The big news today is that there is another huge security bug. You can tell it’s serious because it has its own catchy name, logo, and website.
All joking aside, though, the Shellshock bug is huge. The National Vulnerability Database maintained by US-CERT/NIST classifies Shellshock as 10/10 for both impact and exploitability. Basically, it’s about as bad as it can get – even worse than Heartbleed.
My colleagues are already preparing more technical articles on what to do to address the problem, and once their posts are up I will update this piece with links. [See below for updates!] What I want to talk about is the wider issue of how to approach these issues that continue to crop up.
The thing is, everyone with responsibility for a vulnerable system – and that means pretty much everyone in the world, if you include all the consumer systems that have this vulnerability – will be kept pretty busy for a while. The issue is made worse by the fact that the first round of patches did not address all of the possible vulnerabilities, so there may be some confusion about whether systems are patched or not.
While we are all running after Shellshock, though, we should not forget about Heartbleed and all the other issues. If security is a firefighting activity, you always run to the biggest, brightest and hottest fire. But what about all the other fires still smouldering away under the embers? And what about all the other business that is being neglected while everyone is running around trying to put fires out?
This is why you cannot rely on firefighting to deal with security issues. Instead, you need to plan. Set up systems to catch flare-ups whenever and wherever they occur. Prepare automated responses to fix or quarantine the affected systems as soon as the problem is detected. Keep track of what you do so you can learn and improve.
BMC can help with all aspects of this problem. The best part is that it doesn’t even require special support: you can quickly and easily run commands against your entire environment (or a subset) to identify vulnerable systems, and then deploy vendor patches as soon as they become available. The good thing about Shellshock compared to Heartbleed is that at least once you have patched the OS, you’re done; the apps themselves are not vulnerable.
This way, when the next security bug with a memorable name, a cute logo and a website crops up, you’ll be ready.
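The post says to run commands across the environment to identify vulnerable systems, and notes that the partial first round of patches left people unsure which hosts were actually fixed. The script below is an added example, not code from the original post and not BMC or BladeLogic tooling: a local self-test for the original Shellshock function-import bug that you run on hosts you administer and collect into an inventory line per host ("hostname, bash version, state"). The marker string, the variable name `probe`, and the function names are constructed for this example; the probe only echoes a marker, so a vulnerable host simply reports itself as such.

```shell
#!/bin/sh
# Added example (not from the original post, not BMC/BladeLogic code).
# Local self-test for the original Shellshock function-import bug, for
# classifying hosts before and after vendor patches are deployed.

# Marker a vulnerable bash will echo back (constructed value for this test).
MARKER="SHELLSHOCK_TEST_MARKER"

# classify_output OUTPUT: print "vulnerable" if the probe's output contains
# the marker, otherwise "patched". Kept separate from the probe itself so the
# classification can be exercised without a vulnerable bash on hand.
classify_output() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# shellshock_check [BASH_PATH]: run the probe against the given bash binary
# (default: first bash on PATH). Prints "vulnerable", "patched", or "no-bash"
# when no usable bash binary is found on this host.
shellshock_check() {
    bash_bin="${1:-$(command -v bash 2>/dev/null || true)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no-bash"
        return 0
    fi
    # An exported variable shaped like a function definition with a trailing
    # command. An unpatched bash runs the trailing command while importing the
    # variable; a patched bash ignores it (and may warn on stderr, which we
    # discard). The child command itself is just 'true'.
    out=$(env "probe=() { :; }; echo $MARKER" "$bash_bin" -c 'true' 2>/dev/null || true)
    classify_output "$out"
}

# report_host [BASH_PATH]: one inventory line, "<hostname> <bash version> <state>",
# suitable for collecting from many hosts into a single file.
report_host() {
    bash_bin="${1:-$(command -v bash 2>/dev/null || true)}"
    ver="unknown"
    if [ -n "$bash_bin" ] && [ -x "$bash_bin" ]; then
        ver=$("$bash_bin" -c 'echo "$BASH_VERSION"' 2>/dev/null || echo unknown)
    fi
    host=$(hostname 2>/dev/null || echo unknown-host)
    printf '%s %s %s\n' "$host" "$ver" "$(shellshock_check "$bash_bin")"
}

# Print this host's inventory line when the script is run directly.
report_host
```

Because the bash version string is recorded alongside the probe result, a fleet-wide collection of these lines shows not only which hosts still echo the marker but also which hosts carry a version that only received the first, incomplete fix, which is exactly the ambiguity a vendor's follow-up advisory is needed to resolve.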
There is a great recap on BMC Communities about things you can do right now using BladeLogic. Join the conversation, and keep checking back!