01-23-2017 12:18 PM - edited 01-23-2017 02:09 PM
we are working on distributing a SAS application. With SAS application we mean a bunch of SAS programs containing Base SAS Procedures / Datasteps / Macros) and some SAS tables. We want to make sure that nobody can steal our intellectual property. So far we have come up with the usual solution of using compiled macros to hide source code, and with encrypting and password protecting SAS datasets/tables.
Now we realize that we are using formats generously in the application, and they contain some of our key intellectual property.
We have googled around a bit: there seems to be neither encryption nor password protection for SAS catalogs (i.e. for format entries in formats.sas7bcat)
We think that a MALICIOUS_USER could copy the SAS formats while the program is running and – with some work – figure out some of our - er – secrets.
So far we are thinking along two lines:
1) We could do some aggressive setting up and deleting of formats within the SAS code
2) Is there a way to load the SAS formats into memory (RAM) for the duration of a SAS session (or even only for the duration of a Data step or Proc step and deleting the SAS macro catalog?
Any ideas and suggestions would be appreciated.
(currently not feeling like a SASMeister)
Note: We have
SAS (r) Proprietary Software 9.4 (TS1M3)
This session is executing on the X64_SRV12 platform (Windows Server 2012 R2 Standard / 64-bit Windows)
Re: my thinking line #2: I thought of a way to test if a format can be used in absence of its FORMATS catalog.
The answer is NO. Run the attached code to see for yourself...
01-23-2017 01:32 PM
In times like this, I'd supply the application as a webapp (stored processes) where users only have access to the web interface.
SAS itself is, typical for older mainframe applications (and any interpreting system) an open source and collaborative environment, where code is quite freely shared. Just look at this forum.
01-23-2017 02:20 PM
thanks for your reply - with which I agree in principle. I am posting this on behalf of one of our departments, and they have special needs.
01-23-2017 02:36 PM
If you have a department with special security needs then a full SAS security audit may be required, if you aren't in the process of doing one already. This would look at:
I'd recommed getting expert security advice from SAS or a recognised partner.
01-23-2017 02:46 PM
One option to explore would be to dictate that ALL user-written SAS formats must be created in the SAS WORK library only from SAS source code for every job. This means the FORMAT catalogs only exist for that SAS session and only the user or an administrator would have access to that WORK directory.