Software is in everything from our automobiles to our mobile devices, and as the world becomes even further immersed in the digital era, new security threats are arising. Software piracy first emerged in the 1980s, but is no longer the only threat to the software industry. Today, software products are becoming more susceptible to incidences of reverse-engineering and code tampering – not just outright theft.
Intellectual Property (IP) represents the vast majority of a typical software company’s market value. The same is true for intelligent device manufacturers, who are increasingly developing IP in software-based products running on commercial hardware. Software developers invest an enormous amount of time and money into developing and creating their unique products and they stand to lose it all – revenue, customers, competitiveness, and the overall value of their brand – if they do not employ strategic and efficient security measures.
A recent survey from SafeNet reported 33 percent of software vendors believe reverse-engineering and theft are having a major impact on their businesses and 63 percent of respondents see code protection to prevent reverse-engineering as a challenge.
In today’s market, it’s essential for software publishers to solidify their competitive advantage by securing their innovative and unique products against reverse-engineering, which can lead to duplication by competitors looking to fast-track their development efforts and time to market with a competitive alternative. With competitive espionage becoming more and more common, valuable software IP containing code, algorithms, application data files and trade secrets is at risk of prying eyes, reverse engineering, theft, and copycatting by competitors.
For example, consider a printing company that has created a way to print inexpensive inks on a difficult substrate, like glass, that no competitor can match – but the software running the printers is unprotected. Competitors quickly dive into the code to understand how it’s done, and just as quickly create a knock-off version, wiping out competitive advantage and stealing market share.
Best Practice Case: Halting an Attack and Protecting Against Reverse-Engineering and Theft
A small business manufacturer of multi-site digital video surveillance systems originally created their own copy protection in-house. However, their homegrown protection made it difficult to move a software license to a different machine or copy it. In addition, if someone spoofed the MAC addresses of network cards, they could continuously re-use a single software license key.
The company’s worst fears became a reality when they discovered a breach in security. Someone was attempting to reverse-engineer both their hardware and software products. The attack led the company to SafeNet’s software licensing security solution, Sentinel HASP.
The company’s video surveillance software is spread across many different applications, each of which is dependent on an ASP.Net web service used for sharing media, such as video and snapshot images. This method enables the synchronization of media across various machines and users, requiring an access code to obtain the information. Due to the security requirements for these applications, having a closed network is an absolute necessity.
Creating a system that uses Sentinel hardware keys to protect access to the ASP.Net web service allows the company to create a single point of failure: without the key, the web service fails and the other applications that depend on it are rendered useless. The Web service performs real-time checks against the Sentinel hardware key during each call. If the hardware key is not present, the service throws an error to the client application rather than fulfilling the desired request.
With the imminent threat of a hack underway, speed of implementation was of the essence. Because the organization is a small company providing a highly specialized turnkey solution for a rapidly changing and elite market, it was imperative that it be able to protect its assets.
SafeNet provided quick and simple instructions, along with sample code that the company was able to modify. With Sentinel on their side, the company was able to quickly protect their software before the threat could manifest itself into actual theft of IP.
While theft of trade secrets can be catastrophic, for many software vendors and intelligent device manufacturers, code tampering poses an equally devastating threat. Tampering occurs when someone gains access to your software code and makes a change to how the product functions. Code tampering can be done intentionally and maliciously, but it can also be accidental or performed with good intent. Accidental tampering by an end user usually goes undetected until they have irrevocably damaged the product.
Take this example: a piece of medical diagnostic equipment contains internal software designed to control how tests are run. An administrator thinks the system is slow and decides to “adjust” the standard settings within the software code just enough to speed up calculations by 20 percent. Mission accomplished – the hospital is now able to test more patients per day. There was no malicious intent, but by speeding up a diagnostic process, the equipment now fails to meet several medical industry regulations, and the non-compliant equipment now becomes the responsibility of the manufacturer or software vendor.
Without the proper encryption and code obfuscation technologies, software developers are unknowingly leaving their code vulnerable to tampering and reverse-engineering. By effectively controlling access to software source code, software publishers and intelligent device vendors can protect revenue and safeguard the integrity of their brands and products.
Although research shows large numbers of software publishers worry their business is negatively impacted by unprotected IP, the research also indicates not nearly enough software publishers have implemented the proactive defensive measures required to ensure their intellectual property is properly protected.
So why aren’t more software vendors putting emphasis on protecting their products? Sometimes they are overwhelmed by the challenge and may not have the bandwidth or support from the top to implement a reliable method of protection. Or it may simply be they have not yet experienced an IP disaster and don’t realize the level of risk to their overall business.
Best Practice Case: Leading Packaging Industry Manufacturer
A leading manufacturer that develops software-driven equipment to process liquid consumer food products (such as milk and orange juice) utilizes software to run their packaging equipment that is programmed to comply with dozens of public health and safety regulations.
The company’s IP protection concerns center around controlling access to the software running the machines and limiting the ability to tamper with key parameters controlling processes such as pasteurization.
The packaging industry manufacturer uses a combination of SafeNet Sentinel RMS and EMS software monetization solutions to protect their software code from being accessed and tampered with and to strictly control who can change the parameters that control the packaging equipment.
Software piracy results in revenue leakage over time, but the effects of reverse-engineering and code tampering can be shattering, with the potential to change a business overnight. It is nearly impossible to recover such losses.
Finding ways to decrease and prevent software piracy, reverse engineering and code tampering has widespread benefits. The end user is assured the programs they use are as the publisher intended, and as such are afforded appropriate support and warranties. The software industry is paid for producing quality products, stimulating a competitive market and further product development.
It is important for software publishers to take proactive and positive steps in the form of implementing software protection strategies to defend their intellectual property against illegal use, copying, theft and tampering. For most, a commercial software rights management solution will provide them with the security features they need without the engineering headaches of developing security measures internally, which may not be a core competency for most of them. Commercial solutions feature automatic file wrapping technology that provides powerful IP protection via file encryption, code obfuscation and system-level anti-debugging, ensuring that algorithms, trade secrets, and professional know-how embedded in software are secured against those without the proper authorization to access them.
By proactively and effectively controlling access to software source code, software publishers can protect themselves against reverse-engineering and code tampering, increase their revenue and manage the overall integrity of their brands.
About the Author
Michelle Nerlinger is the VP of marketing for SafeNet, a leading provider of software monetization and data protection solutions. She has extensive experience in software licensing, entitlement management, software provisioning, IP control and usage monitoring – the elements of effective software monetization. Michelle graduated with honors from Towson University in Baltimore with a dual B.A. in Marketing and Mass Communications.