Heartbleed

ASM Signs Distribution Agreement with the only Technology Vendor Inherently Safe from Heartbleed

By | Date posted: September 22, 2014
  • Forum Sentry by Forum Systems was the only API gateway safe from the Heartbleed OpenSSL cryptographic vulnerability
  • Forum Systems now available to the UK channel through ASM Technologies
  • Forum Sentry is the first API gateway to achieve international security certification with Network Device Protection Profile (NDPP) compliance


Six New OpenSSL Security Vulnerabilities Discovered Since Heartbleed

By | Date posted: June 11, 2014
Heartbleed

In a recent security advisory from June 5th, 2014, six new vulnerabilities were disclosed on OpenSSL’s website. It’s important that these new OpenSSL flaws are being discovered quickly and getting fixed. But these new discoveries are indicative of other potentially devastating security flaws that remain buried in the labyrinth of OpenSSL code. Once again, the discoveries expose the risk of using OpenSSL to process SSL traffic for your mission-critical infrastructure and applications.

OpenSSL is Fṓṝked

By | Date posted: May 12, 2014
Heartbleed

The flensing began rather quickly, with the OpenBSD team cleaning up 90,000 lines of code within a week of Heartbleed. OpenSSL then got royally fṓṝked by OpenBSD, and LibreSSL was born. The divergence between OpenSSL and LibreSSL continues, while OpenSSL fights against change and LibreSSL tries to modernize and flense the OpenSSL codebase.

How Java™ Could Have Prevented Heartbleed

By | Date posted: April 29, 2014
Heartbleed

OpenSSL continues to cast a shadow over the IT industry’s poor choice of programming languages for developing secure software. Niels Ferguson and Bruce Schneier’s mantra, that using a programming language without protection against buffer overflows is tantamount to criminal negligence, is a continuous reminder of the memory-related security bugs that plague our industry.

Load balancers that use OpenSSL

By | Date posted: April 18, 2014
Heartbleed

A list of market-leading load balancers that use OpenSSL to protect HTTP and FTP traffic includes F5, Citrix, Radware, Riverbed, and Barracuda. Load balancers spread traffic among multiple servers and enable high availability for business transactions. They serve as a central conduit for critical business transactions. The load balancer vendors have done a good job of patching their products against the latest OpenSSL vulnerability: Heartbleed.

Heartbleed exposes privates

By | Date posted: April 14, 2014
Heartbleed

This is as serious as it gets. Heartbleed exposes your corporate private keys. Your crown jewels, your keys to the castle... well, you get the idea. Your corporate privates are indeed exposed; they may not have been stolen yet, but they are unequivocally exposed through Heartbleed. It took researchers less than 3 hours to extract private keys from a server as a result of a challenge issued by Cloudflare.

OpenSSL Security Vulnerabilities and other C-based Risks

By | Date posted: April 11, 2014

One of the most significant OpenSSL security vulnerabilities is the latest Heartbleed OpenSSL security flaw (CVE-2014-0160). This OpenSSL security vulnerability is again a re-affirmation that the use of C-based security modules by an enterprise greatly increases its risk posture. You can be certain that IT security folks out there felt they were making the right architectural decisions to secure the enterprise. The problem isn’t the intent; the problem is the premise. Applications wrapped in security band-aids are not a sound enterprise risk mitigation strategy. Sure, Apache and OpenSSL are widely available and have been around for a long time, but look where it has led us.