Shift Left Security

Shift Left Security – a trend that will remain

Traditionally, organizations focus their security efforts near the end of the development and release cycle. While this can ensure that the rest of the software reaches a certain level of stability, high risks and vulnerabilities remain.
Shift Left Security is the remedy to this problem: implement security as early as possible in your software development cycle (the early phases sit on the “left” of the timeline, hence the name) and do it right from the start. It spares you the headache and saves a lot of often unconsidered cost after the app has been released. It is the most important cornerstone of your solution for the digital world.

Shift Right: Dealing with security near the end of development is no longer an option

As a mobile app (or solution) moves through the steps of conception, design, development, build, test and finally upload to the app store, adding security has often been treated as the last step. On top of that, this causes additional development time and costs. Sad to say, sometimes security has simply been put aside to meet time-to-market requirements.
There are plenty of examples where security has been introduced at the last stage of a project, which means keeping security on the right. This has a tremendous negative impact on your project: the moment the app is released, its risks and vulnerabilities are published with it. They are found by security researchers or hackers. In the best case, feedback is given to the developers; in the worst case, the knowledge is misused. In the latter case, compliance violations and reputational damage may happen instantaneously – no pre-warning will be given!

Shift Left Security Economics – the importance of it!

Shift Left Security is economically driven by analysis of the software development process and the maintenance phase that follows. Fixing issues after releasing the mobile app is about 20 times more expensive than if the problem had been recognized and solved during the definition phase of the project. And that covers merely the development side of the costs, as a study (Capers Jones, A short history of the cost per defect metric, 2013) shows.
Often unconsidered, forgotten or excluded from those cost discussions is the financial impact of a security breach: consequential damages, cyber-attack (and recovery) costs and litigation costs. When those costs are considered as well, a later study (Capers Jones, Achieving Software Excellence, v7, 2016) shows that poor-quality software may be up to 2000 times more expensive than investing in high-quality software right from the beginning. In this example, cyber-attack costs account for around 45% of the cost of negligence in software quality.
The essence of all this: we need to focus on good software and on building good solutions, rather than finding fraud afterwards and spending money on mitigation measures. Shift Left Security means: the earlier you do it right, the less it costs you afterwards.

Security winners focus on best practices

Shift Left Security is such a best practice. In your software development life cycle (SDLC), you must think about architecture and a secure design at a very early stage. Secure design should include threat modeling, which helps you define the baseline and assess the required security controls.
“Security can be achieved only when it has been designed in. Applying security measures as an afterthought is a recipe for disaster” (“The Six Pillars of DevSecOps: Automation”, 2020), said the CSA (Cloud Security Alliance) about securing design. A very valid comment for any software development project.
As Build38 CEO Christian Schläger put it in a recent PwC interview: “So rather than mopping up the floor afterwards and spending SOC resources and plenty of analysts’ hours on forensics, I would like to see more quality software and solutions that can’t be hacked that easily anymore.”
In a nutshell: finding out what happened to a mobile app after it has already been released is simply too late. More money is spent on fixing, re-testing, and releasing the app again!

Shift Left Security – do it right, from the start!

Shift Left Security is the new paradigm and the best investment protection scheme you can have. It helps you save money throughout the whole lifecycle of a mobile app. It also helps you reconsider how, where, and when security should be embedded into your app project.
Shift Left Security is also a crucial part of your considerations for becoming compliant: with the eIDAS regulation, with the upcoming Medical Device Regulation (MDR) in 2021, with the DiGA regulation, with PSD2, etc. It is about putting security controls into action.
Build38 gives you all the means to start with Shift Left Security now: we deliver the most comprehensive security suite for Android and iOS and the solution that is fastest to integrate on the market. Additionally, we support you in identifying the security-relevant topics and advise you on how to design security controls the right way and what to consider.


Curious now? Then contact us and be part of the “Shift Left Security” movement!


