Hi,

We have a web application which fetches a PDF from a government site based upon the current username, and this username is encrypted. But as a developer, I can pass a different username during debug mode and I can fetch the PDF of any user.

Since this is a confidential file, my client wants to hide this business logic from the developer or wants to secure this so that no one can fetch PDFs of other users.

Is there any way to achieve this?

ASP.NET using VB.NET

Thanks

What I have tried:

I tried to add a password to the PDF file, but if the developer knows the logic then he can generate that password as well.
Updated 21-Aug-18 19:06pm

Quote:
But as a developer, I can pass a different username during debug mode and I can fetch the PDF of any user.


True, but developers should not access usernames of production users (that's common sense). Debugging shouldn't be done in production environments. If you are working on a real development that involves sensitive data, then your team should have different sets of environments and databases where you can move application code from development to production. For example:

Dev/Test Environment - this is where you would test your application logic, including fetching PDFs based on usernames. This is also where you fix code and add features to the app.
Stage Environment - this is where you push changes from the Test environment. This is where integration testing is done. No development should be done here aside from application-specific configurations.
Production Environment - this is the final product which real users use. No debugging or development should be done here.

And you can't hide business logic from developers; however, you can add restrictions to some source code so that only authorized developers can have access to it. Do some research on source/version control for your code repositories.
 
Comments
Amol Sagvekar 21-Aug-18 15:50pm    
The username is common in all environments, and it is passed to the function, but you can change that value in debug mode. As I mentioned, it's fetching the PDF from a government site and they don't have other environments.
Vincent Maverick Durano 21-Aug-18 15:57pm    
The government site should give you a test username for you to test out the functionality on your end. And what do you mean by change the value? Value of what?

One approach I would suggest is to create a separate project and use its DLL.
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


