During my talk at the inner source summit, I was asked about the following worry with establishing inner source at a company:
But if we lay all source code open within the company, don’t we run the risk that a disgruntled employee has it too easy to steal all code and publish it on the web?
The main answer to this question is to weigh benefits against risks. The benefits of inner source have been explained elsewhere, for example, in said talk of mine. The risks may seem less clear. So, could it happen that an employee steals all source code? What damage would it do?
First, this would obviously be illegal. If the thief was to publish the code, or if they were to sell it to another company which then would use it, it would ultimately become known and the original company could sue the heck out of the employee or the other company. Why would they run the risk?
So, if anything, there might be a risk that code is stolen more easily and that it gets exploited secretly. One form of exploitation is that some other company learns something important from the code. Maybe. Programming a new variant takes time and effort and is buggy.
So, perhaps, highly critical code, true crown jewels, may not be made available to everyone. Most of the code within Google is laid open to everyone, but I’m being told PageRank is kept separate. But these are special circumstances. Most code is run-of-the-mill and not that unique.
Another concern is that with source code being available to a possible attacker, they will have it easier to devise a cracking attack. It is a common but wrong belief that closed source code is inherently more secure than open source code. It is not. What counts is process and people, not access to the source code.
Which brings me to the last point: So what? Code is rarely worth much without the people. We already discussed that the thief can’t use it. Learning will be hard without the people at hand. Until that learning has been turned into action, some time will pass. Results may be incompatible with the thief’s own code base. If anything, it will be a distraction to the thief or buyer of the source code.
So, I’m not worried that laying open most source code within a company for purposes of establishing an inner source ecosystem will harm the company. The benefits far outweight any risks.