Shift Left: The Case for “Time-Traveling” App Security

December 5, 2018, by Gabriel Torok

Time is of the essence for application security — the sooner IT teams can detect potential attacks and the longer it takes cybercriminals to crack app code, the better your business outcomes.

But with hackers adapting to overcome infosec efforts and new software vulnerabilities constantly emerging, how do companies gain more time — and give hackers less time — across their application stack?

It all starts with a change in direction: Security needs to shift left.

Shifting Priorities

Shift left has gained popularity along with DevOps: combined development/operations teams needed a way to improve application quality and detect errors earlier in the development cycle. The name comes from the typical project timeline. With time on the X-axis running left to right, testing ramps up toward the right, where defects are more expensive to find and fix, especially after an application goes live.

By shifting this testing left — back in time to design and development phases — companies can find and remediate issues when code is easier to change. Successfully deploying a shift left DevOps effort demands a unified test strategy that leverages static testing and automation technologies to reduce human errors and increase test coverage.

Security, meanwhile, has historically been a right-side problem, addressed only after applications go live and potential vulnerabilities are in the wild. Attackers now routinely exploit known software vulnerabilities, mount sophisticated campaigns to gather sensitive data, and use applications themselves as an attack vector; that has changed the game. Organizations need a way to secure applications before they leave test environments.

Preemptive Protection

As noted by IT Governance USA, it takes companies (on average) 206 days to detect a breach to networks or applications. That’s more than enough time for hackers to conduct reconnaissance, discover more vulnerabilities and exploit application weaknesses for their own gain. Shifting security left means prioritizing vulnerability discovery and prevention during the initial stages of app development, effectively allowing organizations to short-cut the typical detection cycle — instead of waiting for hackers to make their move, companies preemptively discover critical flaws.

But what does this look like in practice? How do businesses know where attackers will strike or what methods they’ll use to breach app defenses? According to research firm Gartner, companies must now employ a “risk-based” approach to vulnerability management that prioritizes critical avenues of compromise and takes steps to harden application code.

By implementing app hardening tools as early as possible in the development process, it’s possible for organizations to identify high-value assets and resources used by apps and then intelligently harden and shield applications against common attack avenues.

The result? Preemptive protection that makes it possible to deploy app defenses before hackers get their hands on applications.

Buying Time

Organizations also need to extend the time between attacker efforts and successful code circumvention — the longer IT pros have to analyze and quarantine attacks, the better.

But as noted by Computer Weekly, most threat remediation strategies are no better than chance. For example, simple (and popular) rule-based strategies have only a 23 percent efficiency rate, making them a poor choice for defending critical, high-use applications.

Here, shifting left means creating more time for infosec pros to do their job when attacks inevitably arise. By implementing tools such as security code scanning and code obfuscation, companies can fix the vulnerabilities they discover and make it harder for attackers to reverse-engineer code and find the ones they have not. Layering in runtime application self-protection (RASP), meanwhile, lets an application detect strange behavior, or attempts to inspect or modify it, while it executes, so the app can react, respond and generate threat reports for IT according to customized behavior thresholds.

Embracing Secure DevOps

So how do companies get from current 206-day detection times and random-chance remediation to shift-left security success?

Two answers: Responsibility and resources. As noted by IT Business Edge, while pushing security into the continuous app development pipeline “supports a proactive response to emerging threats,” responsibility is often tied to infosec pros alone. Just as DevOps success demands complete team buy-in, left-leaning security requires shared responsibility across organizational lines. This means deploying simple, self-service security technologies that make it possible for IT teams to preemptively address infosec concerns and embrace security as a critical aspect of long-term application success.

In addition, teams need the right resources to protect applications against threats that are not addressed during development, or that emerge only after applications leave test environments and are deployed across mobile and desktop devices. Here, app hardening, obfuscation, anti-debug and anti-tamper tools are critical: they create time and give organizations more room to respond.

Let’s Do the Time Warp Again

Companies need less time to detect attacks, and more time before attackers succeed, to defend applications effectively and reduce attacker impact. Shifting left, bringing security into the DevOps fold, enables this kind of "time-traveling" defense, but it demands new solutions capable of assessing risk, hardening applications and detecting attacks in real time.
