Application Hardening and Shielding - Revision history

Gtorok: Added NIST publications to regulations list

2018-07-31T17:11:49Z

Added NIST publications to regulations list

Gtorok: Combined definitions for app hardening and app sheilding

2018-03-21T19:43:31Z

Combined definitions for app hardening and app sheilding

Gtorok: Added an article on App Hardening and App Shielding

2018-03-15T15:03:03Z

Added an article on App Hardening and App Shielding

Gtorok: Initial creation

2018-03-08T21:44:55Z

Initial creation

New page

Application Hardening and Shielding
== Application Hardening ==
Application hardening: a means of reducing risks stemming from reverse-engineering, tampering, and invasive monitoring.
== Application Shielding ==
Application shielding: a means to help prevent, detect and/or respond to potential or actual application-level intrusions.
== Risks ==
For applications that process or give access to sensitive data or functionality, the potential risks of NOT applying some form of hardening and/or shielding may include:
*Intellectual Property theft
*Piracy
*Vulnerability discovery
*Malware-based exploits
*Unauthorized data access and breaches.
== Regulations ==
The growing emphasis on application hardening and shielding as a required application security layer is fueling regulatory and statutory changes including (but not limited to)
*2016: Defend Trade Secret Act and EU Directive 943: These coordinated updates to trade secret theft protection are notable in that reverse engineering is explicitly excluded from the definition of misappropriation (theft) – meaning that courts will not consider IP made accessible via reverse-engineering to be treated as a “secret” – and, as such, that IP could not be protected under these laws. This legislation created an entire new set of obfuscation use cases.
*2017: DFARS and PCI Mobile: In each of these two very different control frameworks, Least Privilege risk mitigation controls were updated to require active anti-debug & anti-root/jailbreak controls.
*2017: 2018 PCI PIN Entry and GDPR: Both transactional security and personal privacy standards declare code security and data protection to be inseparable – security by design and by default.
== Industry Consensus ==
One hundred percent industry consensus around application protection and security is impossible to achieve. However, OWASP is trying to create quality go-to guidelines. It recently released new protection guidelines around how mobile apps handle, store and protect sensitive information. For example, the
[https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf OWASP Mobile Application Security Verification Standard] under section V8: Resiliency Against Reverse Engineering Requirements among other things recommends that apps:
* Detect and respond to the presence of a jailbroken device
* Prevent or detect debugging attempts
* Include multiple defense mechanisms
* Leverage obfuscation and encryption
== Conclusion ==
Application hardening along with layered security measures are recognized as a critical component of overall IT compliance. Be familiar with applicable standards and regulations; and implement app development best practices to enhance security for all your apps that process or give access to sensitive data or functionality.
And, perhaps an obvious confirmation, but application hardening is meant to complement, not replace other security controls. See the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Security Testing Guide] for an comprehensive information on mobile application security.
== Further Reading ==
* [https://www.pcisecuritystandards.org/documents/PCI_Mobile_Payment_Acceptance_Security_Guidelines_for_Developers_v2_0.pdf PCI Mobile Payment Acceptance Security Guidelines for Developers]
* [https://gdpr-info.eu/art-25-gdpr/ GDPR - Data protection by design and by default]
* [https://www.congress.gov/bill/114th-congress/senate-bill/1890/text Defend Trade Secrets Act of 2016]
* [https://www.gartner.com/smarterwithgartner/five-mobile-app-security-techniques-hackers-dont-want-you-to-use/ Five Mobile App Security Techniques Hackers Don’t Want You to Use]

← Older revision		Revision as of 15:03, 15 March 2018
Line 31:		Line 31:
	* [https://www.congress.gov/bill/114th-congress/senate-bill/1890/text Defend Trade Secrets Act of 2016]		* [https://www.congress.gov/bill/114th-congress/senate-bill/1890/text Defend Trade Secrets Act of 2016]
	* [https://www.gartner.com/smarterwithgartner/five-mobile-app-security-techniques-hackers-dont-want-you-to-use/ Five Mobile App Security Techniques Hackers Don’t Want You to Use]		* [https://www.gartner.com/smarterwithgartner/five-mobile-app-security-techniques-hackers-dont-want-you-to-use/ Five Mobile App Security Techniques Hackers Don’t Want You to Use]
		+	* [https://dzone.com/articles/what-approach-to-application-hardening-is-right-fo Article:What Approach to Application Hardening is Right For You?]
		+	* [https://www.preemptive.com/blog/article/986-technology-trust-issues-when-running-in-untrusted-environments-try-application-shielding/102-mobile-protection Article:Technology Trust Issues When Running in UNTRUSTED Environments? Try Application Shielding]

