Like everyone else, we wrote extensively in the last month about the serious security vulnerability in OpenSSL dubbed “Heartbleed,” which affected many of the world’s leading web sites and services, including Facebook and Google.
The large-type headlines about Heartbleed have passed. But that doesn’t mean that the danger has. As we have noted, we are entering a phase that might be considered Heartbleed’s ‘long tail.’ Most of the well-trafficked websites that were vulnerable to Heartbleed have gotten around to fixing the vulnerability. But public-facing web servers are only the beginning of the story for OpenSSL. Chasing down the vulnerability’s long tail in third-party applications and on internal web sites and applications is a much larger task. As I’ve noted: open source components make their way into all manner of applications and bespoke products these days, often without any effort to assess the security of the borrowed code.
For companies that need to protect critical IT infrastructure and data, this raises troubling questions. A wholesale review of open source application code is out of the question. Given that issues like Heartbleed will crop up in ways that are unpredictable, how do organizations that rely on open source or third-party software protect themselves from all the yet-to-be-discovered Heartbleed-type vulnerabilities out there?
The folks over at DUO Security have some interesting thoughts on the topic and have explored it in a series of blog posts here and here. They’re worth a read, but the long and short of it is “don’t trust SSL.” Mind you, that’s different from saying “don’t use SSL.” What DUO means is that organizations can’t rely blindly on the integrity of SSL, or of any other open source (or closed source) component. That’s the moral of the Heartbleed story.
What does that mean practically? I sat down with DUO’s Adam Goodman last week to try to answer that question. Adam and DUO advocate a “defense in depth” approach to Heartbleed. The goal shouldn’t be just to use security technology like OpenSSL and to keep it up to date (it was only folks who had recently updated their OpenSSL package who were vulnerable to Heartbleed, after all). Rather, it’s a matter of hedging your bets by securing as many parts of your application and network infrastructure as possible.
[Check out Adam’s SANS Webinar: Protecting Against Heartbleed with Defense In Depth]
“The way we look at this is that instead of trying to concentrate all your security aspirations in one magical solution, you need to build security into every component of your system or at least have a holistic view of security on your system and put security in as many places as you can,” Goodman said.
Have a listen, and also steer on over to DUO’s Web site to check out a webinar that Adam and DUO did with The SANS Institute on the same topic. You can check that out using this link.