Professional-grade Application protection With PreEmptive DashO
Announcing a new release for PreEmptive DashO.
With this new release we have overhauled and enhanced support for Spring Boot and Java web applications. In the latest update, our development team has rolled out some new enhancements, changes and bug fixes. What’s New?
Version 11.3 includes:
Enhancements
DashO can now accept WAR & JAR files as DashO Output
DashO now directly inputs mobile, web and desktop applications without manual steps.
Complete obfuscation support for Spring Boot.
Bug Fixes
Validate Modifiers input fields in the config editor for Include and Exclude rules.
New option for properties with filesystem path values to open a system browse dialogue.
Added native support for WAR inputs without the need for complex scripts to extract before protection and repackage after protection. The classes are automatically treated as inputs and the libraries as support libraries inside the WARs.
Added native support for Spring Boot Jar and WAR projects. The classes are automatically treated as inputs and the libraries as support libraries inside the Spring Boot Jars and WARs based on the Manifest file.
All the protection features are working now with plain WARs and Spring Boot Jars and WARs including Obfuscation, Checks, Watermarking, Signing.
The "Entry Points – Libraries" screen is now merged with the "Input" screen where Libraries, Extensible Libraries, and Spring Boot inputs can be configured with the new Handler property.
Updated the Web project wizard to easily configure plain WARs and Spring Boot Jars and WARs.
Added a Spring Boot sample to our public samples repository to showcase how to configure a Spring Boot project.
Changes
The "Entry Points – Libraries" screen is now merged with the "Input" screen where Libraries, Extensible Libraries, and Spring Boot inputs can be configured with the new Handler property.
The ASM Java bytecode manipulation framework shipped with DashO updated to updated to version 9.2
Apache Groovy shipped with DashO updated to version 3.0.9.
Did you know JavaScript is used by 13.8 million developers worldwide? This means that 53% of developers either use or have used JavaScript at some point throughout their career. Making this the most popular coding language in web and cloud development. As programming languages are an essential tool, they are a critical security & quality priority that all developers are focused on. And since programming languages are also opportunities for attack, it is essential to implement obfuscation protection as preventative measures to protect your work from being copied, attacked or leveraged to cause further damage.
Just like in our previous 101’s for Dofuscator for .NET, in this article we explain how JSDefender for JavaScript can help secure and protect your work using obfuscation techniques with additional layered security.
What is the Product used for?
Similar to Dotfuscator for .NET, JSDefender is primarily used to protect and harden your applications that are composed of JavaScript. It encrypts your projects through a layered approach. Javascript is commonly used and as the risks of hacking continue to expand, it’s more proficient to implement code security at the early stages of development. In other words, by not using some sort of cybersecurity, it is like leaving your phone on the table and unlocked for the world to see what you’re up to. But, on this scale it is not just your data that is exposed, but the entirety of your users data and product IP.
How does JSDefender work?
JavaScript apps are typically distributed in source form, meaning your code can easily be visible to anyone with access to a browser. If a project isn’t protected, a hacker can conveniently use a debugger (that is built in their browser) along with other sophisticated tools to analyze your code for vulnerabilities – which highlights the path of hijacking your project. JSDefender uses a layered approach that is applied to the binary code using obfuscation, encryption, tamper detection, domain locks, debugger removal, function recording and more, basically scrambling the source code making this very difficult for the average hacker.
Whenshould you use JSDefender?
Anyone who is developing an IoT (internet of things), mobile/desktop application, SaaS (software as a service), or any system software program using JavaScript as your language of development, should be using JSDefender. It’s widely known that investing in DevSecOps (development security operations) is of increasing importance for not only companies, but freelancers as well. There is not an industry that has not been affected by a data breach, and any company who uses or has built a website should know the importance of investing in DevSecOps. We did a case study of GlobalMed who used JSDefender in order to protect their advanced virtual health platform and now they have become the world’s number one telemedicine company!
Where does JSDefender work?
JSDefender is injected directly into your source code. You can specify your own configuration file or use command line options to set up protection attributes. It takes minutes to set up and seconds to begin securing your source file. We have developed a demo so that you can visually see how this works in real time!
Whyshould you use PreEmptive JSDefender?
