Does Heartbleed exploit risk always justify patching?

Widespread as the Heartbleed OpenSSL vulnerability (CVE-2014-0160, a bounds bug in the TLS heartbeat extension) was, reaching nearly every enterprise, confirmed Heartbleed exploits were surprisingly few.

According to Jay Heiser, research vice president with Stamford, Connecticut-based IT research firm Gartner Inc., Heartbleed, despite its pervasiveness, largely turned out to be a non-issue. That outcome, he argues, should prompt a frank discussion within enterprises about whether the time, effort and cost of patching every vulnerable OpenSSL instance was ultimately justified.

"I'm sure there are instances in which some organizations could continue indefinitely [without patching Heartbleed]," Heiser said. "But I don't know how an organization would make that determination."

In this interview, conducted at the 2014 Gartner Security & Risk Management Summit, Heiser discusses Heartbleed and what it means for enterprises in the context of risk assessment, vulnerability management ROI and the ubiquitous use of vulnerable code.

"One piece of code was so pervasively used across the nexus by so many hardware devices and software implementations," Heiser said. "We may never again see an instance in which such a monocultural failure took place. But what other single points of failure are still out there?"
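Heiser's question of how an organization would make that determination has, at the level of a single host, a concrete answer: an unpatched OpenSSL heartbeat handler trusts the length field in an incoming heartbeat request and echoes back that many bytes of process memory, while the fix shipped in OpenSSL 1.0.1g discards any request whose claimed payload does not fit inside the record actually received. The Python below is an added example, not code from the page, from Gartner or from OpenSSL. It builds the malformed heartbeat probe, models both the unpatched and the patched handler, and classifies the response. The `simulated_server` function and the `SECRET_MEMORY` bytes are constructed stand-ins for a live server and its heap; a real check would first need a TLS handshake that negotiates the heartbeat extension, which this block omits.

```python
"""Offline Heartbleed exposure check (added example; hypothetical module, not OpenSSL's code)."""
import struct

TLS_HEARTBEAT = 0x18            # TLS ContentType for the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
HB_MIN_PADDING = 16             # padding OpenSSL appends to every heartbeat it sends


def build_heartbeat_request(payload=b"probe", claimed_len=None, padding=bytes(HB_MIN_PADDING)):
    """TLS heartbeat record. claimed_len=None gives a well-formed request;
    a claimed_len larger than len(payload) is the Heartbleed probe."""
    if claimed_len is None:
        claimed_len = len(payload)
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


def parse_records(data):
    """Split raw TLS bytes into (content_type, (major, minor), body) tuples; stop at a truncated record."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, (vmaj, vmin), body))
        off += 5 + length
    return records


def assess_response(sent_payload, response):
    """Classify what came back after sending a heartbeat carrying `sent_payload`.

    Returns ("vulnerable", leaked_bytes) when the server echoed more than it was sent,
    ("no_leak", b"") when the echo was bounded or the request was discarded, and
    ("inconclusive", b"") when a heartbeat came back that does not echo our payload.
    Assumes the heartbeat extension was negotiated during the handshake."""
    for ctype, _, body in parse_records(response):
        if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_RESPONSE:
            continue
        echoed = body[3:]
        if not echoed.startswith(sent_payload):
            return "inconclusive", b""
        # A compliant echo is exactly the payload plus padding; anything beyond that was read past the request.
        extra = len(echoed) - len(sent_payload) - HB_MIN_PADDING
        if extra > 0:
            return "vulnerable", echoed[len(sent_payload):-HB_MIN_PADDING]
        return "no_leak", b""
    return "no_leak", b""


def simulated_server(record, memory_after, patched):
    """Constructed model of OpenSSL's heartbeat handler (not OpenSSL's own code).
    `memory_after` stands in for whatever sat in the heap right after the received record."""
    body = record[5:]
    hb_type, claimed = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return b""
    # The 1.0.1g fix, paraphrased: discard a request whose claimed payload plus the
    # mandatory padding cannot fit inside the record that actually arrived.
    if patched and 1 + 2 + claimed + HB_MIN_PADDING > len(body):
        return b""
    heap = body[3:] + memory_after
    echoed = heap[:claimed]  # unpatched: claimed may exceed what arrived, so this reads past the request
    resp = struct.pack("!BH", HB_RESPONSE, claimed) + echoed + bytes(HB_MIN_PADDING)
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(resp)) + resp


# Constructed stand-in for heap contents lying next to the request buffer.
SECRET_MEMORY = b"sessionid=abc123; Authorization: Basic Zm9vOmJhcg==" + bytes(0x4000)


def run_checks():
    """Run the probe against both models; returns {scenario: (status, leaked_bytes)}."""
    probe = build_heartbeat_request(b"probe", claimed_len=0x4000, padding=b"")
    well_formed = build_heartbeat_request(b"probe")
    return {
        "unpatched_probe": assess_response(b"probe", simulated_server(probe, SECRET_MEMORY, patched=False)),
        "patched_probe": assess_response(b"probe", simulated_server(probe, SECRET_MEMORY, patched=True)),
        "patched_well_formed": assess_response(b"probe", simulated_server(well_formed, SECRET_MEMORY, patched=True)),
    }


if __name__ == "__main__":
    for name, (status, leaked) in run_checks().items():
        print(f"{name}: {status}, {len(leaked)} bytes leaked, starts with {leaked[:24]!r}")
```

The unpatched model answers the probe with the full 16 KiB it was told to copy, most of it memory the client never sent; the patched model answers the same probe with nothing and still echoes a well-formed heartbeat correctly. That distinction, not the OpenSSL version string alone, is what a scanner should key on when deciding which of an enterprise's many OpenSSL instances actually need the patch.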
