Lessons from Heartbleed: Strengthening Application Security on Busted Technology Architectures

Almost all Heartbleed affected servers are identified, final patches implemented, new passwords set and new keys are regenerated.

So now what? Security leaders are seeking expert guidance on how to strengthen application security on busted technology architectures to protect highly sensitive and vulnerable data.

This webinar provides key insights on the lessons learned from the Heartbleed Bug attack.

Hosted by leading application security experts Jim DelGrosso (Cigital) and Vince Arneja (Arxan), the webinar gives attendees:

• An overview of why Heartbleed is a precedential attack relative to historical breaches (memory-centric attacks are possible!),
• An exploration of attack consequences and possible limitations of remediation to similar attacks in the future (will patch remediation always be so fast?), and
• Lessons learned and recommendations for deploying trusted applications and data protections on exploitable frameworks (build in application security!).

Transcript

1. Lessons from Heartbleed: Strengthening Application Security on Busted Technology Architectures
   • Vince Arneja, VP Product Management, Arxan Technologies
   • Jim DelGrosso, Principal Consultant, Cigital

2. Quick Background on Heartbleed
   • A vulnerability in certain versions of OpenSSL
   • Code added on December 31, 2011
   • Advisory made public on April 7, 2014
   • A simple coding error in a very complex piece of software
     o http://xkcd.com/1354/

3. Not The First … Not The Last
   • BEAST (2004 thru 2011)
   • CRIME and TIME (2012)
   • BREACH (2013)
   • Lucky 13 (2013)
   • Heartbleed (2014)
   • ? (?)

4. Heartbleed Differences
   • Simple attack to launch – by anyone
   • Within hours, data was being stolen from vulnerable web sites
   • Tools to check for vulnerable sites were widely available in days
   • Within a day or so, tools were available to extract private keys off servers
   • Patches started rolling out in days

5. Heartbleed Tidbits
   • Heartbleed is the first computer systems bug to have its own website (Heartbleed.com)
   • Half a million widely trusted websites vulnerable to Heartbleed bug
   • Heartbleed has its own logo
   • Rated an 11 on a scale of 1 to 10 (Schneier on Security)
6. How the Heartbleed bug works
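Slide 6 was a diagram, and slide 2 only says "a simple coding error", so here is an added illustration of the error class behind Heartbleed: a heartbeat-style record carries a length field, and the server copied that many bytes back to the sender without checking that the record actually contained them. This is example code written for this page, not OpenSSL's code and not material from the webinar; the record layout (1-byte type, 2-byte length), the `arena` buffer standing in for neighbouring heap memory, and the `session=`/`key=` bytes placed next to the record are all constructed for the demonstration.

```python
import struct
from typing import Optional

# Constructed heartbeat-style header: 1-byte type, 2-byte big-endian payload length.
# Not OpenSSL's real structures; the shape is enough to show the error class.
HEARTBEAT_HDR = struct.Struct("!BH")

def build_record(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a record; `claimed_len` lets a test declare more bytes than are sent."""
    if claimed_len is None:
        claimed_len = len(payload)
    return HEARTBEAT_HDR.pack(1, claimed_len) + payload

def arena_with_record(record: bytes, neighbour: bytes) -> bytearray:
    """Place the received record in front of unrelated data, the way a network
    buffer sits next to other allocations (sessions, keys) in process memory."""
    return bytearray(record + neighbour)

def echo_trusting_length(arena: bytearray, record_len: int) -> bytes:
    """Vulnerable pattern: copies as many bytes as the peer *claimed*.
    `record_len` (what was actually received) is ignored, so the copy can
    run past the record into whatever lies next to it in the arena."""
    _, claimed = HEARTBEAT_HDR.unpack_from(arena, 0)
    start = HEARTBEAT_HDR.size
    return bytes(arena[start:start + claimed])

def echo_checked_length(arena: bytearray, record_len: int) -> Optional[bytes]:
    """Hardened pattern: the declared payload must fit inside the bytes that
    were really received; otherwise the record is rejected and nothing is echoed."""
    if record_len < HEARTBEAT_HDR.size:
        return None                      # not even a complete header
    _, claimed = HEARTBEAT_HDR.unpack_from(arena, 0)
    if HEARTBEAT_HDR.size + claimed > record_len:
        return None                      # length field lies about the payload
    start = HEARTBEAT_HDR.size
    return bytes(arena[start:start + claimed])

if __name__ == "__main__":
    # Constructed neighbour data: what an over-read would expose.
    neighbour = b"session=abc123;key=deadbeef"
    lying = build_record(b"hi", claimed_len=20)
    arena = arena_with_record(lying, neighbour)
    print("trusting copy returns:", echo_trusting_length(arena, len(lying)))
    print("checked copy returns: ", echo_checked_length(arena, len(lying)))
```

The lesson for reviewers is the shape of the fix, not the specific bug: any length or count that arrives from the wire must be validated against the number of bytes actually received before it drives a copy.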
7. What Can We Learn From Heartbleed?

8. Security Controls Sometimes Fail
   • In application security we know there is perimeter security
     o Firewalls, network segmentation, etc.
     o But this alone is not enough, so we build security controls into our software
   • SSL/TLS is a heavily used control
     o Sometimes it fails
     o It's time to consider doing more

9. Option 1 – Review Your Threat Model
   • What additional security controls should be added?
   • Where should those controls be added?
   • Don't have a threat model?
     o Here's a good reason to create one
10. Option 2 – Reveal Sensitive Data Sparingly
   • Does that piece of sensitive data need to go all the way back to the user?
   • Can it be masked?
   • Does it need to be tracked but not displayed?
     o Maybe tokenizing the data makes sense
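Slide 10 asks three questions of every sensitive field (does it need to go back at all, can it be masked, does it only need to be tracked). The code below is an added example of answering them in a response-shaping layer; it is not code from the webinar or from either presenter's company. The field names, the `RESPONSE_POLICY` table, the `TokenVault` class and the sample record are all constructed for the illustration.

```python
import secrets
from typing import Any, Dict

def mask_value(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Replace every alphanumeric character except the last `keep_last` with
    `mask_char`, leaving separators (spaces, dashes, '@', '.') in place so the
    user can still recognise the value without the server revealing it."""
    chars = list(value)
    alnum = [i for i, c in enumerate(chars) if c.isalnum()]
    for i in alnum[:max(0, len(alnum) - keep_last)]:
        chars[i] = mask_char
    return "".join(chars)

class TokenVault:
    """Minimal tokenization store (constructed): the application tracks a random
    token; the real value never leaves this object. Same value, same token."""
    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)   # random: carries no information
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]

# Constructed policy: one decision per field, applied before anything is serialised.
RESPONSE_POLICY = {
    "name": "show",           # harmless, returned as-is
    "card": "mask",           # user must recognise it, not read it back
    "ssn": "tokenize",        # tracked across requests, never displayed
    "password_hash": "drop",  # never leaves the server
}

def shape_response(record: Dict[str, Any], vault: TokenVault,
                   policy: Dict[str, str] = RESPONSE_POLICY) -> Dict[str, Any]:
    """Build the outbound view of a record. Fields with no policy entry are
    dropped, so a newly added column cannot leak by default."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "show":
            out[field] = value
        elif action == "mask":
            out[field] = mask_value(str(value))
        elif action == "tokenize":
            out[field] = vault.tokenize(str(value))
    return out

if __name__ == "__main__":
    # Constructed sample record; values are not real.
    record = {"name": "Alice", "card": "4111 1111 1111 1234",
              "ssn": "123-45-6789", "password_hash": "$2b$...", "internal_note": "vip"}
    print(shape_response(record, TokenVault()))
```

The default-drop rule is the part worth copying: the decision about what reaches the user is made once, in one place, rather than trusting every handler to remember.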
11. Option 3 – Encrypt Data At Application Layer
   • Security controls under constant attack
   • Crypto is hard to get right
   • Time to consider good design principles
     o Defense In Depth
     o Least Privilege
     o Separation of duties
     o Etc.
   http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security

12. Recent events
   The internal data has now been proven vulnerable, and perimeter defense will only delay the next breach, in which the heart of the enterprise is exposed via memory scanning vulnerabilities.

13. Layered Approach…even for server side
   • Every enterprise server stakeholder now has to recognize that scanning of server memory is IN FACT POSSIBLE (vs yesterday’s belief that network defenses made this task impossible)
   • Tremendous emphasis on Cybersecurity
   • Next exploit may not be easily patchable; need for other controls and security measures in place
   • Security experts are strongly advising on deploying a layered and holistic security solution to protect the ‘soft and vulnerable’ center of an enterprise

14. Arxan’s Code/App Protection Platform
   Provides binary hardening to protect the applications that manifest a business’s core assets – data and keys. Arxan’s unique application security embeds active Data Obfuscation Guards without changing server side code so that sensitive data, such as user credentials, passwords, or IDs are protected from being sniffed out as a result of these memory-scanning attacks. Durable key protection can also be directly embedded into the server side code and protects the critical data within server side logic before it is deployed.
15. Summary
   • Perimeter defenses are not enough – Heartbleed lessons demand server side application security to protect your data and keys
   • Be proactive. Retroactive security *is not* security
   • The assumption that the server's memory can’t be dumped has just been shown to be false on a massive scale
   • Make user IDs and passwords very difficult to identify in the memory dump
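The last summary point, making credentials hard to find in a memory dump, comes down to two disciplines: never store the password itself, and scrub the plaintext from every buffer the application controls as soon as it has been checked. The example below is added for this page and is not the webinar's or Arxan's code; the request format, the `scan_for_credentials` regex standing in for a memory scan, and the `hunter2` test credential are constructed. Python only lets us control `bytearray` buffers (a `str` or `bytes` copy can be wiped only by the garbage collector), so the example keeps the password in a `bytearray` end to end; a native implementation would use an explicit secure-zero routine for the same purpose.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000
# Constructed stand-in for a memory scan: where would a plaintext password show up?
# Null bytes are excluded so that a wiped field no longer counts as a hit.
CRED_PATTERN = re.compile(rb"password=[^&\x00]+")

def make_stored_credential(password: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """What the server keeps: a salt and a slow hash, never the password."""
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)

def scan_for_credentials(region: bytes) -> List[bytes]:
    """Return every plaintext credential visible in a buffer (the 'dump')."""
    return [bytes(m) for m in CRED_PATTERN.findall(region)]

def wipe(buf: bytearray, start: int = 0, end: Optional[int] = None) -> None:
    """Overwrite a bytearray region in place; bytearray is mutable, so the
    bytes really are replaced rather than left for the collector."""
    end = len(buf) if end is None else end
    buf[start:end] = b"\x00" * (end - start)

def authenticate(request: bytearray, stored: Tuple[bytes, bytes]) -> bool:
    """Verify the password carried in a raw request buffer, then scrub both
    the extracted copy and the field inside the request itself."""
    m = re.search(rb"password=([^&\x00]*)", request)
    if m is None:
        return False
    password = bytearray(request[m.start(1):m.end(1)])   # the only copy we make
    salt, expected = stored
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, expected)  # constant-time compare
    finally:
        wipe(password)                                   # our working copy
        wipe(request, m.start(1), m.end(1))              # the request buffer

if __name__ == "__main__":
    stored = make_stored_credential(b"hunter2", b"constructed-salt")
    req = bytearray(b"user=alice&password=hunter2&remember=1")
    print("before:", scan_for_credentials(req))
    print("auth ok:", authenticate(req, stored))
    print("after: ", scan_for_credentials(req))
```

The scan function is the check a reviewer can keep around: run it over the buffers a request handler touched after the handler returns, and any hit is a place where a memory disclosure would still have found a credential.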
16. Thank You and Questions?
   For more information contact: info@cigital.com | info@arxan.com