Covisint used OpenSSL when Heartbleed was revealed, and yet the company was completely safe from the exploit. How? Miller said his team understands OpenSSL’s internals and had long ago recompiled the project using only the parts they needed.
“There are two ways you can install OpenSSL: You can take the modules and install and use them, or you can take the object modules and recompile,” he said. “One of the things we did—and this is why Heartbleed did not affect us—the vulnerability was part of this Heartbeat module that was a UDP module. Very few of our systems use UDP, so I didn’t compile it into my OpenSSL implementations. We’ve had the same problems with [Secure FTP]; we recompiled the FTP modules to only allow puts. The only command available was put. You just don’t compile the functionality in, you compile it as small as possible.”
Mathieu Baissac, vice president of product management at Flexera, advocates for another tactic for software developers: staying on top of your updates.
That doesn’t just mean updating servers and your internal software; it means updating your products as soon as possible once they’re in the field. Baissac advocates speed as the solution, rather than simply preparedness on the code side. “There’s always going to be a Heartbleed, especially because it wasn’t even our software,” he said. “No matter how good their coding practice was, there was no way they could solve that themselves.
“When I think of Heartbleed, I don’t think about coding practices, but rather how do you get that fixed as fast as possible. There’s always going to be bugs and security issues. The thing you want to concentrate on is not relying on the end customer to go get their latest patch, because they never will. You’ve got to put things in your product so it is smart enough to say, ‘Do you have new firmware for me?’ ”
Flexera makes software that automates field updates of OEM and ISV products, so that a product already shipped to customers can fetch and install new software itself when a release becomes available.
While that is one solution, internally hosted applications still need to be kept up to date so that the services they provide to your customers do not expose those customers to undue risk. Axway’s Mark O’Neill, vice president of innovation, urges developers to be careful with their APIs, with how they implement them, and with how they handle the keys that protect them.
“In the case of APIs, if you look at the security models around APIs, often a developer is working around API keys,” he said. “It’s up to the developers to manage those keys, make sure they’re not including those keys in the application. Those are gotchas that developers have to be aware of. There have been recent examples where developers have put code into GitHub, but left the API keys in GitHub, leaving them vulnerable to social engineering-type attacks. If you look at the awareness of security around API keys, I don’t think it’s the level of SSL private keys. Everyone knows SSL private keys are sensitive and have to be stored on the file system, but in the case of API keys, that kind of practice can’t happen.”
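The leak O’Neill describes, a key left in source that is pushed to a public repository, is cheap to catch before the commit leaves the developer’s machine. The following is an added example, not code from Axway or from the article: a small pre-commit style scanner that flags credential-looking literals in source text, next to the practice it should replace them with, reading the key from the environment (or a secret store behind it) at runtime. The regexes and the two sample files are constructed for this example and are assumptions, not a complete secret-scanning ruleset; the AWS-style key is Amazon’s documented placeholder value, not a real credential.

```python
import os
import re
import sys
from dataclasses import dataclass

# Illustrative heuristics written for this example (an assumption). Real
# scanners carry hundreds of vendor-specific rules; the shape is the same.
PATTERNS = {
    # AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A variable named like a key/secret/token assigned a long literal string.
    "generic_api_key": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""
    ),
    # PEM private key material pasted straight into a file.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; an empty list means clean."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, pat in PATTERNS.items():
            if pat.search(line):
                findings.append(Finding(n, rule, line.strip()))
    return findings


def require_secret(name: str, env=None) -> str:
    """Fetch a secret from the environment (or an injected mapping) and fail
    loudly if it is absent, rather than falling back to a literal in code."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(
            f"missing secret {name}; set it in the environment or secret store"
        )
    return value


# Constructed sample: the kind of file that ends up in a public repository.
LEAKY_SOURCE = """\
import requests

# TODO remove before push
API_KEY = "sk_live_51HxExampleOnlyNotARealKey0000"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"

def fetch():
    return requests.get("https://api.example.com/v1/items",
                        headers={"Authorization": f"Bearer {API_KEY}"})
"""

# Constructed sample: the same client with the key supplied at runtime.
CLEAN_SOURCE = """\
import os
import requests

def fetch():
    key = require_secret("PAYMENTS_API_KEY")
    return requests.get("https://api.example.com/v1/items",
                        headers={"Authorization": f"Bearer {key}"})
"""


if __name__ == "__main__":
    # Usage: python scan.py file1 file2 ...   (no args: scan the two samples)
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {
        "leaky.py": LEAKY_SOURCE,
        "clean.py": CLEAN_SOURCE,
    }
    status = 0
    for path, text in sources.items():
        for f in scan_source(text):
            print(f"{path}:{f.line_no}: {f.rule}: {f.snippet}")
            status = 1
    sys.exit(status)
```

Run as a pre-commit hook, a non-zero exit blocks the commit that would have shipped the key. The scanner only sees literals, so the complementary half is `require_secret`: once the code insists on fetching the key at runtime, there is no literal left to leak, and a missing key fails at startup instead of silently using a stale one.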
But no matter what practices you put in place to handle software security, Adacore’s Dewar is still shocked at the lack of software security regulation and awareness out there.