Software code can be a company’s most critical Intellectual Property…and stealing it is easier than you think.
The Background
These were his last few days of work at his current job. The programmer, a Russian-born American dual citizen, hired by a major financial institution for $400,000 per year to develop a high-speed stock trading program, had decided to move on to greener pastures. What was one of the last things he did before resigning? He accessed his firm’s development database and downloaded the crown jewels…the software code for the trading algorithms. With just a few clicks of the mouse, millions of dollars’ worth of code and years of development work were in the palm of his hand. The drama begins.
Sound like a spy novel? Nope. This scenario really happened. Sergey Aleynikov, a Goldman Sachs programmer, was charged with economic espionage in federal court and sentenced to eight years in prison in 2011. Prosecutors claimed he had intended to use the code to build a similar trading technology platform at his new job. After serving a year of his sentence, he was acquitted on appeal, but he has now been charged with essentially the same crimes in state court. [1] In a recent twist, he has sued Goldman Sachs for $2.4 million in legal fees, which he believes he is entitled to based on his previous acquittal. [2]
Regardless of what the court ultimately rules in this case, one thing is abundantly clear: software code is a form of intellectual property that often lies at the center of a company’s most valuable assets. And the misappropriation of this digital asset can be as easy as hitting a keystroke on a computer. The Aleynikov drama is a convenient reminder for companies to take stock of their own software code security practices.
The Take-Aways
While software code for a complex application can occupy thousands of printed pages, in digital form it can easily fit onto a small and inexpensive USB drive. Code is as portable as it is valuable, and that is the challenge: keeping the code accessible so programmers can do their work, while at the same time protecting it from dishonest employees and outside hackers. Here are some tips for protecting code…
- Use Software Version Control. Version control software like Mercurial or CVS helps manage code and has logging features and access controls that limit access to the code to those with a legitimate need. Make sure you activate all of the appropriate security features of the software, including strong passwords, partitioning that gives each developer access only to the specific code branches he works on, and event logs.
- Security Administration. A senior employee must be responsible for administering access to the code server, including disabling remote access by terminated employees, periodically changing user passwords, and keeping internet security and anti-virus software up to date.
- Lock the Box! While it sounds like a no-brainer, a company’s code server must be well secured with physical security measures like device locks, and maintained in an access-controlled room. We are currently working with a client that recently had a file server stolen by a disgruntled former employee. Ouch.
- Encryption. Servers and computers containing code should have their storage encrypted, and code transmitted over the internet should be protected with SSL/TLS.
- Back it up. Code should be securely backed up at an off-site location. There is no substitute for redundancy.
- Obfuscation can be a good thing. Software code obfuscation tools help protect code from reverse engineering, cracking, and modification. Consider obfuscation software for your most critical code.
- Restrict Mass-Storage Devices in Software Labs. USB drives and similar removable media should be restricted on the machines that hold code. In addition, ideally the computers used to work on code should NOT have internet access.
- Policy. Have a solid information protection policy that specifically covers code and that is endorsed at the highest levels of the organization. Employees should sign NDAs. Review your policy with terminated employees during an exit interview, and remind them of their IP protection legal responsibilities, especially if you learn the employee is going to a competitor.
- Background Checks. A robust pre-employment screening program should be in place for all employees.
- Monitor. Code servers should be monitored regularly for suspicious activity (unsuccessful log-in attempts, an employee attempting to access code branches that are not within his responsibilities, etc.).
- How’s Your Environment? Not even the best security measures can take the place of a good employment culture. Competitive pay, benefits and financial incentives, good working conditions, and a positive environment will keep programmers happy, and happy programmers are less likely to be tempted to mishandle your code.
- Outsourcing Off-Shore? Be careful. The benefits of developing software code off-shore are well-documented and obvious. The economics can be compelling. Be mindful of the fact that certain regions have nasty reputations for stealing an American company’s code. Indeed, in some countries, there is a near 100% likelihood of this. Factor that into your business plans.
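The version control and monitoring tips above both come down to the same two controls: a per-developer list of permitted branches, and an event log that is actually reviewed for failed log-ins and for access outside that list. The script below is an added example, not code from the original article or from any particular version control product. It assumes a hypothetical code-server access log in a simple "timestamp user action branch" line format, and the user names, branch names and log lines are constructed for illustration.

```python
"""
Added example: a small monitor over a code-server access log that flags the
two signals the article names as suspicious:
  1. repeated unsuccessful log-in attempts by one user, and
  2. a developer checking out or cloning a branch outside his assigned scope.
The log format, users and branches below are constructed (hypothetical).
"""
import re
from collections import defaultdict

# Constructed sample log in a hypothetical "timestamp user action branch" format.
# A "-" branch means the event is not tied to a branch.
SAMPLE_LOG = """\
2012-09-26T08:01:10 alice LOGIN_OK -
2012-09-26T08:02:44 alice CHECKOUT trading/risk-engine
2012-09-26T08:05:02 bob LOGIN_FAIL -
2012-09-26T08:05:09 bob LOGIN_FAIL -
2012-09-26T08:05:15 bob LOGIN_FAIL -
2012-09-26T08:05:21 bob LOGIN_FAIL -
2012-09-26T08:10:33 carol LOGIN_OK -
2012-09-26T08:11:00 carol CHECKOUT trading/strategies
2012-09-26T08:11:30 carol CHECKOUT web/frontend
2012-09-26T08:12:00 carol CLONE trading/strategies
2012-09-26T08:13:00 dave CHECKOUT trading/strategies
"""

# The "partition": which branches each developer is entitled to (constructed).
# A user absent from this table is entitled to nothing.
ALLOWED_BRANCHES = {
    "alice": {"trading/risk-engine"},
    "bob": {"web/frontend"},
    "carol": {"trading/strategies"},
}

FAILED_LOGIN_THRESHOLD = 3          # failures before a user is reported
CODE_ACCESS_ACTIONS = ("CHECKOUT", "CLONE")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, user, action, branch) tuples.
    Lines that do not match the expected four-field layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def find_failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Map user -> number of LOGIN_FAIL events, for users at or above threshold."""
    fails = defaultdict(int)
    for _ts, user, action, _branch in events:
        if action == "LOGIN_FAIL":
            fails[user] += 1
    return {user: n for user, n in fails.items() if n >= threshold}


def find_out_of_scope_access(events, allowed=ALLOWED_BRANCHES):
    """List (user, branch, action) for code access outside the user's allowed set."""
    findings = []
    for _ts, user, action, branch in events:
        if action in CODE_ACCESS_ACTIONS and branch not in allowed.get(user, set()):
            findings.append((user, branch, action))
    return findings


def report(log_text):
    """Run both checks and return one human-readable line per finding."""
    events = parse_log(log_text)
    lines = []
    for user, n in sorted(find_failed_login_bursts(events).items()):
        lines.append(f"FAILED LOGINS: {user} had {n} unsuccessful log-in attempts")
    for user, branch, action in find_out_of_scope_access(events):
        lines.append(f"OUT OF SCOPE: {user} did {action} on {branch}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the constructed log, the monitor reports bob's four failed log-ins, carol's checkout of a branch outside her scope, and dave, who is not in the entitlement table at all. The useful design point is that the entitlement table is the same artifact the version control system's branch restrictions should be configured from, so the monitor catches what the access control should have blocked and anything the configuration missed.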
[2] Martha Neil, “Former Programmer Accused of Stealing Source Code Wants Goldman Sachs to Pay $2.4M Legal Fees,” ABA Journal, September 26, 2012.