Does Heartbleed exploit risk always justify patching?

Date: Jul 18, 2014

As widespread as the Heartbleed OpenSSL vulnerability was, affecting nearly all enterprises, Heartbleed exploits were surprisingly limited.

According to Jay Heiser, research vice president with Stamford, Connecticut-based IT research firm Gartner Inc., despite its pervasiveness, Heartbleed largely turned out to be a non-issue. In turn, this should spawn an interesting discussion among enterprises about whether the time, effort and cost of patching every Heartbleed flaw is ultimately justified.

"I'm sure there are instances in which some organizations could continue indefinitely [without patching Heartbleed]," Heiser said. "But I don't know how an organization would make that determination."

In this interview, conducted at the 2014 Gartner Security & Risk Management Summit, Heiser discusses Heartbleed and what it means for enterprises in the context of risk assessment, vulnerability management ROI and the ubiquitous use of vulnerable code.

"One piece of code was so pervasively used across the nexus by so many hardware devices and software implementations," Heiser said. "We may never again see an instance in which such a monocultural failure took place. But what other single points of failure are still out there?"