By using JSDefender you are taking action against any type of attacks to your JavaScript projects by obscuring and managing your vulnerabilities directly in your code within a matter of seconds. We know time is of the essence in development, but implementing security in the beginning of the SDLC saves you time, money and protects your reputation in the long-run. Waiting until the end to scan for vulnerabilities will only prolong the development cycle and you will end up running into issues that could have been avoided if security was part of the process early on. JavaScript is here to stay and as the world of tech advances, so will hackers. So if you feel that your DevSecOps isn’t up to par or stressed about being hacked, download a free trial by visiting our product page and start protecting your intellectual property today!
For more information on how to get started or need further help, we encourage you to use our resources, found in our navigation bar. We hope this blog has guided you to better understand JSDefender for JavaScript. Be on the lookout for our upcoming 101’s!
As you know by now, devsecops are commonly talked about by experts across the board, now more than ever as new companies, freelancers and other entities merge into the tech space and increase their reliance on IOT solutions. With all the cyber attacks that have been increasing every 6 months, development security operations have pivoted in the forefront of company investments. That is why it is crucial to not skip out or budget in security measures for your fiscal year. But why should you invest in the first place?
#3: AutomationSpeeds up Development Process
Working on a large project can be gruesome, but not having it secured is like leaving your wallet on the table to be snatched up. We understand that time is a key factor in the development process, so it should be a no-brainer for companies or developers to seek out a devsecop tool that works in their favor without jeopardizing function. But how can this be achieved? Automation of course! Shift your security to automated testing speeds up your development process providing quicker response time to help pinpoint and solve problems. Just like DevTools, DevSecOps are very similar. They both need automation and by shifting security measures to this, ensures best practices with your IT team.
#2: Replaces the one-off Security Assessments
Usually security is probably at the last stages of your development cycle and while other companies only look at this quarterly, which only sets you up for a breach. DevSecOps changes this dynamic by securing your projects from the start. It replaces that one-time snapshot of your code by consistently looking at it. And since Devops is driven by code, your security should follow suit, security can easily be integrated in your CI/CD pipeline. Shifting your best practices by investing in DevSecOps takes your team from examining problems at the end to testing each week. If you know where the weak spots are then you easily fix and repeat this process throughout only making your project rock solid!
#1: Breaking Down Organizational Silos
Silos should be a thing of the past, but can still be found in today’s organizations. There should be no reason that security measures be isolated to only one department, because as you may know, each department is used to handling situations in their own way due to urgent matters. The common corporate “red tape” is consistently boroughed through, so in order for DevSecOps to truly work, everyone and every department need to be following the same measures. Development teams should align and agree on what type of measurements to use or have a set of objects implemented throughout, and not only isolated in one department. By having everyone on the same page your security will be one force to be reckoned with and you won’t have to worry about becoming another victim of cyber crime.
We encourage everyone to read our case studies to find out how other companies found success with PreEmptive in their DevSecOps. PreEmptive has been blazing the trail in devsecops division for quite some time. Not only do we have a long company history, but our products are used by Fortune 500 companies worldwide. We hope this blog has helped you solidify the decision to invest in your DevSecOps process, but if you’re not sold try us with a FREE Trial!
Businesses of all types rely on applications, in fact they have become the central way the majority of us live our lives. From online banking, to filing your taxes on your phone or attending a virtual doctor’s appointment. Every element of our lives is navigated by a mobile or desktop application.
It’s not just users, companies are also reliant on applications. Using them to manage central operations, production, fulfillment and marketing. Organizations use applications in a myriad of fashions, by the same token every application adds further risk.
Businesses are shifting online to meet emerging needs but are also being faced by an emerging risk landscape with expanding risk across the Internet of Things. Application protection as such is an essential component to protect every element of your organization. IP Theft, application attacks or data leakage can all have material impacts on the organization, reputation and adherence to regulations. The impact of failures in this regard can be expensive. In 2018 it was estimated that IP targeted cyber crime accounted for $50 to $60 Billion of global losses. The payment industry has established fines of up to $500K per incident for security breaches according to UCSC failure to comply for companies is clearly expensive.
