Heartbleed: A Q&A with CERT

By Will Dorman on May 16, 2014

The Heartbleed bug, a serious vulnerability in the OpenSSL cryptographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption used to secure the internet.

Heartbleed, fundamentally a coding mistake and one that could have been prevented, left many questions in its wake:

  • Would the vulnerability have been detected by static analysis tools?
  • If the vulnerability has been in the wild for two years, why did it take so long to bring it to public knowledge?
  • Who is ultimately responsible for open-source code reviews and testing?
  • Is there anything we can do to work around Heartbleed to provide security for web-based banking and email applications?
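To make the "coding mistake" concrete for the static-analysis question above, here is an added example (not code from the webinar, CERT, or OpenSSL) of the bounds check a heartbeat handler needs: the message's own payload_length field must be verified against the bytes actually received before anything is echoed back. The record layout follows RFC 6520; the sample records are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Returns the payload length if the record is self-consistent, or -1 if the
   payload_length field claims more bytes than the record actually carries
   (the unchecked condition behind Heartbleed). */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR_LEN + claimed + HB_MIN_PADDING > rec_len) return -1;
    return claimed;
}

/* Builds the response from the verified payload only. Returns bytes written or -1. */
int heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    int plen = heartbeat_payload_len(rec, rec_len);
    if (plen < 0) return -1;
    size_t need = HB_HDR_LEN + (size_t)plen + HB_MIN_PADDING;
    if (out_cap < need) return -1;
    out[0] = 2;                               /* heartbeat_response */
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)plen);
    memset(out + HB_HDR_LEN + plen, 0, HB_MIN_PADDING); /* fresh padding, never copied from input */
    return (int)need;
}

/* Convenience wrapper: response length for a record, using a local buffer. */
int demo_response_len(const uint8_t *rec, size_t rec_len) {
    uint8_t out[64];
    return heartbeat_response(rec, rec_len, out, sizeof out);
}

/* Constructed 22-byte records: 3-byte payload "abc" plus 16 bytes of padding. */
static const uint8_t honest_rec[] = { 1, 0x00, 0x03, 'a', 'b', 'c',
                                      0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };
/* Identical bytes, but payload_length claims 0xFFFF. A checked handler rejects it. */
static const uint8_t lying_rec[]  = { 1, 0xFF, 0xFF, 'a', 'b', 'c',
                                      0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };

int main(void) {
    printf("honest record -> %d bytes\n", demo_response_len(honest_rec, sizeof honest_rec)); /* 22 */
    printf("lying record  -> %d\n", demo_response_len(lying_rec, sizeof lying_rec));         /* -1 */
    return 0;
}
```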

In late April 2014, researchers from the Carnegie Mellon University Software Engineering Institute and Codenomicon, one of the cybersecurity organizations that discovered the Heartbleed vulnerability, participated in a webinar panel to discuss Heartbleed and strategies for preventing future vulnerabilities.

To view the entire webinar, click here.


Will Dorman has been a software vulnerability analyst with the CERT Coordination Center since 2004, with a focus on web browser technologies, ActiveX, and fuzzing.