Application Security Trends & Tools from Black Hat 2018

By Scott Young

Solutions Architect

I spent the better part of last week with a few of my 3Pillar colleagues in Las Vegas at the annual Black Hat security conference. What happens in Vegas may stay in Vegas, but I’ve always been a bit of a contrarian. That being the case, I wanted to share a few observations from my first time at Black Hat that others in the application security space may find insightful.

Just Because You’re in Security Doesn’t Mean You Can Skimp on UX

An effective user experience is necessary for any security product to be successful in a market that sees the number of vendors rapidly multiply each year. This is a thread that was echoed in a number of talks, including from 3Pillar’s own CTO Jonathan Rivers.

A couple of simple examples illustrate how unaddressed UX failures can weaken application security.

Take the dreaded mandatory annual security training. If an employee is bored and uninterested, they will avoid the training as long as humanly possible, and when they finally cannot avoid it any longer, they will do the absolute minimum to check the compliance box. The structure of the training is important, but so is how it is presented. User research, prototyping, and analytics are all critical to building something that people actually want to use. When they want to use it, they will engage with the content and actually get something from the experience.

Similarly, UX plays an essential part in making security operations teams effective. Operations teams are bombarded with a constant flow of information, much of it background noise. An effective UX reduces the chance of missing that one critical alert. It's not just about getting the right information; it's about presenting it in a way that is usable in the moment.

2 Tools You Can Use to Build More Secure Software

In addition to the UX focus, one of my favorite parts of Black Hat was getting the opportunity to hear about tools that can be used to build solid, secure applications.

If you’re looking to add new tools to your security repertoire, here are a couple I was impressed with that you may also want to check out:

  • Veracode Static Analysis: An enterprise-level static analyzer with IDE, build-management and ticketing integration; broad language support; and SaaS delivery, so you don't have to host it.
  • Checkmarx: A focus on DevSecOps; incremental scanning to produce reports quickly; great remediation guidance; self-hosted options so you keep control of your code.

Both tools and vendors are on Gartner’s 2018 Magic Quadrant for Application Security Testing and are good, solid choices.

Jscrambler: Best in Show Tool for Application Builds

From an application build perspective, the best product was clearly Jscrambler.

Jscrambler focuses on application security within the browser. With more and more application logic implemented within the browser, JavaScript has become a rich source of information for attackers. Code obfuscation tools such as Obfuscator provide good protection, but Jscrambler goes a lot further by also signing the code and preventing code tampering through anti-tampering and anti-debugging techniques. The tool protects against code injection such as man-in-the-browser (MitB) attacks, malicious extensions, client-side XSS, and malicious or compromised third-party code, including zero-day attacks.

Jscrambler can be added to your CI pipeline (think Jenkins) as part of your build or deployment actions. Licensing is a little strange, but persevere. It’s worth it.


About The Author

Scott Young is a Solutions Architect for 3Pillar Global, specializing in AWS cloud architecture and optimization. Scott has over 25 years of experience in software development, with expertise in full stack and agile development and certifications for both AWS and TOGAF.
