Early this morning I recorded remotely with Mark Cox, Director of Product Security Engineering at Red Hat and one of the founders of the OpenSSL Foundation, talking about the latest OpenSSL vulnerability. Listen in to find out what it means for you, the real picture of what it means for the industry, and a proper picture of risk and mitigation.
I broke the Heartbleed SSL story to the world, so this time I thought we'd do it properly and have something you could listen in to.
Click the link below to listen in, or subscribe to my iTunes show.
Download the podcast in MP3 format here, or alternatively browse the RSS.
Ten days ago I did a podcast with Richard Clarke, ABC News Cyberterrorism correspondent and advisor to the White House and three former US presidents. Little did I know that three days later the world would react to the release of the information around the OpenSSL vulnerability now known as Heartbleed.
To get a podcast with Richard is a bit of a coup. He doesn't speak to very many media outlets in the IT space, and certainly not ones with the reach and the focus around Cloud that I have. Since I put it on air almost 30,000 folk have listened to it, and it has started conversations and featured in articles about who within the intelligence agencies and the NSA knew what, and when they became aware.
My feeling is: does it matter? I would hope, as a peace-appreciating, freedom-appreciating citizen of the modern world, that the agencies out there react and work in a manner that is forward thinking and communicative. Indeed all my own personal experience, having worked in intelligence and in defence, is that they are stretched, badly paid and badly appreciated, and rely on relationships with industry just to tread water. I find it very hard to believe that the question of who knew what, when and where is relevant to us going to Cloud.
The question is more one for you, the deployer, the architect, the developer: ensure you use a certified OS, have a patch strategy, own your reporting and your logging, and make sure you understand and breathe governance. That means understanding the blended control matrices that allow you to own your footprint in public, private or open hybrid cloud, mated to a risk environment that conforms to your appetite or GRC tables.
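A patch strategy is only as good as the check that verifies it. The following is an added example, not code from the podcast or from Red Hat or the OpenSSL project: a POSIX shell function that classifies an OpenSSL version string against the ranges the OpenSSL advisory lists for CVE-2014-0160 (Heartbleed): 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g, 1.0.2-beta2 and the 0.9.8 and 1.0.0 branches are not. The function names (`heartbleed_affected`, `rpm_has_heartbleed_fix`, `check_local_openssl`) are this example's own. The caveat a practitioner needs is in the second function: enterprise distributions backport the fix without bumping the upstream version string, so a host that reports 1.0.1e can be fully patched, and the package changelog, not the banner, is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the page). Classify an OpenSSL version string as
# affected by CVE-2014-0160 (Heartbleed). Affected upstream releases per the
# OpenSSL advisory: 1.0.1 through 1.0.1f, and 1.0.2-beta1. 1.0.1g and
# 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the heartbeat code.
# Accepts either a bare version ("1.0.1e") or the full 'openssl version'
# banner ("OpenSSL 1.0.1e-fips 11 Feb 2013"). Returns 0 if affected, 1 if not.
heartbleed_affected() {
    v="$1"
    case "$v" in
        OpenSSL\ *) v=${v#"OpenSSL "}; v=${v%% *} ;;   # drop "OpenSSL " and the date
    esac
    base=${v%%-*}                                      # strip "-fips", "-1ubuntu2", ...
    case "$base" in
        1.0.1)       return 0 ;;                       # first release with heartbeats
        1.0.1[a-f])  return 0 ;;                       # 1.0.1a .. 1.0.1f
        1.0.1[g-z])  return 1 ;;                       # 1.0.1g and later are fixed
        1.0.2)
            case "$v" in
                1.0.2-beta1) return 0 ;;               # the one affected 1.0.2 beta
                *)           return 1 ;;
            esac ;;
        *)           return 1 ;;                       # 0.9.8, 1.0.0, anything else
    esac
}

# Caveat: RPM-based distributions (Red Hat, CentOS, Fedora) backport the fix
# and keep the upstream version, so a patched host still reports 1.0.1e and
# heartbleed_affected gives a false positive. The package changelog is the
# authoritative signal on those systems. Returns 0 if the fix is recorded.
rpm_has_heartbleed_fix() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
}

# Convenience wrapper for the local host: combine the banner check with the
# changelog check. Prints a verdict and returns 0 when the host is safe.
# Usage after sourcing this file:  check_local_openssl
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    banner=$(openssl version)
    if ! heartbleed_affected "$banner"; then
        echo "OK: $banner is outside the affected range"
        return 0
    fi
    if rpm_has_heartbleed_fix; then
        echo "OK: $banner is in the affected range but the package changelog records CVE-2014-0160"
        return 0
    fi
    echo "VULNERABLE: $banner is in the affected range and no backported fix was found"
    return 1
}
```

On Debian and Ubuntu the same backporting applies; there the check is the package version against the distribution's security advisory (for example `dpkg -s openssl` compared with the version named in the USN or DSA), and in every case a patched library is only in effect once the services that loaded it have been restarted.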
Richard went on the record without being prompted, on my microphones, stating for a fact that mandated US Government behaviour was to patch and interact unless there was a massive stated case with interagency ministerial support to behave otherwise. I took him at his word, and no doubt many would argue otherwise. I looked him in the eye and that is genuinely good enough for me.
You can listen in to the podcast via iTunes or Stitcher, or you can follow the link to the direct download / stream below and make your own mind up.
You can listen to or download the show here.