Build38 wins the PwC Award for the “Best Cybersecurity Solution of the Year 2020”

T.A.K Client prevails against 25 cybersecurity solutions

Munich, November 5th – Build38 wins the PwC Award for the best cybersecurity solution of the year. As part of the digital event, the German provider prevailed against 25 international security start-ups with its Mobile App and Fraud Protection solution T.A.K Client.

This year's PwC Luxembourg Cybersecurity Days (October 26-29, 2020), attended by experts from all over Europe, focused on IT security and digital trust. The main emphasis was on the importance of cybersecurity as an integral part of business strategies.

Various awards were presented during the event, including one for the best cybersecurity solution of the year. In this category, 25 international start-ups were nominated, of which only five companies – mainly from the Mobile and Endpoint Security sectors – were shortlisted. These five companies were invited to an on-site pitching contest.

Munich start-up Build38 takes the lead

The jury consisted of venture capitalists, incubators and security experts. Build38 ultimately won them over in the live pitch with its Mobile App and Fraud Protection solution T.A.K (Trusted Application Kit). Various aspects contributed to the decision:

  • mature product with an established customer base,
  • particularly resource-saving support of mobile business processes,
  • variety of functions,
  • advanced development status of the solution.

“Despite the difficulties caused by Covid-19, the organizer mastered the challenge of creating an interesting and well-organized digital event”, says Christoph Brecht, VP Sales at Build38. “We are grateful for the award, which once again confirms that security for mobile apps is becoming increasingly important.”

With its security solution, Build38 prevents the manipulation of customer data in apps, ensures its integrity and thus reliably protects companies and their customers from cyber criminals.

Photo: PwC Award Cybersecurity Solution of the Year – Christoph Brecht, VP Sales at Build38, & Koen Maris, Cybersecurity Leader, PwC Luxembourg


Contactless Payment, Part 2: Drives business and requires the right security!

In the first part of this blog series, we described the strong trend towards cashless and especially contactless payment. Payment via smartphone is also becoming increasingly important. The SPoC and CPoC standards published by the PCI play an important role here.

PCI SPoC and CPoC – what is this all about?

SPoC (Software-based PIN Entry on COTS) is, simply put, the PCI standard for software-based PIN entry on mobile devices, in combination with a Secure Card Reader for PIN, an extra piece of hardware connected to the mobile device, e.g. by Bluetooth.

CPoC (Contactless Payments on COTS) is the second and more recent standard, which makes accepting contactless payments even simpler: the device's NFC capability turns the mobile device itself into a contactless payment reader.

Common to both standards are the mobile card reader app and the attestation and monitoring services, all of which serve to uphold a high level of security and trust. Besides that, the typical payment-related services are of course part of the backend.

What role does Build38 play in this?

Build38 fulfills the strictest security requirements mandated by PCI:

  • Ensuring the app is running in a secure environment (and only there)
  • Obfuscation
  • Anti-repackaging technology
  • Secure PIN entry
  • Mitigation of detected threats already on the mobile device, etc.

On top of that, Build38 provides the required attestation component, which acts as the verifier that determines the current security state of the app. It delivers additional security signals to the monitoring system, which detects, alerts on, and mitigates suspected or actual threats and attacks.

PCI security requirements can be overwhelming with all their complexities, yet there is nothing to be afraid of!

You understand payments best, and Build38 masters your mobile security!

At Build38 we believe that in a changing digital landscape, app security is not a luxury. It is a necessity. Your developers should focus on what they are best at: delivering business value and world-class payment apps, while Build38 provides mobile app security. Build38’s Trusted Application Kit (T.A.K) is a highly secure, holistic and easy-to-integrate mobile app security framework.

It all starts with better understanding your mobile risks.

Get to know where you stand today!
Strengthen your policies and compliance posture!
Explore your options and get the right solution!


Contact us and launch your own CPoC or SPoC solution on the market faster!


