Traenk wonders what's missing in the OpenSSL message.
There is another critical patch for OpenSSL. As before, with Heartbleed, I'm jaded.
I've spent a decade working through OpenSSL security issues. I set my watch by announced OpenSSL patch events. Neat technology, but I've never felt it was fully usable without the ability to patch it quickly.
As I predicted, we are again facing an OpenSSL patching crisis, and we seem to drown again in media hype. Maybe we'll get a cool name too? After reading all the articles, Eyebleed is my suggested new name.
At what point does the security world look past the 'free' price of acquisition and give a stronger review of maintenance costs? I'm sorry to write this, a guy who has enjoyed the Open Source movement, but security software is in a special class. Open Source's production and review processes may not be good enough for effective security software.
Good security software takes a lot of effort and code study. Volunteer, best-effort support and emailing well-intentioned souls may no longer be enough, not when your organization's data is now open to the competition or to the marketplace. Now what?
And that's my message to my fellow security peers and betters. We've seen two important patches released in less than as many months. When working Heartbleed, did you commit to a lightning-fast patch process? Did you identify all the commercial apps with an OpenSSL dependency (and will those be patched fast enough)? Who is on point for your OpenSSL analysis, the person with knowledge of OpenSSL dependencies in the tools you buy or in the commercial tools you sell? And for those of you who generated keys, certificates, etc. with OpenSSL...