Lessons learned from a critical OpenSSL vulnerability and how to prepare for and respond to supply chain threats
- In October, the OpenSSL team found a critical vulnerability in an open source library used by millions
- The panic and distraction caused by the vulnerability arguably cost more than an exploit could have
- Suggestions for implementing strong security programs that allow rapid evaluation and response to supply chain threats
- Lessons learned from the experience of dealing with a critical vulnerability
The speaker recalls the panic and worry caused by a previous OpenSSL vulnerability, Heartbleed, and how it affected millions of servers and their private keys. The speaker also describes the anticipation and subsequent disappointment of the recent OpenSSL vulnerability, which turned out to be a dud.
In October, the OpenSSL team found a critical vulnerability in an open source library used by millions. They warned that they would disclose the bug and release a patch a week later. Their early warning and quick resolution were commendable, but in the intervening days a flurry of speculation and concern set the blogosphere ablaze and Twitter talking. On release day, some websites promising to report details of the vulnerability struggled to keep up with the traffic as herds of security specialists, developers, and sysadmins-turned-devops-turned-platform-engineers refreshed the page in anticipation. When details became available, many of us started to threat model the bug, evaluating how it might be used to harm our systems. And most of us came to the same conclusion: it couldn't. The panic subsided, and the distraction arguably cost more than an exploit could have. In this talk, Shane will summarize the vulnerability and some of his team's efforts to prepare for and respond to it, then consider lessons learned from the experience. Attendees will hear suggestions for implementing strong security programs that allow rapid evaluation of and response to supply chain threats, so they can be prepared for the next vulnerability, whether it turns out to be a major risk or none at all.