Shellshock, Heartbleed – the carnage continues

There have been several significant security vulnerabilities announced in the last few weeks: Heartbleed, in the OpenSSL library that many web servers rely on, and Shellshock, in the Bash command shell.

What’s new and different about these vulnerabilities? There are two points to make here:

  • The vulnerabilities have been around for years, and the affected components are embedded in lots of hard-to-reach places. You don’t just have to worry about external web-based applications; you also have to consider web-based configuration programs (on appliances and devices, for example) that you may not even realise existed.
  • The vulnerabilities are in open-source code. Vendors love to use open-source components for applications and devices, especially embedded ones, because they’re cheap and legally unencumbered. But there’s a downside: many open-source components, even widely used ones like OpenSSL, aren’t always maintained as carefully as they should be.

What should organisations do?

In the short term, you should set up a task to search for, and patch, affected components. This may need to include services run by outsourced or cloud providers. If you haven’t done this before, bear in mind that you will probably have to do it again many times over the next few years, so try to make it into a repeatable process.

You will probably run into all sorts of non-technical problems, such as obsolete systems with developers who can’t be contacted, or service providers who don’t see why they should take on new work that’s not in their contract.

This brings out two aspects of your IT ecosystem that you need to be aware of as a security practitioner: the supply chain (the route by which software and hardware components get into your IT estate) and the service chain (the set of outsourced and cloud-based service providers your organisation relies upon).

When you procure new IT components or services, you need to make sure security is considered right from the start. Your suppliers must have clear obligations around issues such as right of audit, patching timescales and notification of vulnerabilities. You’ll need to ensure that open-source components are covered properly, too. If you don’t think about these issues early on, you will create significant costs and risks for your organisation later.
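To make the “search for, and patch, affected components” task repeatable, and to surface the supply-chain and service-chain owners you will have to chase, the following is an added example (not code from the original post or from Capgemini). It takes an estate inventory, flags OpenSSL builds in the Heartbleed-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; the fix shipped in 1.0.1g), groups the work by who can actually apply the patch, and separates out components whose version nobody can state. The hosts, owners and versions are constructed sample data, and the `Component` fields and function names are this example’s own assumptions.

```python
"""Repeatable Heartbleed triage over an estate inventory, grouping the patching work
by the party that can actually do it. Sample data below is constructed, not real."""
import re
from dataclasses import dataclass
from typing import Optional

# OpenSSL version strings look like 1.0.1e, 1.0.2-beta1 or 0.9.8y: a numeric triple,
# optional patch letter(s), and an optional pre-release suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?$")


def openssl_heartbleed_affected(version: str) -> Optional[bool]:
    """True if the version is in the Heartbleed-affected range (1.0.1 to 1.0.1f,
    and 1.0.2-beta1; 1.0.1g carries the fix). Returns None when the string cannot
    be parsed so callers flag it for investigation rather than treating it as safe."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    triple = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if triple == (1, 0, 1):
        # Plain "1.0.1" parses with letter == "", which sorts before "a".
        return letter <= "f"
    if triple == (1, 0, 2):
        return suffix == "beta1"
    return False


@dataclass(frozen=True)
class Component:
    host: str
    name: str
    version: str
    owner: str   # team, vendor or provider that can apply the patch
    chain: str   # "internal", "supply-chain" (vendor product) or "service-chain" (outsourced)


# Constructed inventory (assumed format): the appliance management UI, the hosted
# service and the kiosk with an unknown version are the hard-to-reach cases.
INVENTORY = [
    Component("www-01", "openssl", "1.0.1e", "web-team", "internal"),
    Component("www-02", "openssl", "1.0.1g", "web-team", "internal"),
    Component("lb-mgmt-ui", "openssl", "1.0.1c", "appliance-vendor", "supply-chain"),
    Component("crm-hosted", "openssl", "1.0.2-beta1", "saas-provider", "service-chain"),
    Component("legacy-db", "openssl", "0.9.8y", "db-team", "internal"),
    Component("old-kiosk", "openssl", "unknown", "nobody-reachable", "supply-chain"),
    Component("www-01", "nginx", "1.4.7", "web-team", "internal"),
]


def triage(inventory):
    """Return (work_by_owner, needs_investigation): affected hosts grouped by owner,
    and hosts whose OpenSSL version could not be parsed."""
    work, unknown = {}, []
    for c in inventory:
        if c.name != "openssl":
            continue
        status = openssl_heartbleed_affected(c.version)
        if status is None:
            unknown.append(c.host)
        elif status:
            work.setdefault(c.owner, []).append(c.host)
    return work, unknown


def chase_list(inventory):
    """Owners outside the organisation (supply chain or service chain) that hold
    affected hosts, so contractual patching and notification obligations can be
    tracked alongside the internal work list."""
    work, _ = triage(inventory)
    external = {c.owner for c in inventory if c.chain != "internal"}
    return {owner: hosts for owner, hosts in work.items() if owner in external}


if __name__ == "__main__":
    work, unknown = triage(INVENTORY)
    for owner, hosts in sorted(work.items()):
        print(f"{owner}: patch {', '.join(hosts)}")
    print("needs investigation:", unknown)
    print("external parties to chase:", chase_list(INVENTORY))
```

Re-running this against a refreshed inventory is the repeatable part; the `chain` field is what turns a patch list into the list of suppliers and service providers whose contracts need the audit, patching-timescale and notification clauses discussed above.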
