Protect Your Assets

HP Enterprise Security Products handles Heartbleed

markpainter ‎04-16-2014 09:16 AM - edited ‎07-06-2015 01:14 PM

You know when you get your own icon, you've arrived. With an estimated 66 percent of websites impacted and reports of exploitation rolling in, Heartbleed has transcended the world of Internet security and become part of the public consciousness. Having to change all your passwords can do that. Heartbleed is unique in its combination of criticality, ease of exploit, and pervasiveness, and deserves its infamy.


Heartbleed is a litmus test for those of us in the security industry. How long before your products can check for Heartbleed susceptibility? Are your own products vulnerable? How are you responding to your customers? I am very pleased to see that HP Enterprise Security Products has responded in a way that shows we understand the seriousness of this vulnerability and its potential impact. Each of our key groups has put forth a solution or method of detection that will let organizations know where they stand. To wit:


Fortify:
Fortify on Demand Heartbleed Update

HPSR Software security content update - Heartbleed bug detection

Heartbleed protection with HP TippingPoint

HP ArcSight:
Heartbleed does not kill you. Just yet!

HP Security Research:
Heartbleed causes heartache


One thing I'm not going to do is bash our competitors who A) can't check for this vulnerability or B) have vulnerable products. For one thing, they know who they are. For another, I would much rather tout our capabilities than talk about what somebody else can't do. HP has over 5,000 dedicated security professionals for a reason.


There are still lots of things in play with Heartbleed. Here are a few:


Open Source - use at your own risk:

Open Source software is catch as catch can in terms of security, even something as widely implemented as OpenSSL. It's one of the reasons Fortify on Demand offers free scans of open source components.


Time to fix: 

Since the ultimate fix requires an upgrade and the issue is critical, it will be interesting to see how long it takes organizations to resolve the problem. I would put the over/under on the percentage of organizations who have this resolved within 3 weeks at 70 percent. At 6 weeks, I'd put that at 85 percent. The last 15 percent are going to take a while because A) organizations might not be aware they are impacted, B) for them, the fix isn't currently convenient to apply, or C) some implementations of OpenSSL don't protect things that require protection, or support for that implementation has stopped altogether, and the timeliness of upgrade is simply not a matter of concern.


Loss of access:

Considering how long it had been in existence (two years), I am convinced that hackers all over the world lost a significant and favorite method of data retrieval when the update was released. Certain government agencies definitely took this as bittersweet news.


Who knew?

It appears from the change your passwords now page that some organizations received early warnings about the vulnerability. To quote Facebook: "We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed." Which begs the question... were they told, or did they discover it themselves? I would tend to think the former applies here. Personally, I'm all for forewarning any site that boasts over 1 billion users.


Users have more responsibility than ever:

Welcome to global change your password week. This is one of the great upcoming challenges - how to get users more conscious of security. Granted, there is nothing a user could have done to prevent theft of their information. But they are still responsible to change their passwords, and to stay cognizant of potential threats, and to stop clicking everything in sight (or on a site, even). Education needs to be a key area of future security efforts as users still remain the number one reason networks are infiltrated. I expect big industry changes on this front in the next five years if for no reason other than necessity.


Heartbleed's biggest weakness is also one of its biggest strengths:

The data it steals is random. While you can't target what you want, an attacker might actually find something of greater value buried in the data. It's one of the things that make this so dangerous.
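To make the "random data" point concrete, here is an added toy model (not code from the post or from OpenSSL) of the heartbeat handling behind Heartbleed: a process heap is simulated as one bytearray, the pre-fix handler trusts the peer-supplied payload length and so echoes whatever bytes happen to sit after the record, and the hardened handler applies the bounds check the fix introduced. The record layout, the neighbouring "secret" bytes and the function names are constructed for illustration.

```python
# Added example: toy model of TLS heartbeat handling before and after the
# Heartbleed fix. Nothing here touches a network or real OpenSSL memory.
import struct
from typing import Optional

HB_REQUEST = 1          # heartbeat_request message type
HB_MIN_PADDING = 16     # minimum padding the fix accounts for

def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat record: 1-byte type, 2-byte payload length, payload.
    claimed_len lets a test declare a length that exceeds the real payload."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload

def vulnerable_reply(heap: bytearray, offset: int, record_len: int) -> bytes:
    """Pre-fix behaviour: copy `claimed` bytes starting at the payload without
    checking that they lie inside the received record of `record_len` bytes."""
    _hb_type, claimed = struct.unpack_from("!BH", heap, offset)
    start = offset + 3
    return bytes(heap[start:start + claimed])   # runs past the record

def hardened_reply(heap: bytearray, offset: int, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: silently drop (return None) any record whose
    type + length fields + claimed payload + minimum padding exceed record_len."""
    if record_len < 3:                      # cannot even hold the header
        return None
    _hb_type, claimed = struct.unpack_from("!BH", heap, offset)
    if 1 + 2 + claimed + HB_MIN_PADDING > record_len:
        return None
    start = offset + 3
    return bytes(heap[start:start + claimed])

def demo() -> dict:
    """Simulated heap: a short malformed record followed by an unrelated
    allocation (constructed secret) and zeroed memory."""
    secret = b"session-cookie=abc123; "              # constructed neighbour
    bad_record = build_heartbeat(b"hi", claimed_len=40)
    heap = bytearray(bad_record + secret + b"\x00" * 64)
    # Well-formed record: 2-byte payload plus 16 bytes of padding = 21 bytes.
    good_record = build_heartbeat(b"hi" + b"\x00" * HB_MIN_PADDING, claimed_len=2)
    return {
        "vulnerable": vulnerable_reply(heap, 0, len(bad_record)),
        "hardened": hardened_reply(heap, 0, len(bad_record)),
        "honest": hardened_reply(bytearray(good_record), 0, len(good_record)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable reply contains the adjacent "secret" only because it happened to be next in memory; on a real server that neighbour could be anything, which is exactly why the leak is untargeted yet potentially valuable.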






