State of Application Security


Slide 0

STATE OF APPLICATION SECURITY, VOL. 4, 2015

STATE OF PIRACY

Number of pirated assets is expected to increase 22%. Between 2012 and 2014 the average number of pirated assets found per year was 1.6M. In 2015, the total number of pirated assets is expected to hit 1.96M. (Source: iThreat Cyber Group & Arxan Technologies)

BREAKDOWN OF SOFTWARE PIRACY

Pirated software found between Jan. 2012 and Mar. 2015:
- 41% Android Apps
- 17% Key Generators
- 13% Apple Software
- 9% Windows Desktop Software
- 5% Apple Apps

9,000 key generators found. What are they? Software that generates product licensing keys to enable unauthorized access to software or digital media releases.

APPLICATION RISKS ENABLING PIRACY

- Reverse-engineering: With readily available tools, hackers can quickly convert unprotected binary code back to source code, repackage it and distribute it.
- Application tampering: Applications can be modified or injected with malware at run-time to steal keys and alter execution in line with hacker objectives.

DISTRIBUTION MODEL FOR PIRATED SOFTWARE

Distribution channels shown: Scene, Public Sites, Private Torrent Sites, FTP Top Sites, Cyberlockers.
- Volume of pirated releases: from 100's to 100,000's
- Speed of illegal distribution: from 0 sec to 33 mins

23.76% of global internet bandwidth is consumed by traffic infringing upon copyright. (2)

ECONOMIC IMPLICATIONS OF PIRACY

In 2014, the unmonetized value of pirated assets reached $836,840,300,000. (3)
Categories shown: Software, Games, Movies, Music, TV, Adult Content. Amounts shown: $652 B, $74 B, $73 B, $18 B, $6 B, $12 B.

UNADDRESSED APPLICATION VULNERABILITIES

A recent study analyzed over 96,000 Android apps to measure how well they addressed the OWASP Mobile Top 10 vulnerabilities. The graph shows the percentage of apps that failed to address these vulnerabilities over time (Jan-2015 vs. June-2015). (Source: MetaIntelli, 2015 Research)

OWASP Mobile Top 10 categories analyzed (M6 and M8 not included in the analysis):
- M1 Weak Server Side Controls
- M2 Insecure Data Storage
- M3 Insufficient Transport Layer
- M4 Unintended Data Leakage
- M5 Poor Authorization
- M7 Client Side Injection
- M9 Improper Session Handling
- M10 Lack of Binary Protections

97% of mobile apps lack the proper binary protections, leaving them vulnerable to piracy. (4)

SECURITY INVESTMENTS NOT IN LINE WITH LEVEL OF RISK

Security risks vs. spend: A 2015 study from Ponemon Institute, sponsored by IBM Security, found that application security spending was not in line with the level of application risk. The chart compares security risk against spending for the Application Layer, Data Layer and Network Layer.

50% of organizations have zero budget allocated to protecting mobile apps. (5)

RECOMMENDATIONS TO MITIGATE SOFTWARE PIRACY

- Rethink your security investment approach: Consider how much money is spent on application security versus other areas.
- Build run-time protections into your applications: Implementing run-time protection will enable self-defense against tampering and malware attacks.
- Protect your cryptographic keys: White box cryptography solutions can mask both static and dynamic keys.

Sources:
1. iThreat Cyber Group & Arxan Technologies
2. Study by NetNames/Envisional, sponsored by NBC Universal
3. Tru Optik, 2014 Research
4. MetaIntelli, 2015 Research
5. Ponemon Institute study, sponsored by IBM Security, Mar 2015

For additional details & full report, visit
