Re: [GENERAL] Securing stored procedures and triggers

On 10/31/07, mgould <mgould@allcoast.net> wrote:
>
>
> We are currently migrating from Sybase's ASA 9/10 to PostGres 8.2.4. One of
> the features that is really nice in ASA is the ability to add the attribute
> hidden to a Create procedure, Create function and Create trigger.
> Essentially what this does is encrypt the code so that if anyone or any
> utility gets into the database they cannot see any of the actual code. This
> is a great feature for protecting intellectual processing techniques. I
> don't know if there is anyway to do this in PostGres. Before the hidden
> feature was added, we had a competitor steal some of our stored procedure
> processing code. Is there anyway to protect this from happening in
> PostGres?

I know to the untrained eye this looks like security, but honestly, even the most junior of hackers could likely break into it and get whatever code is supposedly being protected.

You are MUCH better off having your legal department work on this with the proper paperwork.

You can, of course, write all your stored procs in C and compile them.  Then they're also "encoded" in such a way that joe six pack can't read them. But again, it's not real protection. If the database can run it, it can be decompiled and examined, whether it's in sybase or postgresql.

If you don't want your customers to see what's happening under the hood, you have one, and exactly one, option. Host the databases locally and do not allow the users admin powers. Once you start handing out code, in whatever format, the genie is simply waiting for someone to open the bottle.

---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
       subscribe-nomail command to majordomo@postgresql.org so that your
       message can get through to the mailing list cleanly