Tag Archive for: Developers’

App-etite for Notification: FTC Says “Welcome to the Jungle” to Mobile Health App Developers in Policy Statement on Health Breach Notification Rule | Wyrick Robbins Yates & Ponton LLP


Last week’s news that the Federal Trade Commission is taking steps to begin rulemaking on consumer privacy and artificial intelligence drew plenty of attention from privacy professionals, and suggests 2022 could be an interesting year for federal regulation of privacy and data security. But that development is only one of a series of moves the Commission has recently made in this space.  In September, a divided Commission issued a Policy Statement that adopts a surprisingly broad interpretation of the FTC’s existing Health Breach Notification Rule, and suggests the FTC is seeking opportunities to use its existing authority to crack down on mobile health apps’ lax privacy and data security practices.

In that Policy Statement, the FTC takes the position that the Health Breach Notification Rule, which applies to “vendors of personal health records,” covers any mobile app that processes health information and that can draw personal information from multiple sources. The FTC also states that the Rule broadly requires notification of any unauthorized access to consumer health information, including the sharing of a consumer’s health information without the consumer’s authorization.

Mobile health app developers should take careful note of the Policy Statement’s interpretations and assess their offerings’ compliance posture accordingly.

Overview of the Health Breach Notification Rule

The FTC issued the Health Breach Notification Rule in 2009 to impose breach notification requirements on companies that process consumer health information but are not subject to HIPAA. To that end, the Rule requires a “vendor of personal health records” to notify affected consumers and the FTC whenever “unsecured [personal health record] identifiable health information [is] acquired by an unauthorized person” as a result of “a breach of security of unsecured [personal health record] identifiable health information.” A “vendor of personal health records” is an entity that (1) is not a HIPAA covered entity or business associate and (2) offers or maintains “personal health records.”

“Personal health records” are in turn defined under the Rule as electronic…


Daily grabs another $40M so developers can add video, audio features to any product – TechCrunch


We’ve all embraced video calls, whether with a work colleague or a physician, but for developers it remains a challenge to build both real-time audio and video features into products.

That’s where Daily comes in. The company provides APIs so developers can add those features into products or websites using just two lines of code. Use cases include video calls, audio-only apps, webinars, live classes, interactive collaboration, e-commerce, customer support, IoT and robotics.

Since being founded in 2015, the company has amassed a customer list that includes AppFolio, HotDoc, Pitch, Kumospace and Teamflow, and its customers report seeing up to 80% fewer video call errors after using Daily, Kwindla Hultman Kramer, co-founder and CEO of Daily, told TechCrunch via email.

Following 18 months of rapid growth, during which every metric the company tracks (overall traffic volume, freemium sign-ups, paid usage and the number of customers scaling applications on top of the platform) increased 10 to 30 times, Daily today announced $40 million in Series B funding.

“The most interesting trend we’re seeing is that new use cases for video and audio are showing up every week,” Hultman Kramer said. “We’ve seen the growth of events platforms, new social/spatial video environments, live commerce, live classes, fitness and workout applications, and a huge amount of experimentation in education and tutoring, just to name a few.”

Renegade Partners led the round, which included new investors Heritage Group, Cendana Capital and Sean Rose, and participation from existing investors including Lachy Groom, Tiger Global, Freestyle Ventures, Slack Fund, Root VC, Moxxie, Haystack Ventures, Todd & Rahul’s Angel Fund, David Eckstein and Aston Motes.

The latest round brings total funding to over $60 million, which includes a $4.6 million round raised in May 2020. The company is not sharing its valuation, but Hultman Kramer revealed that valuation stepped up three times with each of the three funding rounds the company raised in the last 18 months.

The global video conferencing market was valued at $5.8 billion in 2020 and is expected to…


How to improve relations between developers and security teams and boost application security


Chris Wysopal shared a history lesson about the evolution of application security and advice on how to make all apps more secure.


Veracode CTO Chris Wysopal shared the highlights of his career in application security during an OWASP event, including his 1998 testimony to Congress as a member of the hacking collective the L0pht.

Image: Chris Wysopal

In December 1996, application security expert Chris Wysopal published his first vulnerability report. He found that data could be edited or deleted in Lotus Domino 1.5 if permissions were not set properly or URLs were edited. That class of flaw, broken access control, is the number one risk on OWASP’s 2021 Top 10 list of application security risks.
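The Domino finding above is the pattern OWASP still ranks first: a server looks up whatever object the URL names and acts on it, so anyone who can edit the URL can act on anyone's data. The following is an added example, not code from the article or from Lotus Domino, that puts the vulnerable handler beside a hardened one. The document store, users and ACL layout are constructed for the illustration.

```python
"""Broken access control (OWASP A01:2021): the 'exists, therefore act on it'
handler beside one that authorizes per object, per request.

Added example; the store, users and ACLs are constructed, not real data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str
    # explicit per-user grants, e.g. {"alice": {"read"}}
    acl: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    is_admin: bool = False


def fresh_store():
    """Constructed sample data: two documents with different owners."""
    return {
        1: Document(1, "alice", "alice's notes"),
        2: Document(2, "bob", "bob's notes", acl={"alice": {"read"}}),
    }


def delete_vulnerable(store, user, doc_id):
    """Handles DELETE /docs/<doc_id>. The only check is existence, so any
    authenticated user can delete any document by changing the id in the
    URL: the caller's identity never influences the decision."""
    if doc_id not in store:
        raise NotFound(doc_id)
    del store[doc_id]
    return True


def is_allowed(doc, user, action):
    """Authorization decision made server-side from the caller's identity
    and the object's own metadata, never from client-supplied claims."""
    if user.is_admin or doc.owner == user.name:
        return True
    return action in doc.acl.get(user.name, set())


def delete_hardened(store, user, doc_id):
    """Same operation with an explicit authorization check on the object.
    Raising Forbidden (403) reveals that the id exists; a store that must
    not leak existence would raise NotFound for both cases instead."""
    doc = store.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    if not is_allowed(doc, user, "delete"):
        raise Forbidden(f"{user.name} may not delete doc {doc_id}")
    del store[doc_id]
    return True
```

The fix is not a smarter URL scheme or an unguessable id; it is deciding authorization from server-side state on every object access. Note also that the `acl` grant of `read` on document 2 does not confer `delete`: permissions are checked per action, not per object.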

“We know about this problem really well and knowledge about the problem isn’t solving the problem,” he said. 

Wysopal, who is Veracode’s CTO and co-founder, shared a short history of his time as an application security researcher, from his time with the L0pht hacker collective to testifying in front of Congress to doing security consulting with Microsoft in the early 2000s. Wysopal spoke during a keynote at OWASP’s 20th anniversary event, a free, live, 24-hour event held on Friday.

Wysopal said that he started out as an outsider in the tech world, which gave him a unique perspective to call out problems that software engineers, company leaders and government officials did not see. Over the last 25 years, appsec researchers have moved from critics standing on the outside looking in to professional colleagues working with software engineers to improve security.


“As William Gibson said, ‘The future is unevenly distributed,’ and I think we can learn from the past and learn from those already living in the future,” he said.

He shared advice on how to build closer working relationships among developers and security experts as well as how the appsec profession has evolved over the years. 

Building relationships to improve security 

Wysopal said he sees the latest…


4 ‘Exotic’ Programming Languages Popular With Malware Developers


When it comes to cybercrime, even malware developers need to brush up on certain programming languages to stay current.

Increasingly, malware authors are turning to four “exotic” programming languages (Go, DLang, Nim and Rust) either to give new life to older malware or to hide their malicious code from security tools while frustrating analysis by researchers. That’s according to a recent report published by BlackBerry’s Research & Intelligence division.

In many cases, malware developers are turning to these four languages to create new arrays of droppers and loaders that help form the first stage of an attack, according to BlackBerry.

Once these tools have evaded detection and implanted themselves within a network, the loader or dropper written in one of these languages can retrieve second-stage malware, such as Remote Access Trojans (RATs) or malicious versions of legitimate tools such as Cobalt Strike, the report noted. All the while, the unfamiliar runtime adds a layer of obfuscation, making analysis of the attack more difficult.

“Each of these languages is relatively new and has little in the way of fully supported analysis tooling,” the researchers wrote. “As such, they can appear quite alien under the hood. It is because of their relative youth and obscurity that the languages themselves can have a similar effect to traditional obfuscation and be used to attempt to bypass conventional security measures and hinder analysis efforts.”
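The “alien under the hood” effect the researchers describe cuts both ways: the same large static runtimes that confuse signature-based tooling also leave distinctive strings behind, so a first triage step is simply to identify the toolchain. The following is an added example, not BlackBerry's code or any published rule set. The marker patterns are my own assumptions drawn from the kinds of strings these compilers and runtimes commonly embed (the Go build-ID note and `go1.x` version string, `/rustc/<commit>/` source paths and core-library panic messages, Nim's `NimMain`/`nimFrame` runtime symbols, D's `_D`-prefixed mangled names and druntime entry point), and the sample byte blobs are constructed to stand in for `strings` output, not real malware.

```python
"""Toolchain fingerprinting for Go, Rust, Nim and D binaries from embedded
strings. Added example; marker lists are assumptions about common
compiler/runtime output, and the SAMPLE_* blobs are constructed."""
import re

# (label, byte regex) per language. One hit is a hint; the number of
# distinct markers matched is the score, and a real sample should be
# checked against section names and imports too.
MARKERS = {
    "Go": [
        ("build id note", rb'Go build ID: "'),
        ("runtime version", rb"go1\.\d+(\.\d+)?"),
        ("pclntab section", rb"\.gopclntab"),
        ("runtime symbol", rb"runtime\.morestack"),
    ],
    "Rust": [
        ("rustc source path", rb"/rustc/[0-9a-f]{40}/"),
        ("core unwrap panic", rb"called `Option::unwrap\(\)` on a `None` value"),
        ("legacy-mangled std symbol", rb"_ZN\d+std"),
    ],
    "Nim": [
        ("NimMain entry", rb"NimMain"),
        ("Nim frame helper", rb"nimFrame"),
        ("Nim stdlib path", rb"nim/lib/system"),
    ],
    "D": [
        ("D mangled symbol", rb"_D\d+[a-z]"),
        ("druntime entry", rb"_d_run_main"),
        ("D module name", rb"core\.runtime|std\.stdio"),
    ],
}


def fingerprint(blob):
    """Return {language: [matched marker labels]} for every language with
    at least one hit, in MARKERS order."""
    hits = {}
    for lang, patterns in MARKERS.items():
        found = [label for label, rx in patterns if re.search(rx, blob)]
        if found:
            hits[lang] = found
    return hits


def best_guess(blob, min_hits=2):
    """Language with the most markers, or None when nothing reaches
    min_hits (a single string can come from a vendored library)."""
    hits = fingerprint(blob)
    if not hits:
        return None
    lang, found = max(hits.items(), key=lambda kv: len(kv[1]))
    return lang if len(found) >= min_hits else None


# Constructed fragments imitating what `strings` would print for a sample.
SAMPLE_GO = b'\x00Go build ID: "abc"\x00go1.17.2\x00runtime.morestack_noctxt\x00'
SAMPLE_RUST = (b"/rustc/" + b"a" * 40 + b"/library/core/src/option.rs\x00"
               b"called `Option::unwrap()` on a `None` value\x00")
SAMPLE_NIM = b"NimMain\x00nimFrame\x00"
SAMPLE_C = b"GCC: (GNU) 11.2.0\x00libc.so.6\x00"


if __name__ == "__main__":
    for name, blob in [("go", SAMPLE_GO), ("rust", SAMPLE_RUST),
                       ("nim", SAMPLE_NIM), ("c", SAMPLE_C)]:
        print(name, best_guess(blob), fingerprint(blob))
```

Run it against real files by reading them in binary mode and passing the bytes to `best_guess`. The point is not that these markers are hard to strip (a packer or a stripped build removes most of them) but that knowing the language up front tells the analyst which runtime structures to recover, for example Go's pclntab for function names, before any of the “bypass” described above does its work.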

At the same time, cybercriminals and underground developers are eager to show off their skills. Building malware requires creativity, said Matthew Westfall, principal security consultant at tech firm nVisium.

“While commodity and weaponized malware have long dominated the threat landscape, an investigation into the world of non-commercial virus research shows there is still an active cohort of enthusiasts who are motivated by the thrill of implementation,” Westfall told Dice. “The challenge of ‘giving life’ to new languages and technologies through self-replicating code may be a more resilient force than strategic or financial gain, and it…
