What software developers need to know about software immune systems
Metaforic software immunization technology protects virtually any software from subversion, theft, piracy, tampering or other corruption. It is proven in millions of deployed instances, from consumer software to business devices. Only software protected by Metaforic earns the Mark of Security distinction. Offices are located in the United States, Europe and Japan. Further information is available at www.metaforic.com.
Info Security PG: How do subversion, theft, tampering, and other similar corruptions impact today’s software developers?
Dan Stickel: Software security used to be the responsibility of the buyer. It was an unspoken assumption that the buyer/user had to provide a perfectly protected operating environment, and if a hacker gained access to the software, that was the buyer’s problem.
But this notion of requiring a “Software Garden of Eden” is rapidly disappearing. First, because it has proven to be impossible to provide, and second, because many of the organizations responsible for creating this software now have a greater stake in its correct operation. For example, when financial institutions create mobile banking apps, they need to enable those apps to run on consumers’ phones. Because of the risks, banks have to take active steps to ensure their software can safely operate even when the base environment cannot be trusted. Similarly, developers writing software to operate nuclear power plants, medical devices, or even cars, now need to worry about terrorism, malware, and even things like power surges, which have the potential to corrupt or subvert the software. Separately, the move towards SaaS has clearly shifted significant security responsibility from the user to the supplier/developer.
This means that already overburdened developers now have to add significant security concerns to their schedules (in addition to new features, platform ports, usability improvements, etc.). One of the nice things about Metaforic protection is that because it is automated, developers don’t need to understand security to apply it, and in fact, a developer doesn’t even need to be involved in the process at all.
About Dan Stickel
Dan Stickel is CEO of Metaforic, a security company that provides a software immune system enabling programs to defend themselves against hacking, targeted malware, and other forms of subversion. Dan was previously CEO of WebTrends, and before that ran a multi-billion $ product line for Google. Dan also ran the public $100M+ software protection division of Macrovision, got his start at Bell Labs, and has both an undergraduate and a graduate degree from Harvard University.
Info Security PG: What are the biggest security threats you are seeing today and how are you helping your customers best prepare proactively?
Dan Stickel: There are so many risks to software, so many possible avenues of attack, that rather than focus on specific attack vectors, we simply ensure that the app continues to be uncompromised. The vast majority of security initiatives are designed to try to ensure that no threats escape into the system, but experience shows us that the threats appear anyway: whether through zero-day exploits, advanced persistent threats that are already there, administration mistakes, or even turncoat employees.
Who is protecting the app when the environment is inevitably compromised? Metaforic includes a number of overlapping and complementary defense mechanisms, but at its core it primarily ensures that the software and its data have not been modified in any way … and it continuously checks this in real time so that there’s almost no opportunity for dynamic or ephemeral attacks, and it does this with almost no impact on program size or performance.
To give you one example, app repackaging is a real concern in the mobile space. Hackers download a legitimate app, modify it to initiate paid SMS messages, steal account numbers, modify transactions, and so forth, then provide this seemingly legitimate app to unsuspecting consumers. More insidiously, advanced persistent threats can lurk in the background, changing apps in real time, then restoring them after the deed is done, so that it can be very difficult to detect a problem. Metaforic protects against all these kinds of attacks, and more.
Info Security PG: How does your technology strengthen the software immune system?
Dan Stickel: Our technology enables software to defend itself. After an automated analysis of the static program, and an automated dynamic analysis that watches the program run in real life, our toolkit injects thousands of security primitives, or software antibodies, throughout the program. These security functions become an integral part of the program, very difficult to separate out, and thus as the program goes about its normal responsibilities, it’s also constantly checking itself for health. When it finds a problem, it can either try to self-repair, cry for help, shut down, or whatever is appropriate. Trying to defeat one software antibody will trigger a swarm of others, so that trying to modify a single element of the program often requires defeating the majority of antibodies in the code. We have several patents surrounding these processes.
Info Security PG: How is the Metaforic approach unique and how does it differ from all the security software on the market today?
Dan Stickel: The majority of security software on the market runs outside the program, attempting to keep the system clean. As we discussed earlier, we instead assume the system cannot be trusted, and try to ensure that the app can operate even under imperfect conditions.
However, the notion of trying to check software for subversion is not new. In fact, code-signing is a good, simple example of this concept. The problem with code-signing is that it relies on the operating system to enforce it, and as we’ve seen on Apple’s iOS and now Windows RT, this can usually be easily defeated. Moreover, code-signing only gets checked once, leaving software wide open to dynamic attacks or companion programs that modify things in real-time.
Probably the key element that makes Metaforic unique is our automated analysis and security injections, enabling our engine to insert not one or two security checks, but hundreds or thousands or even tens of thousands, all without materially impacting performance or requiring the developer to know anything about security. We do provide an extensive configuration facility so that developers can guide or specify particular security aspects and strength, but none of this is necessary. Other solutions require developers to manually identify sections of code to protect, to manually design that protection, and then manually tune performance. With Metaforic, it’s just the touch of a button to accommodate new features, code refactoring, and so forth, and you could change your security topology overnight if you wanted to, simply by using a new random seed.
560 South Winchester Blvd., San Jose, CA 95128 U.S.A.
Founded in: 2006 CEO: Dan Stickel Public or Private: Private Head Office in Country: San Jose, CA United States Products: Software immune system Company's Goals: To enable software to operate reliably even under hostile or imperfectly protected environments… in other words, the real world.
JOIN NOW THE CYBER SECURITY WORLDWIDE COMMUNITY ON LINKEDIN