The disclosure of the Heartbleed bug on April 7th has been a wake-up call to us all about the difference between promised vs. delivered security. Much has been written about the vulnerability found in the OpenSSL library; from the remarkably out-of-the-norm disclosure website constructed by the team over at Codenomicon to the incredibly simplified explanation by xkcd, there is a wealth of information available about the cause and implications of the bug.
There are a number of factors to take into consideration when deciding whether action is necessary:
“Am I running a vulnerable version of OpenSSL? If so, since when?”
“How do I generate new keys and get them to all my servers?”
Answering these questions is easier when your infrastructure is constructed by code. Finding out when a vulnerable version of OpenSSL was introduced to your servers is a matter of reading the commit history on GitHub. There is no guessing about yes, no, or when: it is recorded in the infrastructure code.
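As an added example (not code from the original post), the script below does the two lookups just described: it classifies an OpenSSL version string by Heartbleed exposure, and it walks a commit history of a version pin to find the window during which a vulnerable version was in the infrastructure code. The commit history, the file path in the comment and the version strings are constructed for illustration; the one caveat a practitioner needs is that distribution packages backport the fix without changing the upstream version number, so such builds are reported as "verify" rather than "vulnerable".

```python
"""
Added example: Heartbleed (CVE-2014-0160) triage over OpenSSL version strings
and over an infrastructure-code commit history. All sample data is constructed.
"""
import re
from dataclasses import dataclass

# Upstream releases carrying the bug: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# 1.0.1g (7 April 2014) is the first fixed release; 1.0.0 and 0.9.8 never had it.
FIRST_FIXED = (1, 0, 1, "g")

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(.*)$")


@dataclass
class Verdict:
    version: str
    status: str  # vulnerable | fixed | not-affected | verify | unparseable
    reason: str


def parse_openssl_version(s: str):
    """Split '1.0.1e-2+deb7u7' into ((1, 0, 1, 'e'), '-2+deb7u7')."""
    m = VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, fix, letter, suffix = m.groups()
    return (int(major), int(minor), int(fix), letter), suffix


def heartbleed_status(version_str: str) -> Verdict:
    parsed = parse_openssl_version(version_str)
    if parsed is None:
        return Verdict(version_str, "unparseable", "not an OpenSSL version string")
    core, suffix = parsed
    if core[:3] == (1, 0, 2):
        if suffix == "-beta1":
            return Verdict(version_str, "vulnerable", "1.0.2-beta1 carries the bug")
        return Verdict(version_str, "not-affected", "1.0.2 builds after beta1 are fixed")
    if core[:3] != (1, 0, 1):
        return Verdict(version_str, "not-affected", "branch never contained the heartbeat bug")
    if core >= FIRST_FIXED:
        return Verdict(version_str, "fixed", "upstream release 1.0.1g or later")
    # 1.0.1 .. 1.0.1f is upstream-vulnerable, but distributions backported the fix
    # into packages that keep the old version string (e.g. '1.0.1e-2+deb7u7'),
    # so a packaging suffix means "read the package changelog", not "vulnerable".
    if suffix:
        return Verdict(version_str, "verify",
                       "distro-patched build; confirm the CVE-2014-0160 fix in its changelog")
    return Verdict(version_str, "vulnerable", "upstream release between 1.0.1 and 1.0.1f")


# Constructed stand-in for the commit history of a version pin. In a real
# repository you would derive this from something like
#   git log -p --follow -S'1.0.1' -- attributes/default.rb   (hypothetical path)
# and read the pinned value out of each diff.
SAMPLE_HISTORY = [
    ("a1b2c3d", "2013-02-01", "1.0.0k"),
    ("b2c3d4e", "2013-03-15", "1.0.1e"),
    ("c3d4e5f", "2013-11-02", "1.0.1e"),
    ("d4e5f6a", "2014-04-08", "1.0.1g"),
]


def exposure_window(history):
    """Return (first commit pinning a vulnerable version, first commit that
    pinned a non-vulnerable version afterwards, or None if still exposed)."""
    ordered = sorted(history, key=lambda commit: commit[1])
    first_vuln = None
    for sha, date, version in ordered:
        status = heartbleed_status(version).status
        if first_vuln is None and status == "vulnerable":
            first_vuln = (sha, date, version)
        elif first_vuln is not None and status in ("fixed", "not-affected"):
            return first_vuln, (sha, date, version)
    return first_vuln, None


if __name__ == "__main__":
    for v in ("1.0.1e", "1.0.1e-2+deb7u7", "1.0.1g", "1.0.0k"):
        print(heartbleed_status(v))
    print(exposure_window(SAMPLE_HISTORY))
```

The history walk is deliberately date-ordered rather than list-ordered so that a history assembled from several branches still yields the earliest vulnerable pin, which is the date that bounds how long keys and certificates on those servers should be considered exposed.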
The fine folks over at Chef have provided an excellent example of how coded infrastructure can ease the challenges of regenerating and deploying certificates.
In the Chef ecosystem, each server (or node) has its own certificate, which it uses to authenticate itself with the Chef Server. In an environment with hundreds or maybe even thousands of servers, the task of replacing all those certificates may seem daunting. With an automated infrastructure managed by Chef, it need not be. Thanks to the team at Chef, there is a simple cookbook to handle this: by applying the aptly named client-rekey cookbook to your servers, each server’s certificate is properly regenerated.
Whether your automated infrastructure is coded with Chef, Puppet, CFEngine, Ansible, or another tool, the key point to drive home is that it is coded.
All this is not to trivialize the impact of vulnerabilities such as Heartbleed on consumers, businesses, or the technical teams supporting both. Instead, it is important to understand that there are optimal ways of responding. Through coded infrastructure you may quickly and safely respond to one of the largest security matters we as an information society have faced.