Question: True or False, Seat belts are to Driver Safety as Obfuscation is to Application Risk Management
The correct answer is FALSE!
The equivalence fails because a seat belt is a device and obfuscation is a control. Why might you (or the application stakeholders) be in danger? First, read through the key descriptors of these two controls.
I recently got a question from a client asking why .NET Native (the process of transforming a .NET assembly into a native app to improve performance) did not also make products like Dotfuscator irrelevant. Here's my response (with personal details removed of course).
First, the .NET Native process is only applicable to Universal Apps distributed through a Microsoft marketplace. If you are developing .NET (using VS2015 or anything else) BUT are targeting anything other than a Universal App architecture - .NET Native does not apply – also, if you’re developing in F# - even if Universal - .NET Native does not apply.
Instrumentation Injection – the process of embedding (inserting) instructions into a binary post-compile with no programming whatsoever – offers a powerful means of improving application monitoring, application security, and application lifecycle management. There are a number of scenarios where code injection makes a lot of sense - for this post, I'm really focusing only on the injection of application analytics instrumentation.
Earlier today, the Safe Harbor system was just overturned (see Europe-U.S. data transfer deal used by thousands of firms is ruled invalid).
The legal, operational, and risk implications are huge for companies that have, up until today, relied on this legal system (either directly or through third parties that relied on Safe Harbor) to meet EU's privacy obligations.
Writing data to disk is easy – developing a database is not.
Posting data to a URL is easy – developing an application analytics ingestion pipeline is not.
If you’ve written even a single line of code (in any language), I probably don’t have to explain why writing data to disk is easy – but developing a database is not (for those that have never written any code – it’s the extra database “machinery” required to handle scale, concurrency, resilience, security, etc. that demands a horde of PhD's and rock-star developers).
I’m often asked to estimate how many developers are required to obfuscate and harden their applications against reverse engineering and tampering – and when they say “required,” what they usually mean is what is the bare minimum number of developers that need to be licensed to use our software.
Of course it's important to get the number of licensed users just right;
We are often asked if Dotfuscator supports protecting Xamarin applications. Given that Xamarin applications are based on Mono, a .NET compatible runtime, the answer is yes! However, applying obfuscation transformations to Mono assemblies is only one half of an effective obfuscation solution; the other half is making sure that the configuration and automation of the obfuscation process itself is straightforward and stable. We've been working hard to make Dotfuscator more Mono friendly lately, specifically with an eye towards improving Xamarin compatibility.
Live technical support from PreEmptive’s (world class) product support team plus an application protection white paper
The fine print… Visual Studio 2015 users who register Dotfuscator CE (it's inside Visual Studio 2015 already) will receive immediate access to the recent white paper, Application Protection. Why bother? AND receive a credit to open one (1) support ticket with PreEmptive's product support team any time in (you guessed it) 2015.