The Heartbleed bug (CVE-2014-0160, a missing bounds check in OpenSSL's TLS heartbeat extension that lets a peer read up to 64 KB of a server's memory per request) is one of the more serious bugs I've seen in my 15 years of working in the security industry. Remediating Heartbleed is a daunting task, but the good news is that the orchestration tools popular with DevOps teams can make remediating this bug a lot easier.
Given how widely OpenSSL is deployed and how long the vulnerable code has been shipping (it entered the code base with the 1.0.1 release in March 2012), it is safest to assume that every TLS-terminating service is vulnerable until you have proven otherwise. Most enterprises would follow the traditional vulnerability management steps: build an inventory, determine what is vulnerable, and identify what needs to be patched.
Combining DevOps orchestration tools with the inventory APIs that cloud environments provide not only makes vulnerability management easier, but can act as a force multiplier that leaves cloud environments more secure than traditional datacenter environments.
To incorporate DevOps into the vulnerability management process, follow these steps:
Scanning Infrastructure
Inventory management can be accomplished with your centralized orchestration tools: a Chef or Puppet server can report every node it manages. Some systems will not be under the orchestration tool's control, so the APIs that cloud vendors provide, which list every running instance, fill in the rest. Reconcile the two lists rather than trusting either alone: an instance the cloud API returns but the orchestration server has never seen is exactly the host most likely to be forgotten, and it still has to be scanned by hand. Using both methods together gives a complete system inventory that is both more accurate and faster to obtain than traditional network scanning.
Discovery of Affected Systems
Now that you have a list of everything in your enterprise, the next step narrows it down to what is actually vulnerable. This can be done using a vulnerability management tool. For example, CloudPassage Halo® has a software vulnerability management component that rapidly and automatically scans packaged software across all of your cloud environments and reports what is vulnerable. One caveat applies whatever tool you use: Debian, Ubuntu and Red Hat backported the fix without changing the upstream version string, so a host can print OpenSSL 1.0.1e from `openssl version` and still be patched. The check has to compare the installed package version against the version named in the vendor advisory, not the upstream version alone. CloudPassage was able to remediate Heartbleed across its own environment in just a couple of hours.
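As an added example (my own code, not CloudPassage Halo's or Chef's), here is the inventory-plus-discovery logic of the two steps above in Python. A Chef node list and a cloud instance list are merged on private IP, so an instance Chef does not know about stays in the inventory instead of vanishing, and each host is then classified by comparing its libssl package version, using dpkg's own ordering rules, against the version the vendor advisory names; only when no package data exists does it fall back to the upstream version string, and it then assumes no backport. The record field names, distro keys and sample hosts are constructed for the example; the two fixed package versions are those from USN-2165-1 (Ubuntu 12.04) and DSA-2896-1 (Debian 7), and the table needs an entry for each of your own releases.

```python
"""Heartbleed discovery over a merged inventory. Added example, not CloudPassage
Halo or Chef code; field names, distro keys and sample records are assumptions."""
import re

# Vendors backported the fix without changing the upstream version, so compare the
# installed *package* version against the advisory, not `openssl version` output.
# Entries from USN-2165-1 and DSA-2896-1 (libssl1.0.0); add your own releases.
FIXED_PACKAGE_VERSION = {"ubuntu-12.04": "1.0.1-4ubuntu5.12", "debian-7": "1.0.1e-2+deb7u5"}
UPSTREAM_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def _order(c):
    """dpkg character weight: '~' < end of string < letters < everything else."""
    return -1 if c == "~" else ord(c) if c.isalpha() else 0 if c.isdigit() else ord(c) + 256


def _cmp_part(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """dpkg-style comparison of [epoch:]upstream[-revision]; returns the sign of a - b."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)


def upstream_affected(version_string):
    """From an `openssl version` string: True/False, or None if unparsable.
    Affected upstream: 1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8 and 1.0.0 never."""
    m = UPSTREAM_RE.search(version_string)
    if not m:
        return None
    triple = tuple(int(m.group(k)) for k in (1, 2, 3))
    if triple == (1, 0, 1):
        return m.group(4) <= "f"  # "" is plain 1.0.1, which is affected as well
    if triple == (1, 0, 2):
        return m.group(5) == "1"
    return False


def classify(host):
    """'vulnerable', 'ok' or 'unknown' for one inventory record."""
    pkg = host.get("libssl_package_version")
    fixed_in = FIXED_PACKAGE_VERSION.get(host.get("distro"))
    if pkg and fixed_in:  # package data: the only test that sees backports
        return "ok" if compare_versions(pkg, fixed_in) >= 0 else "vulnerable"
    affected = upstream_affected(host.get("openssl_version", ""))
    if affected is None:
        return "unknown"  # nothing reported at all: scan this host by hand
    return "vulnerable" if affected else "ok"  # no package data: assume no backport


def build_inventory(chef_nodes, cloud_instances):
    """Merge Chef's node list with the cloud API's instance list on private IP.
    Instances Chef has never seen stay in the inventory, flagged unmanaged."""
    by_ip = {n["ipaddress"]: dict(n, managed=True) for n in chef_nodes}
    for inst in cloud_instances:
        ip = inst["private_ip"]
        by_ip.setdefault(ip, {"ipaddress": ip, "managed": False})["instance_id"] = inst["id"]
    return list(by_ip.values())


def scan(inventory):
    """Host names (IPs for unmanaged hosts) grouped by Heartbleed status."""
    report = {"vulnerable": [], "ok": [], "unknown": []}
    for host in inventory:
        report[classify(host)].append(host.get("name", host["ipaddress"]))
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample data standing in for `knife search node` output and a cloud
# instance listing; none of these are real hosts.
CHEF_NODES = [
    {"name": "web-1", "ipaddress": "10.0.0.11", "distro": "ubuntu-12.04",
     "libssl_package_version": "1.0.1-4ubuntu5.11", "openssl_version": "OpenSSL 1.0.1 14 Mar 2012"},
    {"name": "web-2", "ipaddress": "10.0.0.12", "distro": "ubuntu-12.04",  # backported fix
     "libssl_package_version": "1.0.1-4ubuntu5.12", "openssl_version": "OpenSSL 1.0.1 14 Mar 2012"},
    {"name": "db-1", "ipaddress": "10.0.0.21", "distro": "debian-7",
     "libssl_package_version": "1.0.1e-2+deb7u4", "openssl_version": "OpenSSL 1.0.1e 11 Feb 2013"},
    {"name": "legacy-1", "ipaddress": "10.0.0.31", "distro": "ubuntu-10.04",  # 0.9.8: never affected
     "libssl_package_version": "0.9.8k-7ubuntu8.18", "openssl_version": "OpenSSL 0.9.8k 25 Mar 2009"},
]
CLOUD_INSTANCES = [
    {"id": "i-0a1", "private_ip": "10.0.0.11"}, {"id": "i-0a2", "private_ip": "10.0.0.12"},
    {"id": "i-0b1", "private_ip": "10.0.0.21"}, {"id": "i-0c9", "private_ip": "10.0.0.99"},  # not in Chef
]
```

Calling scan(build_inventory(CHEF_NODES, CLOUD_INSTANCES)) puts web-1 and db-1 in the vulnerable bucket, web-2 and legacy-1 in ok, and the unmanaged 10.0.0.99 in unknown rather than silently dropping it, which is the reason for merging the two inventories in the first place. Note that web-1 and web-2 print the identical upstream version; only the package comparison tells them apart.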
Decision Time & Take Action
Delivering the patch to all of your servers is a matter of a few lines of configuration. For example, using Chef, your recipe might look something like the following (on Debian and Ubuntu the shared library that services actually load ships in the libssl1.0.0 package, so upgrade that package too, not only the openssl command-line package):
    package "openssl" do
      action :upgrade
    end
Then restart every service that loaded the old library. nginx is the obvious one, but anything linked against libssl (mail, proxy and application servers alike) keeps the vulnerable code in memory until it is restarted. With Chef you can drive this from the knife ssh command. The -C 1 option runs the command on one node at a time and the trailing sleep gives each node a minute to come back before the next one restarts, so the fleet is patched as a rolling restart rather than all at once. Fill in your environment name after chef_environment: and narrow recipes:* to the recipe that installs nginx so that only those nodes are touched:
    knife ssh -C 1 "chef_environment: AND recipes:*" "sudo /etc/init.d/nginx restart; sleep 60"
Validate
This final step is important and often overlooked, but it is what best practice requires. Re-run the discovery scan from the previous step: the servers you just patched should no longer appear on the vulnerable list. Any that still do were either missed by the orchestration run or are still running a process that holds the old libssl in memory (on Linux, /proc/<pid>/maps shows such a mapping with a "(deleted)" marker after the library path). Patching the library is also not the end of Heartbleed remediation: because the bug can leak private keys out of server memory, the TLS keys and certificates on affected hosts should be reissued, and the old certificates revoked, once the patched code is in place.
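The stale-library check described above, as an added example in Python that is not part of the original post. It walks /proc/<pid>/maps on a Linux host and reports every process that still maps a libssl whose file has been replaced on disk; the sample maps excerpts are constructed to show a restarted nginx, a postfix master that was not restarted, and an sshd that links only libcrypto.

```python
"""Post-patch check: which processes still run the pre-upgrade libssl?
Added example, not from the original post. Replacing the package only changes
the file on disk; a process that mapped the old library keeps the vulnerable
code in memory until it restarts, and Linux marks that mapping "(deleted)"."""
import glob
import re

# The heartbeat code lives in libssl; a process that maps only libcrypto does
# not carry it, so this check looks for libssl alone.
STALE_LIBSSL = re.compile(r"/libssl\S*\.so\S*\s+\(deleted\)$")


def stale_processes(maps_by_pid):
    """maps_by_pid: {pid: (comm, contents of /proc/<pid>/maps)}.
    Returns sorted (pid, comm) pairs that still map a deleted libssl."""
    return sorted((pid, comm) for pid, (comm, maps) in maps_by_pid.items()
                  if any(STALE_LIBSSL.search(line) for line in maps.splitlines()))


def read_live_proc():
    """Collect (comm, maps) for every process on this Linux host. Reading other
    users' processes needs root; processes that exit mid-walk are skipped."""
    result = {}
    for maps_path in glob.glob("/proc/[0-9]*/maps"):
        pid = int(maps_path.split("/")[2])
        try:
            with open(maps_path) as f:
                maps = f.read()
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        result[pid] = (comm, maps)
    return result


# Constructed /proc/<pid>/maps excerpts (not captured from a real host): nginx was
# restarted after the upgrade, the postfix master was not, and sshd links only
# libcrypto, so it is not a Heartbleed exposure even though it too needs a restart.
SAMPLE_MAPS = {
    1234: ("nginx", "7f3a1c000000-7f3a1c05e000 r-xp 00000000 08:01 1311 "
                    "/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"),
    2222: ("master", "7f9b0e000000-7f9b0e05e000 r-xp 00000000 08:01 1290 "
                     "/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
                     "7f9b0e260000-7f9b0e270000 rw-p 00000000 00:00 0\n"),
    3333: ("sshd", "7fc1a0000000-7fc1a0170000 r-xp 00000000 08:01 1305 "
                   "/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"),
}

if __name__ == "__main__":
    for pid, comm in stale_processes(read_live_proc()):
        print(f"restart needed: pid {pid} ({comm})")
```

Run as root on a freshly patched host it prints one line per process that still needs a restart; an empty result, together with the host dropping off the discovery scan, is what "validated" should mean for this bug.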
While DevOps tools are still relatively new, they are well-tested and in heavy use in many organizations. Used properly, they speed up the vulnerability management cycle, which matters most when a serious, one-off threat such as Heartbleed surfaces and needs to be remediated quickly.
By Andrew Storms, Senior Director of DevOps for CloudPassage
CloudPassage® is the cloud security company and creator of Halo®, the industry’s only security automation platform purpose-built for virtualized and cloud infrastructure environments. Halo operates seamlessly across public, private and hybrid clouds.
Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Founded in 2010 and headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Musea Ventures, Tenaya Capital, Shasta Ventures, and other leading investors.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.