Software developers still reeling from the constant security failures throughout the open-source stack in 2014 can take at least some comfort from the proceedings at this year’s RSA Conference in San Francisco. Most of the solutions, talks and products discussed at the show are not focused on the developer-induced security flaws that caused such a ruckus last year.
Instead, most of the vendors and speakers at this year’s conference focused on practical threat assessment, mitigation and compliance. These topics covered security in the cloud, enterprise identity management, and tools to help map out just where an attack is coming from, live.
Mobile was an expectedly hot topic at the show as well, and Adrian Ludwig, from Google’s Android Security team, gave a talk yesterday detailing the state of Android security.
Google uses its applications, such as Gmail and Chrome, to monitor the security state of Android devices around the world. As a result, said Ludwig, Google has more than a billion sensors out there from which to draw data.
Ludwig said Google is “looking at potentially harmful applications. We break that down, region by region, and by types of apps. The traditional PC model of thinking about malware is that all malware is kind of the same: It can compromise your device at a holistic level. In Android, because of sandboxing, for a developer who wants to protect e-mail, we see maybe 10 to 20 out of every million installs of something that would go after that data. You compare that to how many devices are lost every day or stolen, and you start to realize that this is the real threat: physical-world threats.”
According to Ludwig’s numbers, only about 1% of all Android devices installed a potentially harmful application in 2014. When that figure is restricted to Android devices that install applications only from the Google Play Store, it shrinks to 0.15%. The rate also fell over the course of 2014, with the fourth quarter seeing half the number of harmful installs that the first quarter saw.
Ludwig said that the security landscape for the Internet of Things is similar to that of Android, but that there are a few areas where improvement is needed in order to ensure secure networks and devices. “Hardware security for consumers is a disaster,” he said.
“The business model for hardware security is incompatible with large-scale systems. So what we’re really interested in is how can we get the advantages of hardware security at scale, and how can we do that in a heterogeneous environment when you may not trust the devices in that environment.”
Situational awareness
One could be forgiven for mistaking RSA for a “situational awareness” conference: Large screens with live attack maps were on display from companies such as Norse. Other vendors offered state-of-the-art penetration-testing gear intended for legitimate organizations with legitimate purposes.
Pwnie Express was on hand, once again, with a much larger booth and staff than in previous years. The company makes covert penetration-testing devices that masquerade as everyday objects, like power supplies and light bulbs.
Red Hat was offering attendees insight into its identity solutions. FreeIPA is included with every version of Red Hat Enterprise Linux and provides the server side of identity management for enterprises that aren’t tied to Active Directory: an LDAP directory, a Kerberos KDC, a certificate authority and host-based access control (HBAC) rules. The System Security Services Daemon (SSSD) is the client-side counterpart: it connects Linux systems to that central identity store for user lookups and authentication, and caches credentials so users can still log in when the server is unreachable.
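As an added illustration (not from the original article, and not Red Hat’s own documentation), here is a minimal /etc/sssd/sssd.conf of the kind ipa-client-install writes when enrolling a Linux host in a FreeIPA domain. The domain and hostnames are assumed placeholders. The line a practitioner should check is access_provider = ipa: SSSD’s default access provider is permit, so without it the host will authenticate any user the directory knows about and the domain’s HBAC rules will never be enforced on that machine.

```ini
# /etc/sssd/sssd.conf  (added example; domain and hostnames are assumed)
# The file must be owned by root with mode 0600, or sssd refuses to start.
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# Enforce the domain's HBAC rules on this host. The default is "permit",
# which lets every user in the directory log in here regardless of policy.
access_provider = ipa
ipa_domain = example.com
ipa_hostname = client.example.com
# _srv_ discovers IPA servers from DNS SRV records; the named host is a fallback.
ipa_server = _srv_, ipa.example.com
# Pin the IPA CA so LDAP over TLS cannot be silently downgraded or spoofed.
ldap_tls_cacert = /etc/ipa/ca.crt
# Allow cached logins when the server is unreachable.
cache_credentials = true
krb5_store_password_if_offline = true

[nss]
homedir_substring = /home
```

After restarting sssd, `id someuser` and `getent passwd someuser` on the client confirm that lookups flow through SSSD to the IPA server; attempting a login as a user who is not covered by an HBAC rule for this host is the quickest check that access_provider = ipa is actually in effect.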
Developer options
The general lack of focus on software developer solutions at the conference did not preclude the attendance of a few companies hawking software security tools. Checkmarx was showing off Checkmarx CxSAST, a static source-code analysis tool that finds security problems before compilation. The tool supports more than a dozen languages, from Java and JavaScript to Apex and HTML5. CxSAST includes the CxSAST Viewer, which makes it easier for developers to visualize the problems and repercussions resulting from insecure code.
Veracode was on hand to push its static binary-analysis tools, which are offered as a SaaS product. HP’s Fortify static-analysis tools were also on display, as was Coverity with its security-analysis tools for software developers.
Many of the interesting talks at the show were entirely about future threats, and they made the case for securing parts of enterprise infrastructure that, perhaps, aren’t yet being considered vulnerable.
Bryce Barnes, Internet of Things solutions architect for manufacturing and energy at Cisco, for example, is scheduled to speak Friday with Francis Cianfrocca, founder and CEO of Bayshore Networks, making the case for policies regarding the cybersecurity of industrial robotics.
Indeed, the Internet of Things was a popular topic for many speakers, who highlighted potential threats from devices ranging from game consoles to mobile phones. Other talks cautioned about the possible vulnerabilities associated with container-based systems and software-defined networking.