.NET Apps Get a Bodyguard

V.i. Labs next week will roll out software "armor" for Microsoft .NET Framework applications that hardens these applications so they can't be hacked or pirated, Dark Reading has learned.

.NET-based apps have been gaining traction in the enterprise: 36 percent of organizations recently surveyed by IDC said their mission-critical apps were built in .NET. Although v.i. Labs had mostly application developers in mind with the new CodeArmor for .NET Framework, it's also targeting enterprises such as financial institutions that build their Web services-based apps with .NET, says Victor DeMarines, vice president of products for v.i. Labs.

The company -- founded by the father of the commercial firewall, David Pensak, formerly of Raptor Systems -- is offering a new approach to shielding .NET-based apps. It uses a combination of encryption and run-time security monitoring that protects businesses from targeted attacks on their apps, such as tampering with a brokerage application, for instance. (See Startup Locks Down Apps.)

.NET Framework, like Java, uses an intermediate language that can easily be decompiled by widely available tools, which puts these apps at risk, DesMarines says. You can use obfuscation or other basic ways to try to protect the code, such as with source-code tools, but those methods don't stop an overt attack, he says: "There was nothing out there that provided active defense against reverse-engineering."

So if any malware or hackers were to get inside, CodeArmor protects the app from any modification or theft.

"It makes sure apps are protected when they go out -- for end users, etc.," says Diana Kelley, vice president and service director for the Burton Group. When an attacker reverse-engineers an application, he or she can steal data or use the app nefariously, Kelley adds.

In its "Hype Cycle for Cyberthreats, 2006" report last fall, Gartner identified reverse-engineering of enterprise apps as an emerging cyberthreat. (See Gartner Identifies Threat.) The bottom line, according to the report, is that it's all about financially driven cybercrime, and "increasingly complex and externalized IT environments can result in higher damage potential."

And .NET code and Java make it easier to reverse-engineer these applications, according to Gartner, which then enables attackers to probe for security vulnerabilities and steal intellectual property.

V.i. Labs' DeMarines says this has been a problem for some time for ISVs and it's only a matter of time before it becomes more widespread. The company has worked with some financial institutions concerned about the safety of their mission-critical apps, he says, although he can't name names.

CodeArmor for .NET Frameworks works with .NET 1.1, 2.0, and 3.0, and includes support for Windows Vista 32-bit as well as stand-alone DLL protection and ActiveX controls. It's priced at $18,500 for enterprises and on an undisclosed subscription base for ISVs and application providers. It ships next week.

— Kelly Jackson Higgins, Senior Editor, Dark Reading