Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Security No-Brainer #7: If You Have Intellectual Property Embedded in Software, Protect it.

by Neil MacDonald  |  July 7, 2009  |  5 Comments

I saw this in an article today on Bloomberg:

July 7 (Bloomberg) — Goldman Sachs Group Inc. may lose its investment in a proprietary trading code and millions of dollars from increased competition if software allegedly stolen by a former employee gets into the wrong hands, a prosecutor said.

Full details of the theft were not disclosed, but the article indicates that the person suspected of the theft was an internal employee involved in upgrading the trading platform:

Aleynikov worked at Goldman from 2007 until June, the government said in the complaint. He was part of a team of workers responsible for improving the computer platform. His alleged transfer of computer codes ran from June 1 to June 5, according to prosecutors.

Multiple vendors offer solutions that obfuscate source code to protect it from theft, as well as other application hardening solutions that protect the code once it is installed and running (for example, by detecting tampering and debugging attempts and initiating specific responses, including destruction of the code). These solutions protect against insider and external attack. Vendors include Arxan, Cloakware, PreEmptive, V.i. Laboratories and others. We have researched and advised clients on these vendors and solutions for years.

The Goldman Sachs theft is a reminder that almost every modern organization has some of its IP embedded in software that is subject to attack and theft. Like all security decisions, this one calls for a discussion of the cost/risk/benefit tradeoffs. However, if your intellectual property is worth millions, then some amount of extra protection makes sense, including additional controls on source code in the development process.

Category: Application Security

5 responses so far ↓

  • 2 Whit Andrews   July 7, 2009 at 10:18 pm

    I’ll take it past code, too, Neil. For example, we’ve written research that identifies search relevancy calculations as IP — and why not? If a company like ours establishes lexicons that identify concepts, why wouldn’t that represent absolute value for our competition or would-be competition? Your point is excellent — IP is increasingly attached to code, and quasi-code. Failing to protect it is unfortunate if understandable.

  • 3 Neil MacDonald   July 8, 2009 at 8:43 am

    Excellent point, Whit. Executable code is just another container of ones and zeros much like a Word document, spreadsheet or similar – any of which may contain embedded IP.

    Conceptually, the vendors and products I mention above are not too different than DRM on a sensitive document.

    Therein lies the rub – do most organizations really have a good grasp of what containers of bits represent sensitive information and which do not? IP embedded in software is an area where many organizations probably don’t yet have a good grasp (to be fair some do, for example ISVs, software within embedded devices, etc…)

  • 4 A. Dhanani   July 8, 2009 at 1:09 pm

    There are ways to keep the source code safe while the person is working on it. Allowing the programmer/developer to add, delete, compile, de-bug, create source code without being able to keep any of it. A unique way to protect Source Code IP so situations like Goldman Sachs don’t happen (ever).

  • 5 Neil MacDonald   July 8, 2009 at 1:44 pm

    Yes – agree on Mr. Dhanani’s comment. I alluded to this in the original post — “including additional controls on source code in the development process.”

    There are ways to do this without allowing the developer to keep a local copy of the source code.