Using memory encryption in web applications to help reduce the risk of Spectre attacks
2021-03-25 06:00

As Google security engineers pointed out, these mechanisms do not prevent the Spectre exploit, but rather "Protect sensitive data from being present in parts of the memory from which they can be read by the attacker."

To further reduce the risk of data leakage, website owners should add an extra line of defense to protect the actual data in memory in the event that all other security controls.

As with all other application-level mitigations for the Spectre exploit, this memory protection technique does not completely deter the scraping of sensitive data from memory.

Plus, encrypting data in memory is already a requirement for high-risk applications, so it's only natural that it becomes recommended for web applications as well in the context of Spectre mitigation - especially those that handle sensitive data such as PII, PHI, or payment information.

For now, their best bet is to adopt a defense-in-depth approach at the application level, and protecting data in memory can bring a much-needed extra line of defense with almost zero effort involved.

As I usually say, if there's something easy and cheap that you can do that greatly reduces the risk of data leakage in your web application, don't wait too long to do it.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/YCc5yeHRoho/