What has happened with OpenSSL — the discovery of a flaw known as “Heartbleed” that put user data at risk around the world — is only a symptom of the bigger problem: that vendors and software suppliers are allowed (and not liable) to put out compromised software. What we need is a change so that software comes with a security guarantee, and not just a functional guarantee.
Many vendors make a profit off of solutions which are sometimes based on regular open source software which they use “as-is.” If we know anything about software, though, it’s that the No. 1 focus should be to test its functionality. In many organizations, however, security testing is limited and so we will continue to find new vulnerabilities like Heartbleed. The open source model is not the problem here. Those developing tools like OpenSSL are innovators, but their efforts are largely voluntary and their budgets for testing are therefore limited. That’s why manufacturers need to do a security assessment on any module they re-use and certify it themselves.
Penetration testing of online applications — where some organizations signal the site’s assurance with a “stamp” — is an excellent practice, because it does root out vulnerabilities. In many cases, however, only a portion of the site is actually tested in order to reduce costs. The operative phrase here is “due diligence” — those testing are essentially saying “We tried,” not “We guarantee.”
In fact, the underlying gap is that the test results and findings are only as good as both the tools — the library of known vulnerabilities and the detection algorithms — and the people performing the actual penetration testing. For example, no web testing tool can ever completely test every variation of SQL injection. That’s why the better services are supplemented with manual inspection, where the quality of the results depends directly on that person’s or group’s experience. What we need is a common penetration testing or security assurance standard.
It’s clear that antivirus and intrusion prevention systems (IPS) are no longer enough. Now security vendors are bringing out “threat intelligence,” “big data analytics,” “sandboxing” and “whitelisting” as technologies that will fill the gap. Many of these tools, though, are primarily fixated on the back door — protecting the end user’s data from being compromised. That doesn’t address the front door — applications facing the Internet, which are usually encrypted via SSL, making regular IPS devices mostly useless unless they also decrypt that application traffic.
OpenSSL, meanwhile, is not so much a front door vulnerability as the foundation of the “house” itself. The SSL encrypted, protected session (or tunnel) has become something we depend on for everyday online business and social privacy. We have heard about similar “delayed discoveries” with Stuxnet, Flame and others, but the difference here is that every SSL connection to your bank, social networking sites, online cloud services and remote site connections to your organization is vulnerable. Indirectly this means that your passwords to these sites may have been compromised. Use a different password for each site (yes, it can be painful, but we’re talking about protecting your online identity), and the best you can do to protect yourself is to change the passwords for all the sites you have used within the last two years, especially banks and social networking sites.
Worse still, organizations may be vulnerable and not even know it, because not all applications list all the modules they include. Even more worrisome, a module may have been modified and no longer match the official release. The only way to verify your security posture is to test, and there are many sites offering free testing.
Blocking 100 percent of attacks is near impossible, practically and financially. The real goal is to reduce the time to root out the things which could compromise security before they cause damage and start exfiltrating your intellectual property.
So the real question is: has your team uncovered any new threats today? If your team is not connected with an external threat intelligence source like “Emerging Threats,” then your “foundation” may already be rotten, but you don’t have the visibility to uncover it.
Organizations must have clear and present visibility into access to their data from every perspective. They should always keep the most current inventory possible of all applications, modules and libraries on their public-facing services. They also need a clear, executive-sponsored, supported and tested incident response plan. Until software comes with guaranteed security, that’s the only way to limit the damage something like Heartbleed can do.