Are You Following These Top 10 App Protection Practices?

August 20, 2018 4240 Views Gabriel Torok

Despite the rising costs and impact of application compromise — recent data found that 58 digital records are stolen every second and breaches cost companies an average of $3.6 million — many best practices and procedures for securely designing, developing, testing and protecting applications are largely ad-hoc. As noted by Tech Republic, in fact, exactly ZERO percent of organizations say their security needs are fully met by their current infosec strategy, down from just 11 percent last year.

Some respondents pointed to a lack of skilled resources while others cited budget constraints, but regardless of origin the outcome is clear: Hastily-designed app protection procedures that don’t meet current needs and can’t keep up with evolving demands.

Need a helping hand with your application protection process? We’ve compiled some of the best practices of leading-edge companies into a top-10 list. Let’s get started.

10. Educate developers on safe coding & security code reviews

First up? Educating developers on safe coding and security code review practices. Here’s why it matters: As noted by CA Technologies 2018 Insider Threat Report accidental insider threats top the list of corporate worries, and “lack of training and expertise remain the biggest barrier to better insider threat management.”

While many organizations (correctly) link accidental insider threats to staff sending secure data via plaintext emails or falling victim to phishing attacks, poorly-secured or tested app code can have the same effect: attackers are able to breach corporate defenses and access critical information. As a result, it’s essential for all security staff to receive regular training about app coding best practices. These include:

Effective error handling — How do applications handle errors? Do systems “fail closed” or open potential holes for attackers?
Continuous logging — Ensuring that all actions are logged and include tags such as date and time, initiating action and user creates both an auditable database of activity and informs ongoing code development.
Remote admin limitations — Does code permit remote admin execution? Under what circumstances? How is remote management secured (VPN, tokens, etc?)

Better training for developers means more secure apps, in turn making all other app security benchmarks easier to achieve.

9. Threat Awareness

To effectively defend apps from malicious actors, companies must develop broad threat awareness. Some threats are common knowledge, such as the use of popular open-source software in app development which may contain critical flaws.

Others remain ongoing concerns. As noted by SANS, vectors such as cross-site scripting (XSS) and buffer overflows remain popular. While defeating many XSS attacks is relatively simple, organizations must understand both the prevalence of this threat and existing application issues to effectively reduce risk. Also essential? Keeping track of emerging trends such as fileless malware and account takeover attacks which attempt to compromise applications without triggering infosec alerts.

8. Static application security testing (SAST)

Static application security testing focuses on application source code before it’s been compiled. This offers both the benefits of early use — SAST techniques are viable even in the first stages of the software development lifecycle — and the ability to quickly detect early-stage vulnerabilities. With approximately 80 percent of attacks now targeting the application layer, SAST testing is a cost-effective, simple way to save time on detection and money on costly bug fixes. It scales well and is useful for finding common security flaws such as buffer overflows and SQL Injection Flaws.

7. Dynamic application security testing (DAST)

Dynamic application security testing (DAST) is — not surprisingly — the other side of the app testing coin. Here, applications are tested while in operation to detect vulnerabilities which occur only when the app is executing. Essentially, DAST attempts to pierce the running application in various ways to determine potential vulnerabilities and it doesn’t require direct access to the binaries or source code.

Although DAST comes with limitations, since it can only find flaws in code currently being executed, it provides a more organic way to test application behavior. Why? While SAST evaluates the component parts of applications, DAST reveals flaws that only occur when critical variables — end users — are part of the equation.

6. Penetration testing (pentest) – Bring in the humans

While SAST and DAST testing can be fully automated, the pentest includes the human element creating a simulation of security outbreaks against the application. The pentest is a key component of effective application security. The challenge for most organizations? Ensuring that pen testing efforts properly address the scope of potential system issues.

What are top-tier companies doing that others aren’t? Implementing penetration testing processes that come with a clear C-suite mandate and plan of action. According to Business Computing World, this means both creating a regular testing schedule — every quarter to every six months, at most — in addition to testing all aspects of their network and applications. Why is this important? Because many businesses assume that certain portions of their infrastructure or code are “infallible” since they’ve never been breached. The hard truth? They aren’t — they’ve just had good luck. Include everything in your pen test efforts to ensure optimal results. See our blog on Mobile Pen Testing Tips.

