You know you need to make your products as secure as possible – but how will you do it?
In addition to the security overview covered in the first blog in this series and license key cryptography covered in the second blog, this final installment focuses on a fundamental question that many software producers are asking themselves: how are we going to ensure that our customers are in compliance with our software license agreements while also protecting our software from piracy?
Note that there is a fundamental difference between compliance and anti-piracy – they’re not the same thing. Protecting IP is about implementing anti-piracy measures (e.g. defending against application tampering), while compliance is about monetization strategies. First we’ll take a look at compliance.
As a software producer, maximizing software revenues and minimizing revenue loss is a function of ensuring customers are compliant with your license agreements and that you have mechanisms to capture revenues throughout the software lifecycle. This is a growing challenge as new technologies and customer preferences increase the demand for new license models.
In my experience I’ve seen more and more software vendors ensuring compliance by putting software license enforcement into their products. They want to do this because they know their license meters and license models best. They also want to insure that there is no ambiguity in those meters and models while providing a great user experience. As technology evolves over time, they want to be able to adopt and provide additional flexibility for their market and customers. Contractual agreements can never provide that level of flexibility and customer satisfaction.
When software vendors request software security, most are actually looking for the appropriate compliance controls to keep the majority of their users honest. Those users that are determined to circumvent the rules may still find ways to thwart an application’s security through reverse-engineering and will eventually pirate the software product – this is where the anti-piracy approach comes into play.
In an attempt to further bolster security, many producers also incorporate anti-piracy in addition to compliance mentioned above. Anti-piracy is a security approach that assumes that products are going to be under assault by hackers and thus takes proactive measures to combat piracy.
One popular anti-piracy measure is tamper resistance which does things like hardening the application by making it harder for hackers to remove security controls built into the software application. For instance, an attack on an application will typically look for a decision check point such as checking for a software license key, which tamper resistance can help defend against.
Note that anti-piracy security measures are best accomplished by applying security in layers. Below are best practices in several key areas:
When deciding which anti-piracy measures to implement, it is important to factor the threat model and the trade-off of usability. In my opinion, security always have an inverse effect on usability; so trying to implement a highly-secure bullet-proof licensing approach may have a negative impact on usability which can lead to inflexible licensing models that hinder your monetization strategies.
Software licensing security is about taking a holistic approach: understanding core security principles, encryption methods and then taking the best approach to secure your products. Not one approach will work for all products and all industries.
I hope this security series has been helpful – please reply below with any other security topics that are on your mind.
More info on software licensing security: