Software developers make common and avoidable mistakes that create vulnerabilities and expose their software to ever-present security threats, according to field observations by Vic DeMarines.
Yesterday I spoke with Vic, VP of products at V.i. Laboratories Inc. (V.i. Labs) in Waltham, Mass. V.i. Labs’ products help software providers protect themselves against piracy and associated revenue losses. The company also provides antitampering solutions and products that prevent intellectual property theft. For example, its CodeArmor Intelligence antipiracy product enables software publishers to identify organizations that are using their software illegally. V.i. Labs’ customers include financial services software companies and online gaming providers.
I asked Vic to name some of the most common security mistakes he sees. He said there are three major security threats: piracy, code theft and tampering. “You can’t stop piracy, but you can be more resistant to it,” Vic said. “When developers integrate licensing into an application, they rarely consider making it resistant to reverse engineering or the threat of piracy.” There are basic tools and techniques that help vendors resist piracy and reverse engineering: antitamper technology, obfuscation, and tamper detection with reporting back to the vendor. Not using any of them is a common mistake. Vic said some of these can be built in-house and others are available commercially.
Developers also frequently make security mistakes when writing new applications in Microsoft .NET. “Developers need to understand the risk in .NET,” Vic said. The bad news, according to Vic, is that a compiled .NET assembly still carries enough of the program's structure that anyone who knows where to look can recover something close to the original source with freeware decompilers. (.NET compiles to Common Intermediate Language with full type and method metadata, which is what makes that recovery so easy.) The mistake can be avoided without abandoning .NET: developers can keep sensitive code in a form that does not decompile so readily, or use obfuscation techniques or protection tools to keep people from reading it.
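Here is an added example, my own illustration rather than code from V.i. Labs or its products, that puts the two points above side by side in C#: a licence check that any free decompiler exposes, followed by the kind of tamper detection and reporting Vic describes. It assumes .NET 6 or later; the licence key format, the side file holding the expected digest, the report layout and the embedded secret are all made up for the illustration.

```csharp
// Added example, not code from V.i. Labs or from the article.
// Assumes .NET 6 or later. Key format, side file, report layout and the
// "licence secret" are illustrative assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed record TamperReport(string Machine, string Assembly,
    string ExpectedSha256, string ActualSha256, DateTimeOffset When);

public static class LicenseGuard
{
    // 1. What a free decompiler recovers from the IL: this literal and this
    //    branch come back essentially as written. A cracker can read the key
    //    out of the string table or patch the method to "return true".
    public static bool NaiveLicenseCheck(string key) => key == "DEMO-1234-5678";

    // 2. Tamper detection: SHA-256 of the assembly image on disk, compared with
    //    the digest the build recorded. The expected value must be stored
    //    outside the bytes being hashed (here a side file the build signs);
    //    otherwise the cracker just recomputes it after patching.
    public static string Sha256Hex(string path) =>
        Convert.ToHexString(SHA256.HashData(File.ReadAllBytes(path)));

    public static bool ImageIsIntact(string assemblyPath, string expectedSha256Hex)
    {
        byte[] actual = Encoding.ASCII.GetBytes(Sha256Hex(assemblyPath));
        byte[] expected = Encoding.ASCII.GetBytes(expectedSha256Hex.ToUpperInvariant());
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // 3. Reporting: when the image does not match, record what was seen so the
    //    vendor can act on it. Sending the report (HTTPS to a collection
    //    endpoint) is left out; this version writes it next to the application.
    public static TamperReport? CheckAndReport(string assemblyPath,
        string expectedSha256Hex, string reportDir)
    {
        string actual = Sha256Hex(assemblyPath);
        if (ImageIsIntact(assemblyPath, expectedSha256Hex)) return null;

        var report = new TamperReport(Environment.MachineName,
            Path.GetFileName(assemblyPath), expectedSha256Hex.ToUpperInvariant(),
            actual, DateTimeOffset.UtcNow);
        Directory.CreateDirectory(reportDir);
        string file = Path.Combine(reportDir, $"tamper-{report.When:yyyyMMddHHmmss}.json");
        File.WriteAllText(file, JsonSerializer.Serialize(report));
        return report;
    }

    // 4. Avoid a single bool a cracker can flip: fold the image digest into the
    //    key the licence check expects (the vendor issues keys per release from
    //    the known digest). A patched image then derives a different expected
    //    key instead of exposing an obvious "if (!intact)" branch. The secret
    //    still ships inside the image, so this raises effort; it does not make
    //    the check unbreakable.
    public static string DeriveExpectedKey(string assemblyPath, string licenceSecret)
    {
        byte[] imageDigest = SHA256.HashData(File.ReadAllBytes(assemblyPath));
        byte[] mac = HMACSHA256.HashData(Encoding.UTF8.GetBytes(licenceSecret), imageDigest);
        return Convert.ToHexString(mac, 0, 8); // 16 hex characters; format is illustrative
    }

    public static int Main(string[] args)
    {
        // Assembly.Location is empty for single-file publish; pass the path there.
        string self = typeof(LicenseGuard).Assembly.Location;
        string expected = File.ReadAllText(Path.ChangeExtension(self, ".sha256")).Trim();
        string reportDir = Path.Combine(AppContext.BaseDirectory, "reports");

        TamperReport? report = CheckAndReport(self, expected, reportDir);
        Console.WriteLine(report is null
            ? "image intact"
            : $"tamper detected, report written for {report.Assembly}");
        return report is null ? 0 : 2;
    }
}
```

The build step computes the SHA-256 of the published assembly, writes it to the `.sha256` side file and signs or otherwise protects that file. Patch the image and the digest no longer matches: a report is written and the derived licence key stops validating. None of this stops a determined cracker, which is Vic's point; it raises the cost of piracy and tampering instead of leaving the licence check as a single branch to flip.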
I also asked Vic for tips on producing high-quality, secure software in a down economy — how do you “do more with less” when it comes to software security? Vic advised developers to think ahead — if you’re about to design an app, “make security a priority and define how you’re going to test it,” he said. Enlisting an outside security testing team is expensive, so instead have someone in your group who is strong in security “think like a cracker” to determine vulnerabilities.