Contactless Payment, Part 1: The smartphone and App replace the card reader

Cashless payments are more popular than ever. This trend was accelerated in particular by Covid-19. In Germany, for example, an increase of 20 % was recorded in the first half of 2020, and every second payment was made contactless.[1] Nevertheless, Germany still has some catching up to do compared to other countries that already have a higher rate of cashless payments.

In addition to the “classic” variant of cashless payment via bank card, contactless payment via smartphone is also becoming increasingly popular across Europe. As a recent survey shows, around 12 % of the Europeans surveyed already prefer paying by smartphone.[2]

Contactless payments will gain further momentum

With contactless payment, the card is held against a card reader at checkout and no longer needs to be inserted. For small amounts it is not even necessary to enter the PIN. In view of the pandemic, retailers have been encouraging customers to pay this way to avoid contact and a possible infection.

With contactless payment by smartphone, the app on the smartphone replaces the bank card. For further strong growth, two requirements will play an important role:

  • Retailers, small merchants, market, and street vendors must be enabled to accept mobile payments, without the need to invest in traditional card readers.
  • Mobile payment for small sums must be supported, as demanded by customers.

At this point the question arises as to how the first requirement can be implemented in an affordable and simple way.

PCI standards are paving the way

The PCI Security Standards Council (PCI SSC), founded in 2006 by American Express, Visa and MasterCard, among others, is a “global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide”. It is the governing body for payment standardization, technical requirements, and certification of payment solutions.

PCI has recognized that contactless payment must be available to everyone, meaning by using a smartphone or tablet, which PCI in its own terminology calls a COTS (commercial off-the-shelf) device. Therefore, two standards are now available: the SPoC (Software-based PIN Entry on COTS) and the CPoC (Contactless Payments on COTS) standard.


Learn more about these standards and how Build38 can ensure the security of payment apps in our next blog post.


[1] https://www.handelsblatt.com/finanzen/banken-versicherungen/coronakrise-kreditwirtschaft-trend-zu-bargeldlosem-bezahlen-haelt-schon-laenger-an/26289960.html?ticket=ST-350571-XZqIrSQGq5lLGZqhcQfl-ap4

[2] https://www.handelsblatt.com/finanzen/banken-versicherungen/umfrage-in-zwoelf-eu-staaten-die-coronakrise-verstaerkt-den-trend-zum-bargeldlosen-zahlen/26185710.html


Build38 is selected for the participation in the Swiss KICKSTART program 2020 edition

Build38 was selected after various rounds of pitching and presenting to be part of the 2020 cohort of the renowned Swiss accelerator program KICKSTART. This is a great honor for me, but even more a great opportunity to conquer the Swiss market and show industry leaders like AXA, Mobiliar, Swisscom, PostFinance and others what Build38 and its Application Kit and Threat Insights can do.

Having worked for years in Switzerland, I know that the entry barrier in such a mature market, which values privacy and security tremendously, is high. Your solution must be groomed to the needs of the country's Financial Service Industry and is then ready to scale externally as well.

KICKSTART is different from other accelerators in that it values PoCs and co-development above anything else. For us, already having a leading technology, it is a great way to extend our services and build the envisioned platform for secure and easy-to-use app development further.

Needless to say, we are going to Zurich fully motivated and teaming tech and business development to get the most out of the program for us and the partners.

While Joaquin and I did the pitching and started the program, Christoph and Marc will also take part and extend the local / virtual team.

Bear with us for news on features and use cases coming out of these labs!


Build38 selected for the 4YFN Awards competition at Mobile World Congress

Build38 is extremely honored to have been selected, together with 12 other innovative young companies, to compete for the 4YFN (4 Years From Now) Award. The Award is a highlight event that is part of the Mobile World Congress and Mobile World Capital Barcelona activities.

