Heartbleed, the recent security flaw found in OpenSSL, is just one of many flaws discovered in this open source code base. Many load balancer providers have bolted OpenSSL onto their products to terminate the SSL/TLS traffic passing through them. Here are five questions you should ask your provider to ensure you are not exposed to the next OpenSSL flaw:
1. Do you use OpenSSL in your products?
As more and more flaws are found in OpenSSL, there comes a point when you have to ask yourself whether it is worth it. Heartbleed, the most recent, sat in the code base unnoticed for roughly two years: the bug shipped in OpenSSL 1.0.1 in March 2012 and was disclosed in April 2014. Are there other flaws we don't know about that are being exploited right now? There are other ways to secure your SSL traffic. Security can no longer be an afterthought.
2. If yes, were you aware of the potential security risks that come with OpenSSL?
The fact that OpenSSL is embedded in a product whose whole purpose is to process secure traffic should raise a red flag: it suggests that security is not the vendor's first priority. You would be better off using a dedicated SSL proxy for SSL processing alongside a load balancer for traffic management.
3. Do your engineers review the code changes that are checked into the OpenSSL library?
Code review is a general best practice for professional engineering teams, and having engineers review every line of code before it is deployed should be expected of any reliable technology company. It reduces security flaws, downtime and other risks. When working with something as critical as SSL traffic, it is imperative that all code be reviewed, including the upstream changes a vendor pulls in. Heartbleed was a missing bounds check on a peer-supplied length field, exactly the kind of defect a review focused on untrusted input is meant to catch.
4. What programming language are your load balancers written in?
This is often overlooked. Some programming languages are safer than others. Had OpenSSL been written in Java, the Heartbleed bug would have raised an exception instead of leaking memory. C, the language OpenSSL is written in, performs no bounds checking on memory accesses, so a read that runs past the end of a buffer (a buffer over-read, which is what Heartbleed is) simply returns whatever happens to sit in the adjacent memory, which is how it leaks additional information.
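To make the point concrete, here is an added example (written for this article, not taken from OpenSSL's source) that models the TLS heartbeat handling pattern behind Heartbleed in a few dozen lines of C. The record layout follows RFC 6520: a one-byte type, a two-byte peer-supplied payload length, the payload, then at least 16 bytes of padding. The unchecked path copies `payload_length` bytes no matter how long the received record actually was; the checked path applies the same test as the real fix, rejecting any record whose claimed length exceeds what was received. The function names, the `CONN_BUF` and `GOOD_REQ` byte strings and the "PASSWORD=hunter2" contents are all constructed for the demonstration; placing the "adjacent memory" inside the same array keeps the over-read deterministic, whereas in a live process it returns whatever sits next to the record on the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): [type:1][payload_length:2][payload][padding >= 16] */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/*
 * Build a heartbeat response for the request record `rec` (rec_len bytes received)
 * into `resp` (resp_cap bytes). Returns bytes written, or 0 if the record is discarded.
 * With check_length == 0 the peer-supplied payload_length is trusted, which is the
 * Heartbleed pattern; with check_length == 1 the claimed length is validated against
 * the record actually received, which is the shape of the fix.
 */
static size_t hb_respond(const uint8_t *rec, size_t rec_len, int check_length,
                         uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* attacker-controlled */
    if (check_length && (size_t)3 + payload + HB_MIN_PADDING > rec_len)
        return 0;                     /* the fix: claimed length exceeds the record, discard */
    size_t out = 3 + payload + HB_MIN_PADDING;
    if (out > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);   /* C never checks that rec + 3 + payload is inside the record */
    memset(resp + 3 + payload, 0, HB_MIN_PADDING);
    return out;
}

size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t cap)
{
    return hb_respond(rec, rec_len, 0, resp, cap);
}

size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t cap)
{
    return hb_respond(rec, rec_len, 1, resp, cap);
}

/* Constructed input: a 3-byte heartbeat record that claims a 16-byte payload but sends
 * none, followed in the same buffer by data belonging to another part of the connection. */
#define MALICIOUS_REC_LEN 3
static const uint8_t CONN_BUF[] = {
    HB_REQUEST, 0x00, 0x10,                                            /* payload_length = 16 */
    'P','A','S','S','W','O','R','D','=','h','u','n','t','e','r','2'    /* "adjacent memory" */
};

/* Constructed well-formed request: 4-byte payload "ping" plus 16 bytes of padding. */
static const uint8_t GOOD_REQ[] = {
    HB_REQUEST, 0x00, 0x04, 'p','i','n','g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

/* Returns 1 if the unchecked handler echoed the 16 bytes lying beyond the 3-byte record. */
int vulnerable_leaks_adjacent_memory(void)
{
    uint8_t resp[64];
    size_t n = heartbeat_vulnerable(CONN_BUF, MALICIOUS_REC_LEN, resp, sizeof resp);
    return n == 3 + 16 + HB_MIN_PADDING && memcmp(resp + 3, "PASSWORD=hunter2", 16) == 0;
}

/* Returns 1 if the checked handler discards the malicious record. */
int fixed_rejects_malicious_record(void)
{
    uint8_t resp[64];
    return heartbeat_fixed(CONN_BUF, MALICIOUS_REC_LEN, resp, sizeof resp) == 0;
}

/* Returns the response length for a well-formed request, or 0 if it was wrongly rejected. */
size_t fixed_answers_valid_request(void)
{
    uint8_t resp[64];
    size_t n = heartbeat_fixed(GOOD_REQ, sizeof GOOD_REQ, resp, sizeof resp);
    return (n == sizeof GOOD_REQ && memcmp(resp + 3, "ping", 4) == 0) ? n : 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %d\n", vulnerable_leaks_adjacent_memory());
    printf("fixed handler rejects malicious record:   %d\n", fixed_rejects_malicious_record());
    printf("fixed handler answers valid request:      %zu bytes\n", fixed_answers_valid_request());
    return 0;
}
```

The only difference between the two handlers is the single comparison against `rec_len`; everything the attacker needs is the two-byte length field they control. The same check is also what a reviewer of the original change would have had to notice, which is why question 3 above matters as much as question 4.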
5. What is your plan to replace OpenSSL in your products?
If your load balancer provider doesn't have a plan to remove OpenSSL from its products, it's time to consider another vendor for managing your SSL traffic. At the time of Heartbleed, OpenSSL, by its own foundation's account, "only has one full-time developer and generates less than $2,000 in donations a year". Are you willing to entrust your IT infrastructure to a code base with so little funding and so few development resources?