Lessons from heartbleed; Strengthening Application Security on Busted Technology Architectures_ss

Almost all Heartbleed affected servers are identified, final patches implemented, new passwords set and new keys are regenerated.

So now what? - security leaders are seeking expert guidance on how to strengthen application security on busted technology architectures to protect highly sensitive and vulnerable data.

This webinar provides key insights on the lessons learned from the Heartbleed Bug attack.

Hosted by leading application security experts Jim DelGrosso, Cigital, and Vince Arneja, Arxan, attendees will receive:

• An overview of why Heartbleed is a precedential attack relative to historical breaches (memory-centric attacks are possible!),
• An exploration of attack consequences and possible limitations of remediation to similar attacks in the future (will patch remediation always be so fast?), and
• Lessons learned and recommendations for deploying trusted applications and data protections on exploitable frameworks (build in application security!).

Transcript of "Lessons from heartbleed; Strengthening Application Security on Busted Technology Architectures_ss"

Lessons from Heartbleed
STRENGTHENING APPLICATION SECURITY ON BUSTED TECHNOLOGY ARCHITECTURES
• Vince Arneja, VP Product Management, Arxan Technologies
• Jim DelGrosso, Principal Consultant, Cigital

Quick Background on Heartbleed
• A vulnerability in certain versions of OpenSSL
• Code added on December 31, 2011
• Advisory made public on April 7, 2014
• A simple coding error in a very complex piece of software
o http://xkcd.com/1354/

Not The First … Not The Last
• BEAST (2004 thru 2011)
• CRIME and TIME (2012)
• BREACH (2013)
• Lucky 13 (2013)
• Heartbleed (2014)
• ? (?)

Heartbleed Differences
• Simple attack to launch – by anyone
• Within hours, data was being stolen from vulnerable web sites
• Tools to check for vulnerable sites were widely available in days
• Within a day or so, tools were available to extract private keys off servers
• Patches started rolling out in days

Heartbleed Tidbits
• Heartbleed is the first computer systems bug to have its own website (Heartbleed.com)
• Half a million widely trusted websites vulnerable to the Heartbleed bug
• Heartbleed has its own logo
• Rated an 11 on a scale of 1 to 10 (Schneier on Security)

How the Heartbleed bug works
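The "simple coding error" the deck refers to, shown as an added C example that is not part of the slides or of OpenSSL's own source: a reduced model of heartbeat record handling (layout per RFC 6520: type, two-byte big-endian payload length, payload, at least 16 bytes of padding), with the unchecked copy beside the length check the patch added, exercised on a constructed record and constructed stand-in "neighbouring heap" bytes. All function names are the example's own.

```c
/* Added example (not from the slides or OpenSSL): a simplified model of the
 * TLS heartbeat handling that Heartbleed broke. A heartbeat body is
 * type(1) | payload_length(2, big-endian) | payload | padding(16). The
 * vulnerable code trusted payload_length; the fix checks it first. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define HB_HEADER 3    /* type byte + two length bytes */
#define HB_PADDING 16  /* minimum padding required by RFC 6520 */
static size_t hb_claimed_len(const uint8_t *rec) {   /* big-endian length field */
    return ((size_t)rec[1] << 8) | rec[2];
}
/* The check that was missing: can record_len bytes hold header + payload + padding? */
int hb_length_ok(size_t record_len, size_t payload_len) {
    return record_len >= HB_HEADER + HB_PADDING &&
           payload_len <= record_len - HB_HEADER - HB_PADDING;
}
/* Vulnerable shape: copies as many bytes as the peer claimed. arena_len only
 * keeps this demo within defined memory; the real heap read had no such bound. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t arena_len, uint8_t *out, size_t out_len) {
    size_t payload_len = hb_claimed_len(rec);
    if (payload_len > out_len || HB_HEADER + payload_len > arena_len) return 0;
    memcpy(out, rec + HB_HEADER, payload_len);  /* may read past the record */
    return payload_len;
}
/* Hardened shape: echo only when the claim fits; patched OpenSSL discards the rest. */
size_t hb_echo_checked(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_len) {
    if (record_len < HB_HEADER) return 0;
    size_t payload_len = hb_claimed_len(rec);
    if (!hb_length_ok(record_len, payload_len) || payload_len > out_len) return 0;
    memcpy(out, rec + HB_HEADER, payload_len);
    return payload_len;
}
/* Constructed demo: a 23-byte "ping" record followed by stand-in heap data.
 * Returns how many bytes beyond the record each handler echoes for a given claim. */
size_t hb_demo_overread(size_t claimed, int checked) {
    uint8_t arena[64] = {0}, out[64];
    const size_t record_len = HB_HEADER + 4 + HB_PADDING;            /* 23 */
    arena[0] = 1; arena[1] = (uint8_t)(claimed >> 8); arena[2] = (uint8_t)claimed;
    memcpy(arena + HB_HEADER, "ping", 4);
    memcpy(arena + record_len, "NEIGHBOURING-HEAP-DATA", 22);       /* constructed */
    size_t n = checked ? hb_echo_checked(arena, record_len, out, sizeof out)
                       : hb_echo_unchecked(arena, sizeof arena, out, sizeof out);
    return n > record_len - HB_HEADER ? n - (record_len - HB_HEADER) : 0;
}
```

With a claim of 40 bytes against a 23-byte record, the unchecked handler returns 20 bytes that were never part of the record, while the checked handler returns nothing.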
What Can We Learn From Heartbleed?

Security Controls Sometimes Fail
• In application security we know there is perimeter security
o Firewalls, network segmentation, etc.
o But this alone is not enough, so we build security controls into our software
• SSL/TLS is a heavily used control
o Sometimes it fails
o It's time to consider doing more

Option 1 – Review Your Threat Model
• What additional security controls should be added?
• Where should those controls be added?
• Don't have a threat model?
o Here's a good reason to create one

Option 2 – Reveal Sensitive Data Sparingly
• Does that piece of sensitive data need to go all the way back to the user?
• Can it be masked?
• Does it need to be tracked but not displayed?
o Maybe tokenizing the data makes sense

Option 3 – Encrypt Data At Application Layer
• Security controls under constant attack
• Crypto is hard to get right
• Time to consider good design principles
o Defense In Depth
o Least Privilege
o Separation of duties
o Etc.
http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security

Recent events
The internal data has now been proven vulnerable, and perimeter defense will only delay the next breach, in which the heart of the enterprise is exposed via memory scanning vulnerabilities.

Layered Approach…even for server side
• Every enterprise server stakeholder now has to recognize that scanning of server memory is IN FACT POSSIBLE (vs. yesterday’s belief that network defenses made this task impossible)
• Tremendous emphasis on Cybersecurity
• Next exploit may not be easily patchable; need for other controls and security measures in place
• Security experts are strongly advising on deploying a layered and holistic security solution to protect the ‘soft and vulnerable’ center of an enterprise

Arxan’s Code/App Protection Platform
Provides binary hardening to protect the applications that manifest a business’s core assets – data and keys. Arxan’s unique application security embeds active Data Obfuscation Guards without changing server-side code, so that sensitive data such as user credentials, passwords, or IDs are protected from being sniffed out as a result of these memory-scanning attacks. Durable key protection can also be directly embedded into the server-side code and protects the critical data within server-side logic before it is deployed.

Summary
• Perimeter defenses are not enough – Heartbleed lessons demand server-side application security to protect your data and keys
• Be proactive. Retroactive security *is not* security
• The assumption that the server’s memory can’t be dumped has just been shown to be false on a massive scale
• Make user IDs and passwords very difficult to identify in the memory dump

Thank You and Questions?
For more information contact: info@cigital.com | info@arxan.com