“After you answer your strategic questions, you must then define the policies and implementations to support that strategy,” said Tim Yeaton, CEO of Black Duck Software. “What that does at the outset is it gives a good base framework for all the stakeholders, be it development, legal or executive management. All the stakeholders in your company need to have a clear articulation of what the parameters are around IP, particularly open-source code from outside.”
After you’ve identified your IP and what you want to do with it, you need to identify who should have access to your IP and via what methods. “The biggest problem with IP is not so much outsiders, but people on the inside taking information because you don’t have the right group policies set in place,” Grajek said. “So, the first thing to do is to centralize your ID management because hackers are just looking for where you are weakly controlling identities.”
For example, you need to decide if the data or IP is so sensitive that it should only be accessible from the headquarters’ network, or even just from the executives’ machines. Should only the developers working on a given project between specific hours of the day and only in the office have access to it? What about mobile devices where security is much weaker? What about using 2-factor authentication or digital certificates and smart cards? Should this data always be encrypted when moving across the network?
To protect your IP, the next step is to make it difficult for others to steal it. Use common hacker tools to find out your app’s current level of protection. Even better, protect your applications as you develop them. If you’re worried about someone using hacker tools or automated tools to get at your source code, you can protect it as you create it by using commercial tools as part of your build process. “The methodology that our tool provides is for them to say, ‘Now, I want to protect this IP before I roll it out, especially if I’m rolling it out to foreign nations, specifically overseas where IP laws are less respected or, in some cases, non-existent,’ ” Arneja said.
So before you ship your product out, it’s important to use solutions to make sure the code itself can’t be hacked into. “We use different terms around the industry; some people call it creating an envelope or shell around the code, and others call it obfuscating the code,” said Prakash Panjwani, general manager of the software monetization business unit at SafeNet. “This way, even if someone gets ahold of your final executable, they can’t get inside the code itself to reverse-engineer it.”
Another way to protect your IP is to decide early on about how you will detect and deal with possible IP breaches and violations. In this step, you could use data loss prevention software, or logging and auditing software. These solutions offer security vulnerability analytics that help you learn weak points in your software. If you plan to use an open-source component, or if you’ve got an open-source component already deployed in an application, this type of software will identify any known security vulnerability for you.
These particular breaches and violations have to do with your code being stolen, but it’s important to realize that IP theft also happens when other organizations do not comply with your software licenses after your software is deployed. You first develop your software, and then you create a software license model to figure out how you will monetize your product in the marketplace, according to Mark Bishof, CEO of Flexera Software. “People don’t sell software and people don’t buy software; they buy licenses and entitlements to software,” he explained.
So when it comes to protecting IP, this whole concept of license compliance is really about protecting the revenue associated with your software investments. “If you’re an ISV, for example, software license-management solutions can help you keep track of what IP your customers actually bought from you; what versions of software they bought; the features and functions to which they’re entitled; as well as the upgrade paths they’re entitled to over time,” Bishof said.