Heartbleed: when someone else's code becomes your problem

On April 7, 2014, the Heartbleed vulnerability in the OpenSSL library was disclosed. OpenSSL is a software component that provides traffic encryption for an enormous number of servers around the world. The vulnerability allowed an attacker to read the contents of a server's memory - potentially including encryption keys, passwords, and user data.

The scale of the response matched the scale of the problem: major services rushed out patches, recommended that users change passwords, revoked certificates. For most business owners all of this looked like "a technical crisis somewhere on the internet." In reality it was a lesson about how modern IT systems are structured - and about the responsibility a business carries for components whose existence it does not know about.

What OpenSSL is and why it affects everyone

OpenSSL is an open-source library created and maintained by a small community of developers. It is free. It is used in server software, operating systems, and network devices. By various estimates, at the time Heartbleed was discovered roughly two thirds of all secure web servers in the world used this library.

If your website has HTTPS, almost certainly somewhere in the chain of components that provides it there is something that uses or used OpenSSL. Your company did not make the decision to use OpenSSL. Your contractor may not have made that decision either - they simply used server software that contains OpenSSL inside it.

That is the core of the problem: modern systems are built on layers of dependencies that constitute a software supply chain risk most organisations have never mapped. The earlier Flame malware case showed how a delivery channel itself can become part of an attack.

The problem of invisible components

After Heartbleed, many organisations found they could not quickly answer the question: "Are we running a vulnerable version of OpenSSL, and where exactly?" Not because they were careless, but because OpenSSL was somewhere deep in the stack - in the operating system, in a third-party library, in the load balancer software.

This is not a story specific to OpenSSL. A modern web service can contain hundreds of third-party components - libraries, frameworks, utilities. Most of them have never been security-audited by the people using them. Most of them are updated irregularly.

Heartbleed showed that a vulnerability in one small component that nobody notices can put everything built on top of it at risk.

What changes in IT management after this

The right response to Heartbleed is not simply "update OpenSSL and move on." It is an opportunity to rethink how your organisation manages its dependencies.

Component inventory. Do you know what third-party software and libraries are used in your systems? Who is responsible for updating them? Is there a process for monitoring published vulnerability disclosures?

Response process. If a vulnerability is found tomorrow in a component you use - how quickly will you know about it? Who decides on the urgency of updating? Who carries it out?

Contractor accountability. If an external company maintains your systems - is it written into the contract that they must respond to critical vulnerabilities within a reasonable timeframe?

Questions for a conversation with your IT team

After the Heartbleed story, it is worth asking a few practical questions:

1. What third-party components and libraries are used in our critical systems?
2. Who is responsible for monitoring vulnerabilities in those components?
3. What is the response process if a critical vulnerability is discovered on a weekend?
4. When were server software and dependencies last updated?

These are not technical questions in the sense that you do not need technical knowledge to evaluate the answers. They only require that the team has answers at all.