« January 2012 | Main | March 2012 »

February 2012

02/29/2012

The Hidden Truth about Application Security: There are No Shortcuts

By Tu Le

I've worked in the security industry for over 15 years and I often get requests to help developers quickly integrate security protection into their applications. There are many piracy prevention solutions to lend a helping hand, including using software licensing and protection. Another option is to use executable packers and encryptors, which are often referred to as application shelling or hardening.

What is Application Shelling
Application shelling is a technology that a few software security companies offer to highlight how easy and effective it can be to protect software application intellectual property from being reverse engineered. As the name suggests, application shelling is a process where security functions are injected into the program and then encrypted based upon some industry standard such as AES (Advanced Encryption Standard).

Typically due to time constraints or in some cases, a lack of source code, the use of this technology is attractive to software publishers because it provides the ability to quickly get the product out the door. It also prevents novice crackers from modifying a few bytes of the executable to circumvent security such as the infamous "JNZ to JMP" instruction. However, there are hidden dangers in using this type of technology that most software publishers are not aware, including.

  • When security fails, you end up with an unsatisfied, angry end user and usually a blue screen of death (BSOD)
    • Shelling involves injecting security function(s) and encrypting the program. When the security fails, the program will ultimately fail due to the program workflow getting redirected to some random memory pointer which will force the application to crash rather than gracefully exiting the program.
  • Due to the encrypting and decrypting nature of cryptography, initial loading time will be impacted which will negatively affect the end user experience.
  • Mission critical applications require a predictable outcome.
    • Since shelling technology enforces its own workflow in order to properly decrypt the program in memory, an unpredictable outcome results.
  • Maintaining, troubleshooting and debugging a deployed application will be difficult as the application is encrypted.
    • Ironically, the company offering the application shelling will require an unprotected version of the application in order to troubleshoot.
  • The application footprint will increase due to the nature of the technology as the process involves embedding additional security code to the application startup code sequence.
  • A sophisticated hacker can exploit the shelling technology by embedding malicious malware into the application to circumvent virus and other security protection by masking its signatures to maliciously spread or gain access to an unauthorized area of the system.

Application Shelling Isn't the Panacea
There are other security mechanisms available, including software licensing technology that detects and limits the functionality of the program over time. This software licensing technology utilizes secure data types and tamper resistant applications to prevent software piracy and hacking. Implementing application security to minimize risk of software piracy requires careful planning and design.

Watch InstallShield Uses Tamper Resistant Software Licensing Code to Prevent Piracy and Hacking to learn more.

 

Maureen Polte, Vice President of Product Management for InstallShield

Posted by on 02/29/2012 at 05:01 PM in Software Licensing, Software Piracy | | Comments (0) | TrackBack (0)

02/23/2012

Supercharge your Software Licensing Revenue & Digital Goods Revenue Streams

By Cris Wendt

Ever hear of "entitlement management"?

If not, you may be behind your competitors when it comes to creating maximum value from your digital goods, including software licenses.

Entitlement management is the idea behind Apple's iTunes, which is part of the reason Apple is one of the highest value companies in the world. Entitlement management is also commonly used in the hotel and travel industry. Where entitlement management is also critical but poorly understood, is in the software industry and intelligent device markets (where device functions are enabled with digital access codes or licenses).

Digital goods (including software, digital access codes to enable device functions, music, video, etc.) are sold to specific users or organizations based upon a set of usage rights that are called an entitlement. They are the cornerstone of provisioning value in the digital commerce world. These rights define value, and in some cases limits to value which can be redeemed, refreshed, or even expire over time. For example, I can download songs from iTunes on up to 5 different devices and play the songs into perpetuity. If I buy an anti-virus software license, I am entitled to receive and apply updated signature files for the duration of my subscription period. In the airline industry, I can buy an entitlement to fly between San Francisco and Boston in a coach seat. If I fly enough and accrue frequent flier miles, I receive additional entitlement rights in terms of upgrades, so that I may be entitled to fly in a business class seat (although that doesn't happen as much as I'd like).

The management of the access and redemption (or fulfillment) of these rights is called entitlement management.

Entitlement management is primarily a customer-facing activity, and should empower the customer to do business with the vendor on their time and schedule. Effective entitlement management should allow customers to buy entitlements from different sales channels, but have all entitlements accrue collectively into a customer account where they can managed by the customer through a self-serve portal. For example, I can buy songs from Apple direct from the iStore, or, I can buy a gift card and add it to entitlements in my account. I can buy airline tickets from the airline directly, or, from my travel agent. In both cases, the entitlements to fly appear in my single frequent flier account. Over time, it's this ease and fun of doing business that keep my loyalty and drives up my business value.

For software companies and device manufacturers, having an effective entitlement management system is important, but surprisingly few excel, many fail because they think what they need is ERP software, and not a more flexible entitlement management system. Symptoms of poor entitlement management include: low support renewal rates, inability to up-sell, low net promoter scores on customer satisfaction surveys, slow order processes, inability to move to new license models, incorrect customer shipments, poor compliance processes and delayed revenue recognition.

