IT Security Guru

DOSarrest – cloud could prevent the Heartbleed scares

by The Gurus
April 14, 2014
in Editor's News

Cloud services may be the beneficiary of the Heartbleed flaw, according to DOSarrest CTO Jag Bains.
 
Bains said that while the magnitude of this event is larger than any previous event, it illustrates how cloud services have been able to significantly reduce exposure for those who use them.
 
“By concentrating their web technologies to leverage a cloud provider, enterprises were able to focus on whether their cloud service provider were vulnerable or not, and determine how fast they were going to fix their systems if they were,” he said. He called it a “much more appealing situation instead of auditing hundreds of systems and work flow processes”.
 
In an email to IT Security Guru, Ian Pratt, co-founder of Bromium, said that micro-virtualisation has a role to play on the server where it could have helped mitigate the effects of Heartbleed. “If a separate micro-VM is created on the server for each customer of a website as they log in, complete with its own SSL/TLS stack, the ability for bugs like this to leak session keys or data belonging to other users is eliminated,” he said.
 
“In fact, micro-virtualisation can protect you from a very broad category of server-side vulnerabilities, and is a very interesting area of development beyond the current client-side use case of Bromium vSentry.”
 
Asked if he was surprised that so many popular websites had implemented open source software, Pratt said that this is a natural choice for many popular websites as it gives them an ability to customise the software and to scale to millions/billions of users.
 
He said: “OpenSSL is a popular and well respected implementation of SSL/TLS that has government FIPS certification. It’s a natural choice for anyone implementing a web site using an open source software stack.
 
“This bug is a really bad one, but you can’t look at a single bug and draw conclusions about software in general. Popular open source projects typically have a security defect rate that is at least as good (and many would argue better) than equivalent proprietary software products.
 
“The sad fact is that it’s quite possible that similarly bad bugs may be lurking in proprietary implementations of SSL/TLS, they just haven’t been discovered yet. Diversity in both implementation and algorithm is good, hence it is fortunate that a site developer can choose from a variety of open source implementations (e.g. GnuTLS, NSS, CyaSSL etc) as well as a number of proprietary ones.”

Tags: Cloud, Heartbleed, MSSP