5. Data encryption / masking

As noted by Forbes, “data encryption is among the most effective strategies for mitigating the damage caused by data loss.” Many emerging federal regulations and industry standards now require the use of data encryption to demonstrate due care in protecting user data and safeguarding critical application processes.

Companies that excel at data protection share a common practice: They encrypt everything. Files at rest. Files in transit. Session tokens. Mobile data. Connection information. The caveat? Companies tend to trust encrypted data, leading to a rise in SSL and TLS attacks — malicious actors are often able to bypass common security measures by encrypting infected code using commonly-accepted methods. For organizations, encryption is a two-way street: outgoing data and data-at-rest should always be encrypted, while incoming data must always be inspected.

In addition to data encryption, it’s also critical to build in processes which help mask and obfuscate critical data. According to Tech Target, this starts with discovery: companies need to find the data they need to protect within their application. Ideally, this occurs during the design process rather than after the fact. Either way, the Tech Target piece suggests such identification takes between 10 and 20 percent of total project efforts.

4. Application hardening / shielding

Attackers are looking for the fastest, easiest route to data breach and application compromise. If an application is easy to reverse engineer, it is easy to steal IP and find vulnerabilities. The result? Employing app hardening and shielding techniques can help convince hackers that your app is more trouble than it’s worth and instead move on to more vulnerable targets.

OWASP speaks to the industry consensus for application hardening, which includes:

Layer multiple defenses — OWASP notes that “app hardening and shielding along with layered security measures are recognized as a critical component of overall IT compliance.” Wherever possible, companies should implement more security than they believe they need to reduce total risk.
Leverage obfuscation and encryption — As noted above, both of these techniques are critical to protect apps from hackers and encourage them to find other targets.

For code running in an unprotected environment, find and deploy a reliable code obfuscation tool which modifies files so they’re no longer useful to hackers but remain fully functional in your application.

3. Application integrity protection or RASP (runtime application self-protection)

Gartner defines Runtime application self-protection (RASP) as a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.

Examples of client-side steps an app can take to try to prevent attacks include:

Keep an app from running on a compromised (or rooted) device where its underlying data and communications may be easily compromised.
Prevent a production application from being inspected in a debugger or an emulator. Hackers probe applications with debuggers to discover critical flaws and vulnerabilities that they can exploit.
Stop a tampered version of an application from running or reduce its functionality. Tampered versions of applications can include malware and the end user is unaware.

Examples of server-side steps an app can take to try to prevent attacks include:

Stop the execution of instructions to a database that appear to be a SQL injection attack.
Detect misconfigurations that might create vulnerabilities to attack.
Detect possible fraud and terminate the user session.

2. Web application firewall (WAF)

Traditional firewalls rely on perimeter defenses to detect incoming threats and block suspicious actions. The problem? These firewalls have limited efficacy for Web applications located outside the typical network DMZ.

Web application firewalls (WAFs), meanwhile, are network-, host- or cloud-based solutions placed in front of web and mobile applications to actively scan incoming data packets. Their positioning and scanning process allows them to reliably detect potentially malicious behavior and deal with high-risk threats such as zero-day attacks. These attacks are often devastating for organizations because they emerge after applications go live. WAF tools are designed to identify strange app requests, prevent them from executing and then notify infosec teams. In addition, these next-gen tools can be configured to inspect for other threats such as XSS attacks, SQL injections and buffer overflows.

1. Compliance Research

Last but (absolutely) not least? Ongoing compliance research and revision.

Compliance expectations such as those from PCI DSS and HIPAA are a good starting point, along with any data that’s company-specific or critical to basic app functioning. Also, consider the EU’s new General Data Protection Regulation (GDPR). Not only does it stipulate that users have the right to request their personal data from companies at any time, but it mandates that any organizations handling or storing the data of an EU citizen — even if the business isn’t located the European Union — must securely store that data and respond to breaches within 72 hours or face significant monetary fines. Meanwhile, new credit data regulations from PCI DSS mandate ongoing protection — with the potential for random audits and compliance checks — rather than once-a-year demonstrations of application security.

The result? It’s critical for companies to regularly review their application security protocols, compare them to existing legislation and make necessary changes.

Better Protection, Better Outcomes

Bottom line? Applications are now critical to the success of your business — but without the right security procedures in place these apps may pose the biggest risk to your organization. For many companies, the sheer complexity of their app environment makes the development and adoption of new infosec processes a daunting task.

