PreEmptive Thoughts from Build 2017

May 22, 2017 3586 Views Gabriel Torok

Like so many of us returning from Build 2017, we at PreEmptive are feeling both energized and highly motivated. Energized because of the truly impressive innovation coming out of both Microsoft and our larger ecosystem – and motivated because we can all see the expanding concern around application risk management and data security in this rapidly evolving world – and of course, that is where PreEmptive Solutions comes in.

Microsoft announced (and released) a broad range of software at Build: Improving Azure, Visual Studio, cross platform application development, and DevOps automation and efficiencies. You don’t have to hear about these from us – Microsoft published a nice Build wrap up here. I’m proud to say that PreEmptive Solutions were able to continue our 15+ year tradition of keeping pace with Microsoft’s remarkable cadence with a few announcements of our own.

At Build 2017, we announced

An update of our debug defense capabilities inside Dotfuscator to defend against native debuggers in addition to managed,
Enhancements of our Xamarin integration to significantly simplify and automate our protection there, and
Support for .NET Standard and Dotfuscator CE support for VSTS.

In other words, we also “announced (and released) a broad range software at Build improving Azure, Visual Studio, cross platform application development, and DevOps automation and efficiencies.”

I think my lasting impression of Build 2017 (and I’ve attended every Build so far) will be that the general awareness – even sophistication – around application risk management concepts and practices has never been higher. In fact, in the keynote (see image below) Microsoft noted that a specific key concern developers have is in making sure “their stuff” does not get hacked.

I see this jump in awareness as a direct consequence of the increasing importance of applications in all that we do. The higher the value of an application (and applications in general), the more it is worth protecting. And application developers attending Build certainly demonstrated the high value and impact of the work they’re doing. This is going to be an exciting year.

Latest NIST publication reinforces Developer Obligations (and liability)

On June 11, NIST released Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework. While a solid piece of work in its own right, this document is noteworthy because it stands as one more proof point - in an already long list of proof points, that development processes, the developers themselves, and the organizations they belong to, ALL share some degree of responsibility (liability) for:

Untrusted Environments, Valuable Apps? Put the Protection in the App.

IT environments are evolving. Disappearing are the days of in-house, fixed-endpoint, limited access server stacks — replaced instead by a combination of private and public cloud solutions, mobile applications and IoT devices.

As noted by research firm IDC, public cloud spending now outpaces all other IT infrastructure with a growth rate topping 10 percent year-over-year, while Statista reports that users downloaded more than 178 billion apps in 2017 alone — and are on track to break 250 billion over the next few years.

What does this mean for organizations? That application environments are quickly moving beyond the purview of in-house IT, exposing both apps and network services to steadily growing risk. It creates a paradox: Companies can’t deny the benefits of third-party environments and application partnerships, but also can’t ignore the threat of app and data compromise or reverse-engineering and tampering.

In a recent developer survey, Xamarin.Android developers were 50% less likely to have included rooted device detection or anti-tamper prevention as their Java Android peers were. Yet, both sets of apps are being deployed through the same marketplaces onto the same devices and are governed by the same regulations (PCI, GDPR, HIPAA to name just a few that expect these kinds of controls).

Why are more Xamarin.Android apps going unprotected?

I recently had the opportunity to sit down with Sebastian Holst, PreEmptive’s Chief Strategy Officer, to talk about his most recent trip to Capitol Hill where the topic of the day was copyright protection for small businesses – and for development shops in particular.

The life of a security architect is rarely simple. Assessing, defending and improving corporate networks requires thorough knowledge of industry best practices designed to secure critical data, combined with real-world understanding of hacker tricks and tactics meant to undermine this purpose.

As noted by the InfoSec Institute, this is an in-demand job that often comes with high expectations, odd hours and the need for constant professional evolution to stay ahead of cybercriminal threats. Complicating matters is the breakneck pace of technological advancement. The rapid rise of cloud deployments, mobile applications and IoT devices can make even best-laid security strategies seem like flies in amber — hopelessly out-of-date and effectively immobile.

Here’s a look at what’s really bugging security architects — and how they can break the mold of static security to combat emerging threats.

PreEmptive Thoughts from Build 2017

Latest NIST publication reinforces Developer Obligations (and liability)

Put the Protection in the App

Untrusted Environments, Valuable Apps? Put the Protection in the App.

Are Xamarin.Android app users at risk?

Changes are coming for US Copyright – Should Developers Even Care?

Fly in Amber: What’s Bugging Infosec Architects?

Latest Blog Posts

Latest NIST publication reinforces Developer Obligations (and liability)

Put the Protection in the App

Are Xamarin.Android app users at risk?

Changes are coming for US Copyright – Should Developers Even Care?

Fly in Amber: What’s Bugging Infosec Architects?

Twitter