nss Cybersecurity As a Service
nss Privileged Access Management
nss MSP & ITSP Integrated Solutions
nss Data Security Management
nss Password Management for MSPs
nss Vulnerability Assessment & Management
nss Application Security Testing for Enterprise
nss Link Load Balancing, Wifi & SDWAN
nss Next-gen threat resilience
nss Document Security
nss Server Load Balancing, Secure GW, WAN Optimization
nss Email Archiving
nss PKI Solutions & Identity Services
nss Tiered Backup Storage
nss Physical / Virtual Backup & Disaster Recovery
nss Secure Critical Communications
nss SIEM & Log Management
nss Threat & Vulnerability Management Platform
PRODUCTS
PRODUCTS
Facebook Twitter Linkedin Youtube Rss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss
nss

Array. How Safe is OpenSSL?

The passing of the one-year anniversary of the OpenSSL Heartbleed vulnerability – and a recent rash of highly exploitable vulnerabilities with names of lesser cachet – led me to wonder: Just how frequently are OpenSSL vulnerabilities reported, and what are their impacts?

While Array has developed our own proprietary SSL stack for production traffic, we do use OpenSSL for certain of our products’ functions such as our XML RPC and SOAP APIs, WebUIs and other non-traffic-related tasks. Thus, this exercise is categorically not about OpenSSL bashing – rather, it’s intended to gain a better understanding of the vulnerability landscape and to serve as a foundation for discussion on network security as a whole.

The infographic below was compiled from the NIST National Vulnerability Database, and lists vulnerabilities with Exploitability Subscores of 8.5 and higher (with 10 being the highest). While every attempt was made to ensure accuracy and completeness, the vast scope of the NIST database makes this a nearly insurmountable task.

As you will see, like almost every software ever created, OpenSSL has had its share of vulnerabilities over the years. Many were reported at or shortly after a major product release; after the 1.0.2 release on Jan. 22, 2015, for example, CVE-2015-0291 and CVE-2015-0292 were reported less than two months later.

In many ways, that’s the nature of the beast in open-source software development. The very structure that gives open source such great qualities – multiple developers (often volunteers) working together to create a freely-available code base – can also lead to errors because developers are working independently. However, with an entire community of developers, any errors are typically fixed very quickly, thus mitigating the impact.

And in all fairness, Array products were vulnerable to a couple of the vulnerabilities listed here, as well as a handful of others with lesser exploitability scores. Usually those vulnerabilities were related to the functions mentioned above, or to our older, end-of-sale products like the SPX and TMX Series. Follow the Array Support Twitter feed to keep up to date on all our product notifications.

Next time, I’ll dig deeper into the differences between open-source development and proprietary code bases, and offer concrete suggestions on keeping your network safe. Until then, let’s all be careful out there.

You can read the original article, here.

Are you ready to move on to the next level?
Contact us
Facebook Twitter Linkedin Youtube Rss

NSS

Visitor Info

Operating System: -
IP Address: 3.139.239.136

Contact us

Emergency Disinfection
Copyright © NSS. All Rights Reserved.
website by 9AM