Wall Street & Technology: Blog: Do You Need to Obfuscate?

Do You Need to Obfuscate?

Did you know that when you create an application using Java or .net, anyone can drag and drop that executable to a free decompilation tool such as Reflector (for .net) and then be able to see all the source code behind it? Such examining of code and perhaps reverse engineering can be done for benign reasons – to debug the application, for instance, or to provide better training or support. But sneak-peeking at software code can also be done maliciously, by competitors, disgruntled employees or hackers who want to steal intellectual property or get into a computer system. Obfuscation software inserts additional code into an application to prevent a would-be IP thief or hacker from being able to reverse-engineer the code.

Microsoft bundles a lightweight obfuscator in Visual Studio that it OEMs from PreEmptive Solutions. PreEmptive also offers a heavier-weight, corporate version. The obfuscator notifies a company when its software has been tampered with. According to Sebastian Holst, senior vice-president of PreEmptive, the tamper notification service is like a smoke detector in that it’s inexpensive and easy to use yet it could potentially help you avert catastrophe. The software is priced at $5,000 per build machine; a typical enterprise license is $25,000. Next week, PreEmptive will come out with a “thermostat”: dashboards and benchmarks that keep track of software performance and vulnerabilities.

Is this a vital area that Wall Street firms should be focusing on now? Not quite, according to Joseph Feiman, vice-president and Gartner Fellow. While he feels application security, particularly for web-based applications, is a very important issue for Wall Street this year (we'll be following up on this at a later date), he sees obfuscation as a small subset of the broader application security problem. “As long as companies’ software and their intellectual property stay within the premises, they’re safe,” he says. “Where obfuscation useful is where applications leave the enterprise.” So if a Wall Street firm shares its applications with partners or customers, then it might want to consider obfuscation, as should a company that doesn’t trust its own employees who use sensitive applications.

Posted by Penny Crosman at 05:34 PM

This is a public forum. CMP Media and its affiliates are not responsible for and do not control what is posted herein. CMP Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of CMP Media LLC and may be edited and republished in print or electronic format as outlined in CMP Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.