Fast Security Is Not Always High Security


The DoS vulnerability in OpenSSL is bad, but let's face it: good old-fashioned DDoS is still the preferred method of attack.


Einstein said that our physical theories should be as simple as possible, but not simpler. The same is true of security: security policies should move as fast as possible, but not faster. There is a "speed of light" for security, just as there is for physics. Try to go faster, and bad things happen.

Last week a new release of OpenSSL came out with patches for a number of low-severity issues and one high-severity issue. The high-severity issue is a denial of service: memory allocations build up on the server if a client continually renegotiates while sending an OCSP Status Request extension of excessively large size.
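The memory build-up described above is an instance of a general bug class: per-session state that is re-parsed on every renegotiation, where the previous allocation is not released before the new one is stored. The C program below is an added illustration of that pattern and its fix; it is not OpenSSL's code and makes no claim about where the real defect sat. The session struct, extension size and renegotiation count are all constructed for the demo, and an allocation log is kept only so the demo can reclaim everything at the end (a real server has no such log, which is exactly why the leaky path exhausts memory).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ALLOCS 4096   /* demo-only cap on logged allocations */

/* Constructed model of per-session state holding one parsed extension. */
typedef struct {
    unsigned char *ext_data;          /* last parsed extension payload */
    size_t ext_len;
    size_t live_bytes;                /* bytes currently held by this session */
    unsigned char *log[MAX_ALLOCS];   /* demo bookkeeping so cleanup can free all */
    int nlog;
} session_t;

/* Vulnerable pattern: each renegotiation re-parses the extension and simply
 * overwrites the pointer, so every earlier buffer is orphaned. */
static int parse_ext_leaky(session_t *s, const unsigned char *ext, size_t len) {
    if (s->nlog >= MAX_ALLOCS) return 0;
    unsigned char *buf = malloc(len);
    if (!buf) return 0;
    memcpy(buf, ext, len);
    s->ext_data = buf;                /* previous buffer is lost here */
    s->ext_len = len;
    s->live_bytes += len;
    s->log[s->nlog++] = buf;
    return 1;
}

/* Fixed pattern: release the previous buffer before storing the new one,
 * so the session's footprint is bounded by a single extension. */
static int parse_ext_fixed(session_t *s, const unsigned char *ext, size_t len) {
    if (s->nlog >= MAX_ALLOCS) return 0;
    unsigned char *buf = malloc(len);
    if (!buf) return 0;
    memcpy(buf, ext, len);
    if (s->ext_data) {
        free(s->ext_data);
        s->log[s->nlog - 1] = NULL;   /* already freed; skip at cleanup */
        s->live_bytes -= s->ext_len;
    }
    s->ext_data = buf;
    s->ext_len = len;
    s->live_bytes += len;
    s->log[s->nlog++] = buf;
    return 1;
}

/* Runs `rounds` simulated renegotiations, each carrying an extension of
 * `ext_len` bytes, and returns how many bytes the session still holds. */
size_t simulate(int leaky, int rounds, size_t ext_len) {
    session_t s;
    memset(&s, 0, sizeof s);
    unsigned char *ext = malloc(ext_len);
    if (!ext) return 0;
    memset(ext, 0x41, ext_len);       /* constructed extension payload */
    for (int i = 0; i < rounds; i++) {
        if (leaky) parse_ext_leaky(&s, ext, ext_len);
        else       parse_ext_fixed(&s, ext, ext_len);
    }
    size_t held = s.live_bytes;
    for (int i = 0; i < s.nlog; i++)  /* demo cleanup of everything logged */
        free(s.log[i]);
    free(ext);
    return held;
}

int main(void) {
    printf("leaky: %zu bytes held after 1000 renegotiations\n", simulate(1, 1000, 64));
    printf("fixed: %zu bytes held after 1000 renegotiations\n", simulate(0, 1000, 64));
    return 0;
}
```

With a 64-byte extension the leaky path holds 64 bytes per renegotiation (64,000 after 1,000 rounds) while the fixed path stays at 64, which is why a patch that frees the old state, combined with server-side limits on client-initiated renegotiation, bounds the attacker's cost-to-damage ratio.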

While this is bad, the consequences of this attack can be mitigated in a number of ways, and let's face it: good old-fashioned DDoS is still the preferred method of attack if a bad guy wants to shut down a website. That means this vulnerability adds an incremental risk on top of what is already a very large problem, rather than opening up an entirely new vector.

So while I don't disagree with the CVE classification, when the notification came through on Thursday, ActiveState didn't hold up the pending quarterly release of ActivePerl Enterprise to our customers. Getting timely updates with well-tested security is what ActiveState aims to offer, and that doesn't necessarily mean the very latest bits: with any new release it can take time to identify the new bugs that have been introduced.

The OpenSSL community has a really tough job, and any developer who looks at what they are doing will be amazed by how well they do it. libssl is a complex system that has to be robust against the combined ingenuity of all the black hats on the planet while providing seamless and transparent security to billions of people. The developers and testers work hard to get updated bits out as fast as possible, all the time. It's a delicate balance between shipping iron-clad code and shipping code that is missing patches for known vulnerabilities.

ActiveState adds another layer of security and protection to this process. For Critical vulnerabilities we typically ship fixes to our enterprise customers within 24 hours of the patch being released. But for anything less than Critical, we serve our enterprise customers best by sometimes not simply shipping the latest bits ASAP, because sometimes the best security is provided by going as fast as possible, but not faster.



Published at DZone with permission of Tom Radcliffe, DZone MVB. See the original article here.
