Large organizations need to determine where they have websites and network equipment that are vulnerable, so that they can remediate rapidly. Scanning your IP address ranges (internal addresses as well as those exposed to the Internet) should be done as soon as possible, to identify every site, server and other device running an affected OpenSSL build (the 1.0.1 line, 1.0.1 through 1.0.1f) that needs immediate patching. Bear in mind that patching closes the hole but does not undo what may already have been read out of memory: private keys, session cookies and passwords on vulnerable servers should be treated as exposed, so reissuing certificates and forcing credential resets belong in the same remediation plan as the upgrade.
In the last few days it has become clear that we are not just talking about websites and web servers. Numerous network equipment vendors have built OpenSSL into their products. Look closely at your routers, switches, firewalls and similar appliances, and establish in which of them an affected OpenSSL is present; these devices usually get their fix only through a vendor firmware release, so expect remediation there to lag behind your web servers. The impact of Heartbleed on these infrastructure components is likely to be the bigger problem for organizations, as the top router manufacturers all have products affected by this vulnerability.
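To make the scanning advice above concrete, here is an added example in C (not code from the original post, and not OpenSSL's own source) that simulates the heartbeat handling behind Heartbleed. A heartbeat request that declares a 200-byte payload but carries a single byte is handed first to a handler that trusts the length field, then to one carrying the bounds check that OpenSSL 1.0.1g introduced. The byte arena, the SECRET string and the 200-byte figure are constructed for the illustration. A Heartbleed scanner sends essentially this request over a TLS connection and flags any host whose reply is longer than what it sent; a patched host simply never answers.

```c
/* Added example: simulation of the TLS heartbeat handling behind Heartbleed
 * (CVE-2014-0160). Not OpenSSL's code. A byte arena stands in for process
 * memory: the heartbeat request sits at the front and constructed data that
 * must never leave the process sits further along. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD  16               /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE 256

/* Constructed sample of what happens to lie next to the record in memory. */
static const char SECRET[] = "Set-Cookie: session=deadbeef";

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap);

/* Heartbeat message: type(1) | payload_length(2) | payload | padding(>=16). */
static uint16_t declared_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: echoes payload_length bytes and never compares that
 * field with how many bytes actually arrived, so memcpy walks off the record. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                /* ignored: this is the bug */
    uint16_t payload = declared_len(rec);
    if (out_cap < 3u + payload)                   /* guards only our own buffer */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* reads past the record */
    return 3u + payload;
}

/* Fixed handler, modelled on the check OpenSSL 1.0.1g added: header plus
 * declared payload plus minimum padding must fit inside the received record,
 * otherwise the message is silently discarded (RFC 6520 section 4). */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 1u + 2u + HB_MIN_PAD)
        return 0;
    uint16_t payload = declared_len(rec);
    if (1u + 2u + (size_t)payload + HB_MIN_PAD > rec_len)
        return 0;
    if (out_cap < 3u + payload)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* now provably inside the record */
    return 3u + payload;
}

/* Lays out a request that carries ONE real payload byte but declares
 * `declared` bytes, with SECRET further along the arena. Returns the number
 * of bytes that genuinely arrived on the wire. */
static size_t build_arena(uint8_t *arena, uint16_t declared)
{
    memset(arena, 'P', ARENA_SIZE);               /* stand-in for other heap data */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(declared >> 8);
    arena[2] = (uint8_t)(declared & 0xffu);
    arena[3] = 'X';                               /* the only genuine payload byte */
    memcpy(arena + 64, SECRET, sizeof SECRET);
    return 1u + 2u + 1u + HB_MIN_PAD;             /* 20 bytes actually received */
}

static size_t run_probe(hb_handler handler, uint16_t declared, uint8_t *out)
{
    uint8_t arena[ARENA_SIZE];
    size_t rec_len = build_arena(arena, declared);
    return handler(arena, rec_len, out, ARENA_SIZE);
}

/* Length of the reply a probe gets back (0 = the handler discarded it).
 * A scanner's tell is a reply far longer than the 20 bytes it sent. */
static size_t response_len(hb_handler handler, uint16_t declared)
{
    uint8_t out[ARENA_SIZE];
    return run_probe(handler, declared, out);
}

/* 1 if the reply carries the neighbouring SECRET bytes, else 0. */
static int response_leaks(hb_handler handler, uint16_t declared)
{
    uint8_t out[ARENA_SIZE];
    size_t n = run_probe(handler, declared, out);
    for (size_t i = 0; i + (sizeof SECRET - 1) <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: %zu bytes back, leaked=%d\n",
           response_len(heartbeat_vulnerable, 200), response_leaks(heartbeat_vulnerable, 200));
    printf("fixed:      %zu bytes back, leaked=%d\n",
           response_len(heartbeat_fixed, 200), response_leaks(heartbeat_fixed, 200));
    printf("fixed, honest request: %zu bytes back\n", response_len(heartbeat_fixed, 1));
    return 0;
}
```

Build with `cc -Wall heartbeat.c && ./a.out`. The vulnerable handler returns 203 bytes, 200 of them from beyond the 20-byte record, and the constructed cookie comes back with them; the fixed handler returns nothing for the malformed request but still answers a well-formed one. A real scan has to complete a TLS handshake first and send the request as a heartbeat-content-type record, which this simulation leaves out, but the decision rule is the same: a reply larger than the request is a vulnerable host.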
Taking a step back from the immediate frenzy of finding vulnerable OpenSSL instances and patching websites and network infrastructure to mitigate this risk, it is pretty clear that we have a lot of work to do as a security community on several fronts:
- Open source security components that gain widespread use need much more serious attention, in terms of finding and fixing software vulnerabilities, in proportion to how much now depends on them.
- For IT hardware and software vendors, and for the organizations that consume their products, OpenSSL and Heartbleed will become the poster child for why we need more rigorous supply chain security mechanisms in general, and for commonly used open source software in particular. At a minimum that means knowing which of your products, and which of your suppliers' products, embed which version of which component, so that the next advisory can be mapped onto an inventory rather than rediscovered by scanning.
- The widespread impact of Heartbleed should also focus attention on the need for radically improved security for the emerging Internet of Things. As bad as Heartbleed is, imagine a similar situation when there are billions of IP devices connected to the Internet, many of them with no practical patching path at all. This is precisely where we are headed absent big changes in software assurance and supply chain security for IoT devices.
You also need to ensure that your suppliers are implementing security practices at least as good as yours, including telling you promptly which of their products embed an affected component and when a fix will ship. How many websites were caught out by Heartbleed because of something their upstream supplier did?