Almost all Heartbleed-affected servers have been identified, patches applied, new passwords set and new keys generated.
So now what? Security leaders are seeking expert guidance on how to strengthen application security on busted technology architectures in order to protect highly sensitive, exposed data.
This webinar provides key insights into the lessons learned from the Heartbleed bug.
Hosted by application security experts Jim DelGrosso (Cigital) and Vince Arneja (Arxan), it gives attendees:
An overview of why Heartbleed is a precedent-setting attack relative to historical breaches (memory-centric attacks are possible!),
An exploration of the attack's consequences and the possible limits of remediation against similar attacks in the future (will patching always be this fast?), and
Lessons learned and recommendations for deploying trusted applications and data protections on exploitable frameworks (build in application security!).
1. Lessons from Heartbleed
STRENGTHENING APPLICATION SECURITY ON BUSTED TECHNOLOGY ARCHITECTURES
• Vince Arneja, VP Product Management, Arxan Technologies
• Jim DelGrosso, Principal Consultant, Cigital
2. Quick Background on Heartbleed
• A vulnerability (CVE-2014-0160) in certain versions of OpenSSL (1.0.1 through 1.0.1f; fixed in 1.0.1g)
• Code added on December 31, 2011
• Advisory made public on April 7, 2014
• A simple coding error (a missing bounds check on the TLS heartbeat payload length) in a very complex piece of software
o http://xkcd.com/1354/
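To make "a simple coding error" concrete, here is a deliberately simplified model of the heartbeat handling, written for this page as an added example; it is not OpenSSL's code and omits the TLS record layer entirely. A heartbeat record is a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding. The `arena`, the `SESSION=...` cookie placed after the record, and the function names are constructed for the demonstration. The vulnerable version trusts the length field inside the record and never looks at how many bytes were actually received; the fixed version adds the one comparison that was missing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_HEADER        3      /* 1-byte type + 2-byte payload length */
#define HB_PADDING       16     /* minimum padding after the payload */

/* Response to one heartbeat request; out_len == 0 means the request was discarded. */
typedef struct { unsigned char out[256]; size_t out_len; } hb_response;

/* Constructed stand-in for process memory: the received record sits at the front and
   whatever the allocator placed next (here a session cookie) follows it directly. */
static unsigned char arena[512];

/* Lay out a request whose real payload is 4 bytes but whose length field says
   claimed_len; returns the record length the server actually received (23). */
static size_t build_arena(uint16_t claimed_len, const char *secret)
{
    size_t n = 0;
    memset(arena, 0, sizeof arena);
    arena[n++] = TLS1_HB_REQUEST;
    arena[n++] = (unsigned char)(claimed_len >> 8);
    arena[n++] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + n, "ping", 4);  n += 4;         /* the real payload */
    n += HB_PADDING;                                /* padding, left zeroed */
    memcpy(arena + n, secret, strlen(secret));      /* adjacent, unrelated data */
    return HB_HEADER + 4 + HB_PADDING;
}

/* Echo: type, length, `payload` bytes copied from p, then padding (zero here, random in TLS). */
static void echo(hb_response *r, const unsigned char *p, uint16_t payload)
{
    r->out[0] = TLS1_HB_RESPONSE;
    r->out[1] = (unsigned char)(payload >> 8);
    r->out[2] = (unsigned char)(payload & 0xff);
    memcpy(r->out + HB_HEADER, p, payload);          /* copies payload bytes, wherever p points */
    memset(r->out + HB_HEADER + payload, 0, HB_PADDING);
    r->out_len = HB_HEADER + payload + HB_PADDING;
}

/* Vulnerable shape: the 16-bit length inside the record is trusted and rec_len is never
   consulted, so the copy runs past the 23 received bytes into neighbouring memory.
   (The sizeof check only keeps this model inside its own fixed output buffer.) */
static hb_response process_heartbeat_vuln(const unsigned char *rec, size_t rec_len)
{
    hb_response r = { {0}, 0 };
    (void)rec_len;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != TLS1_HB_REQUEST || HB_HEADER + (size_t)payload + HB_PADDING > sizeof r.out) return r;
    echo(&r, rec + HB_HEADER, payload);
    return r;
}

/* Fixed shape: the record must at least hold header plus padding, and the declared payload
   must fit inside what was actually received; anything else is silently discarded. */
static hb_response process_heartbeat_fixed(const unsigned char *rec, size_t rec_len)
{
    hb_response r = { {0}, 0 };
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != TLS1_HB_REQUEST) return r;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return r;      /* the missing check */
    if (HB_HEADER + (size_t)payload + HB_PADDING > sizeof r.out) return r;
    echo(&r, rec + HB_HEADER, payload);
    return r;
}

/* Run one request through either implementation. */
static hb_response run(int use_fixed, uint16_t claimed_len, const char *secret)
{
    size_t rec_len = build_arena(claimed_len, secret);
    return use_fixed ? process_heartbeat_fixed(arena, rec_len) : process_heartbeat_vuln(arena, rec_len);
}

/* 1 if the secret placed after the record came back in the response. */
static int leaks_secret(int use_fixed, uint16_t claimed_len, const char *secret)
{
    hb_response r = run(use_fixed, claimed_len, secret);
    size_t nl = strlen(secret);
    for (size_t i = 0; i + nl <= r.out_len; i++)
        if (memcmp(r.out + i, secret, nl) == 0) return 1;
    return 0;
}

int main(void)
{
    const char *secret = "SESSION=deadbeef42";
    printf("claimed 64, vulnerable: %zu bytes echoed, leaked=%d\n", run(0, 64, secret).out_len, leaks_secret(0, 64, secret));
    printf("claimed 64, fixed:      %zu bytes echoed, leaked=%d\n", run(1, 64, secret).out_len, leaks_secret(1, 64, secret));
    printf("honest 4,   fixed:      %zu bytes echoed\n", run(1, 4, secret).out_len);
    return 0;
}
```

With an honest length the two versions behave identically, which is why the bug sat unnoticed: nothing about normal traffic exercises the missing comparison. The model keeps the over-read inside its own arena so that it stays defined behaviour; a real server reads whatever the heap allocator happened to place after the record, up to 64 KB per request.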
3. Not The First … Not The Last
• BEAST (known since 2004, demonstrated 2011)
• CRIME (2012) and TIME (2013)
• BREACH (2013)
• Lucky 13 (2013)
• Heartbleed (2014)
• ? (?)
4. Heartbleed Differences
• Simple attack to launch – by anyone
• Within hours, data was being stolen from vulnerable web sites
• Tools to check for vulnerable sites were widely available in days
• Within a day or so, tools were available to extract private keys off servers
• Patches started rolling out in days
5. Heartbleed Tidbits
• Heartbleed is the first computer systems bug to have its own website (heartbleed.com)
• Half a million widely trusted websites vulnerable to the Heartbleed bug (Netcraft's estimate)
• Heartbleed has its own logo
• Rated an 11 on a scale of 1 to 10 (Schneier on Security)
8. Security Controls Sometimes Fail
• In application security we rely on perimeter security
o Firewalls, network segmentation, etc.
o But the perimeter alone is not enough, so we build security controls into our software
• SSL/TLS is a heavily used control
o Sometimes it fails
o It's time to consider doing more
9. Option 1 – Review Your Threat Model
• What additional security controls should be added?
• Where should those controls be added?
• Don't have a threat model?
o Here's a good reason to create one
10. Option 2 – Reveal Sensitive Data Sparingly
• Does that piece of sensitive data need to go all the way back to the user?
• Can it be masked?
• Does it need to be tracked but not displayed?
o Maybe tokenizing the data makes sense
11. Option 3 – Encrypt Data At The Application Layer
• Security controls are under constant attack
• Crypto is hard to get right
• Time to consider good design principles
o Defense in depth
o Least privilege
o Separation of duties
o Etc.
http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security
12. Recent Events
The internal data has now been proven vulnerable, and perimeter defense will only delay the next breach, in which the heart of the enterprise is exposed via memory-scanning vulnerabilities.
13. Layered Approach … Even for the Server Side
• Every enterprise server stakeholder now has to recognize that scanning of server memory is IN FACT POSSIBLE (vs. yesterday's belief that network defenses made this task impossible)
• Tremendous emphasis on cybersecurity
• The next exploit may not be easily patchable, so other controls and security measures need to be in place
• Security experts are strongly advising deployment of a layered and holistic security solution to protect the 'soft and vulnerable' center of an enterprise
14. Arxan's Code/App Protection Platform
Provides binary hardening to protect the applications that manifest a business's core assets – data and keys.
Arxan's application security embeds active Data Obfuscation Guards without changing server-side code, so that sensitive data such as user credentials, passwords or IDs are protected from being sniffed out by these memory-scanning attacks.
Durable key protection can also be embedded directly into the server-side code and protects the critical data within server-side logic before it is deployed.
15. Summary
Perimeter defenses are not enough – the Heartbleed lessons demand server-side application security to protect your data and keys
Be proactive. Retroactive security *is not* security
The assumption that a server's memory can't be dumped has just been shown to be false on a massive scale
Make user IDs and passwords very difficult to identify in a memory dump
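Slide 10 asks whether sensitive data needs to travel back to the user at all, or whether a masked form will do, and this summary asks that user IDs and passwords be hard to find in a memory dump. The following is an added example of the plain-C pattern that addresses both, written for this page; it is not Arxan's Data Obfuscation Guards, nor Cigital code. A credential keeps its plaintext in one buffer only between load and clear, everything that goes to logs or the UI comes from a masked copy, and the plaintext buffer is zeroed through a volatile pointer so the compiler cannot drop the wipe as a dead store (the problem C11 `memset_s` and `explicit_bzero` exist to solve). The `credential` type, the card number and `hunter2` are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the optimizer cannot remove the stores as
   dead writes just because the buffer is about to go out of scope. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Mask all but the last `keep` characters of `in` into `out`. A value no longer than `keep`
   is masked entirely, so a short secret is never shown whole. Returns -1 instead of
   truncating when `out` cannot hold the result. */
static int mask_tail(const char *in, size_t keep, char *out, size_t out_sz)
{
    size_t n = strlen(in);
    if (out_sz < n + 1) return -1;
    size_t shown = n > keep ? keep : 0;
    memset(out, '*', n - shown);
    memcpy(out + (n - shown), in + (n - shown), shown);
    out[n] = '\0';
    return 0;
}

/* A credential as it sits in server memory: `plain` holds the secret only between load and
   clear; `display` is the masked form that may go to logs, the UI or a support screen. */
typedef struct {
    char plain[128];
    char display[128];
} credential;

static int credential_load(credential *c, const char *from_wire, size_t keep_visible)
{
    size_t n = strlen(from_wire);
    if (n >= sizeof c->plain) return -1;
    memcpy(c->plain, from_wire, n + 1);
    return mask_tail(c->plain, keep_visible, c->display, sizeof c->display);
}

/* Call as soon as the secret has been consumed (handed to the verifier, used to derive a
   key, ...). Only `plain` is wiped; the masked copy is safe to keep around. */
static void credential_clear(credential *c)
{
    secure_wipe(c->plain, sizeof c->plain);
}

/* Helpers for main() and the tests. */
static char scratch[4];                 /* deliberately too small for most values */

static int mask_equals(const char *in, size_t keep, const char *expected)
{
    char out[128];
    if (mask_tail(in, keep, out, sizeof out) != 0) return -1;
    return strcmp(out, expected) == 0;
}

/* Number of bytes of `secret` still readable in `plain` after clear (0 is the goal). */
static size_t bytes_surviving_clear(const char *secret)
{
    credential c;
    size_t alive = 0;
    if (credential_load(&c, secret, 2) != 0) return (size_t)-1;
    credential_clear(&c);
    for (size_t i = 0; i < strlen(secret); i++)
        if (c.plain[i] == secret[i]) alive++;
    return alive;
}

int main(void)
{
    credential c;
    if (credential_load(&c, "4111111111111111", 4) == 0)
        printf("for display: %s\n", c.display);
    credential_clear(&c);
    printf("bytes of 'hunter2' left after clear: %zu\n", bytes_surviving_clear("hunter2"));
    return 0;
}
```

Two caveats a practitioner should keep in mind. Wiping shortens the window in which a memory over-read can find the plaintext, but it cannot protect a secret while it is in use, and copies the runtime makes on your behalf (a `realloc`, a library's internal buffer, a value spilled to the stack) are not covered by wiping the buffer you own. Masking, by contrast, removes the plaintext from the response path altogether, which is why the slide puts it first.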
16. Thank You and Questions
For more information contact: info@cigital.com | info@arxan.com