DEV Community

Discussion on: Is open-sourcing server-side code a security threat?

HS

The point that most people who spot vulnerabilities are paid enough to actually report bugs makes sense.

On the other hand, there are a lot of foreign players, and "corporate espionage" has lately been an issue. I explained that once damage is done, the comment "you're developing faster" makes no sense, as we don't care if the bad guys go down (they will at some point anyway), but we should care that some good company got damaged, or in this case we're discussing a company that you (the one that exposes the code) have some involvement in, as an employee or owner. You can find out what some companies did back in China and how it damaged companies in the US, countries in Europe, and some Asian ones like South Korea. I really don't want to write about it in comments.

Sony was speculated to have been hit by this kind of guy; however, I don't think it was proven to be some other company that wanted damage done to them, but rather "wild" hackers. This case is not about exposing the code but rather proves the point that exposing code will also help the bad guys, who are paid enough too, but in this case to damage you.

I mainly focused on a good idea getting developed in a small startup or some mid-sized company, in cases where "you move faster" is not true and someone can abuse it.

"What's stopping them from doing so even without your code?" is way off the point, and "Usually, any product worth its salt will have both front end and back end code." shows a misunderstanding of the potential ways to exploit it. The frontend can be different in terms of UI, and many methods could be rapidly refactored to look different, both for the backend API and the frontend. So how could you ever prove that someone took your code? No serious rewrite will happen in the case I described, a small startup with a good idea. Say you take 4 devs to develop a nice project in a couple of months. Now most of the time spent goes on domain research. This whole code can in many cases be rewritten by one single guy in a month who didn't spend a dime on salaries, an office, or domain experts (well, someone who knows the domain pretty well, probably not a real expert). Now if he jump-starts a solution after one month without any investment, gets a couple of clients without anyone knowing what he did, he can also later hire devs to develop it, maybe even in a different direction. There's a good chance no one will ever know, and a fair chance of damaging the company that started the project without you knowing or even considering that they did such a thing. On the other hand, they could also be scanning your code for vulnerabilities to make problems for you and scare off your potential customers.

I was mainly making these statements as I read about these cases and was wondering, if I want to start a company, whether it's smart to expose the whole code.

Security by obscurity is one thing. Keeping things secret as an additional protection layer is another. I don't know of any army, national or similar projects being open source until they decide they are good enough to let go.

Working as a developer and seeing some things made me realise that not all owners are "capitalistic bas***"; they are just taking some additional measures, which they can, as they don't want to get burned again. Some of them are just trying to make ends meet, and it usually does provide enough security to hide the code, as most of those "kiddie" hackers are people they know in some way, and those guys can only benefit from the code.

Real-world example from 2015: a neighbour of a company owner wanted to hack him and make a similar product; he got most of the code and that's how the hacking took place. It made a huge AWS bill, but Amazon was nice enough to stop the attack, return the money and tell them to change their dev keys. Now, that's the wrong way of doing things, but it was development and they were hitting deadlines, thinking who would hack them as no one even knew about the product except potential customers.
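The 2015 anecdote above turns on one concrete failure: cloud dev keys living inside the code, so whoever obtained the code also obtained the account. Whether or not a codebase is ever published, the defensive check is the same: scan the tree for embedded credentials before it leaves the team. The following is an added example written for this discussion, not code from the thread's participants or from DEV. It uses two constructed sample files, the AWS-documented placeholder key `AKIAIOSFODNN7EXAMPLE` as the positive case, and a small rule set: the documented `AKIA`/`ASIA` prefix shape of an AWS access key ID, plus a heuristic for any secret-looking variable assigned a string literal. The rule names and the `SAMPLE_FILES` contents are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Detection rules as (rule name, compiled pattern).
# Rule 1: AWS access key IDs start with AKIA (long-term) or ASIA (temporary)
#         followed by 16 uppercase alphanumerics.
# Rule 2: a variable whose name contains secret/password/passwd/token/api_key
#         assigned a quoted literal of 8+ characters. A value read from the
#         environment (os.environ[...]) or a file path does not match, which
#         is exactly the "correct" form the rule should let through.
RULES: List[Tuple[str, re.Pattern]] = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("hardcoded_secret_literal",
     re.compile(r"(?i)\b\w*(?:secret|password|passwd|token|api_key)\w*"
                r"\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# A finding is (file path, 1-based line number, rule name).
Finding = Tuple[str, int, str]


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line of one file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map; a real run would walk a repo."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files (assumption: a tiny mock repository).
# config.py is the 2015-style mistake: keys committed next to the code.
# app.py is the corrected form: the key is read from the environment.
# deploy.sh references a secret by path, which is not a literal and is allowed.
SAMPLE_FILES: Dict[str, str] = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app.py": (
        "import os\n"
        'key = os.environ["AWS_ACCESS_KEY_ID"]\n'
    ),
    "deploy.sh": "TOKEN_FILE=/run/secrets/token\n",
}


if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
    # Expected: two findings, both in config.py; app.py and deploy.sh are clean.
```

The point of the negative cases is as important as the positive ones: a scanner that flags every line containing "key" gets switched off within a week, while one that distinguishes a literal from an environment lookup can run as a pre-commit hook or CI gate without noise. Rotating the keys after a leak, as Amazon advised in the anecdote, remains necessary regardless, since git history keeps the literal even after the line is deleted.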

Thread Thread
Alex Lohr

In most cases, the API itself will not be worth too much without the content to back it. The latter obviously shouldn't be open-sourced, except if the service you provide is free in any case (then competitors cannot outbid you).

Unfortunately, especially in startups, security is too often an afterthought and not an underlying theme - not only the APIs themselves, but also company security and security of your internal systems. But if your security is bad to begin with, not going open source will not save you in the long run is what I'm saying.

As for your point that one guy can single-handedly rewrite a complex API that took 4 skilled developers multiple weeks to come up with to the point of being completely unrecognizable within a much shorter time, I don't really believe you. This one guy will still first have to understand the solution, which with the code won't take far less time than without it.

Thread Thread
HS

It takes renaming the API endpoints so that no warrant can be obtained to compare the two codebases. That's all it takes.

On the security side I put my money where my mouth is. I would never expose my backend code. I don't see the code for AWS, Azure, the Google search engine and so on.
But if anyone wants to, go ahead. I'm not buying the "obscurity" statement as good enough to say go expose your code.

Thread Thread
Alex Lohr

You're not fooling anyone if the data structure and the output is still the same. Also, I'm not saying that you should by all means expose your code, just that the "security" argument is leading into dangerous thinking about security.