Archive for July, 2009

Is “Software Protection” Software Security?

Wednesday, July 29th, 2009

I am the editor of the Addison-Wesley Software Security series. When Christian Collberg came to me with an idea for a book about software protection, I had a really hard time figuring out whether or not it belonged in the series. Christian is a brilliant researcher and an important guiding light in the field. But should we consider software protection part of software security? Good question! To make matters worse, half the software security people I polled said “yes” and the other half said “no.”

In the end, I held out to see what Christian and his co-authors (who eventually boiled down to one—Jasvir Nagra) came up with. The answer is the excellent book Surreptitious Software. It’s in the series.

Surreptitious Software

I believe that software protection will play a larger and larger role in protecting software from certain security attacks. To name a few concrete cases, imagine these scenarios:

  • you’re a game producer and you need to protect your intellectual property against pirates (at least for a month or two after your game is released so you can make some money)
  • you’re charged with developing a music playback solution that protects both the player and (maybe) the content (iTunes anyone?)
  • you’re a defense contractor storing important military secrets electronically in the very hardware that you fly over enemy territory on purpose. What happens when a Predator drone is shot down in Pakistan? What about an American spy plane forced to land in China?
  • you’re a smart card vendor making chip cards for payment systems, and the cards will be distributed to good guys and criminals alike
  • you’ve built a new game console and you want to protect it from some kinds of tampering
  • you’re a programmer with a hot new algorithm that you don’t want your competitors to have
  • you want to crash any debuggers that attach to your code and thwart easy disassembly

These and many other problems are directly addressed in Surreptitious Software. The book covers software obfuscation, watermarking, birthmarking, tamperproofing and other aspects of software protection. And it covers them in an exhaustive, scientific, technically-thorough way.

Software protection in many ways turns software security on its head. Imagine a discipline that can be used to cloak virus code, put bugs into code on purpose (which are tripped when the code is tampered with), scramble things up so badly that they are much harder to understand than normal, slow things down (in certain cases), create vast swaths of meaningless nonsense in the middle of real code, and so on. How on earth could any of that be a good thing?

Read this book and find out.

Moving Cybersecurity Past Cyberplatitudes

Tuesday, July 14th, 2009

John Pescatore from Gartner convened a virtual panel on the cybersecurity issue at the 2009 Gartner Information Security Summit. I provided a video for the panel answering two questions that John posed. The two questions get to the heart of the cybersecurity issue:

Question 1: What should the US government do to drive real improvements in the security level of internet use?

Question 2: What are things that you believe the US government should specifically not do in the name of increasing cybersecurity?

Click below to watch the video:

You are currently browsing the Justice League weblog archives for July, 2009.
