Is there a way that I can guarantee that no one at my web host peeks at my code?

Honya
Honya used Ask the Experts™
on
Let's say you comes up with a great new web app but you are unable to host it yourself. So you do what everyone else is doing these days, you put it on the cloud. Is there a way to guarantee that no one at your hosting company peeks at your files?

My Concerns
It seems to me all forms of third party hosting, I.e. traditional web hosting, cloud hosting may not be a good idea for business who want to keep their information secure. If we place all our data on servers controlled by other companies and those companies create AI programmes dedicated to finding useful bits of information; we may soon find ourselves living in a world where before we are able to execute our ideas, some AI programme has already stolen our ideas and those of 10 other persons from the cloud and converted it into the 2045 equivalent of what cell phones are today. We continue to toil at our 9 to 9 jobs (not a typo)

Has anyone seen any solutions to address those concerns?

I have some other questions about AI but perhaps another time.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2015

Commented:
I don't think there is anything that can guarantee that your data isn't being viewed by the hoster's employees. You have to believe their terms of use and trust them there. It is usually also better if you look for a hosting company that is based in your country. If something should happen, it is easier to sue them as the jurisdiction is then also in your country. If it is somewhere else it is often impossible to take proper legal action against them.
Exec Consultant
Distinguished Expert 2018
Commented:
Actually you cannot stop other from peeking your web app since it is hosted at their premise. Even though there is segregated hosting and agreed contractual agreement that unauthorised access will not be done or allowed, there is no sheer guarantee such activities cannot occurred with your knowing. They would still administer your hosted environment.. You can’t secure what you don’t know you own.

I am thinking the web app requires its native protection - sort of embedded some sort of copyright and code protection against tamper and abuse. There is also need to securing of environment and establish regime of security testing and update. See one example of Azure cloud to secure web apps.

1 - make sure the apps went through the regime of security testing internally so that attack surface due to exploiting vulnerability by public and 3rd party is reduced. Like conducting penetration testing of your apps in the hosted site.

2 - secure your apps which besides the security testing, there is need for hardening and obfuscation into the code itself. For example, look at  Cryptanium Code Protection. It does it by inserting hundreds of overlapping integrity checkers into the code. Each checker monitors a particular range of the binary file. If an application is modified, the embedded checksums no longer match the binary footprint, and the application can defend itself by terminating the execution. Besides checksum, there can be embedded platform-specific anti-debug and anti-piracy code to safeguard the code.  

3 - ensure there is two-factor authentication and one-time passwords, to add another layer of security when anyone is connecting to access your apps. I know it is not foolproof but best effort to mitigate against simple weak credential replay login.

4 - for cryptographic key used for data encryption or integrity check, consider having to host a HSM (harden security module). The HSM is a tamper-proof solution that is verified to store your key and never to be leaked out without your knowing. Cloud provider has that with other partner or you can ask them to have it to see if on-premise HSM is supported.

5 - protect the apps data at rest, and data in transit. Consider a private cloud and tunnel a trusted connection via IPSEC or VPN to prevent siphoning of personal data, login details etc that can lead to abuse and access to apps. May consider to establish a trusted gateway. e.g. connect the gateway like Cisco Identity Services Engine (ISE) in your data center to your cloud hosted apps. ISE will communicate with the application using a standards-based protocol. It serves as trusted services that consider the context of a request before granting access.

In fact, it is also our (as customer) responsibility to demand periodic security reports from its cloud vendor and thoroughly understand how they ensure your data and their environment are being protected and in tip top secure state. This is also to retain a measure of control such that you understand the security measures that are in place at your cloud vendor and also to require that vendor to provide periodic security updates. Knowing it is still necessary as it is also a means to the end...

Author

Commented:
Concerning BTAN's comment is there a way to encrypt the web app files place them on a webserver and have the webserver read handle the files at it usually does? I would like to know if it is possible for a webserver to access files that was encrypted bta third party software.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

btanExec Consultant
Distinguished Expert 2018

Commented:
I am thinking of an encrypted virtual vault which is accessible by a password. In other words only upon supplying a correct password the files are decrypted on the fly and accessible. Generate a strong password minimally 16 alpha numeric with symbols and varied big and small caps.

See cryptomator a free tool. It can be access via webdav client for it case.
https://cryptomator.org/architecture/#masterkeyDerivation
https://cryptomator.freshdesk.com/support/solutions/articles/16000011284-can-i-use-alternative-webdav-clients-

Another is Boxcryptor which can be use for developer. There is a commerical copy for increased concurrent client session, the free copy allow max two client connections.

https://support.boxcryptor.com/plugins/servlet/mobile#content/view/6521195
Distinguished Expert 2017
Commented:
Depending on where you are based, and where you host, there are mechanisms/steps you have to take to "record" that your code and any progression of it is properly recorded/copyright to preserve as others pointed out your better chances in the event of litigation.

Depending on the language/used for the web app, see if there are native coding technique that will mask/compile the code so those where it is hosted will not be able to seethe raw source..

Author

Commented:
Concerning Arnold's comment, I am using php. Is there a way to compile or mask php so that the hoster will be unable to see the code?
tl;dr - use ioncube. http://www.ioncube.com/

The question is specifically about hosting environments, isn't it?
Although the most secure place from prying eyes would be in a safe disconnected from the net, there are actually a few steps to take in a hosting environment.

Regulatory steps
Does your hosting service comply with ISO 27001, PCI, HIPAA ? It they do - chances are they have the controls to stop a rogue employee from getting at your IP, and the capability to deal with incidents when they happen. A PCI compliant service is likely to compensate you rather than risk losing their compliance.
Have your lawyer go over the service agreement and amend it if necessary to protect your IP, hopefully the service will cooperate.

Use binary code
Write your code in C, C++, C# or any other compiled code, and do not keep the source on the hosting service.

Use obfuscated code
If your code is in php, use ioncube.
If in python - convert it to bytecode.

However, all byte code and obfuscation can be reversed with the proper knowledge, this is not a full protection.
btanExec Consultant
Distinguished Expert 2018
Commented:
Another option id phpshadow that encrypt your PHP code either by using their supplied Encoder Tool that can downloaded or by uploading your files to their Cloud Encryption Service.
http://phpshadow.com/tour

You only pay a fee when you want to encrypt your files. Once encrypted, your code will work forever at no cost. There are no on-going monthly subscription fees.

However it has some limitations

PHPshadow will not work in situations where an included file returns a value. Some frameworks, such as the Zend Framework, use this technique.
The workaround is to identify the files that you have written yourself and only encrypt those.

PHPshadow will not work with the Windows version of XAMPP.

Is there a Windows version available?
We have not yet released a Windows version. However, you can run the Encoder Tool under WSL on windows.
http://phpshadow.com/known-issues

Author

Commented:
Concerning Shalomc's comment about using C, C++ or C#. Does everyone agree that using those, or any other compiled languages guarantees that the hoster will be unable to view the code?
btanExec Consultant
Distinguished Expert 2018

Commented:
Binary codes make it harder. However, there are also tools/plugins such as HexRays decompiler which attempt to analyze assembly and convert it to a more readable, C-like  pseudo code. So as long as  the codes are not encrypted reverse engineering attempts are possible though non trivial. Secure coding is also a necessity to prevent it being exploited as well as protect its integrity with digital signature. Go through the Secure development lifecycle. The safekeeping is in the secret and crypto key requires in encrypting the codes.
Consider that for the past 30 years shipping out compiled executables was the favorite way to distribute software to millions of users.
Reverse engineering and decompilation is not easy and not for the faint of heart. All in all, what you need is not an impregnable wall of protection. You need to raise the difficulty of reverse engineering to the point where it is not worthwhile to do it. Maybe php with ioncube is good enough?

Author

Commented:
Thank you. I got a lot of very useful information. Some facts relating to the legal aspects of implementing security and others relating to programming languages and encryption. I certainly will need to sort through all the information to see which is the best option in my situation. But thanks again!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial