Tag Archives: agile development

Weekly security lessons learned

We specialize in security and compliance for the health care and bio-med space, helping clients build security into their products instead of bolting it on later. There are plenty of challenges to go around, and it often feels like you're trying to drink from a fire hose: lots of water, a few drops into your mouth, getting thoroughly wet and having lots of fun!

This week we had oodles of interesting problems to solve, but the $64K question is:

How many of the solutions will we remember next week this time?

I decided to start writing a weekly lessons_learned file. I’m maintaining it in my own git repository. If I go anywhere with some of these daily lessons, I’ll move it to github. Here are a few lessons I learned this week.

  1. A little bit of introspection can go a long way, or how to make changes in a complex Web application without introducing new bugs and new vulnerabilities.
  2. Do not take Unicode for granted.
  3. Making MVC frameworks more secure with stored procedures and views.
  4. Denormalization is not a bad thing, especially if it keeps the code simple.
  5. Data validation: replacing declarative statements with JavaScript code.


What is the value of a trade secret?

My guess is that the value of software patents is on the decline, where value is the economic upside of the software patent net of the cost of patent development, application and enforcement.

The dynamic is that the benefit from patent protection in the software industry is less than the cost of patent development, application and enforcement (see Bessen and Meurer, "Patent Failure"). The key area today where IP protection has a positive ROI is chemical formulations, i.e. the bio-pharma industry. Since most of the patents applied for and issued in the past 10 years have been related to software and algorithms, it follows that the adage "you can fool some of the people some of the time, but not all the people all the time" is taking effect.

Protecting software-related intellectual property is extremely difficult: the boundaries are unclear, the algorithms are similar and people are mobile.

Patent applications and registered patents are publicly available for perusal by anyone, so they are not a privacy, compliance or data security issue at all. The information is already out there.

What is not out there is the implementation. In the bio-pharma industry, that means the recipe for making the vaccine; in the software industry, it means writing software that is secure, reliable, scalable and friendly to users.

Writing secure, reliable, scalable and maintainable software is a non-trivial exercise.

There is a huge gap between a software patent and the software implementation. On one hand, viewing the patent as a digital asset, the vulnerability of patent disclosure is zero, since the patent offices have already disclosed it. On the other hand, a company's actual implementation source code and techniques may be worth a lot of money: the value of the time, know-how and software management invested, plus the potential downside if a competitor got a copy of the source and implementation technique and used it to jump-start their own development process.

My first recommendation to a technology company doing cutting-edge software development is to use DLP to protect your source code, since this is one of the easiest DLP implementations to do. The prices of DLP products are going down, and $150k a year for DLP implementation and operations is cost-effective when you have a few million invested in the implementation.

There are other security countermeasures against leakage of source code and implementation, such as false flags and changing your source code very quickly through agile implementation. Source code that was stolen 6 months ago is not worth much when a company cycles every day and builds a new release every morning at 8:30.
