DevTeam.Space Product Development Blog


How To Use Blockchain To Secure Your Code?

The world of business is becoming ever more complex.

No matter what your industry or place in the market, technology must be regarded as one of the primary instigators of growth.

Naturally, in a technology-based industry like software development, being on the cutting edge and getting to the market first often means the difference between being a unicorn company and one that is struggling to survive.

But in this rush to develop software products, companies often overlook one important aspect of software development security, namely securing their code.

Several high-profile cases that involved billion-dollar companies have highlighted the absolute need for companies to be able to prove their ownership of code.

In this article, I will explain how security-conscious development companies such as DevTeam.Space use blockchain technology to secure your code.

Since a blockchain-based approach acts as an immutable database, any company or individual caught stealing your code better look out! Thanks to our approach, and others like us, the days of unpunished code theft could soon be at an end!

Contents

Why the ownership of code matters?
Proving the ownership of digital products: The bigger picture
Current solutions, their limitations, and an alternative
What is blockchain?
Using blockchain to secure your code
Planning to use code secured by blockchain?

Why the ownership of code matters?

Clients sign often lucrative contracts with software development companies to bring their projects to life. Such contracts have specific terms and conditions regarding the ownership of the code. Typically, contracts assign full ownership of code to the clients from the moment it is written. Read more about this practice in “Who owns your software development code?”.

But what happens if the development partner actually didn’t write that code in the first place? What if they have misappropriated the code from other sources? This is a serious issue for all clients who are now legally responsible for code theft!

Such malpractices not only diminish the trust in the software development business, but more importantly, can lead to severe legal actions that can bankrupt the innocent party. You can now see why it is imperative that development companies can prove that they indeed wrote the code.

Proving the ownership of digital products: The bigger picture

In this era of software development, creators of digital products often find it hard to protect their work from unauthorized usage. Even worse, proving the ownership of code is not always easy.

It’s also a challenge for consumers, since they can’t be sure that the content they are purchasing won’t be withdrawn when it is found to contain code that was not authorized for use. And it doesn’t stop there. If consumers purchase any kind of digital content or product that contains illegally obtained code, then they too might find themselves falling foul of the law.

As a result, the overall impact on all kinds of technology companies is distinctly negative. Read more about this in “Impact of counterfeiting on the performance of digital technology companies”.

Current solutions, their limitations, and an alternative

Businesses currently rely on 3rd party auditors and certifiers to ascertain the authenticity of digital content. This is a time-consuming process, as it involves lots of manual labor. This also requires stakeholders to explicitly trust a 3rd party service provider.

Within software development, product owners simply have to trust their developer. Very few companies provide anything in the way of proof of ownership in regards to the code they have written. Product owners simply have to be reassured that the product works properly and trust in the honesty of their development partner.

However, times are changing. Blockchain technologies’ decentralization, immutability, security, and transparency promise to revolutionize code security. Companies are already exploring how to use it to prove the authenticity of digital content or code for all manner of industries.

Finally, you can have proof that your code was written by your development partner(s). The article “How blockchain technology is revolutionizing data provenance” examines this topic further.

What is blockchain?

Blockchain is a decade-old technology that incorporates the following characteristics:

  • It’s a “Peer-to-Peer” (P2P) network. Read more about P2P networks in “What’s a peer-to-peer (P2P) network?”.
  • Blockchain first emerged as the foundation of Bitcoin. Bitcoin and similar digital currency networks are all blockchain-based.
  • Every computer on this network has all the data in the blockchain. These computers are called “Nodes”.
  • The duplication of data on all nodes makes blockchain a distributed database, therefore, it’s also known as “Distributed Ledger Technology” (DLT). Read more about DLT in “Distributed ledgers definition”.
  • Every node on a public blockchain network has equal authority. There are no central servers. Even if hackers compromise one server, the network remains undisrupted and the database cannot be altered.
  • Participants use digital signatures to sign their transactions. This involves modern data encryption technology, thus improving security.
  • Blockchain uses cryptographic hash functions and a consensus algorithm to secure data on the network.
  • These security measures raise the bar above any current ability for hackers to attack such networks.

Read more about these characteristics in “How to build your own blockchain using Node.js”.

The above is a generic description of a blockchain network used in a cryptocurrency project like Bitcoin. The technology has since evolved; for example, Ethereum introduced smart contracts. There are now also permissioned blockchains for enterprise usage such as Hyperledger Fabric and R3 Corda.

Using blockchain to secure your code

Let’s now look at the following questions:

How to secure your code? How to use blockchain for that purpose?

Key considerations:

  • Developers should sign code to prove their ownership.
  • Programmers need to securely store transaction records that prove their ownership of the code.
  • The system should maintain a clear audit trail with date and timestamp.
  • Developers should be able to guard against any unauthorized use of their code.

I will now explain how blockchain lets you accomplish these points:

1. A digital signature to prove ownership

Blockchain makes heavy use of digital signatures to authenticate transaction initiators. The following points are relevant here:

  • Blockchain networks use modern data encryption technology. This is the foundation of the users’ digital signatures.
  • Popular public blockchain networks like Bitcoin or Ethereum use “public key-private key encryption”.
  • Users have two keys. One is the public key, which can be shared with others. The other is the private key, which users should always keep secret.
  • Users encrypt the message using the public key, whereas they decrypt the encrypted message using the private key. For a digital signature the roles are reversed: the signer signs with the private key, and anyone can verify the signature with the public key. Read more about this in “What is public-key cryptography?”.
  • The public key is mathematically related to the private key.
  • One can use the encryption algorithm to create the public key easily from the private key.
  • However, the reverse is simply impractical. Creating a private key from a public key will require so much computing power that today’s computers will literally take billions of years to complete it. I touched on this point in an earlier article called “Quantum computing: will it kill blockchain?”.
  • Cryptocurrencies are mathematical money. A digital coin is, in effect, just a piece of information.
  • When cryptocurrency users get a blockchain wallet to store their cryptocurrencies, they set up their public and private keys. A good example is “eth-lightwallet”. From that point onwards, they only need to secure their private key.
  • They can sign their transactions using their digital signature, and that completes the authentication process.
  • Proving the ownership of a digital coin actually boils down to proving the ownership of that piece of information. Digital signatures and wallets enable users to guard this information.
  • Now, look beyond cryptocurrencies. You will find the same concept of user authentication using digital signatures in enterprise blockchains.
  • Enterprise blockchains like Hyperledger Fabric (Fabric) don’t operate cryptocurrencies. However, these networks still deal with information. There are users that create this information. There are other users that consume the information.
  • Fabric uses digital signatures and even supports a “Hardware Security Module” (HSM), i.e., hardware-based enhanced security for digital signatures. Read more about this in “Pros and cons of Hyperledger Fabric for blockchain networks”.

Software development companies can use blockchain and digital signatures to prove they are the owners of the code. As I said in my introduction, at DevTeam.Space, we already do this.
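The signing step described in this section, as an added example that is not DevTeam.Space's own code: a developer signs a claim containing the SHA-256 digest of a module, and a verifier checks both the signature and the delivered code. The sample source, author id, timestamp and function names are constructed for illustration, and Ed25519 from Node's built-in crypto module stands in for whatever scheme a given blockchain uses.

```javascript
const crypto = require('node:crypto');

// Constructed sample input standing in for a delivered source module.
const SAMPLE_SOURCE = 'export function add(a, b) { return a + b; }\n';

const sha256Hex = (text) =>
  crypto.createHash('sha256').update(text, 'utf8').digest('hex');

// The signed claim binds the code digest to an author and a signing time.
// Keys are written in a fixed order so signer and verifier serialize alike.
function buildClaim(source, author, signedAt) {
  return JSON.stringify({ author, digest: sha256Hex(source), signedAt });
}

// Signing uses the PRIVATE key, so only its holder can produce the signature.
function signClaim(claim, privateKey) {
  return crypto.sign(null, Buffer.from(claim, 'utf8'), privateKey).toString('base64');
}

// Verifying uses the PUBLIC key, then re-hashes the code that was actually
// delivered and compares it with the digest inside the signed claim.
function verifyClaim(source, claim, signatureB64, publicKey) {
  const signatureOk = crypto.verify(
    null, Buffer.from(claim, 'utf8'), publicKey, Buffer.from(signatureB64, 'base64'));
  return signatureOk && JSON.parse(claim).digest === sha256Hex(source);
}

function demo() {
  const developer = crypto.generateKeyPairSync('ed25519');
  const stranger = crypto.generateKeyPairSync('ed25519');
  // Hypothetical author id and timestamp, constructed for this example.
  const claim = buildClaim(SAMPLE_SOURCE, 'dev@example.com', '2019-01-01T00:00:00Z');
  const signature = signClaim(claim, developer.privateKey);
  return {
    genuine: verifyClaim(SAMPLE_SOURCE, claim, signature, developer.publicKey),
    editedCode: verifyClaim(SAMPLE_SOURCE + '// edit\n', claim, signature, developer.publicKey),
    wrongKey: verifyClaim(SAMPLE_SOURCE, claim, signature, stranger.publicKey),
  };
}

console.log(demo()); // { genuine: true, editedCode: false, wrongKey: false }
```

A valid signature shows that the holder of the private key vouched for these exact bytes. It does not by itself show who wrote them first, which is why the timestamped record discussed in the following sections matters.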

2. Store your code on blockchain

Developers need to store their code securely. This helps them in proving that they indeed are the owners of the code. This can be done in two ways, as follows:

2a. Store the code on the blockchain

This is similar to how blockchain developers deploy smart contracts. This works as follows:

  • Developers code their modules.
  • They can then store it on the blockchain.
  • In the case of Ethereum smart contracts, the code is stored in “Contract Accounts” (CAs) on the blockchain. Read more about it in “How to deploy smart contract on Ethereum?”.
  • Developers working on enterprise blockchains like Fabric deploy “chaincodes” on the blockchain. “Chaincodes” are smart contracts in the Fabric parlance.

2b. Store the proof of the existence of the code on the blockchain

Suppose you don’t want to reveal the content of the code. You can use the “Zero-Knowledge Proofs” technique to do this. It works as follows:

  • Programmers code their module and store it in an underlying database.
  • They store only the proof of the existence of the code on the blockchain.
  • This way, they don’t reveal the content of the code. However, anyone wishing to know about the ownership of the code can view the proof.
  • This technique is also called “Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge” (zk-SNARKs). You can read more about it in “Blockchain zero-knowledge proof in a nutshell”.

3. Secure your transaction on the blockchain

Now that you have stored the code or the evidence of its existence on the blockchain, you need assurance that there will be no tampering. Blockchain ensures immutability of records in the following way:

3a. Public blockchains

An assertion of ownership of the code can be a transaction, which is secured as follows:

  • Multiple transactions are grouped in a block.
  • Cryptographic hash functions are used for creating the hash of one block. The next block stores this hash value along with its transactions. This pattern continues as new data is added.
  • Even a minor change to the data in any one block will produce a completely different hash.
  • If someone tries to change a block, he or she will need to change all subsequent blocks. This is impractical since it requires a very high amount of computing power.
  • Public blockchains are transparent. Anyone trying to modify so many existing blocks will also attract the attention of other nodes on the network that will then resist this change.
  • The consensus algorithm comes into the picture when creating a new block. Users need to perform computing power-intensive operations to solve complex mathematical puzzles.
  • This is in a competitive environment. Hackers need to manipulate the majority of the participants to compromise the network. That’s quite impractical. Read more about it in “Proof of work vs proof of stake comparison”.

These blockchain security measures protect the transaction against tampering.
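The hash linking from section 3a combined with the proof-of-existence idea from section 2b, as an added example that is not DevTeam.Space's own code. It records a salted SHA-256 commitment to the code, which is a simpler technique than the zero-knowledge proofs named above, and it models only the hash chain, not consensus or replication; all names, salts and timestamps are constructed.

```javascript
const crypto = require('node:crypto');

const sha256Hex = (text) =>
  crypto.createHash('sha256').update(text, 'utf8').digest('hex');
const GENESIS = '0'.repeat(64);

// Salted commitment: reveals nothing useful about the code until the owner
// discloses both the salt and the source.
const commit = (source, saltHex) => sha256Hex(saltHex + ':' + source);

const blockHash = (b) =>
  sha256Hex([b.index, b.timestamp, b.prevHash, b.records.join(',')].join('|'));

function appendBlock(chain, records, timestamp) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const block = { index: chain.length, timestamp, prevHash, records };
  block.hash = blockHash(block);
  chain.push(block);
}

// Index of the first block that fails verification, or -1 if the chain is intact.
function firstBadBlock(chain) {
  for (let i = 0; i < chain.length; i++) {
    const expectedPrev = i === 0 ? GENESIS : chain[i - 1].hash;
    if (chain[i].prevHash !== expectedPrev || chain[i].hash !== blockHash(chain[i])) return i;
  }
  return -1;
}

// Timestamp of the block holding the commitment, or null if it was never recorded.
function provenAt(chain, source, saltHex) {
  const block = chain.find((b) => b.records.includes(commit(source, saltHex)));
  return block ? block.timestamp : null;
}

function demo() {
  const chain = [];
  const source = 'function pay() {}'; // constructed sample
  const salt = '5f1c9a';              // constructed; use crypto.randomBytes in practice
  appendBlock(chain, [commit('module A', 'aa01')], '2019-03-01T10:00:00Z');
  appendBlock(chain, [commit(source, salt)], '2019-03-02T10:00:00Z');
  appendBlock(chain, [commit('module C', 'bb02')], '2019-03-03T10:00:00Z');
  const result = { intact: firstBadBlock(chain), recordedAt: provenAt(chain, source, salt) };
  chain[1].timestamp = '2018-01-01T00:00:00Z';  // backdate the claim in block 1
  result.afterEdit = firstBadBlock(chain);      // 1: stored hash no longer matches
  chain[1].hash = blockHash(chain[1]);          // re-hash block 1 to hide the edit
  result.afterRehash = firstBadBlock(chain);    // 2: next block's prevHash breaks
  return result;
}
console.log(demo());
```

The chain makes a backdated record detectable by anyone holding an honest copy. Preventing a rewrite of every later block is the job of the consensus mechanism described in the bullets above, which this sketch does not implement.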

3b. Enterprise blockchains

Enterprise blockchains are permissioned networks with trusted participants. They prevent the tampering of records as follows:

  • Fabric uses a consensus algorithm that involves multiple roles. These roles have separate responsibilities in the transaction validation process. The transaction validation process is modeled on organizational approval workflows.
  • R3 Corda uses a consensus algorithm that checks for transaction validity and uniqueness. Smart contracts check for validity. The protocol program checks if any other transaction has used any of the input states of the transaction in question. If no other transaction did, then it is a unique transaction.

Read more about this in “Public vs private (permissioned) blockchain comparison”.

Important note: A transaction record in the blockchain includes transaction authentication, which was done using a digital signature. A validated block also has the required date and timestamp information.

4. Use blockchain to prevent unauthorized use of your code

Now that you have signed your code, secured it using blockchain, and have a comprehensive audit-trail, you need to prevent unauthorized use of your code. Blockchain smart contracts accomplish this, as follows:

  • Smart contracts are open-source pieces of code with “If-Then-Else” conditions.
  • They are tamper-proof; moreover, they execute autonomously.
  • They transfer cryptographic assets based on fulfillment of conditions, and their execution is irreversible. Read more about them in “Smart contracts”.
  • You can set up smart contracts to specify conditions that will only allow authorized parties to use your code.
  • There are several public blockchain platforms where you can code smart contracts.
  • You can develop “Distributed Apps” (DApps) on public blockchain platforms. Using these, you can allow only authorized parties to use your code. I have earlier explained DApps in “How to convert web app into a Dapp”.
  • Ethereum is the most prominent of these platforms, where developers can code smart contracts using Solidity or Vyper. You can read “Blockchain software development using the Ethereum network” to learn more about Ethereum development.
  • Other well-known public blockchain smart contract platforms are NEO, EOS, etc.
  • Blockchain developers can also code DApps using JavaScript on Lisk. This is not a smart contract platform; however, programmers can integrate smart contracts with DApps running on Lisk.
  • Since late 2018, developers can set up Ethereum smart contracts using Hyperledger Fabric. I have described this in “Using Hyperledger Fabric to setup Ethereum smart contracts”.
  • Developers can also use enterprise blockchain networks to code smart contracts. I have earlier described these options in “What to plan for when undertaking blockchain software development?”.

Planning to use code secured by blockchain?

Blockchain has significant potential in regards to data provenance.

Securing code using blockchain is enormously beneficial. However, blockchain is a relatively new technology, and is still evolving rapidly. Blockchain development platforms and frameworks are also evolving, adding further complexity. Consequently, development using blockchain can be complex due to its current status as a niche technology.

It is therefore imperative that you find the right software development partner to secure your code using blockchain. You can read my article on “How to find the best software development company?” before engaging a development partner.

If you require more information regarding how we use blockchain to secure our clients’ code, please get in touch with us.