Start with our top 10 app protection checklist to discover where your security hits the mark, where it needs improvement and where existing process need a complete overhaul.

Latest Blog Posts

No Contact Normal: Solving the Payment Security Gap

The coronavirus crisis is changing human behavior. From the persistent need for social distancing to the potentially permanent adoption of work-from-home mandates, the “new normal” is uncharted territory.

But the growing priority of public health also has knock-on effects in other fields, such as credit and debit payments. While the United Stated has historically lagged behind other countries such as Canada, the United Kingdom and Australia when it comes to the adoption of contactless card transactions, the demand for physical distance now trumps the functional familiarity of swipe-and-signature or chip-and-PIN interactions.

Facilitating “no contact normalcy”, the PCI Security Standards Council (PCI SSC) includes guidance for both commercial deployments and software applications to help solve potential payment security gaps. Here’s what you need to know.

Localization is often a key ingredient when building Xamarin Forms applications with a global audience. There are different ways to approach app localization, but most of these leverage the built-in tools provided by the .NET Framework. These include RESX files to configure localized strings and an auto-generated resource class which provides strongly-typed access to the string translation at runtime. This mechanism has been available since .NET 1.1, and is used for localization of WinForm, WPF, ASP.NET, and Xamarin applications.

In the months since we released the Dotfuscator 6 beta, we’ve been hard at work finishing the feature set, fixing issues, and putting on the final touches in preparation for the full release. Now, we are happy to announce the full availability of Dotfuscator 6!

It’s official. COVID-19, more commonly known as the Coronavirus, has been declared a global pandemic by the World Health Organization (WHO) with hundreds of thousands of cases worldwide. In the United States, restrictions are ramping up as case numbers soar — New York governor Andrew Cuomo has ordered all nonessential workers to stay home, and my own state’s governor Mike DeWine has issued a statewide shelter-in-place order.

Along with disruptions to daily life, the expanding impact of COVID-19 has forced businesses to rapidly pivot and adopt remote-work models — even if they have no experience with mobile connections and on-demand collaboration. The result is a surge in remote everything, from team chats to primary school education to project management and even healthcare delivery. See my previous blog on our customer commitment during the age of Coronavirus.

And while efforts to bridge the digital divide are having a positive impact for both workplace productivity and the mental health of those in isolation, there’s a potential pitfall: Cybersecurity. As noted by CNBC, there’s already been a significant uptick in scam and phishing emails — but what happens if malicious actors breach critical apps and services?

At PreEmptive, we’re closely following the evolving Coronavirus (COVID-19) public health emergency, and our thoughts are with those affected and their families during this difficult time.

We are taking precautionary steps to continue normal operations without affecting our customers. At the same time, ensuring the health and safety of our customers, partners, and employees is our highest priority.

We have provided application protection software to the world's top organizations for more than 20 years. Although, this case is somewhat unique, it is not the first time we have been confronted with economic disruptions and uncertainties. Prior critical lessons have helped shape us into the company we are today: a robust organization with layers of contingency plans in place, a strong balance sheet, and an experienced team that values long-term relationships with our customers and partners above all else.

Are You Following These Top 10 App Protection Practices?

10. Educate developers on safe coding & security code reviews

9. Threat Awareness

8. Static application security testing (SAST)

7. Dynamic application security testing (DAST)

6. Penetration testing (pentest) – Bring in the humans

5. Data encryption / masking

4. Application hardening / shielding

3. Application integrity protection or RASP (runtime application self-protection)

2. Web application firewall (WAF)

1. Compliance Research

No Contact Normal: Solving the Payment Security Gap

Protecting Localized Xamarin Forms Applications

Dotfuscator 6: The Next Era of Dotfuscator

Going the Distance — Remote Work and Effective Cybersecurity in the Age of Coronavirus

Our Commitment to Customers During the COVID-19 Outbreak

Latest Blog Posts

No Contact Normal: Solving the Payment Security Gap

Protecting JavaScript Code: The Making of JSDefender

Protecting Localized Xamarin Forms Applications

Dotfuscator 6: The Next Era of Dotfuscator

Going the Distance — Remote Work and Effective Cybersecurity in the Age of Coronavirus

Twitter