Several significant security vulnerabilities have been announced over the last few months, notably Heartbleed in the OpenSSL TLS library that most web servers link against, and Shellshock in the Bash command shell.

What’s new and different about these vulnerabilities?  There are two points to make here:

  • Both bugs had been in the code for years before they were disclosed, and the affected components are embedded in lots of hard-to-reach places.  You don’t just have to worry about external web-based applications; you also have to consider the web-based configuration interfaces on appliances and network devices, which typically link against OpenSSL or run CGI scripts through Bash, and which you may not even realise existed.
  • The vulnerabilities are in open-source code.  Vendors love to use open source components for applications and devices, especially embedded ones, because they’re cheap and, with permissive licences, legally unencumbered.  But there’s a down side: many open source components, even widely used ones like OpenSSL, are maintained by very small teams and aren’t always reviewed as carefully as their importance would justify.

What should organisations do?

In the short term, you should set up a task to search for, and patch, affected components.  This may need to include services run by outsourced or cloud providers.  Two caveats: Heartbleed is not fixed by patching alone, because private keys, session tokens and passwords that passed through a vulnerable server’s memory may have leaked, so certificates need reissuing and credentials resetting once the patch is in; and the first Shellshock fix was incomplete, with follow-up patches needed, so re-test after patching rather than ticking the box once.  If you haven’t done this before, bear in mind that you will almost certainly have to do it again, many times, over the next few years; try to make it into a repeatable process.
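As an added illustration of the “search for affected components” step (this is example code written for this page, not part of the original post), the script below checks a single host for the two components named above and prints one finding per line, so it can be run across an estate and re-run after each patch cycle.  It assumes, since the post does not say so, that the Heartbleed-affected OpenSSL range is 1.0.1 through 1.0.1f plus 1.0.2-beta1, and it probes Bash with the widely published environment-variable check for the original Shellshock bug (CVE-2014-6271) only; later Shellshock CVEs need separate checks, so a clean result means “first bug fixed”, not “safe”.

```shell
#!/bin/sh
# Added example (not from the original post): a small, repeatable sweep for
# the two components the post names. Assumptions not stated on the page:
#  - Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
#    1.0.1g and later, 1.0.0 and 0.9.8 are not affected.
#  - Bash is probed with the published environment-function check for the
#    original Shellshock bug (CVE-2014-6271) only.

# heartbleed_affected VERSION
#   Returns 0 (true) when VERSION falls in the Heartbleed range, 1 otherwise.
#   Accepts "1.0.1e", "OpenSSL 1.0.1f 6 Jan 2014", "1.0.1e-fips", "1.0.2-beta1".
heartbleed_affected() {
    case "$1" in *1.0.2-beta1*) return 0 ;; esac
    # pull out "1.0.1" plus any letter suffix, ignoring build tags like -fips
    v=$(printf '%s' "$1" | sed -n 's/.*\(1\.0\.1[a-z]*\).*/\1/p')
    case "$v" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 .. 1.0.1f: vulnerable
        *) return 1 ;;                  # 1.0.1g+, or no 1.0.1 at all
    esac
}

# shellshock_vulnerable [INTERPRETER]
#   Returns 0 if the interpreter (default "bash") executes the command that
#   trails a function definition passed in the environment, 1 if it does not,
#   2 if no such interpreter is on PATH. A fixed bash prints only "probe".
shellshock_vulnerable() {
    b=${1:-bash}
    command -v "$b" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' "$b" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *) return 1 ;;
    esac
}

# sweep: inventory this host and print one finding per line. Run it on every
# host you can reach, then run it again after each patch round.
sweep() {
    host=$(hostname 2>/dev/null || echo localhost)

    if command -v openssl >/dev/null 2>&1; then
        ver=$(openssl version 2>/dev/null)
        if heartbleed_affected "$ver"; then
            echo "HEARTBLEED  $host  $ver  -> patch, reissue keys/certs, reset credentials"
        else
            echo "ok          $host  $ver"
        fi
    else
        # statically linked or vendor-bundled copies of OpenSSL need a separate
        # file-system search; this check only covers the command-line binary
        echo "n/a         $host  openssl not on PATH"
    fi

    if shellshock_vulnerable bash; then
        echo "SHELLSHOCK  $host  $(bash --version | head -n 1)  -> patch, then re-test for follow-up CVEs"
    else
        if [ "$?" -eq 2 ]; then
            echo "n/a         $host  bash not on PATH"
        else
            echo "ok          $host  $(bash --version | head -n 1)"
        fi
    fi
}

sweep
```

Each output line is deliberately a fixed-width record (status, host, version, action) so that results from many hosts can be collected into one file and diffed between runs, which is what turns a one-off scramble into the repeatable process the post recommends.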

You will probably run into all sorts of non-technical problems, such as obsolete systems with developers who can’t be contacted, or service providers who don’t see why they should take on new work that’s not in their contract.

This highlights two aspects of your IT ecosystem that you need to be aware of as a security practitioner: the supply chain (the route whereby software and hardware components get into your IT estate) and the service chain (the set of outsourced and cloud-based service providers your organisation relies upon).

When you procure new IT components or services, you need to make sure security is considered right from the start.  Your suppliers must have clear obligations around issues such as right of audit, patching timescales and notification of vulnerabilities.  Make sure those obligations extend to the open source components inside a supplier’s products, which the supplier may not even have inventoried.  If you don’t think about these issues early on, you will create significant costs and risks for your organisation later.