Revulytics Blog

Goldman Sachs Code Theft - Mitigating the Risks

July 9, 2009


Software protection is not a panacea for code theft incidents like the one alleged at Goldman Sachs. In fact, this case is very similar to the 2004 theft of Cisco's IOS source code. But beyond stronger access control and perimeter security measures, these incidents do call for a closer look at how to securely share the valuable IP contained in code within a distributed and rapid software development process.

Although there are few public details about the application's development platform or the exact access the alleged thief had, organizations should consider a few options to mitigate the risk of theft of sensitive IP within code:

  • If managed code is involved, protect it - If the development language is managed (Microsoft .NET or Java), code obfuscation and encryption must be used. Even after such applications are compiled, they are only compiled to an intermediate language (MSIL or Java bytecode) that is easily decompiled back into a close representation of the original source. Another alternative is to move the sensitive IP into an unmanaged (native) component to minimize exposure.
  • Create protected APIs - If the software development process requires the use of outsourced development partners or contractors, create an application programming interface that keeps the sensitive IP inside compiled application components rather than sharing the source. Although this obviously requires additional work by the organization, an API delivered as compiled binaries allows more options for applying software protection and hardening the API against reverse engineering.
  • Embed threat detection and reporting - Add threat detection and reporting mechanisms (sometimes referred to as phone-home systems) to the application itself. Such a mechanism can continuously test for tampering or for installation on unauthorized networks and, if a threat is found, notify the owning organization in real time. This presumes that the enterprise application (or, in the context of this discussion, a protected API) is designed to be deployed only within specific networks, data centers, or hosting partner networks.
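As an added illustration of the third item (this is example code, not code from the original post or from Revulytics), here is a minimal phone-home self-check in Python: the application measures its own protected component, checks the host address against the networks it is licensed to run in, and ships a report that the owner's receiving service re-evaluates rather than trusting the client's verdict. The component bytes, build manifest, allowed networks and host addresses are all constructed for the example.

```python
import hashlib
import ipaddress
import json
from dataclasses import asdict, dataclass

# ---- Build side: recorded when the owning organization ships the component ----
# Constructed stand-in for the compiled bytes of a protected DLL/JAR section.
PROTECTED_COMPONENT = b"pricing-engine v1.0: proprietary trading logic (example bytes)"
# Networks the component is licensed to run in (assumed for the example).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]


def component_digest(data: bytes) -> str:
    """SHA-256 of the component as shipped; the reference value is embedded in the build."""
    return hashlib.sha256(data).hexdigest()


BUILD_MANIFEST = {
    "component": "pricing-engine",
    "version": "1.0",
    "sha256": component_digest(PROTECTED_COMPONENT),
}


# ---- Application side: runs inside the deployed component ----
@dataclass
class ThreatReport:
    component: str
    version: str
    measured_sha256: str
    host_ip: str
    tampered: bool
    unauthorized_network: bool


def self_check(component_bytes: bytes, host_ip: str,
               manifest=BUILD_MANIFEST, allowed=ALLOWED_NETWORKS) -> ThreatReport:
    """Measure the component and the deployment network. A bad result is reported,
    not raised: the goal is to tell the owner, not to crash in front of the attacker."""
    measured = component_digest(component_bytes)
    ip = ipaddress.ip_address(host_ip)
    return ThreatReport(
        component=manifest["component"],
        version=manifest["version"],
        measured_sha256=measured,
        host_ip=host_ip,
        tampered=measured != manifest["sha256"],
        unauthorized_network=not any(ip in net for net in allowed),
    )


def encode_report(report: ThreatReport) -> str:
    """Wire format for the phone-home call (sent over TLS in a real deployment)."""
    return json.dumps(asdict(report), sort_keys=True)


# ---- Owner side: the receiving service re-derives the verdict from raw measurements ----
def triage(report_json: str, manifest=BUILD_MANIFEST, allowed=ALLOWED_NETWORKS) -> list:
    """Return a list of alert strings; empty means the report is clean."""
    r = json.loads(report_json)
    alerts = []
    if r["measured_sha256"] != manifest["sha256"]:
        alerts.append("tamper: %s %s reported digest %s... from %s"
                      % (r["component"], r["version"], r["measured_sha256"][:12], r["host_ip"]))
    if not any(ipaddress.ip_address(r["host_ip"]) in net for net in allowed):
        alerts.append("unauthorized network: %s is outside the licensed deployment" % r["host_ip"])
    return alerts


if __name__ == "__main__":
    clean = self_check(PROTECTED_COMPONENT, "10.20.3.7")
    # Simulate a patched binary running in a network the owner never licensed.
    patched = self_check(PROTECTED_COMPONENT.replace(b"v1.0", b"v1.0-cracked"), "203.0.113.9")
    for rep in (clean, patched):
        print(triage(encode_report(rep)) or ["no alerts"])
```

Two caveats a practitioner should keep in mind: a check that runs inside the shipped component can itself be patched out, so the checker and the reference digest belong in the obfuscated or native region described in the first item, and the owner's service should also alert when an expected report simply stops arriving. Silence from a licensed host is as much a signal as a bad digest.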

Gartner's Neil MacDonald blogged about this news ("Security No-Brainer #7: If You Have Intellectual Property Embedded in Software, Protect it"), and Gartner's "Hype Cycle for Cyberthreats" (2006) coined a term for the emergence of software IP threats, enterprise code reverse engineering: "Enterprise code reverse engineering is reverse engineering of enterprise application code for the purposes of targeting vulnerabilities or stealing intellectual property."

We believe that as general perimeter, application, and physical security improves, hackers, foreign governments, and competitors will increasingly turn to reverse engineering to access valuable software IP or alter it for malicious purposes. In these threat scenarios, software protection and threat detection and reporting can play an important role in mitigating the risk.


Post written by Michael Goff

Marketing Director at Revulytics
Michael is Marketing Director at Revulytics where he is responsible for corporate marketing, content, and social media. He has helped to educate the industry on the benefits of software usage analytics for compliance and product management through the company's blog and contributed articles in trade publications. Michael was previously a marketing programs manager at The MathWorks and principal at Goff Communications. Michael earned a J.D. from Boston University School of Law and a B.A. from Colgate University.