Encrypting Stored Procedures Doesn’t Make Me Avoid Looking at Your Code

Published On: 2020-06-22

Dear Vendors that encrypt stored procedures in SQL Server,

Stop It!

We were recently having a discussion on Twitter about vendors encrypting stored procedures, and this justification came up, one that had been given for why vendors sometimes encrypt stored procedures.

To this I point out that if you’ve encrypted your code so that I won’t look at it by accident, you are actually getting the exact opposite result. Because you are encrypting the code, I can’t see it. That means that I want to make sure that you aren’t hiding any stupid practices from me. That means that as soon as I see your encrypted procedures, I’m decrypting them to see what is going on with this code.

Along with this, because you’ve bothered to encrypt the stored procedures, I can’t get an execution plan, and Query Store can’t be used for the queries within the stored procedure. And since I’m guessing that I can performance tune your database better than your developers can, I’m going to be decrypting the procedures so that I can tune the system.

But It’s Our IP

Another reason that companies have for encrypting stored procedures is that the code is their IP. Does the vendor have a patent or trademark on their code? The answer to this is no, as you can’t patent or trademark the actual code, and anyone that tells you that they can trademark their code is wrong.

If you have given me your code, then I can look at it. If we have an NDA in place then I can’t use the code. If there’s no NDA in place, then I can use your code all I want. You at that point have no legal way of stopping me.

If you want to stop supporting the software that we have purchased from you, is there something in the EULA about us not decrypting the stored procedures? No? Then support it or risk getting sued for violating the EULA and support contract. And assume that you’ll be losing us as a customer and that your competitor will be gaining us as a customer (yes, I’ve done this at companies, so it’s not an empty threat).

Running Code

When you sell your customer a license to run your software, you are giving the customer your code, and you have to trust the customer to not use your code in other systems. The customer has to trust that you are providing them a system that will perform well. You usually don’t, and someone has to do some performance tuning on the application that you provided in order to keep their business up and running. If you hamper or slow that process down, expect to have your application replaced in short order. No application is so critical to a business that it can’t be replaced, so make it so that your application makes the lives of the people that have to actually maintain it suck less.