With that noted, it is important to examine the tacit consequences and long term impacts of not using in app protection:
Risk of Unauthorized Access
Unauthorized Access is a critical risk for the majority of industries that handle private information, specifically personally identifiable information. If a person who is not allowed to make use of your application starts making use of it then there are more chances that the individual will commit fraud. It is hard to predict the behavior or intentions of anyone but it is essential to take every proactive step to avoid unauthorized access.
Vulnerabilities like Broken Authentication expose your applications to hackers gaining access and then committing fraud. Session management or credential management issues can easily enable hackers to gain access and commit fraud against your application. The worst part… these attacks often go unnoticed without in app protection or runtime checks. As we know the cost of breaches only goes up over time: A breach identified in 100 days costs approximately $5.99 Million, while a breach that takes longer can cost upwards of $8.7 Million.
Hackers can also use access to your application to expose sensitive datam putting end users at risk of losing their personal data or facing the downstream risks of identity theft, data leaking and doxing. All of which present a tangible threat and will likely result in financial obligations for the organization, due to negligence and failure to protect their customers. It can also be as simple as privilege escalation, a user enabling additional privileges allowing them to control aspects of the application that should not be externally leveraged. A recent example is the 2017 Accenture attack.
Risk Of Fines & Financial loss
There is a reason that the top software companies like 1Password, Google & Adobe pay over $100,000 for researchers that identify vulnerabilities within their toolsets. The bug bounty is in fact a rapidly growing industry and entire organizations exist around identifying these vulnerabilities. A recent research report from IBM identified that finance security professionals detect just 56% of incoming attacks, managing 53% of these attacks and only preventing 31% of attacks completely. Organizations don’t have a comprehensive ability to mitigate risk, even if you are using SAST / DAST / IAST and penetration testing risks can still slip through the gaps.
The average cost of vulnerabilities for all industries is approximately $13 Million. This combines the cost of paying for fines corresponding to regulation violations, the cost of remediating the risky vulnerabilities, the expense to prevent data from being leaked and the potential cost of IP being leaked. Then let’s lay on the cost of reputation damage, Security Magazine reports that 80% of customers will not continue to leverage a bank’s services if their information is compromised… this is probably justified. Organizations are equally skeptical of services following attacks and they will follow the example of customers. But, reputation isn’t singular, organizations can also face the impact of loss of goodwill. It will impact your brand image and can prevent customers from even acknowledging the validity of your organization.
Risk of IP Loss
Intellectual property loss is likely the most pernicious risk of not using In App protection. It is often the case that applications include some form of intellectual property which could encourage competitors to copy, steal or leverage in their own applications.
Reverse engineering is a significant issue for organizations, by enabling capabilities on the client side, users and hackers can gain access to and expose more functionality through the server siege of the application. Not obfuscating code enables these users to easily interpret the intended functionality of the application and identify how to replicate this operability. One recent example is American Superconductor, a U.S based provider of clean energy solutions. In 2011 their largest customer Sinovel ignored their contract and refused to pay millions of dollars owed. The company then obtained the source code for all of the electronic components and were able to install a pirated version into their wind turbines. The violation of the IP rights and loss of revenue can incur as much as $200 Million a year in losses. Without possibility for legal resources or ability to prevent continued leverage.
IP trade theft costs organizations as much as 3% of Annual U.S. GDP.
But, what can be done to prevent these risks?
Obfuscation, PreEmptive provides a layered approach that clings to the deployed application and helps to ensure any unidentified vulnerabilities that are hidden. Reducing the likelihood of hackers identifying and leveraging them. Obfuscation also protects your IP concealing the framework and structure of your application from corporate spying and ensuring your competitors can’t repurpose your sweat equity.
For more information about in-app security, visit our products page and start protecting your apps today!
Did you know that your company’s finances, reputation and intellectual property is at stake when you’re not protected even during the development phase? Desktop (client) applications perform many critical business functions and when not protected, they are susceptible to piracy, tampering, vulnerability probing, data, and IP breaches.
We cannot stress enough on the importance of investing in desktop application protection. Research shows that the average application received over 13,000 attacks monthly even after deployment! The same goes for app development, all of those endless nights of debugging, troubleshooting can be hacked within seconds and your sweat equity is sold to the highest bidder. Hackers have no remorse and can readily run a few lines of code to probe or gain access to your project(s). While these criminal activities are not news, cyber hacking has evolved and will continue to do so as DevSecOps also progresses.
