Re: Securing stored procedures and triggers

On 10/31/07, mgould <mgould(at)allcoast(dot)net> wrote:
>
>
> We are currently migrating from Sybase's ASA 9/10 to PostGres 8.2.4. One of
> the features that is really nice in ASA is the ability to add the attribute
> hidden to a Create procedure, Create function and Create trigger.
> Essentially what this does is encrypt the code so that if anyone or any
> utility gets into the database they cannot see any of the actual code. This
> is a great feature for protecting intellectual processing techniques. I
> don't know if there is anyway to do this in PostGres. Before the hidden
> feature was added, we had a competitor steal some of our stored procedure
> processing code. Is there anyway to protect this from happening in
> PostGres?

I know to the untrained eye this looks like security, but honestly,
even the most junior of hackers could likely break into it and get
whatever code is supposedly being protected.

You are MUCH better off having your legal department work on this with
the proper paperwork.

You can, of course, write all your stored procs in C and compile them.
Then they're also "encoded" in such a way that joe six pack can't
read them. But again, it's not real protection. If the database can
run it, it can be decompiled and examined, whether it's in sybase or
postgresql.

If you don't want your customers to see what's happening under the
hood, you have one, and exactly one, option. Host the databases
locally and do not allow the users admin powers. Once you start
handing out code, in whatever format, the genie is simply waiting for
someone to open the bottle.