Jason Sabin CTO of DigiCert Inc. Passionate about simplifying security, including digital certificate management for device & user identity.
This spring marked the seventh anniversary of Heartbleed, the vulnerability discovered in the OpenSSL cryptographic library widely used on servers and embedded devices around the world.
Heartbleed unveiled a vast tier of exposures in open-source software that had been quietly metastasizing for decades. Companies suffered at scale in replacing vulnerable certificates when Heartbleed was revealed. Yet even today, some companies that replaced certificates continue to lack effective crypto-agility and modern certificate management capabilities.
Security teams should consider protocols, libraries, algorithms or digital certificates where cryptography is being used in their organization. They should also review how cryptography is being used and ensure they can quickly identify and remediate issues.
A Massive Influx Of IoT Devices Without Proper Security Controls
IoT devices are all around us, but many lack proper security. Hackers can tap into WiFi-connected devices, cameras, security motion sensors, industrial equipment and other connected devices for personal gain. They can also insert malicious viruses to use these devices to exploit computers, servers and storage systems.
To strengthen device identity and authentication, data encryption and data and device integrity, many industries and device manufacturers are turning to public key infrastructure (PKI) and digital certificates. For decades, organizations have relied on PKI to protect website communications due to its scalability, proven use and ability to provide non-repudiation. Within IoT, PKI is used to authenticate devices to the network, sign firmware and over-the-air updates on devices as well as sign other objects, messages and data.
Absent best practices in PKI deployments and certificate management, the impacts of Heartbleed could pale in comparison to the risk represented by the billions of IoT devices deployed throughout the world today if another vulnerability is discovered.
Applying The Lessons From Heartbleed
When Heartbleed hit, companies needed to patch the versions of OpenSSL they used. At that time, Heartbleed leaked a device or server private key. Installing new certificates with a new key pair automatically on their devices was difficult, and only a few companies had certificate management that could locate and automatically update them.
Most of the digital certificates and private keys affected by Heartbleed were (and often still are) managed using spreadsheets. Administrators had to manually find out which certificates were deployed on all their servers and devices, then install each one. Imagine doing that with tens of thousands, or even millions, of devices.
Enterprises should consider whether their company is fully prepared for the next time they may be required to replace their digital certificates at scale.
The rise of quantum computing could create such an event. A DigiCert survey found that 71% of IT decision-makers believe quantum computers will be able to break existing cryptographic algorithms by 2025. Post-quantum cryptography (PQC) can strengthen cryptography, decreasing the possibility of security breaches. But many companies lack a clear understanding of the crypto they deploy, making it nearly impossible to rapidly locate and update all the exposed servers and devices when a fresh vulnerability emerges.
Now consider all the crypto libraries currently going into IoT devices. Moving forward, companies are going to have to respond if quantum computers render current crypto algorithms outdated or a similar vulnerability is discovered. They will need to consider adding security patches and new key pairs and replacing digital certificates in all their IoT devices.
Addressing Security Vulnerabilities Today, While Future-Proofing With Crypto-Agility
Digital certificates authenticate the identities of connected devices, encrypt sensitive data and provide security for device boots and over-the-air updates. This includes about every piece of hardware and software that interconnects to a digital service.
One way to keep crypto libraries and digital certificates updated is to integrate PKI with IoT device management platforms via an automated certificate management system. These systems can be deployed on-site or delivered as a managed service. They could also be used to distribute advanced algorithms, such as PQC updates.
Strengthening Confidence With Internal Open-Source Reviews
Open-source libraries are fundamental to many of today’s software solutions. Although most undergo rigorous review cycles, organizations should still perform their own reviews of the libraries they are utilizing. The Heartbleed incident was based on an OpenSSL vulnerability that nobody had noticed until two years after the bug had slipped through.
Organizations should examine their open-source code not only through static and dynamic analysis, but also look for vulnerabilities in the wild. Many tools are available that let enterprises import open-source libraries and perform a basic analysis of their security posture.
Audits are critical as well because the majority of open-source libraries have not been cryptographically signed. Developers create a fork out of the project, make sure their release is stable and add the library to their application, then code-sign the application when complete.
This can introduce issues, even if an organization signs the final application code. If the developer team incorporates a vulnerable open-source library that signed application could still contain an existing vulnerability that could expose personal information or other sensitive data. An audit should encompass not only the application, but also its open-source elements, before signing.
Nurturing A Security-By-Design Culture
Safer CI/CD processes require a strong security-by-design mindset and training and communication of best practices are essential to strengthening this culture.
First, developers will need to learn how to integrate their signing processes with the tools and processes they use every day. A code signing solution should support integration into CI/CD pipeline and other build processes that allow developers to build their functionality, request a certificate and sign the finalized code at the right time, without exception.
Enterprises must train their team to adopt a specific, step-by-step process for developing and securing code. Randomly choosing a certificate in the middle of a build and signing at the end only plants the seeds for future problems. Although training requires time and resources, the investment will be well worth it.
As post-quantum and other new technologies emerge and digital transformation advances, the cycle of change will accelerate. When it comes to security, the best protection is preparation.
This is a syndicated post. Read the original post at Source link .