In order to get ahead, you must know the facts about a hacker’s business model, industry risks and the proactive measures in order to prevent breaches.
What is the Hacker’s Business Model?
If you guessed “money” as the ultimate goal of the hackers business model – then you’re right! What else would be the motivation?
In terms of “increasing revenue,” data is equivalent to currency, the more data they obtain, the more money they can get, but this is a small portion of a much larger scheme. One large attack won’t suffice, they tend to automate their tactics or use additional help. For example, a master hacker can create a clever downloadable kit for other hackers to use on a specific site, these are called “proxy” hackers, which technically multiplies the solo hacker’s work. But let’s not underestimate the master hacker, these clever kits have barriers – they allow and grant access to a single proxy hacker to store data on a database in the cloud, all while having adjacent blocking mechanisms to other proxy hackers. Even those proxy hackers cannot see each other’s data, the master hacker has the ultimate backdoor key to the cloud database.
Time is money, and in the world of hacking “cutting cost” is essential. Let’s not be naive, there are kits for just about every kind of attack. Instead of inventing the wheel or doubling up on the work, hackers will use what others have already built. Another cost-cutting example is to utilize proxy servers. This allows attackers to temporarily store the data that is being retrieved. Last but not least, hackers love to use Remote Desktop Services (RDP) sessions or isolate a central processing unit (CPU) to maximize their attack.
To stay on top of your security game, the best thing to do is educate yourself and your team about the behavior of hackers. Study their business model, understanding this will allow your IT department to focus their controls on the problem, rather than on the symptom. Educate your teams on how they attack. If you understand their methods, you can be proactive, applying security throughout the SDLC to give your team the power to prevent risk.
Knowing Industry Risks
Each industry has specific risks. For example; software vendors, financial service providers, telecommunications companies, industrial manufacturers and other businesses rely on applications to generate revenue, assure business continuity and contain unique intellectual property. Businesses of all types have risks associated with their divisions and recognizing all of them is a full time job. But, we can’t all afford to hire security researchers, proactive approaches are based on recognizing the key challenges and building security around them.
If your company’s security systems aren’t up to par, then the risks of a breach are far greater, not discovering a breach costs you money, for every week a risk is in a deployed app your customer data is accessible, IP available and runtime performance at risk.
The average annualized cost for cybercrime in the financial services industry is approximately $20 Million with the average for all industries being $13 Million. Each year technology changes and with that so do unforeseen challenges, for instance, prior to pandemic industry risks were far less than they are today with remote working. Now that sensitive data can be accessed anywhere at any given time, attacks have tripled in the past three years thus shifting each industry’s security standards. If you know your industry’s risk, you know what to look out for.
Investing in In-App Security
Allocations for security tools are crucial for all types of business when developing for their fiscal budget. According to Cisco, 50% of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43% spending $250,000 to $999,999, and just 7% spending under $250,000. Larger corporations have the budgets, but it is the smaller businesses that tend to overlook or not invest in security. By not investing in any type of cyber security, this exposes each business to the core. Reputation, loss of finance and sensitive data are just a few examples of what a company will face during a breach. It is better to be safe than sorry.
PreEmptive layered approach using obfuscation, encryption, shielding, and tamper proofing, makes it very difficult for a hacker to read your source code. Our products require no changes to your source code, easily integrate with your build process, and provide passive and active protection customized to your business’ needs. For more information on how to get started, download our free trial or need further help, we encourage you to use our resources, found in our navigation bar.
In this blog we will dive into Dotfuscator as part of our 101 series – we walk you through what Dofuscator for .NET does and how this can help protect your projects.
For those of you who are in the industry and know how this product protects your code, we appreciate the loyalty! If you are not tech savvy, but want to know a little bit more about this product, here’s our summary:
What is Dotfuscator for .NET?
Dotfuscator – by definition is a multi-functional tool that combines obfuscation, optimization while shrinking your source code, on .NET, Xamarin and Windows Platform Apps. Basically this jumbles, encrypts your code, hardening it to prevent theft.
How does Dotfuscator work?
PreEmptive Dotfuscator for .Net provides many layers of protection for .NET users with multiple forms of obfuscation. We like to describe this as constructing the perfect sandwich.
