PreEmptive Thoughts from Build 2017

May 22, 2017 3978 Views Gabriel Torok

Like so many of us returning from Build 2017, we at PreEmptive are feeling both energized and highly motivated. Energized because of the truly impressive innovation coming out of both Microsoft and our larger ecosystem – and motivated because we can all see the expanding concern around application risk management and data security in this rapidly evolving world – and of course, that is where PreEmptive Solutions comes in.

Microsoft announced (and released) a broad range of software at Build: Improving Azure, Visual Studio, cross platform application development, and DevOps automation and efficiencies. You don’t have to hear about these from us – Microsoft published a nice Build wrap up here. I’m proud to say that PreEmptive Solutions were able to continue our 15+ year tradition of keeping pace with Microsoft’s remarkable cadence with a few announcements of our own.

At Build 2017, we announced

An update of our debug defense capabilities inside Dotfuscator to defend against native debuggers in addition to managed,
Enhancements of our Xamarin integration to significantly simplify and automate our protection there, and
Support for .NET Standard and Dotfuscator CE support for VSTS.

In other words, we also “announced (and released) a broad range software at Build improving Azure, Visual Studio, cross platform application development, and DevOps automation and efficiencies.”

I think my lasting impression of Build 2017 (and I’ve attended every Build so far) will be that the general awareness – even sophistication – around application risk management concepts and practices has never been higher. In fact, in the keynote (see image below) Microsoft noted that a specific key concern developers have is in making sure “their stuff” does not get hacked.

I see this jump in awareness as a direct consequence of the increasing importance of applications in all that we do. The higher the value of an application (and applications in general), the more it is worth protecting. And application developers attending Build certainly demonstrated the high value and impact of the work they’re doing. This is going to be an exciting year.

Latest Blog Posts

Protecting C# Applications That Use Dynamic Types

The dynamic type in C# provides flexibility that is not available in other statically-typed languages. Since its introduction in C# 4.0 (.NET 4.5), we have worked with customers who wanted to know more about how dynamic types are impacted by the obfuscation process.

Malicious actors — like any thieves — live by a simple rule: If the front door is locked, break the window.

It’s why threats like fileless malware and crypto-jacking have seen substantial gains over last few years. It’s why — despite increasing employee education and IT training — hackers are still hooking phish by developing more sophisticated and authentic-looking email spoofs. Cybercriminal communities, meanwhile, continue to grow on the dark web, allowing attackers to share info, purchase exploit kits and identify potential targets.

What does this mean for CISOs? That typical defense efforts are being outpaced as familiar attack vectors are replaced with non-traditional threats. But it’s not all bad news; here are three questions every CISO needs to ask to help close the doors, bolt the windows and leave hackers out in the cold.

Gabriel, you have been in the security industry for over 2 decades. You have seen many different tools and services. Why create a company around something as specific as obfuscation and in-app protection?

Our customers build a lot of really innovative apps that enable their users and customers to do new and cool things. These apps frequently run on untrusted client computers/devices and they control access to customer’s sensitive data or critical devices.

And after all the effort of designing, building, debugging, and deploying their applications, the last thing they want is for an attacker to steal their work or use it to look for vulnerabilities to break into their system.

Long ago, we built a Java code optimizer, but it became clear to us that our customer cared more about the obfuscation effects of the optimization than the actual performance improvement. That is when we really began to focus on app protection. First with Java, then .NET, Android, iOS, Xamarin, JavaScript, etc.

Gartner calls In-App Protection “crucial” in their July 2019 Market Guide for In-App Protection In-App Protection. The guide’s summary advises security and risk management leaders to “take due care in protecting their application clients” in order to avoid “security failure.”

This raises the question – what constitutes “due care?” Obviously, no development organization looks to recklessly expose their applications or sensitive data to attack or compromise. On the other hand, over-engineered (or poorly engineered) security controls can quickly lead to excessive development costs, performance and quality issues, and, ultimately, unacceptable user experiences. While terms and terminology may vary, there is broad consensus on how to best define “due care” for any given application/user scenario.

If you don’t follow application security closely, you might think of application obfuscation and symbol renaming as being synonymous – and with good reason. Many platforms and languages, like .NET, Java, and JavaScript have popular obfuscators that do little else--our own Dotfuscator Community Edition for .NET and ProGuard for Java are good examples. However, obfuscation is far more than symbol renaming – and in-app protection is far more than obfuscation. Much of this expansion has been driven by new security requirements, shifting attack vectors, the rise of mobile and IoT computing and, lastly, the growing recognition inside regulations and legislation of the exposure that can result from inadequately protected software.

PreEmptive Thoughts from Build 2017

Protecting C# Applications That Use Dynamic Types

Non-Traditional Attack Vectors: Three Questions Every CISO Needs to Ask

Q&A With PreEmptive CEO Gabriel Torok

Gabriel, you have been in the security industry for over 2 decades. You have seen many different tools and services. Why create a company around something as specific as obfuscation and in-app protection?

The Secret to Effective In-App Protection

Symbol Renaming: App Security’s Maginot Line?

Latest Blog Posts

Protecting C# Applications That Use Dynamic Types

Non-Traditional Attack Vectors: Three Questions Every CISO Needs to Ask

Q&A With PreEmptive CEO Gabriel Torok

The Secret to Effective In-App Protection

Symbol Renaming: App Security’s Maginot Line?

Twitter