Delfigo Security - Strong Authentication


Heartbleed and a Hard Look at Security Strategy

On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat (see Wikipedia for additional references).
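The missing check behind that defect, as an added example that is not code from this post or from OpenSSL: a heartbeat responder that answers only when the declared payload length is backed by bytes the peer actually sent. The record layout and 16-byte minimum padding are assumed from the TLS Heartbeat Extension (RFC 6520); the sample records are constructed.

```c
/* Added example (not code from the post or from OpenSSL). Layout per RFC 6520:
 * 1 byte type, 2 byte big-endian payload length, payload, then at least 16
 * bytes of padding. The bug above was trusting the declared length without
 * comparing it to the bytes received, so replies leaked neighbouring memory. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build a response into out (capacity out_cap) from a received record of
 * rec_len bytes. Returns the response length, or -1 when the record is
 * malformed or its declared payload is not backed by received bytes. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check the vulnerable versions lacked: header + declared payload +
     * minimum padding must fit inside what the peer actually sent. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);            /* only peer-sent bytes */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING); /* real code: random */
    return (int)resp_len;
}

/* Constructed 23-byte request with an honest 4-byte payload: answered. */
int demo_honest_request(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out); /* 23 */
}

/* Same 23 bytes, but the header claims 65535 bytes of payload: rejected. */
int demo_oversized_claim(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out); /* -1 */
}
```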

See here for more information.

This bug, which many media sources have pointed out this week potentially affects 50% or more of the internet, should serve as a sobering warning that the traditional mechanisms we have relied on to protect us online (such as SSL) are themselves vulnerable. It is simply not enough to rely as heavily as we collectively have on SSL for security, when what is needed is a comprehensive and varied approach.

The key here is a diverse strategy, one designed to combat breaches and vulnerabilities at as many different points as possible. Encryption? Yes (this bug will be addressed, and OpenSSL will be stronger for it). Authentication? Yes. Securing both front-end and back-end transactions, content management, and security training for end users? Yes, yes, and yes. A vulnerability carries the most potential damage when the protections in place are too few, and becomes more manageable when protection mechanisms are distributed so that no single element can compromise the whole.