Heartbleed Will Require Rehab - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Heartbleed Will Require Rehab
Oldest First  |  Newest First  |  Threaded View
David F. Carr
David F. Carr,
User Rank: Author
4/21/2014 | 9:52:58 AM
Do you know where your (potentially vulnerable) software is?
This raises a good question for readers: does your organization have a good catalog of the commercial and open source software deployed on websites and systems that could be subject to attack? How quickly could you track down where a software module with a newly discovered vulnerability was installed and figure out what to do about it?
Ulf Mattsson
Ulf Mattsson,
User Rank: Strategist
4/21/2014 | 11:23:52 AM
I think that we need to take real proactive steps

I agree that "Patches are just band-aids ", and I think that we need to take real proactive steps.

We know that the vulnerable technology has been in place on up to two-thirds of all websites for approximately two years, the damage may already be done, and organization that uses OpenSSL rushes to fix the vulnerability before hackers can steal more data.

So what can we do to try to prevent the data theft?

Waiting for better software or protocols isn't really an option.  While new software will inevitably come along, there are limited guarantees, especially in the case of open-source technology such as OpenSSL, that it will be bug-free.  In fact, we should expect that they will be breached.

The most viable option is proactive security of the data itself.  By tokenizing or encrypting sensitive data at the point of creation or acquisition, it can be made useless to potential thieves, even in memory.

There's no perfect answer to fix years of exposure, but moving forward, adopting the most proven, vendor-backed data security solutions that protect the data itself can offer significantly reduced risk over protocols alone.

Ulf Mattsson, CTO Protegrity

IW Pick
User Rank: Apprentice
4/21/2014 | 12:03:09 PM
Vetting the code
Vendors should do a better job in vetting open-source code they use in their products. Especially if these products are to be used in a critical security role.

User Rank: Strategist
4/21/2014 | 2:23:36 PM
Re: Vetting the code
I highly recommend reading Poul-Henning Kamp's article, "A Generation Lost in the Bazaar," http://queue.acm.org/detail.cfm?id=2349257#content-comments and its full comments (http://queue.acm.org/fullcomments.cfm?id=2349257). My comment, restated, is that a  "quality improvement institute, factory and service" might help.

Open source is well established now in industry, and the problems are apparent to all. However, the benefits are seen as even greater. This creates an opportunity to improve existing open source software and future development and maintenance processes. (Not surprisingly, this same opportunity exists for closed source software.) Therefore, there should be a willingness on the part of government and industry to fund quality improvement. (I don't attempt to specify whether such organization(s) are for-profit or not-for-profit, but their products would need to be open for use without compensation for them to benefit open source developers.)

There are several approaches that should be pursued: (1) Improved training and education for developers; (2) Identification and promulgation of better or best practices (in choices of languages, tools and development processes); (3) Identification of existing software most in need of remediation or replacement; (4) Funding remediation/replacement of the most important needs; (5) Outreach to existing projects with offers to help adopt better practices; (6) Outreach to academia to encourage training in better practices; (7) Advice for starting new projects following best practices appropriate for the project size; (8) Funding development of tools to support better or best practices. (9) Review of existing tools and offering constructive suggestions for improvement, perhaps with funding.
Charlie Babcock
Charlie Babcock,
User Rank: Author
4/21/2014 | 9:01:27 PM
After the ER, a long term rehabilitation
Yes, recovery from HeartBleed will be "a long term rehabilitation," as well as short term emergency room visit. That's exactly right.
User Rank: Ninja
4/22/2014 | 6:12:54 PM
Heartbleed Virus is just the tip of the iceberg
The Heartbleed bug is obviously a major challenge for financial institutions, but bank websites handle a variety of tasks. [...]

I would think what with the billions in bail out money that the banking cartel has taken from taxpayers that it would use some of its money to hire competent I.T. departments instead of applying another layer of million dollar bonuses to executive officers. 

State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
IT Careers: Top 10 US Cities for Tech Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  1/14/2020
Predictions for Cloud Computing in 2020
James Kobielus, Research Director, Futurum,  1/9/2020
What's Next: AI and Data Trends for 2020 and Beyond
Jessica Davis, Senior Editor, Enterprise Apps,  12/30/2019
Register for InformationWeek Newsletters
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll