For the past two years, an undetected heartbleed software bug in OpenSSL allowed sophisticated hackers such as nation states, organized cyber-crime syndicates, and intelligent agencies, access to thousands of business applications, financial applications, payment applications, banking applications, and security applications. SSH protocol inventor Tatu Ylonen stated the heartbleed bug in OpenSSL is going to cost companies a few hundred dollars per server to a few thousand per server to fix.
Security Guru Bruce Scheier rates this software bug an 11 on a scale from 1 to 10, with 10 being the worse. At this point, what are you going to do? The industry will recover, corporations will lose billions, and life goes on, right. Actually, there is much the CDN industry can do to prevent a catastrophe like this.
Impact of Heartbleed Bug
- Netcraft: Bug impacts 17% of SSL web servers issued by trusted Certificate Authorities
- Apache and Nginx, which make up 66% of the web server market use OpenSSL extensively
- OpenSSL Heartbleed extension is used on 17.5% of web sites
- OpenSSL bug impacts 500,000 to 600,000 certificates
- Security Guru Bruce Schneier rates this catastrophic bug an 11 out of 1 to 10 (10 being the worse)
Impact of OpenSSL Bug on CDN Ecosystem
The impact of the Heartbleed bug in OpenSSL is major. The security implications go way beyond simply patching servers, re-issuing certificates and keys, and forcing users to change their passwords. The breach opens up a whole can of worms in the CDN ecosystem, as there are many CDNs and media based cloud companies using open source libraries extensively. The first one that comes to mind is FFmpeg. FFmpeg is the gold standard in open source encoding / transcoding software, whose libraries and programs are used by many players in the industry.
The question I have for the vendors offering cloud transcoding services, did they run every line of code through a scanner checking for vulnerabilities? I think the hardware based encoders using FFmpeg are secure in that software running on appliances are usually re-written completely, thoroughly vetted, and fine-tuned for the ASIC hardware.
At a minimum, any company offering cloud transcoding services based on FFmpeg should use an automated scanning tool that reviews every single line of code for vulnerabilities. If proprietary applications backed by billion companies have vulnerabilities, how much more will open source software? Products like the IBM AppScan or app scanning service like Contrast Security should be a tool used extensively in the application development life cycle. First Target, than OpenSSL, who or what’s next?