PreEmptive Thoughts from Build 2017

May 22, 2017 2278 Views Gabriel Torok

Like so many of us returning from Build 2017, we at PreEmptive are feeling both energized and highly motivated. Energized because of the truly impressive innovation coming out of both Microsoft and our larger ecosystem – and motivated because we can all see the expanding concern around application risk management and data security in this rapidly evolving world – and of course, that is where PreEmptive Solutions comes in.

Microsoft announced (and released) a broad range of software at Build: Improving Azure, Visual Studio, cross platform application development, and DevOps automation and efficiencies. You don’t have to hear about these from us – Microsoft published a nice Build wrap up here. I’m proud to say that PreEmptive Solutions were able to continue our 15+ year tradition of keeping pace with Microsoft’s remarkable cadence with a few announcements of our own.

At Build 2017, we announced

An update of our debug defense capabilities inside Dotfuscator to defend against native debuggers in addition to managed,
Enhancements of our Xamarin integration to significantly simplify and automate our protection there, and
Support for .NET Standard and Dotfuscator CE support for VSTS.

In other words, we also “announced (and released) a broad range software at Build improving Azure, Visual Studio, cross platform application development, and DevOps automation and efficiencies.” And you can see our Build 2017 announcement here.

I think my lasting impression of Build 2017 (and I’ve attended every Build so far) will be that the general awareness – even sophistication – around application risk management concepts and practices has never been higher. In fact, in the keynote (see image below) Microsoft noted that a specific key concern developers have is in making sure “their stuff” does not get hacked.

I see this jump in awareness as a direct consequence of the increasing importance of applications in all that we do. The higher the value of an application (and applications in general), the more it is worth protecting. And application developers attending Build certainly demonstrated the high value and impact of the work they’re doing. This is going to be an exciting year.

Free Trial

Request Quote

Request Demo

Mobile App Security and Best Practices: Leveraging the OWASP 3-Layer Model

Mobile App Security and Best Practices: Leveraging the OWASP 3-Layer Model

The mobile attack surface is expanding. As of January 2018 there were 3.7 billion unique mobile users worldwide choosing from more than 10 million verified applications across popular online stores. So it’s no surprise that security firms now detect millions of malicious install packages each quarter as hackers look for ways to compromise both existing mobile devices and their newest iteration, IoT.

In an effort to address the changing nature of mobile security the Open Web Application Security Project (OWASP) — well-known for its “top 10” vulnerability lists — has released version 1.0 of its Mobile AppSec Verification Standard (MASVS), which includes a three-layer model for application defense designed to “offer a baseline for mobile application security (MASVS-L1), while also allowing for the inclusion of defense-in-depth measures (MASVS-L2) and protections against client-side threats (MASVS-R). Here’s how your organization can leverage these layers to improve overall mobile app security.

Welcome to the Support Corner, where we’ll occasionally talk about topics that we’re seeing while working with our customers. If you’d like to see more like this, please click the Support Corner Category.

Recently, we’ve worked with a handful of customers who are using the Spring Boot framework. Spring Boot provides a simple way to create Spring-based applications. This blog explains how to protect jars created with the framework.

Spring Boot jars use an embedded class file structure which DashO does not directly recognize. DashO processes the regular class and package hierarchy. However, it does not embed the class files from the BOOT-INF/classes directory when writing the obfuscated jar.

How important is root detection?

Rooted devices can be extremely dangerous: When running on a rooted device, an otherwise harmless App can unmount file systems, kill processes, or run any arbitrary command.
Rooted devices are plentiful: In the annual Android Security 2017 Year in Review, Google reported that its SafetyNet service identifies over 14 million rooted devices DAILY.
Sensitive applications must include controls to mitigate these risks: Recent PCI Security Council guidelines and NIST controls are just two notable examples where rooted device detection and response obligations are explicitly assigned to development organizations. More generally, rooted access is synonomous with unauthorized privilege escalation and is, therefore, incorporated by reference in virtually every privacy obligation developers face, e.g. GDPR, HIPAA...

2018’s RSA Conference is in the books; IT professionals and C-suite executives are heading back to work, ready to leverage what they’ve learned and put it into practice. This year’s stand-out? The changing role of data privacy and protection regulations. Attendees made it clear that these topics were top-of-mind — hackers are finding new ways to compromise app security, even as emerging legislation puts more pressure on companies to keep data safe.

The result? A sea-change for application security. Here’s what it means for your organization.

Development’s Journey to Effectively Implementing App Protection

Because data is created, accessed, and changed through applications, hardening and shielding your applications is a key component to protecting your data. Adding application protection to your secure software development lifecycle will make it more difficult for people and machines to exploit them. But, what are the factors to consider when thinking about application risk? Effective application risk management is a sustained, consistent practice and technology selection and implementation is a specialized discipline within that practice. The initial steps below offer a roadmap to selecting and implementing application hardening and shielding as a part of a broader application risk management program.

The full Infographic in pdf form is available here.

Does app have intellectual property?

Does app gate access to value?

Does app access private information?

Is the app subject to regulation?

Does app run in an untrusted environment?

PreEmptive Thoughts from Build 2017

Mobile App Security and Best Practices: Leveraging the OWASP 3-Layer Model

Obfuscating jars created with the Spring Boot framework

Root detection: Xamarin apps stop hackers before they can begin

How important is root detection?

RSA Conference 2018: Data Privacy and Regulations Take Center Stage

Effectively Implementing App Protection

Development’s Journey to Effectively Implementing App Protection

Latest Blog Posts

Mobile App Security and Best Practices: Leveraging the OWASP 3-Layer Model

Obfuscating jars created with the Spring Boot framework

Root detection: Xamarin apps stop hackers before they can begin

RSA Conference 2018: Data Privacy and Regulations Take Center Stage

Effectively Implementing App Protection

Latest News

Dotfuscator Adds Rooted Device Controls to Meet Exceptional Xamarin.Android Demand

Microsoft Build 2018

PreEmptive Solutions Launches GDPR Compliance Relief Program

Protecting Your Xamarin Apps with Dotfuscator

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

Twitter

App Protection Blogs

PreEmptive Thoughts from Build 2017

How important is root detection?

Development’s Journey to Effectively Implementing App Protection

Latest Blog Posts

Latest News

Twitter