Automating and Scaling App Protection with Azure Devops

September 10, 2018 4931 Views Gabriel Torok

Prevention, detection, and response

Today, Microsoft announced Azure DevOps – Loosely, it is TFS and VSTS, with its services broken out into distinct components that can be used together or separately. The Azure DevOps services are Azure Boards, Azure Repos, Azure Pipelines, Azure Test Plans and Azure Artifacts. When Azure DevOps was VSTS and TFS, we supported integration with PreEmptive’s Dotfuscator. Today, none of that changes. As Azure DevOps evolves, we will continue to improve our integration, so that you can easily add multi-layered protection to your valuable apps.

In Mindset shift to a DevSecOps culture, Buck Hodges, Director of Engineering for Visual Studio Team Services, stressed the importance of both preventing breaches and “assuming breaches. ”In essence, prevention only gets you part of the way there. “Assuming a breach” allows for effective incident detection, response and recovery process planning.

PreEmptive’s protection tools (Dotfuscator and DashO) easily integrate with your Azure DevOps process, hardening your applications by injecting controls such as:

Anti-Reverse Engineering
Anti-Tampering
Anti-Inspection
Anti-Compromised Device

Hardened applications can respond to attacks by executing standard or customized behaviors. For example, an application could simply exit, or it could send security related messages to an Azure analytics platform such as Visual Studio App Center. In addition to helping satisfy PCI, NIST, and other guidelines, this strategy also lines up with the OWASP mobile recommendation to shut down an app running on a rooted device, to prevent compromise.

For sensitive or high value applications, organizations in virtually every industry are incorporating application hardening and obfuscation into their DevOps process. Along with using other application security practices this can create a DevSecOps process. I will have a future blog with more information on DevSecOps.

What now?

Learn more about securing and protecting your mobile, service, and desktop components with PreEmptive Protection and Azure DevOps, and get a free evaluation of application protection here.

In addition, a free tool called Dotfuscator Community is included in Visual Studio. It is easy to add to your Azure DevOps process via a free extension available here: https://marketplace.visualstudio.com/items?itemName=PreEmptiveSolutions.dotfuscator-ce-vsts

PreEmptive Solutions is committed to deepening and broadening its integration into Azure DevOps alongside other Azure DevOps partners such as Mobilize and Progress.

To learn more about #AzureDevOps see https://aka.ms/azurevsts.

Latest Blog Posts

Announcing the DashO v10.2 Release with Resource Encryption for Android

The DashO 10.2 release introduces a major new feature: Resource Encryption for Android. It's currently in beta, but is fully supported for production use. It allows you to encrypt the resources embedded in your APK, better protecting your Android application against static attacks.

This functionality integrates directly with your existing Gradle build, encrypting the resources during the standard build process. DashO then injects code into your protected application that will decrypt those resources at runtime.

Resource Encryption is off by default, but can be easily enabled in the DashO UI. The UI makes it easy to enable, or disable, the encryption of specific resources via drag and drop. It currently supports encrypting both assets and raw resources.

Once you install DashO 10.2, using this feature is easy.

Today we're announcing the first new major-version release of Dotfuscator in thirteen years: Dotfuscator Professional 6.0 Beta. It's an exciting new release with major new capabilities, but before we get into that, let's take a look at why it's been so long since we had a major release and why we're choosing to do one now.

For development teams, adding Dotfuscator to a build pipeline can often seem like a challenge; the value it adds is mostly gained by the surrounding business, and the cost of adding it is mostly borne by the development team. We understand that constraint, which is why we focus on making Dotfuscator as easy to integrate and maintain as possible. If you're a long-time user of Dotfuscator, you've probably experienced that - release after release of painless upgrades. That's our "first do no harm" philosophy in action.

The dynamic type in C# provides flexibility that is not available in other statically-typed languages. Since its introduction in C# 4.0 (.NET 4.5), we have worked with customers who wanted to know more about how dynamic types are impacted by the obfuscation process.

Malicious actors — like any thieves — live by a simple rule: If the front door is locked, break the window.

It’s why threats like fileless malware and crypto-jacking have seen substantial gains over last few years. It’s why — despite increasing employee education and IT training — hackers are still hooking phish by developing more sophisticated and authentic-looking email spoofs. Cybercriminal communities, meanwhile, continue to grow on the dark web, allowing attackers to share info, purchase exploit kits and identify potential targets.

What does this mean for CISOs? That typical defense efforts are being outpaced as familiar attack vectors are replaced with non-traditional threats. But it’s not all bad news; here are three questions every CISO needs to ask to help close the doors, bolt the windows and leave hackers out in the cold.

Gabriel, you have been in the security industry for over 2 decades. You have seen many different tools and services. Why create a company around something as specific as obfuscation and in-app protection?

Our customers build a lot of really innovative apps that enable their users and customers to do new and cool things. These apps frequently run on untrusted client computers/devices and they control access to customer’s sensitive data or critical devices.

And after all the effort of designing, building, debugging, and deploying their applications, the last thing they want is for an attacker to steal their work or use it to look for vulnerabilities to break into their system.

Long ago, we built a Java code optimizer, but it became clear to us that our customer cared more about the obfuscation effects of the optimization than the actual performance improvement. That is when we really began to focus on app protection. First with Java, then .NET, Android, iOS, Xamarin, JavaScript, etc.

Automating and Scaling App Protection with Azure Devops

Prevention, detection, and response

Announcing the DashO v10.2 Release with Resource Encryption for Android

Dotfuscator 6.0 Beta: Entering the Next Era of Dotfuscator

Protecting C# Applications That Use Dynamic Types

Non-Traditional Attack Vectors: Three Questions Every CISO Needs to Ask

Q&A With PreEmptive CEO Gabriel Torok

Gabriel, you have been in the security industry for over 2 decades. You have seen many different tools and services. Why create a company around something as specific as obfuscation and in-app protection?

Latest Blog Posts

Announcing the DashO v10.2 Release with Resource Encryption for Android

Dotfuscator 6.0 Beta: Entering the Next Era of Dotfuscator

Introducing JSDefender: PreEmptive Protection now includes JavaScript

Protecting C# Applications That Use Dynamic Types

Non-Traditional Attack Vectors: Three Questions Every CISO Needs to Ask

Twitter