RSAC 2019 Roundup: NIST Gets Structural as the NSA Goes Open Source

March 8, 2019 19716 Views Gabriel Torok


The booths are gone, the lights are off and the conference halls are empty. It’s a wrap for RSAC 2019, but IT pros aren’t going home empty-handed: Here’s a roundup of this year’s key topics, critical outcomes and biggest surprises.

No “I” in Team

This year’s RSA Conference opted for a simple, one-word theme: Better.

While it’s certainly aspirational, what does it mean in practice? For RSA, it’s a recognition that security doesn’t happen in a vacuum: infosec pros must work together to find better solutions, make better connections and make the world a better place. Given the often-fragmented nature of corporate IT security, RSA’s focus on empowering the “collective we” in cybersecurity makes sense: evolving, adaptable threats won’t be defeated by companies operating in isolation.

So what’s on deck for infosec this year? Let’s dig in.

Biometrics Goes Big

When it comes to new technology, biometrics made significant inroads at RSAC 2019. As noted by Brian Madden, multiple vendors featured new biometric solutions designed to lower risk and — potentially — hasten the end of traditional password security.

From fingerprints to face recognition and even keystroke and mouse click recognition, leveraging inherent biological traits offers real opportunity for companies to improve application and network security. And by linking biometrics to mobile devices rather than traditional desktops, organizations can adopt new protection layers without the need for expensive hardware purchases.

NIST Teases New Framework

Risk management is critical for companies to effectively implement new IT services and evaluate the potential impact of malicious attacks. According to one RSAC 2019 main-track session, human beings are “awesome at risk management” — despite occasionally poor choices from individuals, as a species we’re excellent at avoiding obvious risks and doing what it takes to survive.

When it comes to infosec, however, this natural risk avoidance often seems lacking — apps are released without effective security controls or deployed with known, open-source vulnerabilities. Employees often ignore the risks associated with social media apps and document sharing tools, even as C-suite executives chafe at the suggestion of bigger budgets for infosec initiatives. The disconnect? Structure. Without clear connections between action and consequence, human beings make risky choices.

NIST is looking to improve corporate risk management with its new Privacy Framework, featured at RSAC 2019 and due for completion in October. The modular, voluntary tool is designed “to help companies protect consumer privacy while protecting business imperatives.” Unlike other privacy frameworks — such as GDPR — NIST’s new offering is outcome-based and non-prescriptive, helping companies reduce risk through five key functions: identify, protect, control, inform and respond. Feedback is welcome on the new project until its release later this year.

NSA Gifts Ghidra

A big announcement this year: the NSA’s public release of the software reverse engineering (SRE) framework known as Ghidra. Developed by the agency’s Research Directorate to analyze malicious code and malware, its existence was first uncovered by Wikileaks in 2017. The tool is entirely open source under the Apache 2.0 license and will be publicly available on GitHub. NSA cybersecurity adviser Rob Joyce says the Ghidra release is a “contribution to the nation’s cybersecurity community,” and promised on the record that the tool contains no NSA backdoors to collect corporate usage data.

The Java-based executable is 270MB in size and allows organizations to quickly decompile suspected malware for actionable information, or to check in-house code for vulnerabilities. As noted by Wired, the tool is often compared to proprietary software like IDA, which performs the same basic function but comes with a substantial price tag. Ghidra also includes unique features such as an undo/redo mechanism that lets infosec pros test potential theories and reverse course if things don’t pan out.

The App Security Impact

NIST’s new framework should help streamline application defense. Biometric access will need to be locked down before this security method offers real value, but there’s no question that 2019 will see a significant rise in bio-based 2FA.

The release of Ghidra, meanwhile, is more of a question mark. There’s a big benefit here: teams creating new open source iterations of the tool and posting them to GitHub will improve the ability of companies worldwide to analyze malicious code and improve network defense. The downside? Malicious actors using Ghidra to reverse-engineer business applications and discover potential avenues for tampering, compromise or IP theft. With access to app source code — even if it’s reasonably well-designed — hackers can take their time crafting targeted, agile attacks that evade detection.

Just like the advent of AI-driven security and automation tools that streamline application testing, Ghidra has a double edge: even as infosec pros ramp up defense, attackers find new ways under, around and through. Companies must take steps to ensure their applications are obfuscated so that new tools and frameworks cannot readily recover their logic. From obfuscation to application hardening techniques such as tamper-proofing and the detection of (and response to) debuggers, hooking, emulators and rooted devices, organizations must stay one step ahead of both malicious actors and well-meaning tools.

Put simply? “Better” security isn’t a new technology, emerging framework or NSA tool — it’s a layered, methodical approach to application, network and source code protection.
