Are You Following These Top 10 App Protection Practices?

August 20, 2018 4557 Views Gabriel Torok

Despite the rising costs and impact of application compromise — recent data found that 58 digital records are stolen every second and breaches cost companies an average of $3.6 million — many best practices and procedures for securely designing, developing, testing and protecting applications are largely ad-hoc. As noted by Tech Republic, in fact, exactly ZERO percent of organizations say their security needs are fully met by their current infosec strategy, down from just 11 percent last year.

Some respondents pointed to a lack of skilled resources while others cited budget constraints, but regardless of origin the outcome is clear: Hastily-designed app protection procedures that don’t meet current needs and can’t keep up with evolving demands.

Need a helping hand with your application protection process? We’ve compiled some of the best practices of leading-edge companies into a top-10 list. Let’s get started.

10. Educate developers on safe coding & security code reviews

First up? Educating developers on safe coding and security code review practices. Here’s why it matters: As noted by CA Technologies 2018 Insider Threat Report accidental insider threats top the list of corporate worries, and “lack of training and expertise remain the biggest barrier to better insider threat management.”

While many organizations (correctly) link accidental insider threats to staff sending secure data via plaintext emails or falling victim to phishing attacks, poorly-secured or tested app code can have the same effect: attackers are able to breach corporate defenses and access critical information. As a result, it’s essential for all security staff to receive regular training about app coding best practices. These include:

Effective error handling — How do applications handle errors? Do systems “fail closed” or open potential holes for attackers?
Continuous logging — Ensuring that all actions are logged and include tags such as date and time, initiating action and user creates both an auditable database of activity and informs ongoing code development.
Remote admin limitations — Does code permit remote admin execution? Under what circumstances? How is remote management secured (VPN, tokens, etc?)

Better training for developers means more secure apps, in turn making all other app security benchmarks easier to achieve.

9. Threat Awareness

To effectively defend apps from malicious actors, companies must develop broad threat awareness. Some threats are common knowledge, such as the use of popular open-source software in app development which may contain critical flaws.

Others remain ongoing concerns. As noted by SANS, vectors such as cross-site scripting (XSS) and buffer overflows remain popular. While defeating many XSS attacks is relatively simple, organizations must understand both the prevalence of this threat and existing application issues to effectively reduce risk. Also essential? Keeping track of emerging trends such as fileless malware and account takeover attacks which attempt to compromise applications without triggering infosec alerts.

8. Static application security testing (SAST)

Static application security testing focuses on application source code before it’s been compiled. This offers both the benefits of early use — SAST techniques are viable even in the first stages of the software development lifecycle — and the ability to quickly detect early-stage vulnerabilities. With approximately 80 percent of attacks now targeting the application layer, SAST testing is a cost-effective, simple way to save time on detection and money on costly bug fixes. It scales well and is useful for finding common security flaws such as buffer overflows and SQL Injection Flaws.

7. Dynamic application security testing (DAST)

Dynamic application security testing (DAST) is — not surprisingly — the other side of the app testing coin. Here, applications are tested while in operation to detect vulnerabilities which occur only when the app is executing. Essentially, DAST attempts to pierce the running application in various ways to determine potential vulnerabilities and it doesn’t require direct access to the binaries or source code.

Although DAST comes with limitations, since it can only find flaws in code currently being executed, it provides a more organic way to test application behavior. Why? While SAST evaluates the component parts of applications, DAST reveals flaws that only occur when critical variables — end users — are part of the equation.

6. Penetration testing (pentest) – Bring in the humans

While SAST and DAST testing can be fully automated, the pentest includes the human element creating a simulation of security outbreaks against the application. The pentest is a key component of effective application security. The challenge for most organizations? Ensuring that pen testing efforts properly address the scope of potential system issues.

What are top-tier companies doing that others aren’t? Implementing penetration testing processes that come with a clear C-suite mandate and plan of action. According to Business Computing World, this means both creating a regular testing schedule — every quarter to every six months, at most — in addition to testing all aspects of their network and applications. Why is this important? Because many businesses assume that certain portions of their infrastructure or code are “infallible” since they’ve never been breached. The hard truth? They aren’t — they’ve just had good luck. Include everything in your pen test efforts to ensure optimal results. See our blog on Mobile Pen Testing Tips.

