Heartbleed causes heartache



The latest and scariest news in security is the “Heartbleed” bug. The
evocative name comes from the fact that there is a buffer over-read flaw
in the implementation of the “heartbeat” extension to TLS that leaks
information, potentially including usernames, passwords, secret keys and
other communications. This serious flaw has been present for years in
OpenSSL, a very popular open source implementation of the protocol used
to secure the internet.

In the coming weeks, we’ll be thinking a lot about how this could have
been avoided. This type of flaw, a failure to check boundaries during
buffer reads and writes, is one of the oldest in the industry. Such
issues are incredibly challenging to detect manually and highlight the
value of a secure development lifecycle. Particularly in
security-sensitive code, we need to recognize that a rigorous process,
using automated tools and manual review, is necessary. Furthermore, we
need to pay more attention to the open source components in our
applications: as we spend more time and effort on secure development in
enterprise software, we can’t neglect the growing part of our
infrastructure that relies on these efforts.

Finally, we need to pay attention to human factors. In the wake of all
of the news reports of what is an extremely technical problem, a lot of
people are going to want to make sure they do the right thing. For those
responsible for potentially vulnerable servers, there is a lot of
guidance out there. But let us remember how confusing this can be for
users. This news provides an opportunity for attackers to prey on their
fears. One facetious example I’ve already seen is a website offering to
check whether your private key is secure. I fully expect to see emails
in the coming weeks inviting me to update my password with my financial
institutions and favorite ecommerce sites.

Two guidelines I plan to follow:
1) Do not follow links from emails; use the usual bookmarks, links or
URLs to ensure you are navigating to the correct site.
2) Do not update your credentials until the site has been patched.
The latter is the more challenging (there is a site that will check
URLs), but I hope sites will be open about addressing this critical
issue.
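The boundary check whose absence caused the over-read described at the start of this post, as an added illustration in C (not code from the original post or from OpenSSL): the payload length the peer claims in the heartbeat request must be compared with the number of bytes actually received before anything is copied into the reply. The record layout follows the RFC 6520 heartbeat format; the function names and the two sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a TLS heartbeat request body (RFC 6520 layout):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Length the peer *claims* for the payload. The flaw was trusting this value
 * and copying that many bytes into the reply without comparing it to rec_len. */
static size_t claimed_payload_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The missing bounds check: accept only if the record actually contains the
 * claimed payload plus the minimum padding. Returns 1 if the request is sane. */
static int heartbeat_check(const uint8_t *rec, size_t rec_len, size_t *plen_out) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t plen = claimed_payload_len(rec);
    if (1 + 2 + plen + HB_PADDING > rec_len) return 0;  /* would read past the record */
    *plen_out = plen;
    return 1;
}

/* Build a response that echoes only bytes the peer really sent.
 * Returns the response length, or 0 if the request is silently dropped. */
static size_t heartbeat_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    size_t plen;
    if (!heartbeat_check(rec, rec_len, &plen) || 1 + 2 + plen + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, plen);
    memset(out + 3 + plen, 0, HB_PADDING);  /* real code fills padding with random bytes */
    return 1 + 2 + plen + HB_PADDING;
}

/* Constructed sample records (not captured traffic). Both carry 4 payload bytes
 * plus 16 bytes of padding (23 bytes total); only the length field differs. */
static const uint8_t good_rec[] = {HB_REQUEST, 0x00, 0x04, 'p','i','n','g',   /* claims 4     */
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static const uint8_t bad_rec[]  = {HB_REQUEST, 0x40, 0x00, 'p','i','n','g',   /* claims 16384 */
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static uint8_t reply_buf[1 + 2 + 65535 + HB_PADDING];

size_t demo_good_reply_len(void) { return heartbeat_reply(good_rec, sizeof good_rec, reply_buf, sizeof reply_buf); }
size_t demo_bad_reply_len(void)  { return heartbeat_reply(bad_rec,  sizeof bad_rec,  reply_buf, sizeof reply_buf); }
size_t demo_bad_claimed_len(void) { return claimed_payload_len(bad_rec); }
```

With the check in place the malformed request is dropped rather than answered with 16384 bytes of whatever followed the 23 received ones in memory; the honest request gets a 23-byte reply.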

See on h30499.www3.hp.com