You know you need to make your products as secure as possible – but how will you do it? Read below to review key software security concepts to help protect your intellectual property.
Software security is a hot topic in the news, and my conversations with both software producers and intelligent device manufacturers (producers) echoes this reality. They want to ensure their software is secure so they don’t jeopardize their customers, products, revenues and reputation.
The reality is that the word security in software security is used to encapsulate everything from privacy prevention to software compliance and software licensing controls. Moreover, there are a lot of opinions on security from experts in the area, which can leave producers confused and trying to chase too many objectives.
Concepts and Core Principles
While the range of information and their sources vary, there are some standard security concepts you can follow that are universally accepted:
- The strongest security is layered security, an analogy is security on a commercial building: there’s a lock on a doorknob, deadbolt on the same door, alarm system when the door is opened, a security guard to stop the intruder once they’re in. There are multiple layers of security.
- Security protocols should be open for public scrutiny (e.g., RSA, ECDSA, SHA-2)
- Between people, process and technology – people are the weakest link in security.
- Security and usability tend to be inversely related, meaning that the more secure a product is, the harder it is to use. Finding the middle ground is one of the “secret sauces” to success.
Core security principles have been established. One principle, CIA is widely recognized in the security world. It is defined as:
- Confidentiality – preventing the disclosure of information
- Integrity – preventing the alteration of information
- Availability – preventing the destruction of information. The “A” shifts to Authenticity when we talk about encryption — information being available only to known and trusted sources.
With an understanding of the basic concepts and core principles it follows that many producers want best-in-breed security; however, in reality there is no single solution that provides a complete and comprehensive software security portfolio.
With such a huge opportunity why isn’t there a security company handling all aspects of security, end-to-end? The reason is because security threats are so diverse in nature, including these security threat areas:
- Target of security: devices, applications, network or communication, data in transit, data at rest
- Platform/operating system support: application code runs differently between Windows (PE32 or .NET) vs. Unix (ELF-32 or ELF-64)
- Compiler support: High-level languages compiled to assemble (C/C++) vs. interpreted byte code (Java)
- Application target point of attack: DLL/Shared Object or direct binary
Further, application security is critical to ensuring that the code inside the application isn’t viewed, replaced or modified since hackers can sell or publicize the proprietary algorithms if they can get to the code.
Now let’s focus on the “target for security” being an application – your intellectual property. While some security companies may have solutions for some of the above, it should again be emphasized that no single solution can totally guarantee complete or impenetrable software security – it’s simply not possible.
With the exception of the human element in regards to security maxims, most software attacks are directed at the weakest link of the software, which is typically the binary application itself and embedded security controls. Attacks are typically not directed at the enforcement product or license key associated with it unless those are found to use weak algorithms.
Commonly known attacks involve either reverse engineering how license keys are generated or reverse engineering the application binary with a debugger and/or disassembler. Some producers look to bolster security with software protection including additional security hardware such as tokens, but these do not change the discussion because they are simply another component. While layered security is good, even hardware requires software to talk to it, which could be bad since that’s another potential weak link.
Stay tuned for our next installment in the series where we’ll talk about an oft-overlooked topic – license key cryptography.