Managing Application Vulnerabilities (an early peek into improved controls for your code and data)

October 4, 2016 3203 Views Sebastian Holst

I’m working on an application risk management study/survey focusing on the importance of one vulnerability exploit in particular: debugger hacks against production apps. Our initial data set already includes responses from 100+ developers targeting cloud, mobile and desktop platforms from 15+ countries.

A Clear Material Application Risk for a Majority of Development Teams

58% report ongoing, sustained risk management development investments dedicated to mitigate the following material risks:

Financial theft
Intellectual property theft through application use
Intellectual property theft through application tampering and reverse engineering
Operational disruption
Regulatory and other compliance obligations
Unauthorized access to user and business data

Within the development teams that have taken affirmative action to mitigate these risks, 64% have identified unauthorized use of a debugger in production as a material vulnerability.

If you’re interested in getting the final numbers (and a deeper dive into both the risks and controls to effectively mitigate these risks), I expect to be publishing results in the next 1-2 weeks HERE (there's already a link to a related white paper on this page for download too).

Artificial Intelligence, Real Threats: Can Attackers Flip the AI Script?

There’s big money in artificial intelligence (AI) — reaching almost $12 billion over the next six years. As noted by research firm McKinsey & Company, companies are now in the process of building out the technology foundation they need for AI deployment, with 45 percent of executives already worried about not investing enough in AI to keep up with the competition. It’s not a baseless fear: The McKinsey research also suggests that AI adoption is following a standard “S-Curve” model, which starts with slow adoption by a limited number of businesses followed by rapid mass adoption as market opportunities increase and then slows again as stragglers are left behind.

Given the wide range of potential applications for AI and the evolution of core intelligence technologies, increased business interest is no surprise. What companies may not be prepared for, however, is the uptick in hacker usage of AI tools and solutions — what happens when attackers flip the AI script?

That was the title of yesterday's congressional briefing organized by ACT | The App Association (in cooperation with the Congressional IP Caucus which is co-chaired by Rep. George Holding, Rep. Adam Smith, & Rep. Hakeem Jeffries).

As is often the case when presenting to different kind of audience (not software-centric), you’re forced to reorganize your thoughts – here are few that might be worth sharing.

Attendees were promised the following agenda:

Learn how rogue apps steal content;
Understand what access devices are enabling the piracy of content;
Learn about a range of app piracy methods used to exploit U.S. companies;
Gain insight into existing industry best practices and enforcement methods for combating IP piracy.

App development now happens at breakneck speeds as companies recognize the need for first-to-market applications that exceed consumer expectations for usability and performance. The root of this rapid release cycle? DevOps — the combination of development and operations teams to deliver best-in-class applications ASAP.

But more apps on the market more quickly means more chances for security issues — as noted by Bank Info Security, 60 percent of all breaches over the last two years started with known software vulnerabilities. Bottom line? DevOps is getting apps out of development, but lack of security is putting them in harm’s way. There are no second chances when it comes to first impressions; users won’t come back if applications expose personal data or become malware distribution drones.

The solution? DevSecOps: Security as a fundamental aspect of application development. Here’s what you need to know.

Model–View–ViewModel (MVVM) is a common pattern used in WPF, Xamarin, and other types of .NET applications. There are different ways to apply the MVVM pattern, but they all share a few underlying concepts. I’d like to discuss these concepts, and how to successfully configure protection with Dotfuscator for MVVM-based apps.

Credentials are a problem for your app. Why? Because they’re a critical access gateway: If attackers get their hands on working usernames and passwords they can cause havoc — everything from stealing user accounts to compromising high-level application functions.

It’s big business; Sensor Tech Forum notes that 85 malicious apps on Google Play were stealing login credentials, while Verizon’s 2018 Data Breach Investigation Report found that 81 percent of hacking incidents used weak or stolen passwords.

And while part of the problem rests with users choosing username and password combinations that are easy to remember and easy for attackers to guess, applications have their own issue: Hard coding. From smart city software to stock trading applications, the use of hard-coded credentials saves time upfront but significantly impacts security.

Don’t become an easy mark for hackers: Here are six ways to boost credential control and reduce total risk.

Managing Application Vulnerabilities (an early peek into improved controls for your code and data)

A Clear Material Application Risk for a Majority of Development Teams

Artificial Intelligence, Real Threats: Can Attackers Flip the AI Script?

Rogue Apps: Facilitating Theft from Developers and Consumers

No Second Chances: App Shielding and the Emerging Need for DevSecOps

Protecting .NET applications that use the MVVM pattern

Create More Secure Applications – Don’t Hard Code Credentials; Instead, Use Application Hardening

Latest Blog Posts

Artificial Intelligence, Real Threats: Can Attackers Flip the AI Script?

Rogue Apps: Facilitating Theft from Developers and Consumers

No Second Chances: App Shielding and the Emerging Need for DevSecOps

Protecting .NET applications that use the MVVM pattern

Create More Secure Applications – Don’t Hard Code Credentials; Instead, Use Application Hardening

Latest News

Dotfuscator Adds Rooted Device Controls to Meet Exceptional Xamarin.Android Demand

Microsoft Build 2018

PreEmptive Solutions Launches GDPR Compliance Relief Program

Protecting Your Xamarin Apps with Dotfuscator

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

Twitter

App Protection Blogs

Managing Application Vulnerabilities (an early peek into improved controls for your code and data)

A Clear Material Application Risk for a Majority of Development Teams

Latest Blog Posts

Latest News

Twitter