Page 44 - MSDN Magazine, November 2017

SECURITY
Securing Data and Apps
from Unauthorized
Disclosure and Use
Joe Sewell
“Data breach.” These two words are the scariest words in software development. Software is all about the data—processing it, managing it and securing it. If an attacker can breach that data, your business could forfeit confidential information critical to your success, be subject to liability nightmares, and lose valuable brand respect and customer loyalty.
To manage this risk and comply with regulations like HIPAA and GDPR, wise developers and operations teams will implement security controls on databases and Web services. These controls include end-to-end encryption, rigorous identity management, and network behavior anomaly detection. In the event of a security incident, many such controls will react actively by recording incident details, sending alerts and blocking suspicious requests.
While these and other best practices can secure your server components, they don’t do as much for client software. And for your data to be useful, it must be exposed in some form to privileged users and software. How can you also be sure that your client software doesn’t cause a data breach?
For instance, many companies create software specifically for use by their employees, often designed to access sensitive corporate data. And while the Microsoft .NET Framework makes it easy to develop line-of-business (LOB) apps in languages like C# or Visual Basic .NET, those compiled apps still contain high-level metadata and intermediate code. This makes it easy for a bad actor to manipulate the app with unauthorized use of a debugger, or to reverse engineer the app and create a compromised version. Both scenarios could lead to a data breach, even if the server components are completely secure.
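The detect, report and respond pattern the article contrasts with passive measures, as a hand-written illustration for a .NET LOB client (this is an added example, not Dotfuscator-injected code and not from the article's download; the `DebuggerGuard` class, its method names and the caller-supplied `report` sink are assumptions):

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Hand-written debugger check for a .NET LOB client (added illustration, not
// code injected by Dotfuscator). Detects a managed or native debugger, reports
// the event, and refuses to hand out sensitive data while one is attached.
public static class DebuggerGuard
{
    // Native check covers debuggers that attach without the CLR's knowledge.
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent);

    // Detect: a managed debugger (e.g. Visual Studio) or a native one.
    public static bool IsDebuggerPresent()
    {
        if (Debugger.IsAttached) return true;
        bool native = false;
        try
        {
            using (var self = Process.GetCurrentProcess())
                CheckRemoteDebuggerPresent(self.Handle, ref native);
        }
        catch (DllNotFoundException) { /* non-Windows host: rely on the managed check */ }
        catch (EntryPointNotFoundException) { }
        return native;
    }

    // Report: the caller supplies the sink (event log, telemetry, alert) so this
    // class carries no logging dependency of its own.
    // Respond: return null instead of the payload so the UI degrades gracefully.
    public static string GuardSensitiveData(Func<string> loadData, Action<string> report)
    {
        if (IsDebuggerPresent())
        {
            report($"Debugger detected on {Environment.MachineName} for user {Environment.UserName} at {DateTime.UtcNow:o}");
            return null;
        }
        return loadData();
    }
}
```

A check written by hand like this one is easy to locate and step past once the assembly's metadata is loaded in a debugger, which is the limitation the article's injected checks are meant to address.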
While there are some measures you can take to guard against these attacks—Authenticode signing and code obfuscation, to name two—most of them are passive in that they merely deter attacks, rather than detect, report and respond to them. But, recently, new features in Visual Studio allow you to inject threat detection,
This article relies on a preview version of Dotfuscator Community Edition version 5.32. All information is subject to change.
This article discusses:
• Why clients that deal with sensitive data must be secured
• How an attacker can use debugging tools to compromise such clients
• How to use Runtime Checks to protect clients
• How Runtime Checks fit into a broader, layered approach to security
Technologies discussed:
Runtime Checks, Dotfuscator Community Edition, Visual Studio 2017
Code download available at:
bit.ly/2yiT2eY
40 msdn magazine