Is Software Disposal a Security Issue?

I’ve done a fair amount of work on DLP (Data Leakage Protection), a major goal of which is ensuring that data media do not contain sensitive personal and intellectual property when they are thrown out. Approaches to achieving this include wiping out (overwriting or degaussing) electromagnetic content, shredding paper, physically destroying media, and the like. Much of the work that I have done in this area is encompassed in the publication BITS Key Considerations for Securing Data in Storage and Transport. I contributed as a member of BITS Security and Risk Assessment Working Group, and much of the content in the report originated from policy and procedures that some colleagues and I had developed and implemented over the prior year or two. The document is still available online at

Recently I was comparing systems engineering and software development lifecycles and was struck by the omission of consideration of software disposal in most of the texts on the secure software system development. At first this seems odd, until you think about how software is developed, owned, used and replaced. For one thing, when you acquire commercial off-the-shelf (COTS) software, you don’t actually own it, you license it. And furthermore, in many cases the software is licensed for a specific machine (or for a limited number of machines). So when the machine is discarded, and the hard drives or flash memories have not been erased or destroyed, the acquirer of the machine (if any) has use of the software, albeit likely a non-current version.

Post a Comment

Your email is never published nor shared. Required fields are marked *