State of Application Security: State of Piracy
1 like875 views
The document discusses software piracy trends from 2012-2015. It found that the number of pirated assets increased from 1.6 million per year between 2012-2014 to an expected 1.96 million in 2015. The most commonly pirated items were Android apps, key generators, Apple software, Windows desktop software, and Apple apps. The document recommends organizations implement runtime protections in their applications, protect cryptographic keys, and ensure security investments are in line with application risk levels to help mitigate software piracy.
State of Application Security: State of Piracy
- 1. STATE OF APPLICATION SECURITY VOL. 4, 2015 STATE OF PIRACY 1.6M 1.96M ASSETS IS EXPECTED NUMBER OF PIRATED Pirated software found between Jan. 2012 and Mar. 2015 BREAKDOWN OF SOFTWARE PIRACY Between 2012 and 2014 the average Android Apps Key Generators Apple Software Windows Desktop Software Apple Apps number of pirated assets found per year 2012-2014 AVG./YR 2015* was 1.6M. In 2015, the total number of 41% 17% 13% 9% 5% KEY9,000 GENERATORS FOUND Software that generates product licensing keys to enable unauthorized access to software or digital media releases. What are they? APPLICATION RISKS ENABLING PIRACY DISTRIBUTION MODEL FOR REVERSE-ENGINEERING APPLICATION TAMPERING With readily available tools, hackers can quickly convert unprotected binary code back to source-code, repackage and distribute. VOLUME OF PIRATED RELEASES SPEED OF ILLEGAL DISTRIBUTION 100’s 100,000’s 0 sec 33 mins Scene FTP Top Sites Private Torrent Sites Public Sites Cyber- lockers Applications can be modified or injected with malware at run-time to steal keys, and alter execution in line with hacker objectives. 23.76% OF GLOBAL INTERNET BANDWIDTH IS CONSUMED BY TRAFFIC INFRINGING UPON COPYRIGHT. ECONOMIC IMPLICATIONS OF PIRACY 2 pirated assets is expected to hit 1.96M. (Source: iThreat Cyber Group & Arxan Technologies) TO INCREASE 22% PIRATED SOFTWARE IN 2014, THE UNMONETIZED VALUE OF PIRATED ASSETS REACHED $836,840,300,000$652 B $74 B $73 B $18 B $12 B $6 B Software Games Movies TV Music Adult Content UNADDRESSED APPLICATION VULNERABILITIES M1 Weak Server Side Controls M2 Insecure Data Storage M3 Insufficient Transport Layer M4 Unintended Data Leakage M5 Poor Authorization M7 Client Side Injection M9 Improper Session Handling M10 Lack of Binary Protections 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Jan-2015 June-2015 OWASP MOBILE TOP 10 97% OF MOBILE APPS LACK THE PROPER BINARY PROTECTIONS, LEAVING THEM VULNERABLE TO PIRACY. 50% OF ORGANIZATIONS HAVE ZERO BUDGET ALLOCATED TO PROTECTING MOBILE APPS. (M6 and M8 not included in analysis) A recent study analyzed over 96,000 Android apps to measure how well they addressed the OWASP Mobile Top 10 vulnerabilities. The graph below shows the percentage of apps that failed to address these vulnerabilities over time. RECOMMENDATIONS TO MITIGATE SOFTWARE PIRACY 35% 30% 25% 20% 15% 10% 5% Application Layer Data Layer Network Layer RETHINK YOUR SECURITY INVESTMENT APPROACH Consider how much money is spent on application security versus other areas. BUILD RUN-TIME PROTECTIONS INTO YOUR APPLICATIONS Implementing run-time protection will enable self-defense against tampering and malware attacks. Security Risk Spending A 2015 study from Ponemon Institute, sponsored by IBM Security, found that application security spending was not PROTECT YOUR CRYPTOGRAPHIC KEYS White box cryptography solutions can mask both static and dynamic keys. SECURITY RISKS VS. SPEND (Source: MetaIntelli, 2015 Research) Sources: 1. iThreat Cyber Group & Arxan Technologies 2. Study by NetNames/Envisional, sponsored by NBC Universal 3. Tru Optik, 2014 Research 4. MetaIntelli, 2015 Research 5. Ponemon Institute study, sponsored by IBM Security, Mar 2015 3 4 5 SECURITY INVESTMENTS NOT IN LINE WITH LEVEL OF RISK in line with the level of application risk. For additional details & full report, visit Arxan.com