Organizations are becoming increasingly aware of the importance of making security part of the entire application development life cycle. In step with this trend, PreEmptive Solutions now wants to make a security technique -- obfuscation -- part of the entire life cycle as well.
Obfuscation can help address a weakness inherent in Java and .NET environments: both compile to an intermediate language (Java bytecode and .NET MSIL) whose binaries keep class, method and field names as metadata, so a decompiler can recover readable, near-original source from a shipped assembly. The process is applied to compiled assemblies, not source code. For example, a common obfuscation technique is to replace meaningful identifiers with meaningless ones. Obfuscation is used by many software vendors today, but it is also relevant for corporate developers who need to protect intellectual property, said Sebastian Holst, senior vice president of sales and marketing at PreEmptive Solutions in Mayfield Village, Ohio. "The goal is to make binary materially more difficult for a human or machine to get compilable source code."
But Holst stressed that obfuscation "should be treated as a process, not just a function you run while building final executables." Throughout the life cycle, a variety of roles need to work on binaries, from development to testing and support to patch management, he said. The company's recently announced Enterprise Obfuscation Solution for Microsoft .NET and Java is intended for use throughout the development life cycle. "What this release is doing is bringing every relevant role in the life cycle of the application, allowing them to continue to do their work efficiently, and where appropriate, to influence how and when obfuscation occurs," Holst said.
The Enterprise Obfuscation Solution bundles PreEmptive's Lucidator tool for debugging obfuscated code with the firm's obfuscator tools, Dotfuscator Pro for .NET or DashO for Java. "We're giving unlimited access to all those communities to Lucidator when people use the obfuscation products," Holst said. "It's a simple and lightweight way companies can integrate all the stakeholders in the development life cycle who need to look at obfuscated binary."
Features include developer control over obfuscation transformations at any level of granularity, simplified support for patch management and distribution, distributed tools, and deep integration with Microsoft Visual Studio 2005.
Microsoft has been shipping PreEmptive's Dotfuscator with Visual Studio 2005. That, coupled with the integration of PreEmptive's other solutions, "enables organizations using Visual Studio 2005 to make code-level security part of their overall software development life cycle," said Rick Samona, product manager in the .NET Developer Product Marketing Group at Microsoft Corp. "Many EULAs [end-user license agreements] legally protect organizations from reverse engineering of code, but as we all know, criminals don't abide by the laws. Uncontrolled source code distribution is often more of an issue with applications shipped by ISVs as opposed to internal line-of-business applications, but based on the solution created, both types of applications can certainly benefit from obfuscation," he said.
In addition to PreEmptive, Samona said there are several other obfuscation tools available with Microsoft technologies, so customers have choices.
Both Samona and Holst stress that obfuscation is one part of a layered approach to security. "Every major technology vendor understands and selectively obfuscates code as part of a layered approach," Holst said. "It's a low level of effort and cost to mitigate a calamitous risk. Obfuscation by itself doesn't guarantee [your code is secure], nor are you doomed without it, but it's silly not to take every step necessary."
Samona added, "We feel any individual security solution, such as obfuscation, is more powerful when used as part of a larger life cycle approach to the general problem of writing secure code."
Obfuscation also has potential drawbacks: bugs are harder to diagnose from obfuscated stack traces, transformations can hurt portability (renamed identifiers break code that looks up members by name at run time, such as reflection or serialization), and a defective obfuscator can itself introduce bugs into the shipped binary.
"It can be more difficult to diagnose a bug in the field when obfuscation is in use," Samona said. "To address this, Microsoft is innovating its developer tools and working with partners such as PreEmptive to enhance the experience around serviceability. However, in most cases, obfuscation can provide upside in protection with little to no downside."
But even with effective obfuscation, Samona said a life cycle approach to security is key. "With the software development life cycle, Microsoft has made its own internal security practices -- which involve people, processes and tools -- available to developers outside of Microsoft," he said. "By partnering with companies such as PreEmptive, Microsoft has continued looking to expand the security options available to its customers. Inherently insecure code that is obfuscated still suffers from the same security vulnerabilities as unobfuscated code."
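As an added illustration of two points above (identifier renaming as the most common obfuscation transformation, and Samona's caveat that an insecure program stays insecure after obfuscation), the following script is not from the article, PreEmptive or Microsoft. Real .NET and Java obfuscators rewrite IL or bytecode rather than source; here the renaming is applied to Python source with the standard `ast` module so the example runs stand-alone. The sample function, the injection payload, and the names `obfuscate`, `load_module` and `vulnerability_survives` are all constructed for this example.

```python
import ast

# Constructed sample program (not code from the page): a function that builds
# SQL by string concatenation, i.e. a textbook injection flaw.
SAMPLE_SOURCE = '''
def build_query(username):
    """Look up a user by name (constructed, deliberately injectable)."""
    table = "users"
    return "SELECT * FROM " + table + " WHERE name = '" + username + "'"
'''


class Renamer(ast.NodeTransformer):
    """Replace every program-defined identifier with a short meaningless one.

    Only names the module itself defines (functions, parameters, assigned
    variables) are renamed; builtins and imported names are left alone so
    the program keeps running. Docstrings are dropped because they leak intent.
    """

    def __init__(self, targets):
        self.targets = targets
        self.mapping = {}  # original name -> obfuscated name (the "map file")

    def _rename(self, old):
        if old not in self.targets:
            return old
        if old not in self.mapping:
            n = len(self.mapping)  # a, b, ..., z, a1, b1, ...
            self.mapping[old] = chr(ord("a") + n % 26) + (str(n // 26) if n >= 26 else "")
        return self.mapping[old]

    def visit_FunctionDef(self, node):
        node.name = self._rename(node.name)
        first = node.body[0] if node.body else None
        if (isinstance(first, ast.Expr) and isinstance(first.value, ast.Constant)
                and isinstance(first.value.value, str)):
            node.body = node.body[1:] or [ast.Pass()]  # strip the docstring
        self.generic_visit(node)  # renames parameters and body names
        return node

    def visit_arg(self, node):
        node.arg = self._rename(node.arg)
        return node

    def visit_Name(self, node):
        node.id = self._rename(node.id)
        return node


def obfuscate(source):
    """Return (obfuscated_source, name_mapping) for a module's source text."""
    tree = ast.parse(source)
    targets = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            targets.add(node.name)
        elif isinstance(node, ast.arg):
            targets.add(node.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            targets.add(node.id)
    renamer = Renamer(targets)
    tree = renamer.visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), renamer.mapping


def load_module(source):
    """Compile and execute module source, returning its namespace."""
    namespace = {}
    exec(compile(source, "<module>", "exec"), namespace)
    return namespace


# Constructed payload: closes the quoted literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"


def vulnerability_survives():
    """True if the renamed build_query still emits the same injectable SQL."""
    original = load_module(SAMPLE_SOURCE)["build_query"]
    obf_source, mapping = obfuscate(SAMPLE_SOURCE)
    obfuscated = load_module(obf_source)[mapping["build_query"]]
    return original(PAYLOAD) == obfuscated(PAYLOAD)


if __name__ == "__main__":
    obf_source, mapping = obfuscate(SAMPLE_SOURCE)
    print(obf_source)
    print("name map:", mapping)
    print("vulnerability survives:", vulnerability_survives())
```

The renamed output reads `def a(b): c = 'users'; return ...`, which is what a decompiler would show an attacker; the `mapping` dictionary plays the role of the map file that a tool such as Lucidator uses to translate obfuscated stack traces back for support staff. The string literals are untouched, and the concatenated query is byte-for-byte identical for the injection payload, which is Samona's point in code: renaming hides intent but changes nothing about what the program does with untrusted input.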