Corsec Perspectives

How Heartbleed Affects Your Security Certifications

Much has been in the news over the past couple of months about the security vulnerability known as Heartbleed. It is of vital interest to businesses and consumers, but especially so for businesses with products intended to provide security for their users. There are some specific and unique impacts to companies who are planning or are in the midst of obtaining a security certification for any of their products. Here is a quick summary of what the issue is and how it potentially affects your certification activities.

What is Heartbleed?

Heartbleed is a vulnerability that allows an attacker to read a server’s memory, where sensitive information such as usernames, passwords and encryption keys may be stored. It does so by exploiting a weakness in OpenSSL, a widely used open-source cryptographic library that encrypts web communications. This vulnerability is one of the most significant and disruptive in recent years.

How long has Heartbleed been an issue?

Even though the issue only came to public attention via media reports in April 2014, the Heartbleed bug dates back to December 2011. It affects OpenSSL version 1.0.1 (released in March 2012) and all subsequent versions up to and including 1.0.1f (released Jan. 6, 2014). The beta versions of OpenSSL 1.0.2 are also vulnerable. Earlier versions of OpenSSL (0.9.8, 1.0.0) are not affected, nor is OpenSSL 1.0.1g.
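One way to turn the version list above into a repeatable check, as an added example that is not part of the original post and not Corsec’s own tooling: the script below parses `openssl version` banners and reports whether each falls inside the affected range stated in the paragraph above. The sample banners are constructed for the example; the `installed_version_banner` helper simply runs the local `openssl version` command if one is present.

```python
"""Classify OpenSSL version strings against the Heartbleed-affected range.

Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f
inclusive, plus the 1.0.2 beta releases. 0.9.8, 1.0.0 and 1.0.1g are not.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Finds the version token in "1.0.1f", "1.0.2-beta1", "1.0.1e-fips" or a full
# `openssl version` banner such as "OpenSSL 1.0.1f 6 Jan 2014".
_VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?(?![\d.])"
)


@dataclass(frozen=True)
class OpenSSLVersion:
    major: int
    minor: int
    fix: int
    letter: str          # patch letter: '' for a base release, 'f' for 1.0.1f
    tag: Optional[str]   # suffix after '-', e.g. 'beta1' or 'fips'

    @property
    def is_beta(self) -> bool:
        return self.tag is not None and self.tag.lower().startswith("beta")

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.fix}{self.letter}"
        return f"{base}-{self.tag}" if self.tag else base


def parse_version(text: str) -> OpenSSLVersion:
    """Extract the OpenSSL version from a bare string or a version banner."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter, tag = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), letter, tag)


def in_affected_range(v: OpenSSLVersion) -> bool:
    """True when the version falls inside the range the post lists as affected."""
    if (v.major, v.minor, v.fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f; 1.0.1g is the first fixed release.
        return v.letter == "" or "a" <= v.letter <= "f"
    if (v.major, v.minor, v.fix) == (1, 0, 2):
        # Only the 1.0.2 betas are listed as vulnerable.
        return v.is_beta
    return False


def assess(banner: str) -> dict:
    """Classify one banner; the result is a plain dict suitable for a report."""
    v = parse_version(banner)
    affected = in_affected_range(v)
    if affected:
        note = ("version is in the affected range; confirm whether the vendor "
                "backported the fix without changing the version string")
    else:
        note = "version is outside the affected range"
    return {"version": str(v), "affected_range": affected, "note": note}


def installed_version_banner() -> Optional[str]:
    """Return the local `openssl version` output, or None if no binary is present."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners covering each case the post describes.
    samples = [
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
    ]
    local = installed_version_banner()
    if local:
        samples.append(local)
    for s in samples:
        r = assess(s)
        print(f"{r['version']:<14} affected_range={r['affected_range']!s:<5} {r['note']}")
```

This is deliberately a version-string check, not a network probe. Its limitation is the one the `note` field points at: some operating-system vendors backport the fix into an older release such as 1.0.1e without changing the version string, so an in-range result is a prompt to verify against the vendor’s advisory or package changelog, not a final verdict; conversely, an out-of-range result only means the string reported is not in the list, and an inventory of every component that bundles its own copy of OpenSSL (VPN, messaging and mail software included) is still needed.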

How widespread is the effect of Heartbleed?

OpenSSL is commonly used on servers running Apache and nginx. It’s been estimated that up to half of the active Internet servers in the world use Apache, with another 14 percent using nginx. Websites that were affected by Heartbleed include such prominent names as Yahoo!, OK Cupid, Imgur and Eventbrite. Unaffected were Google, Microsoft, Twitter, Facebook and Dropbox, among others.

Beyond HTTPS servers, Heartbleed could affect anything that depends on OpenSSL, such as VPN implementations, instant messaging clients, email software and more.

If we are seeking a security validation, do we need to assure evaluators that our product or system is not vulnerable to Heartbleed?

Yes, if your product or system uses an affected version of OpenSSL and your certification work is In Process or In Evaluation. If you determine that it is vulnerable, you will need to mitigate or fix the issue before the evaluation effort can move forward. Each validation process has a different set of requirements for addressing Heartbleed. Check with your specific certification authorities on how they want you to handle the issue from an engineering standpoint; then either document the changes you have made, if changes were required, or demonstrate why no changes were needed.

We have already completed certification for our product. Do we need to recertify?

If your product uses an affected version of OpenSSL and it has already been certified or validated, you are not required to recertify. However, we would strongly urge you to demonstrate to your customers, potential customers and other stakeholders that you are committed to information security and have thoroughly reviewed whether your product or system is vulnerable to the Heartbleed bug. You should be prepared to take whatever steps are necessary to remediate the situation, up to and including recertification.

We invite you to visit our Resource Center for help on this. If you want direct assistance from Corsec in determining whether your product(s) are vulnerable to Heartbleed, we are more than happy to help. Email us at info@corsec.com to request an assessment.

For continual updates on how Heartbleed is affecting your products’ security certifications, please follow us on Twitter at @CorsecSecurity, visit us on LinkedIn, or subscribe to our blog.

The Differences: Common Criteria Consultants Versus Labs

When someone starts to learn about Common Criteria (CC) evaluations, figuring out the difference between a CC consultant and a CC lab can be tricky. In Part 1 of this blog post, we looked at some differences in the specific work that consultants and labs perform. Now, in Part 2, we will look at the…

Common Criteria Consultant or Lab: Which Do You Need?

Your federal sales team has declared they can’t effectively sell to either the US Government or other government markets without Common Criteria (CC), and, as a result, your company has made the decision to pursue a CC evaluation. Now, you just need to figure out how to achieve this evaluation. When you first start to…

Why a UC APL Listing Means More Than Just DoD Revenue

What is the Unified Capabilities Approved Products List (UC APL) and why is it important to you? You’ve probably heard that it has to do with the Department of Defense — absolutely true and certainly very important. But there are other reasons that you should be concerned about getting your product onto the UC APL.…

Common Criteria Certification: Opening Doors to Opportunity

Do you need to open the door to sell your IT security product to the U.S. government? That seems like it should be a process that is simple to work through, but think again. Any IT security product that will be used by the U.S. government for national security systems, either to handle classified and…

Maximize ROI: Market Your Certification

Taking the time, effort and resources to achieve FIPS or Common Criteria certification or UC APL listing is a big deal. It’s not an insignificant investment, and when it’s finally completed, you want to see a significant return, right? The most obvious solution is just to sell more product. And while this may seem both…

Entropy Testing for FIPS and Common Criteria: Tips for Meeting Requirements

In the second post of our two-part series, we continue our discussion with panelists from Computer Sciences Corporation: Lachlan Turner, Jason Cunningham, and Maureen Barry. Continuing where we left off with last week’s post, we’ll dive deeper into entropy and answer some of the many questions now arising about new requirements, tools and testing, and…

Entropy Testing for FIPS and Common Criteria: What You Need to Know

In the world of cryptography, data is only safe as long as the keys used to protect that data are kept secure. While, on one hand, this means that keys must be protected against unauthorized access, it also means that keys must be created in a way that makes them difficult for an attacker to…

A Look Back: 2013 for FIPS, Common Criteria and UC APL

The end of the year is a great time to look back at important milestones and use what we’ve learned to plan for the upcoming year. This year, clearing the air where myths and misconceptions were concerned was a theme that we saw come up repeatedly at Corsec, and laying the groundwork for smooth process…

FIPS: What’s Real and What Isn’t—Webinar Recap, Part 2

As I mentioned in my previous post, because of the level of detail, time, and cost involved, there is a lot of confusion over what is really required to validate your product to FIPS. Last week, I went over myths one through five from our recent webinar, “Top 10 Myths About FIPS.” Here, I’ll discredit…
