The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.
Microsoft provides a very comprehensive and well-designed SDL model.
By shipping a version of our .NET app protection in Visual Studio since 2003 and by participating in the SDL PRO Network as a Tools Vendor, PreEmptive Solutions is proud to contribute to secure development practices, particularly in protecting intellectual property and ensuring application integrity.
Intellectual Property Protection
Whether you’re building applications for sale, as a key part of a larger financial or manufacturing business, or as part of a line of business apps for internal use, there is likely to be IP (trade secrets) within your software. And possession of functioning source code provides transparent access to any IP that is coded within the application. So, a hacker that works for a competitor might be able to steal your technological advances by reviewing your source code.
From a Legal perspective there are three common ways to protect the IP embedded in your code:
- Copyright Protection
- Trade Secrets
Although patents offer the strongest protection, patenting software requires a massive certification process that is slow, expensive, and difficult. For the vast majority of software builders, a patent just isn’t a workable IP protection solution. In contrast, copyright protection is automatic. You don’t need to mark up your code and copyright law is the basis of most software licenses. However, it comes with its own big issues; it’s limited to copying and distributing content. You can’t copyright algorithms, innovations, or inventions, so if someone else’s code looks nothing like yours or that organization can demonstrate they developed their code in isolation from yours, they’re in the clear. And with managed code, where someone else can generate the same algorithms as yours in multiple languages, copyrighting an application offers little real protection. That leaves trade secrets, which have a lot going for them. There’s no certification, they last forever, and they include concepts, innovations, etc. that give your business financial and competitive advantage. That’s why trade secret protection under the law is increasingly the regulatory strategy of choice for many development organizations.
Sounds perfect, right? Well, trade secret protection has two significant limitations. First, some major jurisdictions – like India, for example – simply don’t recognize the legal concept of a trade secret. The other limitation of trade secret protection is even more fundamental: unlike copyrights and patents, it only covers things that are actually secret. Once something becomes public, it can no longer be protected under trade secret law. More specifically, the definition of trade secret theft requires that possession of a trade secret be achieved through improper means, such as bribery, blackmail, or espionage. Recently enacted trade secret laws, both in the United States (the DTSA) and the European Union, specifically permit reverse-engineering of any legally acquired product. If reverse-engineering your application yields your source code, and therefore, your algorithms, such algorithms may no longer be secrets and no longer covered by trade secret protection.
Application Integrity Protection
Whether a hacker is trying to pirate your app, steal your data, or alter the behavior of a critical piece of infrastructure software as part of a larger crime – inspecting and/or modifying an application can play an essential role. As part of a layered protection strategy, companies should have mechanisms in place that add anti-debug and anti-tamper functionality directly into an application to protect, detect, and respond to attacks on the application's integrity.
Consider how the following exploits that stem directly from debugger hacks cross data, operational, and IP risk boundaries:
|Debugger Hack||Resulting vulnerability and risk|
|Bypassing encryption and other techniques used during data transmission and/or storage exposes otherwise secured data.||Unauthorized data access leads to data loss, loss of revenue, privacy breaches, regulatory non-compliance, and trade secret theft.|
|Insert and modify data within your application||Interrupt application flow circumventing controls and governance and voiding authorization and access controls.|
|Trace logic and the flow of your application||Expose intellectual property for reuse and exploitation|
|View encryption functions, the values of dynamic keys and when and how sensitive information is saved to your file systems and databases||Security and operational breach exposes data and systems beyond any one application.|
PreEmptive Protection for .NET, Java, Xamarin, Android and iOS Apps
PreEmptive Protection provides control to manage material risks stemming from unauthorized application decompilation, tampering, debugging and data access that:
- Does not require coding to secure and harden applications or the deployment of runtime agents to capture and respond to production attacks
- Fits seamlessly into your preferred DevOps and Application Lifecycle Management toolchain(s) and process(es)
- Combines real-time, cross-platform defenses with world-class monitoring and analytic solutions – integrates with preferred monitoring and analytics solutions from Microsoft, Google, New Relic and even Twitter
- Has a lightweight version included by default in every copy of Visual Studio (Dotfuscator Community Edition)