You’re the owner of a multi-million dollar software development company. You’re creating the most cutting-edge widgets in the industry and leaving your competition in the dust. Your customers are lining up to get their hands on your latest widget, the one that promises to be the next best thing since sliced bread. The money’s rolling in; your competition is struggling to keep up and before you know it you’ll be on the cover of Forbes™ magazine. So what’s the downside, you ask? Well, for every widget you sell you’re giving away your trade secrets: you’re handing your source code over to the competition or to people who will end up becoming your competition. This is the importance of code obfuscation.
Obfuscation by definition means “to make obscure or unclear”. Code obfuscation means taking the application source code your developers write and obscuring it, so prying eyes can’t view it in its native format. Older programming languages such as C or C++ didn’t really have the need to be obfuscated, since the compilation process did most of the obscuring automatically. There was no single way to decompile or reverse engineer a dll or exe file, since different compilers handled the compilation process differently.
However, with the introduction of programming languages such as Microsoft .NET that compile down to a common MSIL (Microsoft Intermediate Language), it is very easy to decompile these files. There are several known .NET decompilation programs available, the best known being Lutz Roeder’s .NET Reflector (http://www.aisto.com/roeder/dotnet/). Without a proper code obfuscation process in place, this tool in the hands of your competition is like giving them the keys to your kingdom. This tool would allow your competition to decompile your widget and view the source code of every class and procedure in your application.
So how do you protect yourself? First, you need to educate yourself and your development team. You and your development team must understand the importance of security in the development lifecycle. You must strive to make security as important as the functionality. After all, what good is an application that does everything it’s supposed to do functionally if its security is so weak that customer information can be compromised or even stolen? Weak functionality can lead to disappointed customers, but weak security can lead to lawsuits. Don’t believe me? Google “TJX Security Breach” and discover for yourself.
Second, you need to educate yourself on your code obfuscation options. There are several companies out there that provide source code obfuscation tools. Invest some time researching them, comparing their functionality and limitations, as well as your expected COO (Cost of Ownership) and ROI (Return on Investment). At the end of the day you’ll find that you’ll sleep better at night knowing that the bad guys out there aren’t stealing the code you and your team have worked so hard to create.
In the end you need to plan, train and implement the steps necessary to ensure your development team is using the tool you chose properly and to its fullest potential. Some obfuscation tools come as add-ins for the Microsoft .NET programming IDE, while others may be stand-alone applications that run on the files after compilation. Regardless of which type you choose, you’ve taken an important step in the security of your application. So, what is the importance of code obfuscation? It’s taking the steps necessary to ensure the prying eyes of the world can’t peek through the window of your application and see what’s going on inside.
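One way to confirm that the obfuscation step actually ran on a release build is to read the names a decompiler would see straight from the compiled assembly's metadata. The C# program below is an added example, not code from the original article or from any obfuscation product; the `ObfuscationCheck` name, the "readable name" heuristic and the 50% failure threshold are assumptions chosen for illustration.

```csharp
// Added example (not from the original article): post-build obfuscation check.
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

static class ObfuscationCheck
{
    // Assumption: a name of 4+ ASCII letters, digits or underscores counts as
    // "readable"; renamed members are assumed to be shorter or non-alphanumeric.
    static bool LooksReadable(string name) =>
        name.Length >= 4 && name.All(c => c < 128 && (char.IsLetterOrDigit(c) || c == '_'));

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ObfuscationCheck <path-to-assembly>");
            return 2;
        }
        using var stream = File.OpenRead(args[0]);
        using var pe = new PEReader(stream);
        if (!pe.HasMetadata)
        {
            Console.Error.WriteLine("Not a .NET assembly (no CLI metadata).");
            return 2;
        }
        // The metadata tables hold the same names a decompiler displays.
        MetadataReader md = pe.GetMetadataReader();
        int total = 0, readable = 0;
        foreach (TypeDefinitionHandle th in md.TypeDefinitions)
        {
            foreach (MethodDefinitionHandle mh in md.GetTypeDefinition(th).GetMethods())
            {
                MethodDefinition method = md.GetMethodDefinition(mh);
                // Assumption: public members are deliberately left unrenamed (API surface).
                if ((method.Attributes & MethodAttributes.MemberAccessMask) == MethodAttributes.Public)
                    continue;
                total++;
                string name = md.GetString(method.Name);
                if (LooksReadable(name)) { readable++; Console.WriteLine("readable: " + name); }
            }
        }
        Console.WriteLine($"{readable} of {total} non-public method names look readable");
        // Assumed threshold: fail the build when more than half are still readable.
        return total > 0 && readable * 2 > total ? 1 : 0;
    }
}
```

Run it against the compiled output as the last build step; a non-zero exit code means the assembly about to ship still exposes most of its internal method names.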