Lessons from Heartbleed: Strengthening Application Security on Busted Technology Architectures

Vince Arneja, VP Product Management, Arxan Technologies; Jim DelGrosso, Principal Consultant, Cigital

Upload: arxan-technologies

Post on 08-May-2015

Category: Technology

DESCRIPTION

Almost all Heartbleed-affected servers have been identified, final patches implemented, new passwords set and new keys regenerated. So now what? Security leaders are seeking expert guidance on how to strengthen application security on busted technology architectures to protect highly sensitive and vulnerable data. This webinar provides key insights on the lessons learned from the Heartbleed bug. Hosted by leading application security experts Jim DelGrosso, Cigital, and Vince Arneja, Arxan, attendees will receive: an overview of why Heartbleed is a precedential attack relative to historical breaches (memory-centric attacks are possible!); an exploration of attack consequences and the possible limitations of remediation for similar attacks in the future (will patch remediation always be so fast?); and lessons learned and recommendations for deploying trusted applications and data protections on exploitable frameworks (build in application security!).

TRANSCRIPT

Page 1: Lessons from heartbleed; Strengthening Application Security on Busted Technology Architectures_ss

Lessons from Heartbleed

STRENGTHENING APPLICATION SECURITY ON BUSTED TECHNOLOGY ARCHITECTURES

• Vince Arneja, VP Product Management, Arxan Technologies • Jim DelGrosso, Principal Consultant, Cigital

Page 2:

Quick Background on Heartbleed

• A vulnerability in the TLS heartbeat extension of certain versions of OpenSSL (1.0.1 through 1.0.1f; fixed in 1.0.1g)

• Code committed on December 31, 2011 (shipped in OpenSSL 1.0.1, March 2012)
• Advisory made public on April 7, 2014

• A simple coding error in a very complex piece of software: a missing bounds check on a length supplied by the peer
o http://xkcd.com/1354/

Page 3:

Not The First … Not The Last

• BEAST (2004 through 2011)
• CRIME (2012) and TIME (2013)
• BREACH (2013)
• Lucky 13 (2013)
• Heartbleed (2014)
• ? (?)

Page 4:

Heartbleed Differences

• Simple attack to launch, by anyone: one malformed heartbeat message, no authentication required
• Within hours, data was being stolen from vulnerable web sites
• Tools to check for vulnerable sites were widely available in days
• Within a day or so, tools were available to extract private keys off servers
• Patches started rolling out within days (OpenSSL 1.0.1g shipped with the advisory on April 7, 2014; vendors and distributions followed)

Page 5:

Heartbleed Tidbits

• Heartbleed is the first computer systems bug to have its own website (Heartbleed.com)

• Half a million widely trusted websites vulnerable to Heartbleed bug

• Heartbleed has its own logo

• Rated an 11 on a scale of 1 to 10 (Schneier on Security)

Page 6:

How the Heartbleed bug works
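This slide carried only a diagram. As an added illustration (not code from the deck or from OpenSSL), the C program below reproduces the logic of the bug and of the fix. A TLS heartbeat message is one byte of type, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding. The pre-patch code trusted the peer-supplied length and copied that many bytes out of the record buffer; the 1.0.1g patch bounds it by the real record length. The `process_memory` buffer, the `secret` placed after the record, and all function names are constructed for this example.

```c
/* Simulation of the OpenSSL heartbeat length check (CVE-2014-0160).
 * Names, buffers and the adjacent "secret" are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16              /* minimum padding required by RFC 6520 */
#define MEM_SIZE    64

/* Constructed process memory: the record at offset 0, a secret right after it
 * (standing in for whatever heap object happened to sit next to the record). */
static unsigned char process_memory[MEM_SIZE];
static const char secret[] = "session_cookie=DEADBEEF";   /* 23 bytes */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Write a heartbeat request that claims `claimed` payload bytes but actually
 * carries `actual`. Returns the real record length the record layer would see. */
size_t build_heartbeat(unsigned char *rec, uint16_t claimed, size_t actual)
{
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memset(rec + 3, 'A', actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return 1 + 2 + actual + HB_PADDING;
}

/* Pre-patch behaviour: read the peer's length (n2s) and memcpy that many
 * bytes, never comparing it with how long the record really is. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                                   /* the bug: unused */
    if (hbtype != HB_REQUEST || out_cap < 3 + (size_t)payload + HB_PADDING)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);                     /* over-reads past the record */
    return payload;
}

/* Patched behaviour (OpenSSL 1.0.1g): discard records too short to hold the
 * header plus padding, then discard any payload length exceeding the record. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                    /* silently discard */
    if (hbtype != HB_REQUEST || out_cap < 3 + (size_t)payload + HB_PADDING)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);
    return payload;
}

/* Malicious request: claims 60 bytes, sends 4. Returns 1 if the echoed
 * payload contains the secret that sits just past the end of the record. */
int leaks_secret(hb_handler handler)
{
    unsigned char out[128];
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_heartbeat(process_memory, 60, 4);      /* 23 bytes */
    memcpy(process_memory + rec_len, secret, sizeof secret - 1);
    size_t n = handler(process_memory, rec_len, out, sizeof out);
    /* Bytes beyond the record begin at payload offset rec_len - 3. */
    return n >= rec_len - 3 + sizeof secret - 1 &&
           memcmp(out + 3 + (rec_len - 3), secret, sizeof secret - 1) == 0;
}

/* Well-formed request (claims 4, sends 4): both handlers must echo 4 bytes. */
size_t legit_echo(hb_handler handler)
{
    unsigned char out[128];
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_heartbeat(process_memory, 4, 4);
    return handler(process_memory, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed echoes %zu legit bytes\n", legit_echo(heartbeat_fixed));
    return 0;
}
```

The over-read here stays inside the constructed 64-byte buffer so the demonstration is deterministic; in a real process the same memcpy walks up to 64 KB of whatever the heap holds next to the record, which is why session cookies, passwords and private key material turned up in responses.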

Page 7:

What Can We Learn From Heartbleed?

Page 8:

Security Controls Sometimes Fail

• In application security we know there is perimeter security
o Firewalls, network segmentation, etc.
o But this alone is not enough, so we build security controls into our software

• SSL/TLS is a heavily used control
o Sometimes it fails
o It's time to consider doing more

Page 9:

Option 1 – Review Your Threat Model

• What additional security controls should be added?

• Where should those controls be added?

• Don't have a threat model?
o Here's a good reason to create one

Page 10:

Option 2 – Reveal Sensitive Data Sparingly

• Does that piece of sensitive data need to go all the way back to the user?

• Can it be masked?

• Does it need to be tracked but not displayed?
o Maybe tokenizing the data makes sense

Page 11:

Option 3 – Encrypt Data At Application Layer

• Security controls are under constant attack
• Crypto is hard to get right
• Time to consider good design principles
o Defense in depth
o Least privilege
o Separation of duties
o Etc.

http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security

Page 12:

Recent events

Internal data has now been proven vulnerable, and perimeter defense will only delay the next breach, in which the heart of the enterprise is exposed through a memory-disclosure vulnerability like Heartbleed.

Page 13:

Layered Approach…even for server side

• Every enterprise server stakeholder now has to recognize that reading server memory from the network IS IN FACT POSSIBLE (versus yesterday's belief that network defenses made this impossible)

• Tremendous emphasis on cybersecurity
• The next exploit may not be easily patchable; other controls and security measures need to be in place
• Security experts are strongly advising a layered and holistic security solution to protect the 'soft and vulnerable' center of an enterprise

Page 14:

Arxan’s Code/App Protection Platform

Provides binary hardening to protect the applications that manifest a business’s core assets – data and keys.

Arxan’s application security embeds active Data Obfuscation Guards without changing server-side code, so that sensitive data such as user credentials, passwords or IDs is protected from being sniffed out by these memory-scanning attacks.

Durable key protection can also be embedded directly into the server-side code, protecting the critical data within server-side logic before it is deployed.

Page 15:

Summary

Perimeter defenses are not enough: the Heartbleed lessons demand server-side application security to protect your data and keys.

Be proactive. Retroactive security *is not* security.

The assumption that a server's memory can't be dumped has just been shown to be false on a massive scale.

Make user IDs and passwords very difficult to identify in a memory dump.
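One concrete way to act on that last point, as an added example that is not from the deck and not Arxan's implementation: hold the credential XOR-masked with a per-object random mask, unmask it into a caller buffer only for the instant it is compared, and wipe both the caller's plaintext and the object afterwards through a volatile pointer so the compiler cannot drop the store. The `guarded_secret` type, the `xorshift64*` stand-in for the OS RNG, the sample password and all function names are constructed for this example.

```c
/* Keeping a credential out of a memory over-read or dump. Constructed example;
 * the PRNG stands in for the OS RNG and the API is not any product's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD_MAX 64

typedef struct {
    uint8_t masked[GUARD_MAX];   /* secret XOR mask; never the plaintext */
    uint8_t mask[GUARD_MAX];     /* random mask with no zero bytes */
    size_t  len;
} guarded_secret;

/* xorshift64* placeholder: a real build reads /dev/urandom or getrandom(). */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint8_t rng_byte(void)
{
    rng_state ^= rng_state >> 12;
    rng_state ^= rng_state << 25;
    rng_state ^= rng_state >> 27;
    return (uint8_t)((rng_state * 2685821657736338717ULL) >> 56);
}

/* Zero through a volatile pointer so a dead-store pass cannot remove it. */
void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Mask `secret` into `g` and wipe the caller's plaintext. 0 on success, -1 if too long. */
int guard_store(guarded_secret *g, uint8_t *secret, size_t len)
{
    if (len > GUARD_MAX) return -1;
    g->len = len;
    for (size_t i = 0; i < len; i++) {
        uint8_t m;
        do { m = rng_byte(); } while (m == 0);   /* a zero mask byte would leave plaintext */
        g->mask[i] = m;
        g->masked[i] = secret[i] ^ m;
    }
    secure_zero(secret, len);
    return 0;
}

/* Unmask into `out` for immediate use; the caller wipes `out` right after. */
size_t guard_reveal(const guarded_secret *g, uint8_t *out, size_t cap)
{
    if (cap < g->len) return 0;
    for (size_t i = 0; i < g->len; i++) out[i] = g->masked[i] ^ g->mask[i];
    return g->len;
}

void guard_destroy(guarded_secret *g) { secure_zero(g, sizeof *g); }

/* What a memory-scanning attacker does: search a dump for a recognisable pattern. */
int memory_contains(const void *hay, size_t hay_len, const void *needle, size_t n_len)
{
    const uint8_t *h = (const uint8_t *)hay;
    if (n_len == 0 || n_len > hay_len) return 0;
    for (size_t i = 0; i + n_len <= hay_len; i++)
        if (memcmp(h + i, needle, n_len) == 0) return 1;
    return 0;
}

/* 1 if the guarded object's own bytes still contain the plaintext password. */
int guarded_object_exposes_plaintext(void)
{
    uint8_t pw[] = "hunter2-Pa55word";            /* constructed credential */
    size_t len = sizeof pw - 1;
    guarded_secret g;
    guard_store(&g, pw, len);
    int exposed = memory_contains(&g, sizeof g, "hunter2-Pa55word", len);
    guard_destroy(&g);
    return exposed;
}

/* 1 if reveal returns the original bytes (the mask round-trips). */
int guard_round_trips(void)
{
    uint8_t pw[] = "hunter2-Pa55word";
    size_t len = sizeof pw - 1;
    uint8_t out[GUARD_MAX];
    guarded_secret g;
    guard_store(&g, pw, len);
    size_t n = guard_reveal(&g, out, sizeof out);
    int ok = n == len && memcmp(out, "hunter2-Pa55word", len) == 0;
    secure_zero(out, sizeof out);
    guard_destroy(&g);
    return ok;
}

int main(void)
{
    printf("plaintext visible in guarded object: %d\n", guarded_object_exposes_plaintext());
    printf("guard round-trips: %d\n", guard_round_trips());
    return 0;
}
```

This defeats the grep-style harvesting that followed Heartbleed, where an attacker pulls random 64 KB windows and pattern-matches for cookies and passwords; it does not defeat an attacker who obtains the whole object and understands its layout, since the mask sits next to the masked bytes. Keeping the mask (or a key) outside the process, and keeping the unmasked window as short as possible, is what moves this from obscurity toward a real control.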

Page 16:

Thank You and Questions?

For more information contact: [email protected] | [email protected]