@@ Line 10: / Line 10: @@
 *Malware-based exploits
 *Unauthorized data access and breaches
 == Regulations ==
 The growing emphasis on application hardening and shielding as a required application security layer is fueling regulatory and statutory changes including (but not limited to)
@@ Line 15: / Line 16: @@
 *<b>2017: DFARS and PCI Mobile:</b><br>In each of these two very different control frameworks, Least Privilege risk mitigation controls were updated to require active anti-debug & anti-root/jailbreak controls.
 *<b>2017: 2018 PCI PIN Entry and GDPR:</b><br> Both transactional security and personal privacy standards declare code security and data protection to be inseparable – security by design and by default.
 == Industry Consensus ==
 One hundred percent industry consensus around application protection and security is impossible to achieve. However, OWASP is trying to create quality go-to guidelines.  It recently released new protection guidelines around how mobile apps handle, store and protect sensitive information. For example, the
@@ Line 22: / Line 25: @@
 * Include multiple defense mechanisms
 * Leverage obfuscation and encryption
 == Conclusion ==
 App hardening and shielding along with layered security measures are recognized as a critical component of overall IT compliance. Be familiar with applicable standards and regulations; and implement app development best practices to enhance security for all your apps that process or give access to sensitive data or functionality.
 And, perhaps an obvious confirmation, but application hardening is meant to complement, not replace other security controls. See the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Security Testing Guide] for an comprehensive information on mobile application security.
 == Further Reading ==
 * [https://www.pcisecuritystandards.org/documents/PCI_Mobile_Payment_Acceptance_Security_Guidelines_for_Developers_v2_0.pdf PCI Mobile Payment Acceptance Security Guidelines for Developers]
@@ Line 30: / Line 35: @@
 * [https://www.congress.gov/bill/114th-congress/senate-bill/1890/text Defend Trade Secrets Act of 2016]
 * [https://www.gartner.com/smarterwithgartner/five-mobile-app-security-techniques-hackers-dont-want-you-to-use/ Five Mobile App Security Techniques Hackers Don’t Want You to Use]
 * [https://dzone.com/articles/what-approach-to-application-hardening-is-right-fo Article:What Approach to Application Hardening is Right For You?]
-* [https://www.preemptive.com/blog/article/986-technology-trust-issues-when-running-in-untrusted-environments-try-application-shielding/102-mobile-protection Article:Technology Trust Issues When Running in UNTRUSTED Environments? Try Application Shielding]
+* [https://www.preemptive.com/blog/article/1046-latest-nist-publications-reinforce-development-obligations-in-securing-data/106-risk-management Article:NIST Publications reinforce the importance of application hardening in securing data]

@@ Line 1: / Line 1: @@
 Application Hardening and Shielding
-== Application Hardening ==
-Application hardening: a means of reducing risks stemming from reverse-engineering, tampering, and invasive monitoring.
+== App Hardening and Shielding ==
-== Application Shielding ==
+A set of technologies that typically modify an application’s binary code to make it more resistant to reverse-engineering, tampering, invasive monitoring and intrusion. Enterprises harden their applications to protect their software assets and the data touched by the application.
 == Risks ==
-For applications that process or give access to sensitive data or functionality, the potential risks of NOT applying some form of hardening and/or shielding may include:
+For applications that contain unique IP or process sensitive data or functionality, the potential risks of NOT applying some form of hardening and/or shielding may include:
 *Intellectual Property theft
 *Piracy
 *Vulnerability discovery
 *Malware-based exploits
-*Unauthorized data access and breaches.
+*Unauthorized data access and breaches
 == Regulations ==
 The growing emphasis on application hardening and shielding as a required application security layer is fueling regulatory and statutory changes including (but not limited to)
@@ Line 24: / Line 23: @@
 * Leverage obfuscation and encryption
 == Conclusion ==
-Application hardening along with layered security measures are recognized as a critical component of overall IT compliance. Be familiar with applicable standards and regulations; and implement app development best practices to enhance security for all your apps that process or give access to sensitive data or functionality.
+App hardening and shielding along with layered security measures are recognized as a critical component of overall IT compliance. Be familiar with applicable standards and regulations; and implement app development best practices to enhance security for all your apps that process or give access to sensitive data or functionality.
 And, perhaps an obvious confirmation, but application hardening is meant to complement, not replace other security controls. See the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Security Testing Guide] for an comprehensive information on mobile application security.
 == Further Reading ==