0

I have a solution with 2 projects in it. Project-1 is a web form application and Project-2 has some confidential methods, like decode and encode methods. I want to let my junior developers access Project-1 and use my Project-2 methods (which I referenced before and added to my Project-1) but not see inside the Project-2 methods, because I don't want them to see how I encode and decode strings and numbers, for security reasons.

I tried to deny read access in the Project2 security settings (as in the picture, Project2 Security Page), but after that the developers can't use any method from Project2 and they receive an error.

Is there any way I can do this? It is really important to me that my junior developers don't see my encode and decode methods.

Edit: I have to say I can't use a web service for my Decode and Encode, because this application is for a customer and he will use it on a local network without internet access.

Ali Poustdouzan
  • Possible duplicate of [How can I protect my private funcs against reflection executing?](http://stackoverflow.com/questions/8357469/how-can-i-protect-my-private-funcs-against-reflection-executing) – John Wu Feb 13 '17 at 19:51
  • Maybe you want to remove Project2 from the solution and reference it by assembly (DLL). But this is not enough to "hide" your code (they can use many techniques like decompilers, reflection...); also try researching obfuscators. Finally, if you can't trust your developers, why hire them in the first place? – JCM Feb 13 '17 at 19:54
  • @JCM Thank you, this is exactly what I'm doing now, but the problem is that every time my senior developers edit these methods they have to use a tool like .NET Reactor and update our Project2 DLL on TFS. It takes so much time, and that's why I'm searching for another solution – Ali Poustdouzan Feb 13 '17 at 20:03
  • @JohnWu this is a totally different question – Ali Poustdouzan Feb 13 '17 at 20:06
  • You keep using the word "see" as in "Deny a user to see inside a class." What does "see" mean in this context? If you don't mean "reflect and view the code," what do you mean then? – John Wu Feb 13 '17 at 20:12
  • Dear @JohnWu, my question is about TFS 2015 security. I want to somehow deny my juniors access to "read", "see", or whatever you name it, but in TFS security – Ali Poustdouzan Feb 13 '17 at 20:15
  • You mean block them from retrieving the source code from TFS source control? – John Wu Feb 13 '17 at 20:16
  • Yes exactly, I want to block them from retrieving my encode and decode methods, but from TFS – Ali Poustdouzan Feb 13 '17 at 20:19

2 Answers

1
  1. Put the sensitive code in its own folder in source control

  2. Modify the developer permissions on that folder. See this question and this documentation, which provides this step-by-step:

     1. On the Visual Studio View menu, click Other Windows, and then click Source Control Explorer.

     2. Right-click the folder or file for which you want to set permissions, and then click Properties.

     3. In the Properties dialog box, click the Security tab.

     4. In the Add users and groups area, select Team Foundation Server Group to set permissions for a Team Foundation Server group. Otherwise, select Windows user or group.

     5. Click Add.

     6. In the Users and Groups box of the Properties dialog box, select the user or group for which you want to set permissions.

     7. In the Permission box, select either Allow or Deny for each permission.

     8. Click OK to close the Properties dialog box.

  3. Make the DLL that results from the sensitive code available in a folder to which the devs have access.
John Wu
  • I believe you didn't read my whole question. I did these steps before, and when I deny read access for my junior developers they can't even use the Project2 methods (I even attached a screenshot from my Project2 security tab), and when I allow read access they can use the methods and even read the whole code in it... – Ali Poustdouzan Feb 13 '17 at 20:30
  • You need to make the DLL available but not the source code. – John Wu Feb 13 '17 at 20:58
  • As I said before to JCM in my question's comments, this is exactly what I'm doing right now, but this solution takes so much time because my senior developers have to use the Reactor tool to encrypt the DLL and publish it after every edit. – Ali Poustdouzan Feb 13 '17 at 21:08
  • Sounds like something you could add to your continuous integration build script, assuming you have one. Do you have one? – John Wu Feb 13 '17 at 21:20
  • I have another problem with this solution: if anyone takes our encode & decode DLL and uses it on a home PC, he can decode anything encoded with our DLL. I think it's not really secure – Ali Poustdouzan Feb 15 '17 at 17:42
  • That is a different problem (this is exactly why I was trying to get you to use a more specific word than "see.") The best you can do is obfuscate the assembly and ask your developers to sign an agreement not to reverse engineer your code as part of their NDA. – John Wu Feb 15 '17 at 19:14
  • How about our customer? He can take our DLL and use it somewhere else and try to decode some data in SQL. He can't read the code in an obfuscated DLL, but he can use our decode methods in a new project in his Visual Studio. My problem is that our customer has 3 developers too – Ali Poustdouzan Feb 15 '17 at 19:52
  • If you give the DLL to some third party, there is no technology in the world that will prevent them from learning your trade secrets, if they are determined. If you want to secure the logic you will need to provide it as a service and keep the code in-house. – John Wu Feb 15 '17 at 20:05
  • Is there any way to set a password for anyone who wants to add this DLL to a project? I mean, if my customer takes my DLL, he would need a password or something to use the methods and classes in this DLL? – Ali Poustdouzan Feb 15 '17 at 20:17
  • You could bake a password into your code base, e.g. by requiring it as a constructor argument. But since they have physical access to the assembly, it would be possible to reverse engineer the code and obtain the password. – John Wu Feb 15 '17 at 20:21
  • Imagine you are me: your customer can access your IIS data (including your DLL files, even if they are encrypted by obfuscation tools), so we are sure they can copy the DLL anywhere they want. What can you do to prevent them from using these DLLs in a new Visual Studio project and using the methods to decode some data? I'm really at a dead end right now – Ali Poustdouzan Feb 15 '17 at 20:48
  • If they do not have credentials for the service account for the IIS AppDomain, you could give that service account permissions to a special folder that your client can't access, and put the DLL there. Or you could put the DLL on a different server and invoke it with [.NET remoting](https://msdn.microsoft.com/en-us/library/kwdt6w2k(v=vs.71).aspx). – John Wu Feb 15 '17 at 20:54
  • Well, I can't use solution 1 because they are admins of the IIS server PC, and solution 2 can't be used because they are working on a local network and have no access to the internet – Ali Poustdouzan Feb 15 '17 at 20:57
  • The idea behind .NET remoting is that you'd put the DLL on a different server in the same network. Or are they also AD administrators? – John Wu Feb 15 '17 at 21:00
  • Unfortunately it's their network and PCs; nowhere in their network do I have a secure place to run a web service or something. – Ali Poustdouzan Feb 15 '17 at 21:04
  • Well, after all I resolved this problem with your help. I moved all my secure methods to a DLL, and in every call I checked who is calling my methods, so now it's a little hard to crack. Thank you @john-wu – Ali Poustdouzan Mar 07 '17 at 11:53
0

TFS can't achieve what you want. If you deny the Read permission for a file/folder, the user won't be able to see/use this file/folder.

You may consider managing your references via a package manager such as NuGet. Your senior developers can create and maintain the nuget package, while your junior developers only need to enable the package restore in their project.

Cece Dong - MSFT
  • Could you explain how I should do it? I have only used NuGet packages provided by Visual Studio; I never created one on my own. – Ali Poustdouzan Feb 14 '17 at 11:15
  • @Ali.P, you can check this article: https://learn.microsoft.com/en-us/nuget/create-packages/creating-a-package – Cece Dong - MSFT Feb 15 '17 at 03:01
  • Thank you, but do my juniors need internet to use the packages I create? And next question: are these packages public, so everyone can use them like default packages? – Ali Poustdouzan Feb 15 '17 at 17:33
  • You can create Public packages or Private packages, check: https://learn.microsoft.com/en-us/nuget/create-packages/publish-a-package – Cece Dong - MSFT Feb 16 '17 at 08:06
  • I checked the webpages and it seems this solution needs internet for my junior developers to use packages. Every developer in my office uses a different PC for internet and a different PC for programming, so they can't use packages unless I can provide them on the local network. The second issue is that uploading my confidential methods to the internet (NuGet) is exactly what I'm trying to avoid. Our customer will cut off my head if he finds out I uploaded his bank account information to the internet. – Ali Poustdouzan Feb 16 '17 at 15:50
  • It seems the only way will be publishing the package in your local network. – Cece Dong - MSFT Feb 17 '17 at 03:33
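
One way to combine the two answers above (source folder denied in TFS, compiled DLL published on the local network as a NuGet package), shown as an added example that is not part of the original thread. The share path, version, build output path and `net45` folder are assumptions, and `nuget.exe` is assumed to be on the PATH.

```powershell
# Added example; share path, version, DLL path and net45 folder are assumptions.
param([switch]$RegisterFeedOnly)   # junior developers run the script once with this switch
$ErrorActionPreference = 'Stop'

$feed    = '\\buildserver\nuget-feed'             # hypothetical LAN share, Read-only for juniors
$dll     = '.\Project2\bin\Release\Project2.dll'  # assumed build (and obfuscation) output
$version = '1.0.0'                                # placeholder; bump on every publish
$staging = Join-Path $env:TEMP 'Project2.pkg'

function Invoke-NuGet {
    # Native tools do not throw on failure, so check the exit code explicitly.
    & nuget @args
    if ($LASTEXITCODE -ne 0) { throw "nuget $($args[0]) failed with exit code $LASTEXITCODE" }
}

if ($RegisterFeedOnly) {
    # Junior developer machine: point NuGet at the LAN feed; no internet involved.
    Invoke-NuGet sources Add -Name 'LocalFeed' -Source $feed
    return
}

# Build agent or senior developer machine from here on.
# 1. Stage only the compiled assembly: no .cs sources and no .pdb symbols.
if (Test-Path $staging) { Remove-Item $staging -Recurse -Force }
$lib = New-Item -ItemType Directory -Path (Join-Path $staging 'lib\net45') -Force
Copy-Item $dll $lib.FullName

# 2. Minimal manifest; with no <files> element, nuget packs the lib\ folder by convention.
$nuspec = Join-Path $staging 'Project2.nuspec'
@"
<?xml version="1.0"?>
<package>
  <metadata>
    <id>Project2</id>
    <version>$version</version>
    <authors>Senior developers</authors>
    <description>Binary-only build of Project2.</description>
  </metadata>
</package>
"@ | Set-Content $nuspec -Encoding UTF8

# 3. Pack and copy into the folder feed on the share.
Invoke-NuGet pack $nuspec -OutputDirectory $staging
Invoke-NuGet add (Join-Path $staging "Project2.$version.nupkg") -Source $feed
# The package still ships a decompilable DLL: this hides the TFS source, nothing more.
```

Run as a build step after the obfuscation step, this removes the manual DLL check-in to TFS that the comments describe as slow.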