Heartbleed – A High-level Look
Saturday, April 12th, 2014

There has been a lot of information flying about on the Internet concerning the Heartbleed vulnerability in the OpenSSL library. Among system administrators and software developers there is a good understanding of exactly what happened, the potential data losses and proper mitigation processes. However, I’ve seen some inaccurate descriptions and discussion in less technical settings.
I thought I would attempt to explain the Heartbleed issue at a high level without focusing on the implementation details. My goal is to help IT and business leaders understand a little bit about how the vulnerability is exploited, why it puts sensitive information at risk and how this relates to their own software development shops.
Heartbleed is a good case study for developers who don’t always worry about data security, feeling that attacks are hard and vulnerabilities are rare. This should serve as a wake-up call that programs need to be tested in two ways – for use cases and misuse cases. We often focus on use cases: “does the program do what we want it to do?” Less frequently do we test for misuse cases: “does the program do things we don’t want it to do?” We need to do more of the latter.
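To make the use-case / misuse-case distinction concrete, here is an added illustration (a constructed Python simulation written for this post, not OpenSSL’s code): a heartbeat-style echo handler that trusts the sender’s length field, beside one that checks it, and the two kinds of test run against both. The “neighbouring memory” bytes and the request sizes are constructed sample data.

```python
# Constructed simulation of the Heartbleed-style defect: the request carries a
# payload and a length field that is supposed to describe it. The fix that
# closed Heartbleed was, in essence, to check the two against each other.

# Constructed stand-in for whatever happened to sit in memory after the request.
MEMORY_AFTER_REQUEST = b"secret-session-cookie=abc123; private-key-fragment..."


def heartbeat_trusting(claimed_len: int, payload: bytes) -> bytes:
    """Vulnerable: copies claimed_len bytes starting at the payload, so a
    claimed length larger than the payload reads past it into other data."""
    buffer = payload + MEMORY_AFTER_REQUEST
    return buffer[:claimed_len]


def heartbeat_checked(claimed_len: int, payload: bytes) -> bytes:
    """Hardened: the claimed length must match what was actually received."""
    if claimed_len != len(payload):
        raise ValueError("heartbeat length field does not match payload")
    return payload


def use_case(handler) -> bool:
    """'Does it do what we want?' A well-formed request is echoed back."""
    return handler(5, b"hello") == b"hello"


def misuse_case(handler) -> bool:
    """'Does it do things we don't want?' A request that claims more data
    than it sent must not get back anything beyond what it sent."""
    try:
        reply = handler(40, b"hello")
    except ValueError:
        return True  # request refused: nothing leaked
    # Anything longer than the 5 bytes sent came from memory the client never supplied.
    return len(reply) <= 5
```

Both handlers pass the use-case test; only the checked one passes the misuse-case test, which is exactly the gap the post is pointing at.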
I’ve created a 10 minute video to walk through Heartbleed. It includes the parable of a “trusting change machine.” The parable is meant to explain the Heartbleed mechanics without requiring that the viewer be an expert in programming or data encryption.
If you have thoughts about ways to clarify concepts like Heartbleed to a wider audience, please feel free to comment. Data security requires cooperation throughout an organization. Effective and accurate communication is vital to achieving that cooperation.
Here are the links mentioned in the video:
- SANS Internet Storm Center: https://isc.sans.edu/
- SANS Webcast on Heartbleed: http://digital-forensics.sans.org/blog/2014/04/10/heartbleed-links-simulcast-etc
- Blue Slate’s Business Security Brief on Heartbleed (Video): http://www.blueslate.net/Dave/BusinessSecurityBrief/20140412-Heartbleed/
- OWASP Top 10 Web Vulnerabilities List: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project