5. Data encryption / masking

As noted by Forbes, “data encryption is among the most effective strategies for mitigating the damage caused by data loss.” Many emerging federal regulations and industry standards now require the use of data encryption to demonstrate due care in protecting user data and safeguarding critical application processes.

Companies that excel at data protection share a common practice: They encrypt everything. Files at rest. Files in transit. Session tokens. Mobile data. Connection information. The caveat? Companies tend to trust encrypted data, leading to a rise in SSL and TLS attacks — malicious actors are often able to bypass common security measures by encrypting infected code using commonly-accepted methods. For organizations, encryption is a two-way street: outgoing data and data-at-rest should always be encrypted, while incoming data must always be inspected.

In addition to data encryption, it’s also critical to build in processes which help mask and obfuscate critical data. According to Tech Target, this starts with discovery: companies need to find the data they need to protect within their application. Ideally, this occurs during the design process rather than after the fact. Either way, the Tech Target piece suggests such identification takes between 10 and 20 percent of total project efforts.

4. Application hardening / shielding

Attackers are looking for the fastest, easiest route to data breach and application compromise. If an application is easy to reverse engineer, it is easy to steal IP and find vulnerabilities. The result? Employing app hardening and shielding techniques can help convince hackers that your app is more trouble than it’s worth and instead move on to more vulnerable targets.

OWASP speaks to the industry consensus for application hardening, which includes:

Layer multiple defenses — OWASP notes that “app hardening and shielding along with layered security measures are recognized as a critical component of overall IT compliance.” Wherever possible, companies should implement more security than they believe they need to reduce total risk.
Leverage obfuscation and encryption — As noted above, both of these techniques are critical to protect apps from hackers and encourage them to find other targets.

For code running in an unprotected environment, find and deploy a reliable code obfuscation tool which modifies files so they’re no longer useful to hackers but remain fully functional in your application.

3. Application integrity protection or RASP (runtime application self-protection)

Gartner defines Runtime application self-protection (RASP) as a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.

Examples of client-side steps an app can take to try to prevent attacks include:

Keep an app from running on a compromised (or rooted) device where its underlying data and communications may be easily compromised.
Prevent a production application from being inspected in a debugger or an emulator. Hackers probe applications with debuggers to discover critical flaws and vulnerabilities that they can exploit.
Stop a tampered version of an application from running or reduce its functionality. Tampered versions of applications can include malware and the end user is unaware.

Examples of server-side steps an app can take to try to prevent attacks include:

Stop the execution of instructions to a database that appear to be a SQL injection attack.
Detect misconfigurations that might create vulnerabilities to attack.
Detect possible fraud and terminate the user session.

2. Web application firewall (WAF)

Traditional firewalls rely on perimeter defenses to detect incoming threats and block suspicious actions. The problem? These firewalls have limited efficacy for Web applications located outside the typical network DMZ.

Web application firewalls (WAFs), meanwhile, are network-, host- or cloud-based solutions placed in front of web and mobile applications to actively scan incoming data packets. Their positioning and scanning process allows them to reliably detect potentially malicious behavior and deal with high-risk threats such as zero-day attacks. These attacks are often devastating for organizations because they emerge after applications go live. WAF tools are designed to identify strange app requests, prevent them from executing and then notify infosec teams. In addition, these next-gen tools can be configured to inspect for other threats such as XSS attacks, SQL injections and buffer overflows.

1. Compliance Research

Last but (absolutely) not least? Ongoing compliance research and revision.

Compliance expectations such as those from PCI DSS and HIPAA are a good starting point, along with any data that’s company-specific or critical to basic app functioning. Also, consider the EU’s new General Data Protection Regulation (GDPR). Not only does it stipulate that users have the right to request their personal data from companies at any time, but it mandates that any organizations handling or storing the data of an EU citizen — even if the business isn’t located the European Union — must securely store that data and respond to breaches within 72 hours or face significant monetary fines. Meanwhile, new credit data regulations from PCI DSS mandate ongoing protection — with the potential for random audits and compliance checks — rather than once-a-year demonstrations of application security.

The result? It’s critical for companies to regularly review their application security protocols, compare them to existing legislation and make necessary changes.

