I had a discussion with a client today looking to protect sensitive intellectual property in their source code. I discussed two primary areas of risk: 1) that the developers (some of whom were offshored) might take the code and 2) that once the code was distributed to customers, it might be reverse engineered or copied.
Addressing the first set of risks should start with policy – for example a non-disclosure agreement. Technical controls such as running developer sessions from a hosted virtual desktop session are also possible.
To address the second risk, an entire ecosystem of vendors offers solutions for the obfuscation of source code, tamper resistance and tamper detection. These are covered in the latest Gartner hype cycle for application security, which we just published for clients, under a dot labeled “code obfuscation”.
This second risk is especially relevant with the shift to managed code and platforms such as Java and .NET, which are much more easily reverse engineered.