Next week – Attributes of a Good Entitlement Management System

Posted by on 02/23/2012 at 12:34 PM in Entitlement Management, Intelligent Device Management, License Models, Software Licensing | | Comments (0) | TrackBack (0)

02/22/2012

Virtualization is the Biggest Game Changer in Software Licensing in Many Years

By Mathieu Baissac

Some virtualization data points:

  • In 2010, more software was run on virtual environments than on plain physical hosts (IDC)
  • 65% of Enterprises want to virtualize their entire data center (Information Week, 2011)
  • InstallShield saw a 132% growth in VMware use in 2011
  • 11% of Enterprises said they did not track software in virtual machine (VM) environments (vs. 2.1% for non-VM software) (IDC 2011 survey)

In my years of talking to Publishers, this is the first time I've seen real fear when I start talking about VMs. They know (because they do this themselves) how easy it is to stand up a VM. As Los Alamos Lab IT proudly reports, in a self-service environment, their users can stand up a fully configured server in 30 minutes. Imagine that this VM image contains a license server pre-loaded with all the license files. It sure would be convenient, wouldn't it? So tempting, so easy, so … disastrous… from a licensing and compliance point of view.

If Publishers think they have 6-8% accidental software license over-use on plain old physical hosts, imagine the percentage change in the next 3-5 years as all those data centers get VMed.

What can Publishers and Enterprises do?  Here are some of the tactics that I've seen:

  1. Get the VM vendors to come up with a standard, guaranteed to be unique, non-mutable and durable identifier – so licenses can be tied to these
  2. Move to floating licenses and ensure that license servers aren't installed on VMs
  3. Move to new licensing metrics (usage-based instead of per seat/device/user meters)
  4. Move to hosted solutions where the Publisher has control over the license servers
  5. Move back to dongles

Whatever the answer ultimately is, it's not "duck you head in the sand" – which seems to be the approach of many Publishers and Enterprises.

VMs are IT's best friend and License Manager's worse enemy.

What tactics are you using to protect against accidental software license over-use?

Posted by on 02/22/2012 at 10:13 AM in Dongles, License Models, Software Compliance, Software Licensing, Software Piracy, Virtualization | | Comments (2) | TrackBack (0)

02/16/2012

How Device Manufacturers Can Thrive in a Software-Centric World

By John Lipsey

Jim Ryan, Flexera Software's chief operating officer, spends significant time talking with Intelligent Device Manufacturers to understand the challenges they're facing as their margins increasingly are being squeezed by competition and commoditization.

In this video, Jim discusses the changes occurring in the intelligent device space, where manufacturers increasingly are having to think like software vendors, where embedded software on devices is the norm and where key technology to help manufacturers reduce supply chain costs, differentiate and develop products in a more agile environment are key to maintaining profitability.

  

Jim shares how manufacturers can transform their businesses with software licensing, entitlement and device lifecycle management technologies.

Posted by on 02/16/2012 at 12:59 PM in Embedded Software, Entitlement Management, Intelligent Device Management, Software Licensing | | Comments (0) | TrackBack (0)

02/08/2012

Flexera Software to Participate in Cloud Ecosystem Panel at the Cloud Industry Summit

By Ann Reist

Jeanne Morain, director of strategic alliances at Flexera Software, will be participating in a panel discussion on the Cloud Ecosystem at the upcoming Cloud Industry Summit in Santa Clara, CA. This panel of suppliers relying on ecosystem partnerships will discuss the salient issues and unique attributes that cloud implies.

The early market for Cloud-based services is demonstrating that one key to potential success is an appropriate, effective ecosystem of partners. Data centers, networks and go-to-market channels are all inherently heterogeneous affairs further complicated by Cloud delivery, and the service offerings themselves are increasingly multi-supplier aggregations.

When:
The Cloud Ecosystem
February 13, 2012
4:20-5:00pm

Where:
Santa Clara Convention Center
Grand Ballroom F
Santa Clara, CA

We hope to see you there!

Posted by on 02/08/2012 at 11:30 AM in Cloud, Software Licensing | | Comments (0) | TrackBack (0)

02/07/2012

The Cloud is Here: Are Software Vendors and Intelligent Device Manufacturers Prepared?

By John Lipsey

Cloud-based computing has transformed the way people think about purchasing and consuming business software. Like ala carte dining rather than all you can eat, the Cloud has opened up entirely new revenue streams for providers to enable value based on new delivery models such as burst-of-use and pay-per-use, to name a couple. There are many software licensing implications tied to Cloud computing. And they all assume that application producers can track their customers' software usage and enforce it according to the relevant licensing arrangement.

But can they?

According to our 2011 Key Trends in Software Pricing & Licensing Survey, software vendors and intelligent device manufacturers have a ways to go. According to the survey, 47% of application producers say they either do not have technology in place that enables them to know what product, product version or platforms their customers are using – or they simply do not know.

 

Producers increasingly are recognizing the need to upgrade their licensing and entitlement management strategies to accommodate Cloud-based technologies. For instance, 42% see the need to change their licensing strategies to deploy technologies that better track licensing; 40% want to upgrade so they can better enforce their licenses; 26% will change their licensing schemes to support pay-as-you-go models – and 19% – to accommodate short bursts of use.

Given the fluidity in technology and the need to accommodate new and evolving ways customers will be consuming software in the Cloud – one thing is certain. Flexible, consistent licensing will be essential – across all product lines – licensing that is capable of accommodating the range of anticipated usage models – from on premises, to SaaS, Virtualized and the Cloud.

Posted by on 02/07/2012 at 01:19 PM in Cloud, Entitlement Management, License Models, Software Licensing | | Comments (0) | TrackBack (0)

Entitlement and Compliance Management: Talking Successful Software is a resource for software producers and high-tech device manufacturers in licensing and entitlement management.

Follow Us
 Flexera Software
 InstallShield

Recent Posts

Categories

Archives

White Papers

Flexera Software