Protecting ASP code

[John]

Dear all,

I've got a security question that is so difficult that "maybe" there will be
no answer for it. It's regarding protecting asp code.

I did write some asp code, that I sell to companies, to control several
dbases. Because I sell the code, it's not that they own the code and can
sell it further or change the code, or add some extra code to it. It's like
I'm selling a program like Excel and that they can use the program, not
change it. I'm still the rightful and intellectual owner.

Also, if you give the raw asp-code, then there is a possibility that they
change to code a bit for there internal usage only. But if I sell an update,
then they have to search and copy/past there old code in the new page, not
knowing, that everything will work eventually.

It would be a lot nicer and easer if I can deliver some protected code that
they can't change! This will make my live a lot easer regarding updates. And
I will sleep better because they can't see the raw asp code,
copy/past/change and sell it or worse, going to competitors.

It would mean a lot for me, if you could help me to protect my code against
this all. Give me some inside views, some snip of your thoughts or some
general ideas to debate.

The thinks I did find and won't help to protect this all is :
a) NT security (server is from the customers)
b) Host the IIS server by myself (cannot be done, customers
request there own servers)
c) AspCodeLock, drawback in executing?
d) Windows Script Encode, this can be broken.

Using dll's would be nice and could be a solution, but then
a) I've to buy "Visual-Basic" or something else to do this.
A question that is running in my mind is : Is "visual-Basic"
the good/perfect programming language to do this? Some people
did always say that C++ is mutch better in performance and
is thread save. I can write Delphi also, is this a way to go?
But how?
b) Then I have to put all my pages in DLL form. (login.asp ->
will be : login.dll) or do I have to protect only portions of
my asp pages, but still then, they could change or implement
some extra code in the pages and that is not what I'm searching
for.
c) will this dll solution be steady enough against asp code. I
know from asp-code (I'm writing in UltraEdit, so I have a low
cost regarding buying all the software I need for my work. This
is important for me!) that I can write heavy used pages with no
problems at all. What with dll-pages? What with MTS?
d) Asp gives you the fast solution in debugging, because there is
no compilation involved so you can directly write/change your
code without compiling, installing and register your code. Is
this not a drawback in a dll solution, or is there a good
debugging environment for dll coding for iis?

The best solution for me is : some sort of opensource script language that
you can use like asp, but with some build in

function like
a) Create iis readable script
b) Create iis dll script

So when a webpage is done, you could create a filename.dll file and put this
on the webserver without losing any functionality from the previous readable
script like filename.asp. Better would be, that the file extension would
stay filename.asp for the dll version, this to protect my inline hyperlinks.

Thnx for helping me
Best regards,
J.

 

[Adrienne Boswell]

Dear all,

I've got a security question that is so difficult that "maybe" there
will be no answer for it. It's regarding protecting asp code.

My feelings are these:

1. You should have a license agreement with the customer that clearly
states that they are not to change the code.
2. Put something on the top of each page you do, eg: 'This is licensed
software and may not be edited without violating the software license' or
something to that effect.
3. You should have some sort of access to the server where the code is
running. From that you can find out if they did make changes to the code,
and then you can act accordingly. You should also have this so you can
backup/install pages yourself.
4. If they really want to break the code, or they really want to roll their
own, they will.

My suggestion to you is to give them as many admin pages as you can. If
they can make updates in their browser, they're not going to worry about
changing code here and there.

 

[Rob]

You may also try Microsoft's "Script Encoder" to encrypt your asp source
code. It's free.

 

[Curt J Raddatz]

If this is really a concern then you need to be developing in another
language. Assuming you want to continue using ASP, I would take the
low-tech approach. Why go though a bunch of code that can likely be hacked
anyway. Find a contract lawyer, draw up a software license agreement and
have you clients sign it. Problem solved.

 

[Jeff Cochran]

I did write some asp code, that I sell to companies, to control several

dbases. Because I sell the code, it's not that they own the code and can
sell it further or change the code, or add some extra code to it. It's like
I'm selling a program like Excel and that they can use the program, not
change it. I'm still the rightful and intellectual owner.

Make sure your license agreement states that.

It would be a lot nicer and easer if I can deliver some protected code that
they can't change! This will make my live a lot easer regarding updates. And
I will sleep better because they can't see the raw asp code,
copy/past/change and sell it or worse, going to competitors.

It's called a DLL. Put at least some of your logic, maybe
authentication code, into a DLL and it's tough to reverse engineer.

Using dll's would be nice and could be a solution, but then
a) I've to buy "Visual-Basic" or something else to do this.
A question that is running in my mind is : Is "visual-Basic"
the good/perfect programming language to do this? Some people
did always say that C++ is mutch better in performance and
is thread save. I can write Delphi also, is this a way to go?
But how?

Bummer. Haviung to buy developer tools to be able to develop and sell
a product. That's shameful. As bad as having to buy a pizza oven and
a delivery car to run a pizza shop.

b) Then I have to put all my pages in DLL form. (login.asp ->
will be : login.dll) or do I have to protect only portions of
my asp pages, but still then, they could change or implement
some extra code in the pages and that is not what I'm searching
for.

If you want them to change *nothing* then you have to use an
environment that isn't designed for simplicity in changing code.

c) will this dll solution be steady enough against asp code. I
know from asp-code (I'm writing in UltraEdit, so I have a low
cost regarding buying all the software I need for my work. This
is important for me!) that I can write heavy used pages with no
problems at all. What with dll-pages? What with MTS?
d) Asp gives you the fast solution in debugging, because there is
no compilation involved so you can directly write/change your
code without compiling, installing and register your code. Is
this not a drawback in a dll solution, or is there a good
debugging environment for dll coding for iis?

The best solution for me is : some sort of opensource script language that
you can use like asp, but with some build in

function like
a) Create iis readable script
b) Create iis dll script

So when a webpage is done, you could create a filename.dll file and put this
on the webserver without losing any functionality from the previous readable
script like filename.asp. Better would be, that the file extension would
stay filename.asp for the dll version, this to protect my inline hyperlinks.

So write this type of environment yourself.

There are advantages and drawbacks to every programming choice. Match
the techniques to your needs.

Jeff

 

[Bob Barrows [MVP]]

It's also ridiculously easy to defeat. Just Google for Script Decoder to see
how easy it is

Bob Barrows