why say a program written in VB6, or now vb.net can be more secure than Access. (because those tools by default don't provide forms that are designed from day one to edit all rows of data). So, the UI does not present default forms and things that give users the ability to edit all rows. As a result, then the software can now control what records the user sees, since they don't have some default form that allows viewing of all rows.
It thus becomes more practical to write software that only dishes out their own data. But again, and I can't stress this:
The choice of what data to display is a choice of the software developer - not the database nor the web development tools.
It thus stands to reason then you have to choose the appropriate tools that will allow you to write software that restricts the data in a manner you require.
General questions on SO in regards to what flavor of ice cream or what dev tools to use tends to be frowned upon, and is quite much against the general rules for solving software and code issues you have and post on SO.
But, if you come from say Access with VBA skills? Then I would suggest adopting the free version of Visual Studio and go with vb.net + asp.net web forms. Web forms are close to end of life, but they are by far and away the best choice, the least effort (coming from Access) and will give you a robust security model in which you can restrict data on a per user basis.
I would not duct tape and try to cobble together such a system with office tools, since they are not really designed for that type of data restricting you need. So, go with some good quality web tools like Visual Studio (free version is fine) and use SQL server (free version again) is really the way to go here. If you need a truck in place of a car, then get the right kind of truck, and don't try and use a car for that transport of goods, or in this case build a secure web database system.
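An added example (not from the answer above or from any product it names) of the point that the software, not the table, decides which rows a user sees: any authenticated user may submit, but reads are filtered by the session identity inside the data layer. It is written in Go; the `Store` type, the account names and the sample rows are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Record is one submitted row. Owner is set by the server, never by the client.
type Record struct {
	ID          int
	Owner, Data string
}

// Store stands in for the shared table that holds every user's rows.
type Store struct {
	rows   []Record
	admins map[string]bool // accounts allowed to read everything
}

var ErrDenied = errors.New("not found or not permitted") // same error for missing and foreign rows

// Submit accepts a row from any authenticated user and stamps the owner from the session.
func (s *Store) Submit(authUser, data string) int {
	id := len(s.rows) + 1
	s.rows = append(s.rows, Record{ID: id, Owner: authUser, Data: data})
	return id
}

// List filters in the data layer, where no client form or linked table can widen it.
func (s *Store) List(authUser string) []Record {
	var out []Record
	for _, r := range s.rows {
		if r.Owner == authUser || s.admins[authUser] {
			out = append(out, r)
		}
	}
	return out
}

// Get repeats the same ownership check for lookups by ID.
func (s *Store) Get(authUser string, id int) (Record, error) {
	for _, r := range s.rows {
		if r.ID == id && (r.Owner == authUser || s.admins[authUser]) {
			return r, nil
		}
	}
	return Record{}, ErrDenied
}

func main() {
	s := &Store{admins: map[string]bool{"hr-admin": true}} // constructed accounts
	s.Submit("alice", "constructed sample row")
	_, err := s.Get("alice", s.Submit("bob", "constructed sample row"))
	fmt.Println(len(s.List("alice")), len(s.List("hr-admin")), err)
}
```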
We (ISV) are currently planning to offer our software on a rental/subscription basis as a service.
It's a native Windows (C++ / .NET) B2B application.
Our software needs access to the file system (drives) on the customers computer and it also needs access to the network (e.g. be able to find other computers in the network).
We want to offer our customers a service where they do not have to bother themselves with setup/updates and always work with the newest version of our software. So we need a single point of maintenance.
In the first phase we do not expect a lot of our customers (let's say 20) to change to this model, so it would not be a problem to have to set them up and manage them manually, but in the long run a solution that allows an automated set/sign up process would be required.
What I found most promising was Citrix XenDesktop/XenApp with VM hosted Apps and personal vDisks, but it seems that the Citrix solution is not able to get access to the network on the client PC (I tried it with the trial in the Azure Marketplace). Also it seems to be high priced.
What would be other possible ways to meet these requirements?
Unless you can make some significant architectural changes to eliminate the need to access the local filesystem and eliminate the need to do local network browsing, I would recommend focusing on optimizing your local installation and update process. And skip the virtualization/service idea "for now".
You can still go to subscription model with a locally installed application. Just require your application to "phone home" to check its licensing/subscription status on startup.
We are developing open source benchmarking software that users can download, execute on their system (which runs some benchmarks for some stuff) and then uploads the results to a central database. Those anonymous, crowdsourced benchmark results are then displayed on a website for everyone to see.
A big feature of this software is that it's open source. It will be hosted on GitHub and will include instructions for anyone to download and compile the source themselves, for peace-of-mind or whatever just in case people don't trust our program.
But we obviously cannot divulge the security credentials that allows the software to upload benchmark results to our central database. So we aren't going to include these in the public source.
So people could compile the software themselves (which is good) and use it, but it would be useless because the software wouldn't be able to upload to the database, which is the entire purpose of the crowdsourcing software. So users would be forced to use "our build" of the software that has credentials hidden away inside. Many people are smart enough to not bother with unfamiliar .exe's these days, so that doesn't help the situation. Also, since the source is open, anyone could modify it, compile it and distribute with malicious intent, saying that it's our software.
How do you get around this problem of security credentials in open source software? Obviously rule #1 is you don't include it in the distributed source. But if the credentials are required for the software to function as intended, then what do you do? We want to keep it open source so that users have a reason to trust the software.
You can ask each project owner to register on your site, create a public/private key pair for them and use asymmetric encryption to identify the source of your results.
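An added example, not part of the original answer, of per-contributor signing in Go: each contributor registers a public key, the client signs each result with the matching private key, and the server checks the signature before storing it. It assumes Ed25519 signatures and a key pair generated on the contributor's machine; `Registry`, `contrib-1` and the sample result are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Registry maps contributor ID to registered public key; no secret ships in the source.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// NewKeyPair runs on the contributor's machine; the private key stays there.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// Register records the public key a contributor supplied at sign-up.
func (r *Registry) Register(id string, pub ed25519.PublicKey) { r.keys[id] = pub }

// Revoke blocks one contributor without touching anyone else's uploads.
func (r *Registry) Revoke(id string) { r.revoked[id] = true }

// SignResult is what the benchmark client does just before uploading.
func SignResult(priv ed25519.PrivateKey, result []byte) []byte {
	return ed25519.Sign(priv, result)
}

// Accept is the server-side check made before a result is stored.
func (r *Registry) Accept(id string, result, sig []byte) error {
	pub, ok := r.keys[id]
	if !ok || r.revoked[id] || len(pub) != ed25519.PublicKeySize {
		return errors.New("unknown or revoked contributor")
	}
	if !ed25519.Verify(pub, result, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

func main() {
	pub, priv, _ := NewKeyPair()
	reg := NewRegistry()
	reg.Register("contrib-1", pub)          // constructed contributor ID
	result := []byte(`{"cpu_score": 1234}`) // constructed sample result
	sig := SignResult(priv, result)
	fmt.Println(reg.Accept("contrib-1", result, sig))
	fmt.Println(reg.Accept("contrib-1", []byte(`{"cpu_score": 9999}`), sig))
}
```

A valid signature shows which registered contributor sent a result, not that the numbers are honest; revocation is the remedy when a key is abused.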
I'm sure many of you are familiar with the IBM i5 series emulator (looks like this poop)
My company uses this religiously and there is no Biz logic in it so anytime someone in our finance dpt makes a human error it accepts it and adds it to the database. Not to mention it's ugly, hard to use, not intuitive, etc....
I would like to create a frontend for this interface so that we can control the logic before it's submitted to the system (we don't control the system itself) so in effect I need to make my own emulator app.
However I can't seem to find any information on how to interface with the i series, namely login, send commands, and view or gather data from the screens it would normally send back.
Any suggestions?
The problem is not the iSeries but the software package your company is running on it.
There ARE advantages to use green screens: it's fast and it's almost unbeatable at data entry, provided you get used to it.
But to answer your question, the iSeries is a J2EE enabled machine: an HTTP server comes installed and depending on the version of the iSeries, WebSphere might be already installed, or you are entitled to install it. Then you can use JT400, which is the Java toolkit for the os400 containing the JDBC drivers to connect the database and the necessary classes for calling programs.
If you prefer PHP, there is a flavor of the Zend framework made to work on the iSeries but I never tried it.
I'd recommend that you take a look at both the Attachmate Verastream Host Integrator (VHI) and IBM's Host Access Transformation Services (HATS) products. They effectively just screen scrape the green screen terminals to allow you to pull and push data and provide macro recording and editing tools to automate the process. App integration can be achieved via web services or html/jsp/servlet programming (plus .Net for VHI and EJB's for HATS). They do come with enterprise pricing however which may be an obstacle for some. They do have free trial offerings for evaluation purposes to help determine if they are an appropriate solution to your problem.
What software packages are they using? Most programs that I use in the 5250 emulator have some business logic that error checks the data before adding it to the database. Can you get us some more information so we can direct you in a better direction?
There are vendors that sell products that screen-scrape the 5250 data stream and produce a web front-end. Or you can write your own front-end in the language of your choice and just do SQL calls to the database.
There's got to be some source code. Start by looking at the menu and menu option your users are accessing and figure out what's running behind them.
Use command STRPDM to look for source code - look in different libraries (they are like folders)
You might have source code in a "member" called something like xxxMNUSRC xxxRPGSRC (rpg program source) or xxxCLSRC (cl programs), xxxDDSSRC (display/screen source, physical/logical file source)
Objects are "compiled" objects such as files (tables), screens, printer files (reports)
Stay away from Qxxx and #xxx libraries - those are system libraries.
http://systeminetwork.com/ is a good resource for iSeries related questions.
My company is a custom development shop for a number of projects, some larger and some smaller. Currently we handle all of our client communication through email. So we email a design doc, they mark it up and send it back. Then we roll out a beta version of their product and they email us with any bugs, new features, etc. And so on....
As I am working on implementing a new bug tracking system (it looks like it will be Mantis right now), I got to wondering how we could best allow our customers an interface with our development process that would provide better tracking of feature requests and client submitted bugs as well as communicate our responses back to the client.
If anyone is aware of a bug tracking system that does this exceptionally well I'd be interested to hear of that. Otherwise I'm just looking for some general guidelines or good business practices that have allowed your companies to interface effectively and efficiently with your clients.
UPDATE: My company uses a LAMPP stack and as we are a small shop with a limited budget we tend to stick to tools that are open-source and free.
Do most people either use Team Foundation Server to handle this or emails back and forth?
I think the key is to have the dedicated tracking system there for bugs/requests, and to establish a set process for communication. With that at minimum you will start getting consistent feedback. From there you can tweak it to get your specific needs.
As an aside, rather than just using e-mail for your communication, I strongly recommend going to something like BaseCamp for a project management tool. I find that it helps greatly with keeping messages, documentation, and timelines communicated to the client.
If you are using Team Foundation Server, I recommend you to install TeamPlain Web Access. They allow you to expose a web interface to your TFS project. The only things left to do, is give rights to your client and a username and a password.
Otherwise, there are some paid tools like FogBugz. Of course, the principle is having the bug reporting tools directly linked to your Source Control so that the developers can easily fix bugs.
Although I know of no specific tools (at least no open source ones), I suggest that you setup a system which will cover your overall requirements gathering and implementation process. Requirements could be tracked in the system, which would also contain the design documents (which could be "checked out from" and "committed to" the system). This way, you would tackle the problem of having multiple revisions of design documents around. Additionally, the design documents and the requirements could be tracked easily. If this system were linked to your source code management system, you would additionally ease your development process/requirements tracking.
Another possibility is to use two products in concert, here's our current setup with a team of 12:
osTicket for incoming requests from clients
Allows for issues to be handled by support staff and bugs to be verified
Status can be checked with just an email address and ticket ID
Typically users don't submit detailed enough bug reports so is a good first step
redmine for development tickets
Ticket created by QA or a developer if issue is a real bug
Provides solid enough project and release management
Is a solid step up from trac and mantis (and provides migration tools)