This post is from the Arxan blog and has not been updated since the original publish date.
Meltdown, Spectre prove there are no trusted environments for high-value applications
If there’s a lesson from the newly discovered Meltdown and Spectre exploits, it’s that pretty much every company that publishes high-value mobile, desktop or server apps should be doing more to improve its security posture. The two widespread flaws pose an immediate threat to effectively all x86, AMD and ARM processors for desktop, Android and iOS users. In other words, nearly every cell phone, desktop PC, and server on the market today is vulnerable.
Because Meltdown and Spectre are flaws at the architectural level, anything stored in an application’s protected memory -- encryption keys, user credentials -- can now be exposed. This means anti-virus, anti-malware, perimeter and firewall security won’t be effective, and OS patches have proven challenging to implement thus far.
Systems vulnerable to these exploits should effectively be considered jailbroken or rooted. The bottom line for publishers of high-value apps such as mobile banking, connected medical, connected vehicles or games: your apps are vulnerable to compromise and running in an untrusted environment.
The appropriate response when dealing with zero trust environments? Deploy apps with security designed into them from the start. Secure applications need to be tamper-proof, so bad actors can’t gain access to the code and insert malware that exploits these new vulnerabilities. Applications also need integral encryption to prevent other applications from using these new vulnerabilities to access sensitive data.
Arxan’s Application Protection was designed to specifically counter threats to applications when running in zero trust environments. To counter these threats, Arxan code protection includes a layered guard network that protects against static and run-time binary tampering, while Arxan data protection utilizes encryption to protect critical data at rest and in memory.
These new hardware-based vulnerabilities highlight that today’s high-value apps are always running in zero trust environments. Businesses that depend on providing secure applications to their customer base need to expand their security posture to include securing critical assets like code, keys and private data. A reliable protection solution that includes best-in-class binary code protection and white-box encryption solutions is a must to mitigate today’s security risks.
Arxan Spectre & Meltdown thought leadership in the news:
- Rusty Carter, VP Product Management in “Finance Monthly”: Meltdown & Spectre: 2 Ways Your Banking Device Is Vulnerable
- Rusty Carter, VP Product Management in “Global Banking & Finance Review”: How Vulnerable Is the Financial Sector to Spectre and Meltdown?
- Rusty Carter, VP Product Management in “Security Current”: Inspecting Spectre: Here’s How CISOs Can Protect Their Systems
- Rusty Carter, VP Product Management in “International Business Times”: The banking industry is having a Meltdown over Spectre
- Rusty Carter, VP Product Management in “Health Matters”: Meltdown and Spectre – the newest vulnerabilities to affect the health industry