As a software organization builds its applications, it creates intellectual property (IP) in the form of code. An organization’s licensing regarding that code and how it’s used is also a form of its IP. Software development managers, corporate executives and legal counsels have two main concerns when it comes to protecting both forms of IP: They want to protect their own IP from being stolen, and they want to ensure that their own developers aren’t inadvertently infringing on other organizations’ IP that they haven’t licensed. The question is, just how do they do both?
Discussions of IP security can cover a wide range of issues, so for the purposes of this article, we will narrow the focus. According to Garret Grajek, CTO and cofounder of SecureAuth, a maker of identity-protection software, there are two issues: “One, how you protect your IP within the enterprise, and two, how you protect your IP in distribution.” According to experts in the intellectual property field, the first step to protect your IP is data classification. In this critical step, you identify and classify the IP that should be protected.
Depending on your company, those can be items that provide a competitive advantage such as proprietary trade secrets, algorithms in your source code, or any unique characteristics of your product that you don’t want replicated. For example, if you compiled a custom database of information that allows you to do something faster or better than your competitors, this is IP that must be protected.
“As you build your software, you ask yourself, ‘What is in my code that’s intellectual property?’” said Vince Arneja, vice president of product management at application protection provider Arxan Technologies. “Is it the algorithms that I’m using here for the performance of this particular function? Is it this particular piece of code that is enabling some functionality that’s very unique and patented? What is the true jewel of my software?”
The next step is to assess your inherent risk. You need to decide early on the relative importance of your IP. “Some questions to ask yourself include, is this code something that is just run internally inside your company, or is this code something you’re giving out to customers and to people outside your organization? Because you might make a decision differently based on that criteria,” said Gabriel Torok, CEO and cofounder of PreEmptive Solutions. PreEmptive Solutions makes software for code obfuscation.
“If it’s an internal app only and it doesn’t have a lot of IP, there’s probably no reason to protect it. But if it’s an external app that has a lot of IP, you should protect it,” he said.
What would the business risks be if your code, your databases or your IP were to be exposed? What would the repercussions be if your IP were made public and distributed all over the Internet or into a competitor’s hands? The risks could include reputational damage from news that you were breached, as well as the possible loss of a competitive advantage. What effect would it have on your business if you did something better than everyone else, and now everyone else can do it as well as you do?
Another risk of exposing source code is that it becomes much easier for attackers to target your software products: if an attacker has your source code, finding and exploiting vulnerabilities is much easier. If your IP includes customer lists and they get out, your competitors have a list of customers to target. If the exposed IP includes your cost information and profit margins, your competitors could underbid you on key projects.
Spread the word
Now that you know what your organization’s IP is and the risks involved if it gets out, the next step is to make sure that all the departments know what that IP is and establish policies around it. If employees don’t know what is sensitive and should be treated carefully, they won’t know to protect it. Ensure that all your department heads understand why these things are considered IP and why they are important to the company. If you have their “buy-in” that this is something critical to the organization, they will be better able to communicate this to their teams and you will ultimately be more effective in protecting it.
One way to get this buy-in is to help them understand the potential risks if the IP is lost or exposed. This is also a good time to remind them of the company’s IT policies and procedures. Software development managers not only need to make sure their developers and department heads know the company’s policies and procedures, but they also need to make sure that the executive, legal, procurement, quality assurance and other departments are kept in the loop.
Within this step, all the stakeholders should collectively decide just what it is that the company wants to accomplish strategically. Is the goal to make sure that your IP does not get out? Does your IP consist of trade secrets that are critical to your business and that you don’t want others to know? How are you going to handle the licensing issues involved in protecting your IP?