The Heartbleed fiasco threw the entire CDN industry into disarray. For the last couple of days, fixing the Heartbleed bug has been the #1 concern for the C-level execs at all of the CDNs. There has never been anything like it in CDN history. Being in the CDN business is hard enough; then, at a moment’s notice, a historic problem falls in the lap of the CDN requiring immediate resolution, or else hackers have a field day with the CDN’s customers. There are many lessons to be learned from this incident. The first one that comes to mind is the following.
Lesson #1 – Use Contrast Security
Any CDN using any kind of open source code must go back to the drawing board and review every single line of code in the open source libraries to make sure there are no vulnerabilities of any kind. If an incident like this happens to only one CDN, and not the other CDNs, you can bet that CDN is going to lose a ton of customers and prospects, guaranteed. The competing CDNs’ sales reps are going to have a field day feeding FUD into the ears of prospects, scaring them away from the CDN with vulnerabilities.
During my research over the last couple of months, I came across this cool security company called Contrast Security. They offer a cloud-based service that is orders of magnitude better than IBM AppScan. The online service scans custom code and open source libraries, pinpointing vulnerabilities and providing actionable code-level remediation. I reached out to the co-founder of Contrast Security and asked him whether, if a CDN had used Contrast Security’s services, the Heartbleed problem would have been fixed. The short answer is yes. But don’t take my word for it; here is his answer:
“Contrast finds problems like #heartbleed, except at the application layer, not the infrastructure. Most organizations were able to quickly scan for servers that were vulnerable to HeartBleed and get them patched. But when problems with application layer libraries crop up, most organizations have no infrastructure to find and eliminate them. That’s where Contrast comes in — we shine a floodlight on security in the application layer.”
First Lesson CDNs Can Learn from Heartbleed Fiasco