At Mobile World Congress, the largest mobile event in the world, which brings together the latest innovations and leading-edge technology alongside today’s most influential visionaries, Build38 will have a prominent showcase. It combines a booth at the State of Bavaria Pavilion in Fira Gran Via with participation as one of the 12 innovative young companies selected for the MWC startup event, the 4YFN Award competition. The semi-finals will take place on the 24th of February and the Final on the 26th, both at the Fira Montjuïc Exhibition Hall in Barcelona.

The Build38 team is excited to deliver a memorable pitch and show how apps can enable service providers to generate additional revenue through new use cases and reduce fraud in the mobile channel.


Build38 exhibiting at the Singapore Fintech Festival & SWITCH

We are very excited to share that we will be present at the Singapore FinTech Festival & SWITCH. As one of the startups selected by the Catalonia Trade and Investment agency, we will be at the Catalonia International Pavilion of SFF x SWITCH. Come and visit us, enjoy some southern European hospitality and learn interesting facts, such as that Build38's largest workforce is based in Barcelona, a vibrant and innovative city that has become a key place for entrepreneurship in Europe and globally. Meet our Asia Pacific Managing Director, Pedro Hernandez, and talk to our Head of Product Architecture, Marc Obrador, for the latest insights on Mobile App Security and Fraud Management.

The Singapore FinTech Festival & SWITCH exhibition will be held from the 11th to the 13th of November at the Singapore Expo (Halls 1 to 6), 1 Expo Drive, Singapore 486150. Opening times are 10am to 6pm.


Together stronger – Build38 helps fellow Insuretechs with best-in-class analytics and app security

Trust and analytics are essential for Insuretechs – after all, this is what you sell. Trust is hard to generate, especially for young Insuretechs, but easy to lose for everyone in the industry. Munich Insuretech Hub start-up Build38 focuses on trust in mobile apps – the number one sales channel for digital natives – and is highly praised by Gartner and customers for its advanced technology, analytical skills and easy integration.


On Wednesday, Build38’s head architect Marc Obrador started prepping fellow Insuretechs for the mobile market and the dangers from hackers and attackers, and gave a well-received lesson on countermeasures and design principles. Several case studies made the participants review their current strategy: misuse of your process interfaces by malicious attackers or the competition can render your service useless or cause financial damage. Take the case of one platform app that did not secure its interfaces and let an attacker flood its platform with illegal orders to subscribed insurance companies: once trust was lost, so was the business case for this young company. Or the case where the competition took apart the source code of an app and stole company secrets on underwriting and calculations – another major blow to a young fintech that could have been prevented.

Build38’s service is the Trusted Application Kit T.A.K (www.build38.com), which integrates into the app by design and secures code, IP, user data and PSD2-compliant authentication. The server component gives you great analytics at the app level that let you market and control your services better, and essentially turns your app into a “self-defending” one against attackers and the competition. Marketeers love the insights they gain, and because the SDK approach makes development faster, they can try out many more flavours and variants in less time.

As a special treat, and to great applause from the teams, Build38 offered the solution free of charge to all fellow Insuretech startups for the first year: “there is absolutely no reason why you should publish an insecure app”, says Build38 CEO and Co-Founder Dr. Christian Schlaeger. “T.A.K is fast and easy to integrate and lets you focus on the important stuff for your startup: business models and innovation. For us it is a moral obligation and part of the Munich team spirit to make T.A.K usable to every young company in the Munich Insuretech Hub – together we are stronger!”


Insights from our CEO at EuroCIS Düsseldorf

First pictures from our CEO Dr. Christian Schläger and Head of Finance Tillmann Gmelin at EuroCIS in Düsseldorf, starting this morning. We brought all the experiences from Tel Aviv with us to welcome Build38 guests with analytics and insights on app hardening – and a fair amount of chocolate. Christian will be there today; if you want to chat with our CEO, take the chance.


Build38 is exhibiting at RSA Conference 2019 in San Francisco “where the world talks security”. The team will be present at Moscone Center booth #101 in Early Stage Expo. For appointments, feel free to get in touch beforehand. Better.

RSA 2019 San Francisco 2019/03/04 - 2019/03/08