Source Code, Please? Don’t Hand Hackers Your Vulnerabilities on a Silver Platter

September 25, 2017, by Gabriel Torok


Applications are under siege. As the recent Equifax breach and many others have demonstrated, hackers leverage everything from compromised mobile apps to cloud-based vulnerabilities. The result? Enterprise IT teams are recognizing that they are being targeted, and that their critical apps are the prime target.

The challenge? Enterprises are building more applications than ever, and those applications are being attacked more aggressively than ever, which creates a class of vulnerability many companies have not yet addressed at the enterprise level. If the code is open-source, or if the shipped binaries are easy to reverse engineer with free tools, hackers can review, debug and disassemble your application at their leisure and look for security vulnerabilities. It’s tantamount to handing over network security on a silver platter. Here’s how you can make that harder for them, and easier for enterprise-level IT and code security staff.

Root Causes

While there’s no single explanation for the rise of application compromise, it’s possible to identify key trends shifting the hacker market and making business apps top priority. Key drivers include:

  • Endpoint Explosion — As noted by Tech Target, estimates suggest that 30 billion connected devices will exist across public and corporate networks by 2020. The problem? Eighty-five percent of IT and networking professionals aren’t confident about the number of devices on their networks. As a result, hacked devices or endpoints may go unnoticed until hackers have penetrated deeply enough that removal is impossible and remediation is extremely difficult.
  • IoT Security — Internet of Things (IoT) devices are everywhere. From “smart” homes and cars to fitness trackers, connected watches, Web-enabled printers and point-of-sale machines, the sheer number of devices provides opportunities for motivated hackers. More worrisome? Poor security. According to Network World, product developers have underestimated the need for IoT security, with many devices running vulnerable services, or protected by default credentials — or none at all.
  • Copycat Code — There’s no reason for app developers to create all-new code from the ground up every time they write a new application. In fact, it’s long been considered a best practice *not* to do so. The problem? Using common code can lead to widespread and easily exploited vulnerabilities such as Heartbleed or WannaCry. And as the IEEE points out, there’s often a significant delay in patching multiple apps which contain the same flaw — in fact, the median number of vulnerable hosts patched after exploit discovery is no more than 14 percent.

Application Hacks are on the Rise

Think hacking is overblown?

Hackers recently exploited a flaw in the open-source Java server software behind the Equifax site (a flaw that is discoverable by reading the code) to steal records containing personal information on up to 143 million American consumers. With open-source code, a hacker can simply monitor releases and diff them to see what code was patched, and then target systems that have not yet applied the fix.

And consider a recent ZDNet piece, which reports an “unpatchable” flaw that attackers could exploit to take control of airbags, ABS brakes and power-steering, or remotely shut down any of the vehicle’s computerized components.

Or take a look at something really worrisome: The recent FDA recall of 465,000 pacemakers because they contained vulnerabilities which let hackers gain complete control. While previous attempts at hacking pacemakers showed that it was possible and the FDA began issuing warnings against potential backdoors in 2012, it’s clear the message didn’t quite hit the mark.

According to ICS-CERT, pacemakers manufactured by Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI prior to August 28th, 2017 are vulnerable. Fortunately, a three-minute firmware fix will solve the problem but until that happens hackers could “gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of a pacemaker.” Three types of vulnerabilities were identified: Improper authentication, improper restriction of power consumption and missing encryption of sensitive data.

A Vulnerability Example

An important step every organization should take is to first find and fix all potential vulnerabilities, but it might be literally impossible to find them all. As an example, improper authentication happens when application code doesn’t prove or insufficiently proves that users are who they claim to be. If this flaw is missed then hackers could compromise admin functions. The flaw might take the form:

// Deliberately flawed: the server trusts a client-supplied "loggedin" cookie,
// so a client that sends loggedin=true never reaches AuthenticateUser() at all.
if (GetCookie("loggedin") != "true") {
   if ( !AuthenticateUser(username, password) ) {
      throw new NotAuthenticatedException("You need to log in first.");
   } else {
      SetCookie("loggedin", "true");
   }
}

If a hacker has access to the code above, they would quickly discover that the server is improperly trusting a client-provided cookie, and they could easily bypass the authentication check.

Target Hardening

So how do companies handle the triple threat of increasingly quick app development, an unknown number of holes to plug, and the availability of common code for hackers to examine and exploit? Think about it like this: Just as every home is potentially vulnerable to burglary, so is every app vulnerable to compromise. If criminals are determined enough, they’ll find a way to break in and grab anything valuable.

As a result, companies need to adopt the practice of “target hardening.” Recommended to homeowners by many police agencies, it’s the process of limiting obvious vulnerabilities to convince bad actors they should pick another target. For houses this means installing security cameras, using automatic lights and ensuring valuables such as jewelry, wallets and keys are kept out of sight. For applications this means leveraging security solutions that can find and fix vulnerabilities, detect unwanted intrusion and remove access to source code. Could hackers still find it if they look hard enough? Absolutely. But moving code out of plain sight and eliminating common security issues — such as not quickly patching known vulnerabilities, fixing easily-manipulated SQL queries, etc. — can frustrate attackers. And if hackers can’t find easy ways to compromise apps, they may look elsewhere.

For the enterprise-level CIO, this means they need to take control of app development throughout their entire organizations, and not rely on development teams to take the necessary “target hardening” steps on their own. Uniform code security policies and practices must be mandated and standardized for complete and proper protection.

Bottom Line

Software is more and more critical to every aspect of business, and limited development time pushes IT to use common code and get code out quickly — and no matter how much you try, some critical vulnerabilities might slip through. Reduce the risk a bit more and make hackers work harder for smaller gains by keeping your proprietary source code under wraps and better understanding the risks if you use open-source.
