Gartner Blog Network


Security No-Brainer #7: If You Have Intellectual Property Embedded in Software, Protect it.

by Neil MacDonald  |  July 7, 2009  |  5 Comments

I saw this in an article today on Bloomberg:

July 7 (Bloomberg) — Goldman Sachs Group Inc. may lose its investment in a proprietary trading code and millions of dollars from increased competition if software allegedly stolen by a former employee gets into the wrong hands, a prosecutor said.

Full details of the theft were not disclosed, but the article indicates that the person suspected of the theft was an internal employee involved in upgrading the trading platform:

Aleynikov worked at Goldman from 2007 until June, the government said in the complaint. He was part of a team of workers responsible for improving the computer platform. His alleged transfer of computer codes ran from June 1 to June 5, according to prosecutors.

Multiple vendors offer solutions that obfuscate source code to protect it from theft, as well as other application hardening solutions that protect the code once it is installed and running (for example, detecting tampering and debugging attempts and initiating specific responses, including destruction of the code). These solutions protect against both insider and external attack. Vendors include Arxan, Cloakware, PreEmptive, V.i. Laboratories and others. We have researched and advised clients on these vendors and solutions for years.

The Goldman Sachs theft is a reminder that almost every modern organization has some of its IP embedded in software that is subject to attack and theft. Like all security decisions, there must be a discussion of the cost/risk/benefit tradeoffs. However, if your intellectual property is worth millions, then some amount of extra protection makes sense, including additional controls on source code in the development process.


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


Thoughts on Security No-Brainer #7: If You Have Intellectual Property Embedded in Software, Protect it.


  1. […] Read the original here: Security No-Brainer #7: If You Have Intellectual Property Embedded … […]

  2. Whit Andrews says:

    I’ll take it past code, too, Neil. For example, we’ve written research that identifies search relevancy calculations as IP — and why not? If a company like ours establishes lexicons that identify concepts, why wouldn’t that represent absolute value for our competition or would-be competition? Your point is excellent — IP is increasingly attached to code, and quasi-code. Failing to protect it is unfortunate if understandable.

  3. Neil MacDonald says:

    Excellent point, Whit. Executable code is just another container of ones and zeros much like a Word document, spreadsheet or similar – any of which may contain embedded IP.

    Conceptually, the vendors and products I mention above are not too different than DRM on a sensitive document.

    Therein lies the rub – do most organizations really have a good grasp of what containers of bits represent sensitive information and which do not? IP embedded in software is an area where many organizations probably don’t yet have a good grasp (to be fair some do, for example ISVs, software within embedded devices, etc…)

  4. A. Dhanani says:

    There are ways to keep the source code safe while the person is working on it, allowing the programmer/developer to add, delete, compile, debug and create source code without being able to keep any of it. A unique way to protect Source Code IP so situations like Goldman Sachs don’t happen (ever).

  5. Neil MacDonald says:

    Yes – agree on Mr. Dhanani’s comment. I alluded to this in the original post — “including additional controls on source code in the development process.”

    There are ways to do this without allowing the developer to keep a local copy of the source code.


