Web application security: The piece you’re probably missing

While most organizations recognize the need to protect their web apps, their efforts tend to focus on the server side, leaving a critical attack vector exposed: the client side. The fact of the matter is the entire web application ecosystem must be protected, end to end, and that includes mobile, JavaScript, desktop, server and API.

Are you only protecting your backend?
Web applications are client-server apps, performing operations on clients (front end) as well as servers (back end). Since servers reside on your corporate network, conducting transactions and maintaining high-value information such as usernames, passwords and usage data collected by the application, they are enticing targets for attackers.

To protect your business, data and customers, you have probably already deployed traditional application security tools in front of your server. A common choice is a web application firewall (WAF), which inspects incoming HTTP traffic for known attack patterns. However, even a WAF that claims to operate at the application layer sees only the requests that arrive over the network; it cannot see what is happening on, or through, the browser (the client side).

Why network security alone is insufficient
An attacker who studies the client code in the browser to learn how the application behaves never touches the WAF, so it is none the wiser. Worse, that knowledge of what the application's legitimate requests look like lets the attacker craft traffic that appears normal to the WAF and slips past it.

Attackers know that a weakness on the client side can be a path to the server, and that risk only grows as more application logic executes in the browser. JavaScript is also becoming more capable: frameworks such as ReactJS and AngularJS are used to build single-page application user interfaces with more functionality and deeper back-end integration than ever before.

The more we rely on browsers to perform complex tasks, the bigger the attack surface grows. Unprotected JavaScript is a particularly compelling target: it is delivered to the browser in readable form, so an attacker can read it as easily as your developers can. That is not a vulnerability in itself, but it lets an attacker reverse engineer the application to understand its logic and exactly how it talks to the server. In addition, any API key or other secret embedded in client-side code should be treated as public; if such a key grants more access than the client needs, you are handing out direct access to your backend. The more easily an attacker can understand web app code, the faster and more precisely they can attack your server. As reported by CSO Online, the average cost of such a breach is $3.5M.
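The embedded-key problem above is easy to catch before a build ships. The following is an added example, not code from the original article: a small Node.js scanner that walks a client bundle looking for credential-shaped strings. The sample bundle, the key formats it recognises and the entropy threshold are assumptions chosen for illustration; the fake keys follow only the shape of real ones.

```javascript
'use strict';

// Constructed sample bundle standing in for a real build artifact. The keys are
// fake and follow only the shape of real ones (assumption: adapt PATTERNS to
// the credential formats your own stack uses).
const SAMPLE_BUNDLE = `
const config = {
  apiBase: "https://api.example.test/v1",
  publicSiteKey: "site-1234",           // short, low-entropy: fine to ship
};
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";  // AWS access key ID shape
fetch(config.apiBase + "/orders", {
  headers: { "x-api-key": "sk_live_51H8x3kZq9pL2mN4vB7cD0eF6gH1jK3" }
});
`;

// Vendor-specific shapes are reported on sight. The generic pattern catches
// anything named like a credential that is assigned a long string literal;
// its captured value (group 1) is then screened by entropy to skip placeholders.
const PATTERNS = [
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'Google API key', re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  {
    name: 'credential-like assignment',
    re: /["']?(?:api[_-]?key|secret|token|password)["']?\s*[:=]\s*["']([^"'\s]{16,})["']/gi,
    group: 1,
  },
];

// Shannon entropy in bits per character; real secrets sit well above 3.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns one finding per suspected secret: what it looks like, where it is,
// and a truncated preview (never log the whole value into a build log).
function scanBundle(source, { minEntropy = 3.0 } = {}) {
  const findings = [];
  for (const { name, re, group } of PATTERNS) {
    re.lastIndex = 0; // the regexes are global and shared; reset between scans
    let m;
    while ((m = re.exec(source)) !== null) {
      const value = group ? m[group] : m[0];
      const entropy = shannonEntropy(value);
      if (group && entropy < minEntropy) continue; // "aaaa..." placeholders etc.
      findings.push({
        kind: name,
        line: source.slice(0, m.index).split('\n').length,
        preview: value.slice(0, 8) + '...',
        entropy: Number(entropy.toFixed(2)),
      });
    }
  }
  return findings;
}

// CI gate: a bundle with any finding must not be deployed.
function hasShippableSecrets(source) {
  return scanBundle(source).length > 0;
}

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.kind} (${f.preview}, entropy ${f.entropy})`);
}
```

Anything the scanner reports is already public to every visitor, so the fix is never to hide the key better in the bundle but to move it behind a server-side endpoint that holds the real credential and hands the browser only a short-lived, narrowly scoped token. Wiring `hasShippableSecrets` into the build makes a deployment that embeds a secret fail before it reaches users.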

How to protect the client side
Web apps can be protected by inserting protective code during development that obfuscates the JavaScript and deters reverse engineering. JavaScript can be protected with obfuscation, encryption and additional techniques designed to frustrate attackers, and runtime application self-protection (RASP) can detect whether the JavaScript has been modified. Obfuscation raises the cost of analysis rather than preventing it, so it complements, rather than replaces, keeping secrets and authorization decisions on the server. These precautions help protect client-side web applications, add a layer of protection for the server, and so help prevent a breach and the brand damage, financial loss, intellectual property (IP) theft and government penalties that follow.

Secure both client and server to protect your business
When starting any web app project, plan to protect the entire application ecosystem. Unfortunately, web app front ends have been notoriously ignored while organizations focus on securing the back end. Left unprotected, the front end becomes a useful tool for attackers, giving them a map of the server-side assets they want to target. By taking a comprehensive server and client approach to application security, organizations avoid locking one door only to leave another open.

The post Web application security: The piece you’re probably missing appeared first on SD Times.

via Click on the link for the full article

Samsung Galaxy Watch review

The industry is forever chasing the Apple Watch. After all, the smartwatch has been a rare bright spot in a plateauing wearables category. Even Fitbit recently found itself heading in that direction, finding a fair bit of success with the Versa.

Samsung’s approach, on the other hand, has always been very, well, Samsung. The company’s watches are big, hulking things, covering chrome with a kind of Swiss Army knife approach customary of its various other products.

Announced alongside the Note 9, the Galaxy Watch wasn’t the departure many expected. While the name implied a potential shift toward Android Wear, the company is intent on sticking with Tizen. And why not? Samsung’s spent a lot of time making Tizen its own — multiple generations have been devoted to tweaking the operating system to its specifications.

It’s the result of a pretty clear cost-benefit analysis. The biggest drawback of not embracing Wear OS is the relative lack of third-party app support on Tizen. The biggest advantage: support for Samsung’s unique bezel-based navigation. To this day, it’s the best of the bunch, beating the more finicky crown control most of the competition relies on. It was an early choice for the company and continues to be one of the best elements of Samsung’s watches.

That’s as solid a foundation as any, really. Several different models have helped the company fine-tune its watch offerings, including last year’s Gear Sport, which finally found Samsung introducing a much more manageable 42mm model. It was the first such device from the company that recognized not every user is looking to place a massive device on their wrist.

The fact that there’s been a name change here owes much more to branding than it does any sort of radical departure on the hardware side. Instead, the watch is more of a fine-tuning for the line. Multi-day life aside, there’s not enough here to justify an upgrade for those who own a recent generation, but over the course of several years, Samsung has slowly been fine-tuning one of the better smartwatches in the game.

I wore the Galaxy Watch around for a few days, and used every opportunity I could to quiz others on their thoughts about the aesthetics. The results were largely positive. I don’t know that any onlookers were particularly wowed, but in most cases folks said they would consider wearing the watch. That’s certainly something.

Samsung’s among the companies that have subscribed to the notion that smartwatches ought to look like watches — an entirely different school than the Apple Watches and Fitbit Versas of the world. If I’ve had one complaint about the company’s design choices, it’s the push toward over-detailing — all of the numbers and notches. The design language clearly draws inspiration from sport watches.

For me, the pinnacle of the line was the hyper minimalist S2. It was subtle, modern and went pretty well with just about anything else you had on, from work to work out. Samsung, clearly, has gone in an altogether different direction here, targeting those who have a fondness for the classic outdoor style from companies like Casio. That said, the design is thankfully more subtle than past versions (see: the Gear S3 Frontier).

More importantly, in terms of appealing to a wider audience, the watch finally gets two distinct sizes — 42 and 46mm. The groundwork for the decision was laid with the last year’s Gear Sport, which brought a smaller size into the mix. The addition of the 42mm case makes the Sport somewhat redundant, though the company tells me it’s keeping it around for the time being.

It’s a smart move on Samsung’s part. By just going large with the watch, the company was ceding a large potential user base to Apple, including a big portion of female smartwatch wearers. Now that Fitbit is serious about smartwatches, the company clearly needs to do more to appeal to a larger segment of Android users.

The company’s watches have always felt large on me, and I’m around six feet tall. When I asked smaller colleagues to try them out, they looked downright cartoonish. The 42mm version fits much more comfortably on my wrist — though if you have a smaller stature, I’d strongly encourage finding a store and trying one on first. Even the smaller version is by no means compact.

The spinning bezel is back, because of course it is. It’s long been the best part of Samsung’s watches. It’s also the best smartwatch control mechanism in the industry, including Apple’s crown. It’s swift, it’s smooth and it’s much easier to use when exercising. That said, I still find myself using the side buttons with more frequency — they’re a much easier way to get where you’re going quickly.

The bezel is apparently the main reason for keeping Tizen around — Wear doesn’t support that sort of input method. And honestly, it’s a pretty good justification. Besides, Samsung’s done a lot to tweak the operating system to its specifications, and we’ve got a pretty good and well-rounded wearable operating system as a result.

There are a number of good reasons to go with Google’s OS, including better Android integration and a more robust app store, but Samsung’s always been interested in developing its own ecosystem — and besides, Tizen isn’t broken, so Samsung ain’t fixing it, as the saying goes.

Exercise tracking is another bit that’s benefited from several generations of tweaks. Fitness is pretty widely understood as the primary driver of smartwatches’ purposes, in spite of the existence of fitness trackers, and as such, all the major players are constantly attempting to one-up one another.

There’s nothing exceptional here on the exercise side, but the Galaxy Watch is a workhorse. There’s autotracking on board and 40 trackable exercises. I’m a runner, and found the tracking to work pretty well, along with plenty of reminders to get off my lazy ass. Not great for my self-esteem, but good for my waistline, I suppose.

There’s sleep tracking on board, as well, though that’s become a pretty standard feature across all of these devices. More compelling is the addition of stress tracking. The feature reads the wearer’s vital signs to paint an overall picture of their mood. I’m sure the science behind all of this is lacking, and it generally read me as “neutral” (which, as anyone who has ever met me will tell you isn’t the best word).

That said, I’m sure there’s something in the psychology of it all. Like Fitbit and Apple’s reminders to breathe, there’s something to be said in the simple act of taking a moment to recognize your mood. Like a meditation body scan that reminds you that you’re constantly clenching your jaw, focusing on your mood and breathing goes a surprisingly long way toward de-stressing.

The Galaxy Watch isn’t the revolution Samsung suggested (but marketers are gonna market). That the company spent so little time on the product during the recent Note 9 event was at least partially a product of the fact that it’s more fine-tuning than anything else. There is, however, one piece that really stands out — and it’s perhaps the largest quibble with the smartwatch category of all.

Samsung says the 42mm’s 270 mAh battery will get you up to three days of life and the 46’s 472 mAh will get you up to four. That’s a bit of wishful thinking in my experience, but it’s not far off. Wearing the watch straight both day and night, I was able to squeeze just over two and a half days — pretty impressive, so far as smartwatches go. It’s also a bit of a necessity for something designed to be worn to bed.

It’s the best addition to the watch this time out. It’s not enough to help the device truly stand out from an overcrowded and underselling category — especially one where a single player is utterly dominating the sales charts. But Samsung’s still got one of the better devices in the game.

The pricing remains, well, pricey. The 42mm runs $329 and the 46mm is $349. It’s an additional $50 to upgrade either one to LTE. That puts the product roughly on par with the Apple Watch. From an Android user’s perspective, however, the real competition is the far cheaper ($200) Versa. Things have shifted a bit since Samsung’s last major watch release, with Fitbit becoming the major player in the Android-compatible smartwatch field. Samsung’s at a bit of a crossroads.

For now, the company seems content to go directly after Apple. Competing on that field is going to take some serious innovating. The Galaxy Watch isn’t that, but it’s a perfectly solid choice for Android users.


BlackRock pushes for separation of powers at Tesla

The world’s largest investor is joining the chorus of voices pushing for a separation of powers at the electric vehicle, solar panel and battery manufacturer, Tesla.

Funds managed by BlackRock, a top 10 shareholder in the electric vehicle company run by Elon Musk (and the manager of roughly $6.3 trillion in global assets), joined calls for the creation of an independent chairman position at Tesla.

The shareholder initiative, which was solidly defeated, would not have affected Musk’s standing as chief executive.

News of BlackRock’s push comes as a new article in The Wall Street Journal further underscores the autocratic ways in which Musk manages his electric vehicle startup, and highlights the singular grip Musk has on his companies and the public’s perception of them.

While the technology industry is famously known for catering to the whims of authoritarian executives, Musk’s recent behavior on social media, with the press, and in private has damaged the company’s stock price and caused some concern even within his own boardroom.

Warren Buffett has even weighed in on Musk’s social media use.

In an emailed statement to Reuters, which first noticed the filing, a BlackRock spokesperson said:

“BlackRock’s approach to investment stewardship is driven by our fiduciary duties to our clients, the asset owners. Our approach to engaging with companies and proxy voting activities is consistent with our commitment to drive long term shareholder value for our clients.”

Musk has had a particularly rough August since he first floated on Twitter, and then rescinded, a plan to take Tesla private.

Tesla shares are down roughly 1% in midday trading on the Nasdaq.


The mass exodus at Social Capital continues

Something is going on at Social Capital.

A series of departures continued this morning at former Facebook executive Chamath Palihapitiya’s venture capital firm, with Mike Ghaffary, a partner since August 2017, announcing he was moving on to focus on angel investing.

That’s just a day after Ashley Mayer, a partner and VP of marketing since 2015, said she was departing the firm to pursue “new adventures.”

The pair of exits is just the latest in a line of high-profile departures for the firm. We’ve reached out to Palihapitiya for some explanation.

The mass exodus began when Mamoon Hamid, who founded Social Capital with Palihapitiya in 2011, joined Kleiner Perkins as a general partner last August. At the time, Palihapitiya said it was “a great opportunity for Mamoon” and that the firm was “happy for him and Kleiner Perkins.”

The string of exits continued in June, when partner Arjun Sethi left to launch his own firm, Tribe Capital, which is reportedly focused on cryptocurrency and blockchain startups. He was immediately followed out the door by growth equity chief Tony Bates and vice chairman Marc Mezvinsky.

Bates and Mezvinsky had only been with the firm about a year. 

Social Capital invests across several sectors, with a portfolio that includes Slack, Bustle and cryptocurrency trading business Digital Currency Group. The firm is known for favoring innovative investment strategies. Last fall, for example, it began investing in startups sight unseen through a new program called “capital-as-a-service.”


Google introduces multi-language, cross-platform cryptographic library

Google wants to ensure developers have the tools necessary to protect user data with the open-source release of Tink. This new project is a multi-language, cross-platform cryptographic library designed to ship secure cryptographic code.

“At Google, many product teams use cryptographic techniques to protect user data. In cryptography, subtle mistakes can have serious consequences, and understanding how to implement cryptography correctly requires digesting decades’ worth of academic literature. Needless to say, many developers don’t have time for that,” Thai Duong, information security engineer for Google, wrote in a post on behalf of the Tink team.

According to the company, Tink is already being used in its services like AdMob, Google Pay, Google Assistant, Firebase, and the Android Search App.

With the announcement of the open-source library, the team also announced Tink 1.2, a new version that supports cloud, Android and iOS. In addition, the latest release adds support for C++ and Objective-C. Operations the Tink library can perform include data encryption and digital signatures.

“Tink aims to provide cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Tink is built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, but includes countermeasures to many weaknesses in these libraries, which were discovered by Project Wycheproof, another project from our team,” Duong wrote.

Other features include key management support, the ability to state the security properties a primitive claims to provide, isolation of APIs for potentially dangerous operations, and support for custom cryptographic schemes or in-house key management systems.

The post Google introduces multi-language, cross-platform cryptographic library appeared first on SD Times.


Mynewsdesk acquires web monitoring service Mention

Communications workflow company Mynewsdesk is acquiring French startup Mention for an undisclosed sum. Norwegian business media group NHST currently owns Mynewsdesk.

Mention lets you monitor keywords around the web. It’s a good way to hear what customers are saying about your brand on their blog, on Twitter, on Facebook or anywhere that is public.

You can also use Mention to generate reports, study competitors to see if people are talking about them and find influencers who use your products. It can be a useful tool for PR and marketing companies for instance.

Mynewsdesk wants to be an all-in-one tool for PR agencies. It can also help you track media coverage, but it goes a bit further than that. You can organize your media contacts in the service and segment your distribution list, write and distribute press releases and measure your campaigns.

It’s clear that Mention fits well with Mynewsdesk. Mention will stick around as a standalone product for now. But it feels like the monitoring feature of Mynewsdesk could benefit from Mention’s expertise in this area.

Mention currently has 750,000 users, including 4,000 customers. It generates $6 million in annual recurring revenue with a 35 percent growth rate year-over-year. Investors include eFounders, Alven and Point Nine Capital. Mention co-founder and CEO Matthieu Vaxelaire is becoming COO at Mynewsdesk.


Apple’s new iOS 12 beta fixes the annoying ‘please update’ bug

iOS 12 beta testers have been plagued with a frustrating bug that continually pops up messages alerting them that a new iOS update is available when, in fact, it’s not. Apple has now fixed this bug, which is patched in the latest iOS 12 betas rolling out now, we understand.

The bug had first made headlines on Thursday, when a number of iOS 12 beta testers – including developers and those on the public beta program – began to complain on social media about the problem. All users were seeing a pop-up message that read, “A new iOS version is now available. Please update from the iOS 12 beta.”  

Users could close this window with a tap, but the same pop-up would reappear at regular intervals. There was nothing to be done about it, because the message itself was wrong – there was no new beta available for download at the time.

Some people figured out that you could adjust the system date and time to turn off the non-stop notifications, but this was bad advice. Messing around with the system clock can introduce a host of other issues, like missing calendar appointments or reminders, for example.

Apple was aware of the issue, and has thankfully introduced a fix before the long holiday weekend here in the U.S.

The fix is available in both the new developer beta and the public beta, out now.


Wish, Netflix, Uber and ~100 others testing WhatsApp’s new Business API

Earlier this month, WhatsApp announced the launch of its first revenue-generating enterprise product, the WhatsApp Business API. The API allows businesses to respond to messages from WhatsApp users for free up to 24 hours, then charges for any responses after that point on a per message basis. Though still in a limited preview, the company is now supporting around 100 businesses directly on its API platform, including airlines, e-commerce companies, banks, and others like Uber and Netflix, and plans to onboard many more in the months ahead.

Because businesses have to first apply to gain access to the API, there’s some misinformation floating around on backchannels about how to get approved.

For example, some industry sources have been telling partners that no U.S.-based businesses are being onboarded to the API at this point. This is untrue, WhatsApp says. In fact, there’s a public site where U.S. companies Uber and Wish are featured as “customer stories.” We also understand that U.S.-based Netflix is testing the API, though not for use in the U.S. for the time being.

Others listed on WhatsApp’s website include Booking.com, MakeMyTrip, B2W, iFood, Singapore Airlines, Melia Hotels, KLM, Bank BRI, absa, Coppel, and Sale Stock.

WhatsApp isn’t limiting access to the API based on where companies are located, it says, nor does it have requirements for those businesses – like how many messages they need to send per month.

The latter is another piece of misinformation out there, as businesses try to decipher who’s getting in. Some have been saying that API customers need to send at least 100,000 messages a month, if they expect WhatsApp to approve them during this preview phase. This is inaccurate, WhatsApp says.

There’s no requirement related to the number of messages being sent. Although the API is intended to be used by larger businesses, some today are using it for customer service which often means they’re receiving more messages than they’re sending, the company noted.

The API is now how WhatsApp generates revenue, as it ditched its subscription fee years ago. That’s why it’s worth tracking its progress. Businesses can also buy Facebook News Feed ads that launch customers into WhatsApp conversations they can respond to.

WhatsApp officially launched its Business app at the beginning of the year, which makes sense for smaller companies, and then rolled out the API this summer for the larger ones.

Bringing businesses into the WhatsApp ecosystem is a significant shift for the Facebook-owned company, as it turns what’s been a place where family and friends communicate into a place of business.

With that delicate balance in mind, WhatsApp says that businesses cannot reach out to customers using the API without the customers’ specific permission.

Instead, the API is designed to allow businesses to respond to customer inquiries, or provide them with other information they’ve requested. For example, an airline may send a boarding pass via the API; an e-commerce business may send a receipt; a bank may send over a bank statement.

Uber is using WhatsApp with its drivers to allow them to connect with members of its team about questions, and Netflix is sending account messages and suggestions as a part of its test.

Further down the road, the API could enable other types of customer interactions as well, like handling two-factor authentication requests, perhaps, instead of using SMS. But that’s not happening at present.

WhatsApp says there are now around 100 companies globally on the API platform.

The company is also working with a dozen or so solution providers. Businesses like VoiceSage, Nexmo, Infobip, Twilio, MessageBird, Smooch, Zendesk, and others are already advertising their services in this area.

Companies interested in gaining access to the API can work with one of the solution providers or sign up directly via the WhatsApp website.

As WhatsApp brings on more businesses, its only vetting requirement of sorts is that it’s looking for those interested in creating quality experiences for customers, the company says.

Of course, even the invited intrusion of businesses into WhatsApp changes the nature of the platform.

As users invite more businesses to communicate with them, WhatsApp may start to feel more like an email inbox or even a Twitter-like support channel.

Making sure there are easy-to-find settings that let users terminate their connections with businesses will be just as critical as the API becomes more widely adopted going forward.

 


SD Times news digest: Atomist SDM 1.0.0-M.1, Visual Studio Editor productivity updates and Atlassian and InVision’s partnership

Software delivery automation company Atomist announced version 1.0.0-M.1 of its open-source Software Delivery Machine project. This new release provides fully local mode, which will make software available to developers everywhere, the company explained.

According to the company, with local mode developers can leverage the software delivery machine on their laptop, automate locally, create projects for any technology stack and enable code transforms across projects.

“The core ideas that drive Atomist are relevant for everyone developing software,” said Atomist founder and CEO, Rod Johnson. “We made Atomist SDM open source so that every developer can experience the way of working that Atomist enables. Once you’ve used a software delivery machine, it’s hard to accept working any other way.”

Visual Studio Editor gets productivity updates

The Visual Studio 2017 team is adding new features to its editor in order to boost developer productivity while they write their code. Improvements have come from direct feedback, UserVoice requests, and developer community tickets.

Some of the new updates include multi-caret support, quick commands such as duplicate line and expand/contract selection, C# code clean up and keyboard profiles for Visual Studio Code and ReSharper.

Atlassian and InVision partner on digital transformation

Atlassian and InVision are expanding their partnership to focus more on digital innovation. The companies plan to create a workflow for designing and developing digital experiences.

“First, we’ll deepen our existing integrations between InVision and Jira, Confluence, and Trello, as we bring Atlassian functionality directly into our product suite, including our upcoming release of InVision Studio. Second, we’ll jointly explore strategic initiatives that tie the work of designers and developers more closely together,” Mike Davidson, VP of partnerships and community at InVision, wrote in a post. “As part of this new commitment between our organizations, Atlassian has made a strategic financial investment in InVision.”

Mozilla’s approach to anti-tracking

Mozilla announced new plans to protect user data. The company plans to provide blocking tracking capabilities and a set of controls for user choice by default in Firefox.

The approach will happen through three key initiatives: improving page load performance, removing cross-site tracking and mitigating harmful practices.

“This is about more than protecting users — it’s about giving them a voice. Some sites will continue to want user data in exchange for content, but now they will have to ask for it, a positive change for people who up until now had no idea of the value exchange they were asked to make,” the company wrote in a post.

The post SD Times news digest: Atomist SDM 1.0.0-M.1, Visual Studio Editor productivity updates and Atlassian and InVision’s partnership appeared first on SD Times.
