Does Heartbleed exploit risk always justify patching?Date: Jul 18, 2014
According to Jay Heiser, research vice president with Stamford, Connecticut-based IT research firm Gartner Inc., despite its pervasiveness Heartbleed largely turned out to be a non-issue. In turn, this should spawn an interesting discussion among enterprises about whether the time, effort and cost of patching every Heartbleed flaw is ultimately justified.
"I'm sure there are instances in which some organizations could continue indefinitely [without patching Heartbleed]," Heiser said. "But I don't know how an organization would make that determination."
In this interview, conducted at the 2014 Gartner Security & Risk Management Summit, Heiser discusses Heartbleed and what it means for enterprises in the context of risk assessment, vulnerability management ROI and the ubiquitous use of vulnerable code.
"One piece of code was so pervasively used across the nexus by so many hardware devices and software implementations," Heiser said. "We may never again see an instance in which such a monocultural failure took place. But what other single points of failure are still out there?"