I just read the Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2018.
Forrester reminds us all that “Risk and compliance management is more important than ever, thanks to the increasingly intangible nature of business value and the growing risk of violating customer trust.”
IT security is a hot topic, and no wonder — major healthcare, finance and government breaches have all made headlines in recent months prompting both federal agencies and compliance organizations to draft new security standards. As noted by Tech Target, regulations under Sarbanes-Oxley, PCI-DSS and HIPAA all lay out clear expectations for companies when it comes to protecting network assets, personal data and critical infrastructure.
Software, meanwhile, has historically escaped the reach of these regulations, largely thanks to the rapid uptake of mobile and web-based applications: The sheer number and type of cloud-enabled offerings and now IoT-connected software made it difficult for governing bodies and compliance agencies to define meaningful standards that improved overall security. But, just as cloud computing went through a “wild west” period of rapid expansion followed by increasing scrutiny and regulation, software and application development is now on the receiving end of emerging security regulations.
Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)
Regulators, standards bodies and IT auditors have become increasingly likely to recommend an absolute prohibition of rooted Android devices in production environments. As the 2017 PCI Mobile Payment Acceptance Security Guidelines state, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”
It is only natural that the apps themselves rise up to act as a ubiquitous governance, risk, and compliance management layer – preventing, detecting, responding, and reporting on threats - including those posed by unauthorized rooted devices.
When perimeters are breached, identities stolen and malware launched, encryption stands as information’s last line of defense. Without effective encryption policies, you will first be victimized and then held liable (punished) by every information stakeholder (customers, partners, investors, regulators, the courts, etc.).
Just this week, Wired led with the headline Tinder’s Lack of Encryption Lets Strangers Spy on your Swipes where they wrote in part:
“In 2018, You'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, … But if you assumed that basic privacy protection for the world's most popular dating app, you'd be mistaken.”
Java 9 is an unusually-complex Java release. It comes with deep changes to some long-held norms, compatibility-breaking changes at build time and run time, and a new release cadence. There's a lot of great stuff, but development teams face tough decisions about what to migrate, how to migrate it, and when to do so.
Here at PreEmptive, we have an especially-complex problem because our flagship Java application, DashO, runs on the Java platform, integrates deeply with the Java platform, and supports apps developed with nearly all versions and implementations of the Java platform. DashO's migration to Java 9 requires deep understanding and extensive care to ensure that DashO continues to be able to inspect, obfuscate, and inject code into apps across all those platforms, while preserving behavior, performance, stability, and portability.
So we've been hard at work on our own migration plans, and we want to share what we've learned. Hopefully this article will make your Java 9 migration planning a little easier.
First, thanks to PreEmptive for inviting me to do a guest post.
Since you're reading this on preemptive.com, you are already aware and probably concerned with the importance of planning for security in application development. And in this guest blog post, I want to address specifically the security vulnerabilities that legacy applications present to your entire organization.
If the Equifax hack wasn't a wakeup call for your entire appsec team, you're probably headed for an earlier retirement than you might otherwise have planned for.
Applications are under siege. As demonstrated by the recent Equifax breach and many others, hackers leveraged everything from compromised mobile apps to cloud-based vulnerabilities. The result? Enterprise IT teams are recognizing that they’re being targeted – particularly their critical apps.
We have just released Dotfuscator Professional 4.31 and it’s available for immediate download (both for clients and as a free evaluation).
Dotfuscator Professional 4.31
- Extends its application protection to new development communities for the very first time.