January 11, 2008

Security is a differentiator: Refreshing change for the software security industry

As a software security professional, it is a good thing that end users of security technology are beginning to position it as a differentiator in their own offerings. The security industry in general has had to produce subjective ROI or sell fear to support its sales. Application and data integrity will become increasingly important, especially on the heels of a record-setting year of breaches (CIO Today). The way in which application providers add security to their products and services will be viewed as a differentiator. This is not only true of enterprises, but also of traditional software application vendors. Some examples of this trend are:

- Recent article, "Banks Using Security to Increase Customer Trust and Their Bottom Lines"

- Time Warner and others choosing the Blu-ray DVD format over HD DVD partly based on the better DRM controls, AACS.

-Vic

December 28, 2007

It Takes Microsoft Clout to See Anti-piracy progress in China

China is the second largest economy in the world and still has high software piracy rates. In this Computerworld article there is an informative discussion of the benefits Microsoft has seen with its anti-piracy strategy. According to the article's sources, Microsoft was able to recover or convert pirated license revenue to the tune of $164M in one quarter. This type of revenue recovery confirms that any ISV can potentially recover revenue because real businesses are using pirated software. However, Microsoft is in a unique position to combine technology and political clout to see these gains. Although smaller ISVs will not have the resources, money, and connections to sustain an anti-piracy campaign like Microsoft's, there are some lessons learned:

  • Using a combination of activation and data collection to aid forensic identification of infringements
  • Using in-country partner representation and relationships to follow up and enforce licensing

Based on V.i. Labs' experience, we believe this means additional anti-tampering technologies to prevent crack groups from creating binary patches that disable activation and license enforcement or recover key generation algorithms.

- Vic

December 18, 2007

Unspoken Security Challenge with Microsoft .NET

When I was reading John Water's RedmondDeveloper article on Sandboxing and .NET, it reminded me of the lack of attention to the reverse engineering challenges around using .NET. In the article, the ability to sandbox untrusted code within the Java and .NET Frameworks was focused on and promoted as something for application providers to leverage more. However, as vendors and application developers increase their .NET adoption, they need to consider the additional risks to their software: piracy, theft, and tampering. In my experience, many organizations that have migrated or are in the process of migrating their applications from unmanaged to managed frameworks realize late in the development cycle that their sensitive code can be decompiled easily using .NET.

This is not a Microsoft-only issue. The challenges of protecting .NET code from reverse engineering need to be articulated at the same level as other code security vulnerabilities.

- Vic

November 26, 2007

Parasitic Malware making a comeback

According to a recent McAfee threat predictions report, crimeware authors are returning to older techniques to deliver parasitic viruses. These viruses are able to modify and inject code into application files on a disk. Software protection technology does prevent code injection and tampering threats, but ironically the virus writers are using their own protection technology to make their malware ever more difficult for AV providers to reverse engineer and deploy countermeasures against.

-Vic

November 06, 2007

V.i. Labs Secures $8M Series B Round

Today V.i. Labs reached a significant company milestone. We just announced our new funding and our plans to expand our business. This is a significant event for us and was only possible because we were able to secure new customers and demonstrate the large market demand for software protection. Recently, we have secured contracts with large eVoting vendors, global mining software providers, as well as enterprise financial services. All of these organizations were concerned about their valuable or sensitive software IP because of competitive threats and selling their products into emerging high-risk environments such as China and Russia.

In addition, our new investors viewed our solution as much more of a product offering than the expensive and service-based alternatives that had been the norm in the software protection market. We were able to demonstrate how we further differentiate our product by its support of the Microsoft .NET Framework. Application providers are only just now becoming concerned about the ease with which their source code can be accessed because of the .NET Framework architecture. Our product goes beyond obfuscation by providing active runtime protection and encryption for .NET code, as well as consistent support for managed and unmanaged code.

-Vic

November 05, 2007

Tanks Needing Firewalls

Interesting announcement by General Dynamics and Secure Computing, who are joining up to develop a hardware and software firewall. It underscores the sophistication of tanks as well as a new class of hacks targeted at the military. Obviously there is some key software on these tanks that requires protection. The military already has anti-tampering initiatives to secure the software itself. This quote reinforces a trend we are tracking:

"Efforts to equip tanks with digital armor are expected to escalate, says John Pike, head of defense research firm GlobalSecurity.org. He says the U.S., Russia, China and other nations are developing ways to infiltrate the electronic networks of tanks, ships and planes."

-Vic

September 26, 2007

Differentiating Software protection from Copy protection

Laurentiu Cristofer’s blog discusses the differences between security and copy protection. I agree with his points and the eventual comparison between security and obfuscation. However, the discussion needs to differentiate between copy protection and software protection technology.

Copy protection solutions attempt to control the usage of applications and the number of machines software can be installed on. Although technology in this space may share certain software protection capabilities (i.e. encryption, obfuscation), in my opinion they are a closer cousin to software licensing and DRM systems.

Software protection technology is squarely focused on creating technology that makes it expensive and time consuming to reverse engineer valuable software. I would have to agree with the classification that it falls more under obfuscation than security, but I believe software protection is a specialized technology and has a wider applicability than copy protection. For example, software protection can be used effectively to prevent decompiling .NET applications; without it, the intermediate-level code is subject to a variety of threats by individuals with only novice software skills using any publicly available tools. In the piracy realm, reverse engineering is used to bypass licensing and copy protection schemes at the machine code level, but again, using obfuscation, run-time re-encryption, and anti-debugging and anti-tampering techniques, you can deter this by layering protection on top of licensing in a way that is unique to each software title. This can prevent a “class break” as well as require increasingly higher skill levels to crack the protection.

Again, because software has to be available unprotected for the CPU, it's not absolute security, but I liken the value of this technology to protecting your house. Depending on where you live and the value you assign to the property, you are going to install a combination of locks, a tall fence, and maybe a security system. None of these are foolproof, but your property is less attractive to intruders.

Vic

September 20, 2007

Could Software Protection Have Stopped the TD Ameritrade Breach?

Although the details are scarce, the reported TD Ameritrade breach indicates malware was attached to an application database. If this did occur, then the attack could have come from an insider or a previous network breach which allowed software to be injected into an application component. This attack would be almost impossible to detect with most signature-based intrusion prevention systems. However, anti-tampering and runtime environment checks contained in a software protection solution embedded within the application itself could have prevented this threat.

It’s our prediction that security breaches will become more sophisticated and based on some of the same reverse engineering techniques used today in the software piracy scene.

Vic
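As an added illustration (not code from this blog or from V.i. Labs), the sketch below shows the simplest form of the embedded anti-tampering check described in this post and in the parasitic malware post: the application verifies its own components against a keyed manifest at start-up, so modified or injected files are flagged without any malware signature. The key, file names and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: a per-title key baked into the build (constructed value). A key
# shipped inside the application is recoverable by reverse engineering, which
# is why such checks are layered with obfuscation rather than used alone.
TITLE_KEY = b"constructed-demo-key-for-title-A"

def file_mac(path, key=TITLE_KEY):
    """HMAC-SHA256 over a file's bytes, streamed in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(app_dir, key=TITLE_KEY):
    """Release time: record a MAC for every shipped component."""
    manifest = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, app_dir)] = file_mac(path, key)
    return manifest

def verify(app_dir, manifest, key=TITLE_KEY):
    """Start-up: report modified, missing and unexpected components."""
    current = build_manifest(app_dir, key)
    modified = sorted(n for n in manifest if n in current
                      and not hmac.compare_digest(manifest[n], current[n]))
    missing = sorted(n for n in manifest if n not in current)
    unexpected = sorted(n for n in current if n not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def demo():
    """Constructed scenario: one component gains appended bytes, one file is added."""
    with tempfile.TemporaryDirectory() as app:
        for name, data in (("app.exe", b"MZ-main"), ("db_plugin.dll", b"MZ-plugin")):
            with open(os.path.join(app, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(app)
        clean = verify(app, manifest)
        with open(os.path.join(app, "db_plugin.dll"), "ab") as fh:
            fh.write(b"appended-bytes")
        with open(os.path.join(app, "helper.dll"), "wb") as fh:
            fh.write(b"MZ-unknown")
        return clean, verify(app, manifest)

if __name__ == "__main__":
    print(demo())
```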

September 18, 2007

Application Outsource Risk Survey Data

About 125 IT/software developers took our survey at TechEd in June 07 on the risks associated with outsourced application development. Over 60% of those surveyed were from enterprise organizations and 12% were with software vendors (see diagram below). When asked, "Do you believe that outsourcing software development has increased your company’s code theft, piracy, or malicious tampering risks?", 30% answered yes and 38% were not sure. We attribute a large amount of the unsure votes to the people being surveyed not having direct involvement with outsource partner selection and management.

[Diagram: Outsource_6]

September 10, 2007

USPTO and Intellectual Property (IP) theft in China

USPTO announced a seminar series to educate businesses on the IP theft risk in China. The announcement further estimates that piracy and counterfeiting cost the American economy approximately $250 billion annually. Although this estimate includes hard goods as well as software, it does underscore the challenge of doing business in China.

-Vic