Do You Know What’s In Your Code?

Wednesday, September 23, 2015

A large-scale attack on iOS developers was recently uncovered, which may have infected dozens (if not hundreds) of Chinese-developed applications on the App Store. The apps in question were developed using a tampered version of the Apple Xcode development tool, dubbed “XcodeGhost,” which appears to have been distributed to Chinese developers looking for a faster download than the official version from Apple’s Mac App Store, according to Lookout, a mobile cybersecurity company.

Ryan Olson, director of threat intelligence for Palo Alto Networks, says “Developers are now a huge target.”

If you’re a developer of funny cat apps, maybe not so much—but if your app is intended to help a small- to medium-sized business run their operations, then your vigilance and security posture have never been more important.

If your application comes into contact with sensitive data, such as credit card numbers, you must be compliant with the PCI Payment Application Data Security Standards (PA-DSS). If that data passes through your organization’s data centers—no matter how briefly—then your entire business is in scope for full PCI DSS compliance, either as a merchant or a service provider, depending on your model. For software development companies whose products must interact with sensitive data—such as developers of POS systems or other business tools—there is a lot at stake.

Unless you change the stakes by removing the sensitive data altogether.

Criminals know where to find the good stuff, as the ongoing reports of data breaches confirms. By using technologies like encryption and tokenization, a software application (and the company who developed it) can be insulated from any interaction with sensitive payment data. For a software company, this could be the difference between a worst-case data breach scenario or simply cleaning up a malicious intrusion.

Heartland Secure™ offers developers powerful protection and drastic reduction in compliance requirements. End-to-end encryption protects cardholder data from the moment of the swipe, tap or insert, and tokenization replaces the card number with a non-sensitive value. EMV chip card technology for the prevention of fraudulent charges rounds out the Heartland Secure service offering. Additionally, and especially in recognition of the complexity of EMV for software developers, Heartland offers a suite of semi-integrated peripheral applications—Heartland Secure: Out of Scope—which completely handle all payment complexities and security technologies, keeping the developer and their software out of scope.

Ready to make your software Heartland Secure? Visit to get started.