New Beta readiness review - AppEsteem (blog.appesteem.com/file.axd?file=/MSRA security partner...) · 2016. 7. 21.

Page 1
Beta readiness review
Learnings, next steps, request for support
Dennis Batchelder, AppEsteem Corporation
July 2016
Page 2
AppEsteem provides a safe haven for clean software monetization vendors…
Page 3
…so we can squeeze out the dirty players
who fund their business by tricking and cheating customers
who grow their business by outbidding the clean players
Page 4
We help security partners protect their customers from PUA
Before AppEsteem
Certified apps make a better world
Page 5
Beta Readiness

April - June: Prepare
✓ Road show with AVs, platforms, CSA, Compliance officers (5 shows, visits)
✓ Recruit dev/research team (12 on team)
✓ Sign up installers/downloaders/vendors (2 installers, 3 vendors, 6 CRXs)
✓ Figure out monetization plan (fee schedule socialized)
Still in progress…
• Establish validation and certification scorecards (have drafts)
• Deliver first cut of SRCL and seals (SRCL going out next week)
• Get more Security Partners into beta (that's today)
• Land MOU with CSA

August - September: run betas/pilot
• Windows PE (August)
• CRX (September)
Page 6
How it works
• Provide basic info | Sign license agreement
• May choose compliance partner | Accept client | Countersign agreement
• Generate app key
• Build and distribute app | View telemetry
• View telemetry
• Update behavior graph; alert on anomalies
• Anonymize, aggregate, publish
• Construct behavior graph | Anonymize, aggregate, publish
• Submit/renew vendor disclosure every year
• Sign off on disclosure interview
• Investigate and approve/reject
• View approved disclosures
• Submit/renew certification request every year / every major version
• Sign off on certification request
• Analyze, test, and approve/reject | Construct behavior graph
• Generate seal
• View approved certifications
• Rebuild with seal | Register final package
• Re-certify and publish "signature"
• Fix app and resubmit | Signs off on changes | Notify vendor of block | Initiate remediation process
• If blocking: notify why | Consume "signatures"
• View telemetry | View telemetry, alerts | View telemetry, alerts
• Consume "signatures"

Fee: $2000; $200; 1% of LTV60
Page 7
What the beta (pilot) will measure

Measuring: Can we increase customer offer satisfaction?
Hypothesis: Offer screens trick customers into clicking through and leave them dissatisfied. Sealed apps with certified offer screens will lead to better informed and happier customers.
Measuring success: Reduced sealed offer startup rates. Increased sealed app lifetime.

Measuring: Can we reduce vendor evasion?
Hypothesis: Today's installers evade detection by morphing hosting locations, digital signatures, product updates, brand names, and domains. Sealed apps won't need this, which reduces the cost to protect.
Measuring success: Less evasion: reduced certificates, domains, landing pages, product updates for sealed offers.
Page 8
Validation: where we are

What we've done
• Collected data on our own
• Conducted investigations using public data (Glassdoor, lawsuits, IP ownership)

What we've learned
• Disclosures and vendor commentary seem to be the most appropriate approach
• Compliance partners will help
• Structured interviews will reduce our investigative time

What we plan to gather and make available to security partners

| Category | Data |
| --- | --- |
| Structural information | Ownership, DBAs, addresses, contacts, licenses, shared-ownership companies |
| Business relationships and potential conflicts of interest | Partnerships, affiliates, trademark disputes, areas not following guidelines |
| Evidence of controls | Affiliate management, advertiser management, IP protection, supply chain management |
| Commitments | Attestations to following clean guidelines |
| (Investigation results) | Public reputation, news, posts |
Page 9
Certification: where we are

Where we started
• Google's Unwanted Software Policies
• MMPC's Objective Criteria
• CSA's Guidelines
• Inherited principles: Consumers need consent, control, and no unpleasant surprises

What we learned
• Missing principle: consumers shouldn't feel cheated after paying
• Important to track the entire creative -> landing page -> install supply chain

Addressing gaps we've found

| Gap | New requirements |
| --- | --- |
| No app monitoring requirement leaves vendors without verification | Apps must link and not evade SRCL library, must honor "uninstall" command |
| Great apps can still have bad affiliates, causing suspensions by platforms | Landing pages must block obscured references, must publish affiliate restrictions |
| Normal "next" install flow leaves consumers surprised | Unrelated offers must have unselected radio buttons where the consumer must choose to continue |
| Need better context to do a fair evaluation | Require apps to submit a value and monetization statement |
| In-product upgrades need evaluation | System utilities must have a reputable 3rd party vouching for their value |
| Ad injection has standards too | Set the toolbar bit for AppNexus auctions/equivalent |
Page 10
The seal: where we are

Where we started
• We heard concerns of using Taggants
• We planned to roll our own seal to support our capabilities

What we learned
• We need to be open and allow competitors
• We need to reduce implementation friction
• Several AVs already implemented Taggants
• Better to patch holes than introduce brand-new security

Taggant implementation plan
• Single signer (AppEsteem)
• New data inside: distribution rights, certifications, vendor attestations

| Seal data | Contents |
| --- | --- |
| Identification | Taggant v2 info |
| Distribution rights | W3C's ODRL-JSON format |
| Certifications | Guidelines/version numbers |
| Vendor attestations | Value statement, monetization statement |

Two-phase commit
1) Vendor signs app, submits
2) AppEsteem certifies and builds seal
3) Vendor packages seal, re-signs app
4) AppEsteem registers app
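The two-phase commit above, modelled in Python as an added illustration (not AppEsteem's code and not the Taggant format): HMAC tags stand in for the vendor's and AppEsteem's real code-signing signatures, the keys, the seal container layout and the sample app bytes are all constructed, and the last function is the check a Security Partner consuming a registered "signature" would run. It also shows why registration happens after the re-sign: the shipped package hash is not the hash the seal was built over.

```python
import hashlib, hmac, json
# Constructed demo keys: HMAC stands in for the real code-signing and Taggant
# signatures so the example runs with the standard library only.
VENDOR_KEY, APPESTEEM_KEY = b"vendor-demo-key", b"appesteem-demo-key"
SEAL_MARKER = b"\n--SEAL--\n"   # assumed container layout, not Taggant's
REGISTRY = {}                   # final package hash -> seal (phase 4)

def sign(key, data):
    return hmac.new(key, data, "sha256").hexdigest()
def sha256(data):
    return hashlib.sha256(data).hexdigest()
def canonical(seal):
    return json.dumps(seal, sort_keys=True).encode()

def phase1_vendor_submit(app):
    # 1) Vendor signs the unsealed build and submits it.
    return {"app": app, "vendor_sig": sign(VENDOR_KEY, app)}

def phase2_appesteem_certify(sub, certs, rights, attestations):
    # 2) AppEsteem verifies the vendor signature, then builds and signs a seal
    #    carrying the data the slide lists: rights, certifications, attestations.
    if not hmac.compare_digest(sub["vendor_sig"], sign(VENDOR_KEY, sub["app"])):
        raise ValueError("vendor signature invalid")
    seal = {"app_hash": sha256(sub["app"]), "certifications": certs,
            "distribution_rights": rights, "vendor_attestations": attestations}
    seal["appesteem_sig"] = sign(APPESTEEM_KEY, canonical(seal))
    return seal

def phase3_vendor_package(app, seal):
    # 3) Vendor packages the seal into the app and re-signs the result.
    final = app + SEAL_MARKER + canonical(seal)
    return final, sign(VENDOR_KEY, final)

def phase4_appesteem_register(final, vendor_sig):
    # 4) AppEsteem registers the re-signed package's hash: re-signing changed the
    #    bytes, so the phase-2 app_hash alone cannot identify what actually ships.
    if not hmac.compare_digest(vendor_sig, sign(VENDOR_KEY, final)):
        raise ValueError("re-signature invalid")
    REGISTRY[sha256(final)] = json.loads(final.split(SEAL_MARKER, 1)[1])

def partner_check(package):
    # Security Partner consuming the "signature": the package must be registered,
    # the embedded seal must verify, and the seal must match the sealed app bytes.
    if sha256(package) not in REGISTRY:
        return False
    app, _, raw = package.partition(SEAL_MARKER)
    seal = json.loads(raw)
    sig = seal.pop("appesteem_sig")
    return (hmac.compare_digest(sig, sign(APPESTEEM_KEY, canonical(seal)))
            and seal["app_hash"] == sha256(app))
```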
Page 11
Monitoring: where we are

What we planned
• Easy linking with our Self Regulating Client Library (SRCL)
• Work with PEs, CRXs, APKs
• Report heartbeat, time to live, blocks, anomalies
• Easy way for Security Partners to report problems

Built for PE files
• Using Microsoft Detours, auto-inject unsealed child processes to monitor registry, file, process, (soon network)
• Screenshot samples to capture offers

Building for CRXs
• CRXs: using AspectJS to monitor
• Screenshot samples to capture ad injection

Building a behavior graph

| Category | Data |
| --- | --- |
| App information | Provenance; landing page; identification; install locations |
| Components | Libraries; children; parents |
| Actions | Processes; libraries; file, registry, process; cookies, bookmarks, history, tabs; default overrides; advertising |
Page 12
Remediation: where we are

Where we started
• Goal is to encourage the right behavior
• Hope to never need to use the nuclear options

Where we are
• Needs lots of IQ investment to get this right

Remediation thoughts: proportional and escalating response

| Stage | Actions |
| --- | --- |
| Stop bad behavior immediately | Security Partners block new installs; vendor informed of specific reasons; block new seals from vendor |
| Demonstrate urgency | Throttled/targeted removals; deep investigations |
| Revoke app | Full removals |
| Revoke company | Full cleanup |
Page 13
Security Partners: time to commit ☺

Register as a Security Partner
• Security Partner access is FREE
• http://appesteem.com -> REGISTER
• Sign our partnership agreement (we'll send out next week)

What you get
• Validated company and sealed certification disclosures
• Access to sealed apps and analysis results
• Distribution and behavior telemetry
• Signatures and online checks

During Beta: pre-signoff
• We're learning this together: we want to get it right
• We want to pivot as necessary
• We want to ensure our behavior graphs are complete
• We want to put serious pressure on the bad guys
• Validation and Certification disclosures
• Every install package
• Work to help us get remediation right