Pyramid of Protection
Business development has evolved to such a point that applications are no longer just a loosely-organized set of program code; they represent the know-how and understanding of how you deliver to your customers. Every piece of software costs time and money to develop and, in one way or another, has strong value, whether it is the value you get from distributing your web API to your customers so they can better use your services, or the value you get from your proprietary algorithms performing calculations far beyond anything your competitors can do. Without question, software is always an asset. Depending on the nature of the application, that value should be protected in different ways. It is possible to categorize applications into broad sets for which general protection guidelines can be drawn. For example, open source software clearly is not interested in hiding its intellectual property, but it does protect it through licenses that place restrictions upon users. In effect, licensing protection gives the developers a return on their investment while still accommodating their customers. On the other end of the spectrum, military applications are critically interested in protecting the technology within their applications. In essence, no cost is too great to keep certain portions of technology out of enemy hands. This protection operates on several levels, including military-grade encryption, which can incur significant performance degradation of applications and extremely complex debugging scenarios. Again, however, exposure of the technology is not an option.
The pyramid above shows an increasing need to protect the contents of software. As you travel up the pyramid, the costs (in terms of money and performance) increase geometrically. Licensing is of little use for military-grade protection, but the return on investment of obfuscation at this level is excellent: the cost is low and the protection gained (on top of running a special Virtual Machine with unique encryption) is significant. In general business environments you may not require military-grade protection, but every application contains IP unique to its owner. In addition, applications house not only technical secrets but, given their scope within the enterprise, can often encompass proprietary business processes. The complexity of today's business applications contains fingerprints of how your business operates. It is rare for businesses to truly have applications that reside at the bottom of the pyramid. Ask yourself: would you care if a competitor or open-source project completely duplicated what you have already built? Applications at the bottom of the pyramid are numerous, and it is often easier to find existing open source software to fill those needs. Consequently, if you spent time and money developing software, it is worth protecting. Obfuscation technology has evolved to provide strong protection against your competition extracting process or technology from your software. Obfuscation used to mean identifier renaming; now advanced algorithms inspired by active academic research create one-way application transformations. Simply put, advanced control flow obfuscation is far beyond the ability of reverse engineering tools to reproduce your source code. Interestingly, with advanced tracking tools, debugging is only marginally more difficult. Once you have that, determine where you fit on the pyramid. The simplest and highest-ROI solution is to start with obfuscation. From there, depending on your situation, more costly solutions can be explored.