First we start with the bread, in this case we will call it Renaming. Renaming obfuscation alters the variables and methods making it difficult to read or scan over to gain access to the certain parts of your source code. However, we go a little further by making things extra difficult for the typical hacker by utilizing Overload Induction™. This renames as many methods as possible to the same name instead of changing one variable one by one. To say this least – this is what makes the “bread” harden at surface level.
Then add the veggies: lettuce (Control Flow) and tomato (String Encryption). Control Flow uses advanced obfuscation by falsifying conditional statements. Basically it destroys the code patterns that decompilers use to recreate source code resulting in spaghetti logic to confuse anyone who tries to crack the code. Adding the tomato to this (String Encryption), hides all the strings that are present in the user’s assembly. To better explain, the typical hacker will locate string references inside the binary. Usually if the application is time sensitive, a message will pop up when time has expired – this is exactly what hackers search for inside the decompiled output indicating that they are VERY close to stealing your algorithm. Dotfuscator directly addresses this issue by allowing the user to encrypt strings in the most vulnerable part of the source code.
Now comes the choice of meat (Watermarking, Pruning, Linking-Assembly Merging). Watermarking helps track unauthorized copies of the user’s project by embedding copyright information directly into .NET applications without jeopardizing runtime behavior. Pruning takes the work out for you by removing unused types, methods, fields, debugging information and non-essential metadata from a MSIL file all while processing. Dotfuscator Linking-Assembly Merger combines multiple input assemblies into one or more output assemblies – meaning it shrinks your application down alongside pruning and renaming.
Next is the cheese (Tamper Detection & Defense). Dotfuscator injects code that verifies your application’s integrity during runtime and if it detects tampering, it will shut down the application, invoking random crashes. Now that’s an excellent choice of cheese!
Last but not least are the condiments: mayo (Debug Detection) and mustard (Defense Using Checks). These two are prebuilt into Dotfuscator and can be injected into the .NET apps. This allows your app to detect any unauthorized uses such as debugging or tampering of any sort. Don’t be fooled, checks can do more than just the average scanning, they can react too, for example – exiting the app when tampering is found.
For those who like a little extra to the sandwich, (Shelf Life) is the pickle! Shelf Life is an inventory management function that allows you to embed an expiration date, de-activation, and notification logic to your code! Now this is what we call the ultimate sandwich!
When should you use Dotfuscator?
Whether you’re a start-up company, freelancer or an organization developing projects using .NET software, you should be using this in the development process – preferably in the beginning stages even after launches. Data breaches are no longer part of the “new normal” they are part of everyday scenarios. If you don’t protect your code from the beginning…you will likely become another data breach statistic.
Where does Dotfuscator work?
Dotfuscator is injected directly into your source code, providing a multi-layered approach by way of in-app hardening; assessing and securing where your code is vulnerable.
Why should you use PreEmptive Dotfuscator?
PreEmptive Dotfuscator has paved the way in In-App security since 2003, that’s 19 years in the biz! Our clients range from small to large enterprises including many Fortune 500 companies of different industries from medical to government agencies. But if you still need a little more convincing, check out our client list here!
For more information on how to get started, download our free trial or need further help, we encourage you to use our resources, found in our navigation bar. We hope this blog has helped you better understand Dotfuscator for .NET. We look forward to our next 101!
Professional-grade Application protection With PreEmptive DashO
You asked, we delivered: Announcing a new minor release for PreEmptive DashO
Obfuscation is more than just renaming! PreEmptive DashO is a layered obfuscation approach to provide your Java, Kotlin & Android applications with the security protection you need.
In the latest update, our development team has rolled out some new enhancements, changes and bug fixes. What’s New?
Version 11.2.1 includes:
Enhancements
Validate the Modifiers input fields in the Config Editor for Include & Exclude rules
New option for Properties with filesystem path values that opens a system browse dialog
A new dropdown for Android mode projects allowing easy switching from configured build variants and their associated inputs in the Config Editor.
Changes
The Config Editor now opens the last project on startup by default
Bug Fixes
Fixed an issue where input Jars with the same name could overwrite each other, if “Merge Inputs” was unchecked.
Fixed an issue where the Config Editor allowed selection of some methods for Check injections in Android projects.
Ready to learn more about DashO? Request a quote: Request A Qoute