“That's the Cost that Comes with an Obfuscated Application; the Immediately Accessible Ways of Attacking it Are Taken off the Table”
Silo Busing 67: Andrew Whaley and Sam Rehman on App Security
Going mobile: It’s going to create vulnerabilities. That’s the way things work with apps. They aren’t just friendly pieces of software that help you beat traffic or bring your favorite tunes into your eardrums… they are opportunities, rich ones, for the bad guys.
Andrew Whaley, the Senior Technical Director (UK) at Promon and our guest on Silo Busting, says that with an app, “You have to be able to trust the security model that you've got around it.”
Whaley talks with Sam Rehman, our Chief Information Security Officer and SVP, about how apps operate on a client-server model, but “all the client code is distributed outside of your enterprise.” Some of these users could well be criminals who, once gaining access to that code, could "reverse engineer it and come up with ways to attack that.”
And the code in those apps can be a bit suspect. Whaley says that most apps are made up of 80% open-source software. “You know how many of those app developers go and build that source themselves from source and read over it before they compile?” he asks and then answers: “Probably close to zero.”
Speaking of putting the work in… Rehman talks about calibrating “the level of effort that the attacker would have to go through versus the yield.” The trick is, he says, layering on cybersecurity techniques “so that the yield is not worth it for them.”
Whaley replies that “once you layer obfuscation on, you then have this impenetrable forest” and that the “immediately accessible ways of attacking [an application] are taken off the table.”
Together they chat about supply chain attacks, nonlinear programming, and more. Tune in and be safe(r)!
Host: Glenn Gruber
Editor: Kyp Pilalas
Producer: Ken Gordon