logo
allArticlesConferencesPresentations

Keynote: Panic in San Francisco: The Critical Vulnerability That Wasn't

Conference:  Cloud Native SecurityCon North America 2023

Authors:   Shane Lawrence

Summary

Lessons learned from a critical OpenSSL vulnerability and how to prepare for and respond to supply chain threats
  • In October, OpenSSL team found a critical vulnerability in an open source library used by millions
  • The panic and distraction caused by the vulnerability arguably cost more than an exploit could have
  • Suggestions for implementing strong security programs that allow rapid evaluation and response to supply chain threats
  • Lessons learned from the experience of dealing with a critical vulnerability
The speaker recalls the panic and worry caused by a previous OpenSSL vulnerability, Heartbleed, and how it affected millions of servers and their private keys. The speaker also describes the anticipation and subsequent disappointment of the recent OpenSSL vulnerability, which turned out to be a dud.

Abstract

In October, the OpenSSL team found a critical vulnerability in an open source library used by millions. They warned that they would disclose the bug and release patch a week later. Their early warning and quick resolution were commendable, but in the intervening days a flurry of speculation and concern set the blogosphere ablaze and Twitter atalking. On release day, some websites promising to report details of the vulnerability struggled to keep up with the traffic as herds of security specialists, developers, and sysadmins-turned-devops-turned-platform-engineers refreshed the page in anticipation.  When details became available, many of us started to threat model the bug, evaluating how it might be used to harm our sytems. And most of us came to the same conclusion: it couldn't. The panic subsided, and the distraction arguably cost more than an exploit could have.  In this talk, Shane will summarize the vulnerability and some of his team's efforts to prepare for and respond to it, then consider lessons learned from the experience. Attendees will hear suggestions for implementing strong security programs that allow rapid evaluation and response to supply chain threats so they can be prepared for the next vulnerability, whether it turns out to be a major risk or none at all.
Materials:
Tags:

Post a comment

Related work

OpenSSL Deep Dive - The Good, The Bad and The Not-So-Ugly

Conference:  Global AppSec Dublin 2023
Authors: Dan Murphy, Frank Catucci
2023-02-16

The Mouse is Mightier than the Sword

Conference:  Defcon 26
Authors:
2018-08-01

Battle of Windows Service: A Silver Bullet to Discover File Privilege Escalation Bugs Automatically

Conference:  BlackHat USA 2019
Authors:
2019-08-07

Your Trash Kernel Bug, My Precious 0-day

Conference:  BlackHat USA 2021
Authors:
2021-11-10

This is for the Pwners : Exploiting a WebKit 0-day in PlayStation 4

Conference:  BlackHat EU 2020
Authors:
2020-12-10

Beyond the Hype: Cloud Native eBPF

Conference:  KubeCon + CloudNativeCon North America 2021
Authors: Frederic Branczyk
2021-10-15