Open sourcing might lay bare some flaws which could be fixed. Or it might lay bare some flaws which could be exploited. This is mostly theoretical, we will probably not OSS it right now, but I consider it a useful exercise to crowd-think through the possibilities.
In the rare chance that it is actually something novel, secure and useful, it might help other companies secure their deployments in a zero trust way.
I think with security products like this, open sourcing can be a good idea as it allows users to inspect the code and feel more confident that it is indeed secure. Plus you get feedback (and maybe even help) you wouldn’t otherwise get. And you can charge for services, etc even if open source (if you want).
https://www.gnu.org/philosophy/free-software-even-more-impor...
If there are flaws(, and there are!) it might be preferable to have the chance to learn about them from grumpy security open source contributors than after the exploit
Don't open source it because you want/need/expect other people to work on it because statistically, that is not going to happen.
Open sourcing your project will create more work for you, not less. Good luck.
Zero-trust approach: This is a strong foundation for security, eliminating the need to completely trust any component in the system. Leveraging PKI and blockchain: These technologies offer robust cryptographic guarantees and tamper-proof records. Focus on cryptographic guarantees: This prioritizes strong security over obfuscation, which can be bypassed with enough effort. Immutable secure logs: This provides an auditable trail of license activity, aiding in troubleshooting and potential legal situations. PKI chain of trust: Utilizing a hierarchy of root authorities strengthens the overall trust model. Considerations:
Open-sourcing: This can be a double-edged sword. While it might expose vulnerabilities, it also allows for community review and improvement. Consider a private beta with trusted security researchers before full open-source release. Offline scenarios: While not perfect, exploring options like pre-downloading licenses or implementing secure, limited offline functionality could further improve usability. Threat model: Clearly define the types of attacks you're trying to mitigate (e.g., unauthorized license use, license server compromise). Overall, your approach seems promising! Here are some additional thoughts:
Performance: Consider the impact on application performance, especially with blockchain interaction. Scalability: How will the system handle a large number of clients and licenses? Integration: How easily can it be integrated with existing licensing systems? Open-sourcing for crowd-think is a valuable exercise. Here are some ways to mitigate potential risks:
Security audit: Before open-sourcing, consider a professional security audit to identify and address any critical vulnerabilities. Phased release: Start with a limited open-source release, allowing trusted partners or researchers to review before a full public release. Strong license: Choose a license that allows for contributions while protecting your intellectual property. By carefully considering these points, you can build a robust and secure zero-trust licensing system that benefits your company and potentially the wider software community.
You’ll need a lot of money and stay in it for the long run to take on companies like that. It’s possible though.
We use CodeMeter. It is possible your product may be competitive to other SW license server products.