Better Protection, Better Outcomes

Bottom line? Applications are now critical to the success of your business — but without the right security procedures in place these apps may pose the biggest risk to your organization. For many companies, the sheer complexity of their app environment makes the development and adoption of new infosec processes a daunting task.

Start with our top 10 app protection checklist to discover where your security hits the mark, where it needs improvement and where existing process need a complete overhaul.

Latest Blog Posts

Post Covid-19: 4 Application Trends You Need to Know

In an already digital world, the Covid-19 pandemic forced society and businesses to adopt additional modes of technology and press on for more advanced application development. Business’ focus shifted to increased remote work collaboration, streamlined contact tracing work, and enhanced consumer e-commerce connections. With little knowledge on how much longer social distancing measures will be in place, more on-demand application development options are needed to successfully maintain workplace functionality.

Gabriel Torok, Founder and CEO of PreEmptive, recently authored an article as part of the Forbes Technology Council. In it, he describes four application trends that help predict emerging expectations for the future of enterprise.

Customers occasionally ask us about adding DashO, Dotfuscator, or JSDefender to their Docker-based build processes. We do not provide pre-built Docker containers for our products, but it is relatively straightforward to create your own containers with the distributions we do provide. Historically, setting up licensing for these containers could be a challenge, but with the recent addition of Floating license support to DashO, Dotfuscator, and JSDefender, even the licensing part is straightforward.

This blog provides example Dockerfiles for each product, as a starting point for building your own containers. You will need to replace {x.y[.z]} with the appropriate major.minor[.patch] version.

Read more

Navigating the Choice Between Security and Customer Experience

Navigating the Choice Between Security and Customer Experience

Chances are, if you’ve used a mobile banking app, or bought something online, your purchase was facilitated in part by a Fiserv product. Fiserv is a global provider of financial services technology. Clients include banks, credit unions, financial companies and retailers. As a Fintech company, Fiserv provides payment and commerce enabling technology to clients in more than 100 countries, serving as an “industry standard” across the world.

In a recent article “2020 Trends in Fraud and Financial Crime Risk Management” Andrew Davies – Fiserv’s VP of Global Market Strategy writes “Criminals are even more on the offensive, constantly researching new vulnerabilities and developing fresh attack vectors. For financial institutions, that's spurred growth in both process and technology investments to keep pace.” The question that Fiserv and many other financial institutions are asking: “How do you accurately manage detecting financial crime without inhibiting the customer experience?”

“Better licensing means more flexibility,” said CTO Bill Leach during a recent presentation on the release of DashO 11 - PreEmptive’s Android and Java Protection Product. “The new floating license and product activation features allow users to provision DashO on the fly – for example, on cloud hosted build agents that don’t already have DashO preinstalled. By specifying the license key at run time, development teams can more easily automate their builds, no matter where they run.”

Revamped licensing and activation are not the only updates in this latest version—other highlights include:

Cyber-attacks have increased in quantity and sophistication in 2020, but we may not have heard about them in the news. Covid-19 updates have dominated headlines, and our physical health and safety has taken the spotlight over our technology’s health and safety. While news of vaccines and outbreak hotspots will continue to be the most important “news of the day” – it is important to be aware of security breaches that threaten the safety of our data and privacy.

Are You Following These Top 10 App Protection Practices?

10. Educate developers on safe coding & security code reviews

9. Threat Awareness

8. Static application security testing (SAST)

7. Dynamic application security testing (DAST)

6. Penetration testing (pentest) – Bring in the humans

5. Data encryption / masking

4. Application hardening / shielding

3. Application integrity protection or RASP (runtime application self-protection)

2. Web application firewall (WAF)

1. Compliance Research

Post Covid-19: 4 Application Trends You Need to Know

Dockerize PreEmptive's Products using Floating License

Navigating the Choice Between Security and Customer Experience

DashO 11 Release: Licensing, Bug Fixes, and Improved Functionality

Top 3 Cyber Attack Vectors During the Pandemic

Latest Blog Posts

Post Covid-19: 4 Application Trends You Need to Know

Dockerize PreEmptive's Products using Floating License

Navigating the Choice Between Security and Customer Experience

JSDefender Version 2 Release

DashO 11 Release: Licensing, Bug Fixes, and Improved Functionality

Twitter