Painless Piracy Prevention

By Kevin Morgan
Software Test & Performance™
April 23, 2008

Over the next four years, an estimated US $200 billion in software revenues will be lost due to piracy. According to the Business Software Alliance’s latest global piracy study conducted by IDC, piracy impacts not just the bottom line, but extends beyond revenue loss. Counterfeit software, sold by professional pirates on so-called “cheap OEM software” sites, is buggy and often carries malware pay- loads. Customers who unknowingly buy such counterfeits can account for as much as 20 percent of your technical sup- port costs.

Like most software vendors, you may be considering an anti-piracy solution to combat this problem. There are two prongs to any solution: usage metering measures such as license management and node locking, and software security measures against hacking and tampering with the application and the usage metering measures themselves.

Durably protecting software against an attacker with administrative privilege is challenging. Solutions that apply conventional strategies such as obfuscation give rise to new problems and can impact every aspect of soft- ware development, quality assurance and end-user experience. And most software packages get hacked anyway, often within hours or days of release.

Faced with these challenges, which directly impact success metrics for the software development team, many companies elect to lower their security bars and therefore knowingly incur piracy. Fortunately, recent advances in application hardening technology pro- vide a viable alternative that success- fully secures software applications while being nondisruptive to the SDLC and to end users.

Application hardening solutions comprehensively protect software against reverse engineering, tampering and hacking. Provided by companies whose core competency is preventing attack by professional hackers, they’re nondisruptive in nature and offer rugged protection.

Application hardening ensures that software metering measures can run untampered and protects software applications from sophisticated attack vectors such as disassemblers and debuggers. It also goes far beyond simplistic and one-dimensional security techniques. The goal is to not only protect the license management functionality against attack, but also to protect all of the software-based IP—including algorithms, APIs and data—against tampering and piracy. By making application hardening the cornerstone of your software protection strategy, you can ensure that you get maximum revenues from software usage. In considering which application hardening solution to adopt, consider these seven key properties to ensure that your solution is seamless, effective and efficient:

Transparent to end user. The best soft-ware protection tools shouldn’t impact you application’s runtime performance. They should be self-contained within your application and should not affect the user experience.

Works on the compiled binary. There should be no impact on the source code development process for you, or for any partners who embed or build plugins for your system. Binary-based solutions also can protect legacy code and exist- ing builds.

Does not disrupt development. The hardening solution should seamlessly integrate into your build environment. It should be fully automated and run in real time. Configuring (and reconfiguring) the protection should be easy, and should not disrupt your software structure or development.

Is easy to customize. One-size-fits-all security is attractive in theory, but impractical in reality. Choose a solution that can be easily tuned to your specific threat profile and application structure, and can be quickly yet securely blended across your software logic. This provides maximum security without a large integration effort.

Doesn’t disrupt QA or field maintenance. Quality assurance always occurs on a compressed schedule and there- fore has the least tolerance for risk and overhead. Leading application hardening solutions are transparent to the functional testing process, assist the security testing process, and interoperate with field debugging and crash analysis tools.

Has a proven track record. Cut through the hype and choose a solution that’s tested by independent organizations and proven with real- world successes. Recognize that any protection can eventually be broken, and consider solutions that offer breach management.

A winning anti-piracy strategy tightly binds application hardening with license management, protecting revenue and the development process and timetable. The value for your customers is their confidence that the software they’re purchasing is legitimate and untainted with malware or other Trojan horses.

There should be no performance impact for protected software. Protection should exist seamlessly in the background and without disruption to any application function. Realizing the fullest return on your R&D means maximizing investments in new features and capturing new markets without fear that the software is being compromised or that your IP investment will be plundered.