As a software organization builds its applications, it creates intellectual property (IP) in the form of code. An organization’s licensing regarding that code and how it’s used is also a form of its IP. Software development managers, corporate executives and legal counsels have two main concerns when it comes to protecting both forms of IP: They want to protect their own IP from being stolen, and they want to ensure that their own developers aren’t inadvertently infringing on other organizations’ IP that they haven’t licensed. The question is, just how do they do both?
Discussions of IP security can cover a wide range of issues, so for the purposes of this article, we will narrow the focus. According to Garret Grajek, CTO and cofounder of SecureAuth, a maker of identity-protection software, there are two issues: “One, how you protect your IP within the enterprise, and two, how you protect your IP in distribution.” According to experts in the intellectual property field, the first step to protect your IP is data classification. In this critical step, you identify and classify the IP that should be protected.
Depending on your company, those can be items that provide a competitive advantage, such as proprietary trade secrets, algorithms in your source code, or any unique characteristics of your product that you don’t want replicated. For example, if you compiled a custom database of information that allows you to do something faster or better than your competitors, this is IP that must be protected.
“As you build your software, you ask yourself, ‘What is in my code that’s intellectual property?’ ” said Vince Arneja, vice president of product management at application protection provider Arxan Technologies. “Is it the algorithms that I’m using here for the performance of this particular function? Is it this particular piece of code that is enabling some functionality that’s very unique and patented? What is the true jewel of my software?”
The next step is to assess your inherent risk. You need to decide early on the relative importance of your IP. “Some questions to ask yourself include, is this code something that is just run internally inside your company, or is this code something you’re giving out to customers and to people outside your organization? Because you might make a decision differently based on that criteria,” said Gabriel Torok, CEO and cofounder of PreEmptive Solutions. PreEmptive Solutions makes software for code obfuscation.
“If it’s an internal app only and it doesn’t have a lot of IP, there’s probably no reason to protect it. But if it’s an external app that has a lot of IP, you should protect it,” he said.
What would the business risks be if your code, your databases or your IP were to be exposed? What would the repercussions be if your IP were made public and distributed all over the Internet or into a competitor’s hands? Some of the risks are reputational, such as news that you were breached, and others are competitive, such as the loss of an advantage you once held. What effect would it have on your business if you did something better than everyone else, and now everyone else can do it as well as you do?
Another risk of exposing source code is that it becomes much easier for hackers to attack your software products. If an attacker has your source code, finding and exploiting vulnerabilities becomes much easier. If your IP includes customer lists and gets out, your competitors could have a list of customers to target. If the exposed IP includes your cost information and profit margins, your competitors could underbid you on key projects.
Spread the word
Now that you know what your organization’s IP is and the risks involved if it gets out, the next step is to make sure that all the departments know what that IP is and establish policies around it. If employees don’t know what is sensitive and should be treated carefully, they won’t know to protect it. Ensure that all your department heads understand why these things are considered IP and why they are important to the company. If you have their “buy-in” that this is something critical to the organization, they will be better able to communicate this to their teams and you will ultimately be more effective in protecting it.
One way to get this buy-in is to help them understand the potential risks if the IP is lost or exposed. This is also a good time to remind them of the company’s IT policies and procedures. Software development managers not only need to make sure their developers and department heads know the company’s policies and procedures, but they also need to make sure that the executive, legal, procurement, quality assurance and other departments are kept in the loop.
Within this step, all the stakeholders should collectively decide just what it is that the company wants to accomplish strategically. Is the goal to make sure that your IP does not get out? Does your IP consist of trade secrets, critical to your business, that you don’t want others to know? How are you going to handle the licensing issues involved in protecting your IP?
“After you answer your strategic questions, you must then define the policies and implementations to support that strategy,” said Tim Yeaton, CEO of Black Duck Software. “What that does at the outset is it gives a good base framework for all the stakeholders, be it development, legal or executive management. All the stakeholders in your company need to have a clear articulation of what the parameters are around IP, particularly open-source code from outside.”
After you’ve identified your IP and what you want to do with it, you need to identify who should have access to your IP and via what methods. “The biggest problem with IP is not so much outsiders, but people on the inside taking information because you don’t have the right group policies set in place,” Grajek said. “So, the first thing to do is to centralize your ID management because hackers are just looking for where you are weakly controlling identities.”
For example, you need to decide if the data or IP is so sensitive that it should only be accessible from the headquarters’ network, or even just from the executives’ machines. Should only the developers working on a given project, between specific hours of the day and only in the office, have access to it? What about mobile devices, where security is much weaker? What about using two-factor authentication, or digital certificates and smart cards? Should this data always be encrypted when moving across the network?
To protect your IP, the next step is to make it difficult for others to steal it. Use common hacker tools to find out your app’s current level of protection. Even better, protect your applications as you develop them. If you’re worried about someone using hacker tools or automated tools to get at your source code, you can protect it as you create it by using commercial tools as part of your build process. “The methodology that our tool provides is for them to say, ‘Now, I want to protect this IP before I roll it out, especially if I’m rolling it out to foreign nations, specifically overseas where IP laws are less respected or, in some cases, non-existent,’ ” Arneja said.
So before you ship your product out, it’s important to use solutions to make sure the code itself can’t be hacked into. “We use different terms around the industry; some people call it creating an envelope or shell around the code, and others call it obfuscating the code,” said Prakash Panjwani, general manager of the software monetization business unit at SafeNet. “This way, even if someone gets ahold of your final executable, they can’t get inside the code itself to reverse-engineer it.”
Another way to protect your IP is to decide early on how you will detect and deal with possible IP breaches and violations. In this step, you could use data loss prevention software, or logging and auditing software. These solutions offer security vulnerability analytics that help you identify weak points in your software. If you plan to use an open-source component, or if you’ve got an open-source component already deployed in an application, this type of software will identify any known security vulnerability for you.
These particular breaches and violations have to do with your code being stolen, but it’s important to realize that IP theft also happens when other organizations do not comply with your software licenses after your software is deployed. You first develop your software, and then you create a software license model to figure out how you will monetize your product in the marketplace, according to Mark Bishof, CEO of Flexera Software. “People don’t sell software and people don’t buy software; they buy licenses and entitlements to software,” he explained.
So when it comes to protecting IP, this whole concept of license compliance is really about protecting the revenue associated with your software investments. “If you’re an ISV, for example, software license-management solutions can help you keep track of what IP your customers actually bought from you; what versions of software they bought; the features and functions to which they’re entitled; as well as the upgrade paths they’re entitled to over time,” Bishof said.