December 18, 2007

Unspoken Security Challenge with Microsoft .NET

When I was reading John Waters' RedmondDeveloper article on sandboxing and .NET, it reminded me of the lack of attention to the reverse engineering challenges around using .NET. The article focused on the ability to securely sandbox untrusted code within the Java and .NET frameworks and promoted it as something application providers should leverage more. However, as vendors and application developers increase their .NET adoption, they need to consider the additional risks to their software: piracy, theft, and tampering. In my experience, many organizations that have migrated, or are in the process of migrating, their applications from unmanaged to managed frameworks realize late in the development cycle that their sensitive code can be decompiled easily once it is in .NET.

This is not a Microsoft-only issue. The challenges of protecting .NET code from reverse engineering need to be articulated at the same level as other code security vulnerabilities.

- Vic

April 27, 2007

Secure Offshore Development

Diana Kelley from Burton Group recently published a great article on what you should consider when outsourcing. She mentions application outsourcing. Normally organizations rely on NDAs and the threat of audits to secure their code when outsourcing. From a security perspective, there are ways to enhance protection of your organization's IP resident within software when using offshore development resources. Rather than just providing source code, you could distribute the really sensitive components in compiled form and still allow development around them. Of course, if the risk of piracy or competitor access to the code is high, then software protection technology can be utilized to reduce these risks.

Vic