August 20, 2018

Application Security Trends & Tools from Black Hat 2018

I spent the better part of last week with a few of my 3Pillar colleagues in Las Vegas at the annual Black Hat security conference. What happens in Vegas may stay in Vegas, but I’ve always been a bit of a contrarian. That being the case, I wanted to share a few observations from my first time at Black Hat that others in the application security space may find insightful.

Just Because You’re in Security Doesn’t Mean You Can Skimp on UX

An effective user experience is necessary for any security product to succeed in a market where the number of vendors multiplies every year. This thread was echoed in a number of talks, including one from 3Pillar’s own CTO, Jonathan Rivers.

A couple of simple examples illustrate how unaddressed UX failures end up weakening application security.

Take the dreaded mandatory annual security training. If an employee is bored and uninterested, they will avoid the training as long as humanly possible, and when they finally cannot avoid it any longer, they will do the absolute minimum to check the compliance box. The structure of the training matters, but so does how it is presented. User research, prototyping, and analytics are all critical to building something that people actually want to use. When they want to use it, they engage with the content and actually get something from the experience.

Similarly, UX plays an essential part in making security operations teams effective. Operations teams are bombarded with a constant flow of information, much of it background noise. An effective UX reduces the chance of missing the one critical alert in that stream. It is not just about getting the right information; it is about presenting it in a way that is usable in the moment.

2 Tools You Can Use to Build More Secure Software

In addition to the UX focus, one of my favorite parts of Black Hat was getting the opportunity to hear about tools that can be used to build solid, secure applications.

If you’re looking to add new tools to your security repertoire, here are a couple I was impressed with that you may also want to check out:

  • Veracode Static Analysis: An enterprise-level static analyzer with IDE, build-management and ticketing integration; broad language support; and delivery as SaaS, so there is nothing for you to host.
  • Checkmarx: A focus on DevSecOps, with incremental scanning that returns reports quickly; strong remediation guidance; and self-hosted options so you keep control of your code.

Both vendors appear in Gartner’s 2018 Magic Quadrant for Application Security Testing, and both tools are good, solid choices.

Jscrambler: Best in Show Tool for Application Builds

From an application build perspective, the best product was clearly Jscrambler.

Jscrambler focuses on application security within the browser. With more and more application logic implemented in the browser, JavaScript has become a rich source of information for attackers. Plain code-obfuscation tools such as Obfuscator provide a degree of protection, but Jscrambler goes further by also signing the code and resisting modification through anti-tampering and anti-debugging techniques. The vendor positions the tool as protection against client-side code injection such as man-in-the-browser (MitB) malware, malicious browser extensions, client-side XSS, and malicious or compromised third-party code, including zero-day attacks. As with any client-side control, these measures raise the cost of an attack rather than eliminate it; the attacker still owns the browser, so server-side validation remains the authority.
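To make the anti-tampering idea concrete, here is an added example (written for this recap, not Jscrambler’s or any other vendor’s code) of the self-integrity check that protection tools build into a bundle: a checksum of a critical function’s source text is recorded at build time and re-verified before the function is trusted at runtime. The FNV-1a hash, the `validateTransfer` business rule and the tampered replacement are all constructed for the illustration.

```javascript
// Added example: a minimal self-integrity (anti-tampering) check of the kind
// browser-side protection tools weave into application code. Illustrative
// code written for this post, not Jscrambler's implementation.

// FNV-1a 32-bit hash over a string. Chosen because it runs anywhere with no
// imports; a real tool would use a strong digest (e.g. SHA-256 via
// SubtleCrypto) and hide or randomise the check itself.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// The "protected" business logic (constructed): a client-side check that a
// transfer amount is positive and within a limit before the request is sent.
// Someone editing this in DevTools or via a malicious extension could bypass
// the limit, which is exactly what the integrity check is meant to notice.
function validateTransfer(amount, limit) {
  return Number.isFinite(amount) && amount > 0 && amount <= limit;
}

// Build-time step (simulated here): record the checksum of the function's
// source text. In a real pipeline the build bakes this constant into the
// shipped bundle.
const EXPECTED_CHECKSUM = fnv1a32(validateTransfer.toString());

// Runtime guard: recompute the checksum of whatever function is about to be
// trusted and compare it with the build-time value before calling it.
// Returns an object so callers (and tests) can see what happened.
function guardedValidateTransfer(fn, amount, limit) {
  if (fnv1a32(fn.toString()) !== EXPECTED_CHECKSUM) {
    // Tampering detected: fail closed and let the app react (report, reload,
    // refuse to continue). Never fall back to the untrusted function.
    return { tampered: true, allowed: false };
  }
  return { tampered: false, allowed: fn(amount, limit) };
}

// Simulated attacker (constructed): replaces the rule with one that approves
// everything. Its source text differs, so its checksum no longer matches.
function tamperedValidateTransfer(amount, limit) {
  return true;
}
```

Calling `guardedValidateTransfer(validateTransfer, 50, 100)` approves the transfer, while `guardedValidateTransfer(tamperedValidateTransfer, 500, 100)` reports `tampered: true` and refuses. The important caveat is that the attacker controls the client: they can patch the guard, the hash, or `Function.prototype.toString` just as easily as the business rule. Commercial tools make that harder by hiding and randomising the checks, chaining them so that disabling one breaks others, and pairing them with anti-debugging, but none of it substitutes for enforcing the same rule on the server.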

Jscrambler can be added to your CI pipeline (think Jenkins) as a step in your build or deployment jobs. Licensing is a little strange, but persevere. It’s worth it.

Spread the Word

If you like this Black Hat recap, help us spread the word about it via the Better Click to Tweet feature or the social media icons at the bottom of the post.

Suggested tweet (@3pillarglobal): “Couldn’t make it to #BlackHat? Scott Young has you covered. See why he came away recommending @Veracode and @Checkmarx to build more secure #software + why he thought @JScrambler was best in show for application build tools.”