Skip navigation

Defense in Depth: Lessons Learned from Heartbleed

 

While the recent Heartbleed vulnerability in OpenSSL may have felt to many like a once-in-a-lifetime internet-scale calamity, it really was just the latest in a long string of failures in SSL/TLS infrastructure: in recent years, there has been a surprisingly long list of high-profile weaknesses discovered in protocols and implementations.

We should expect this. The problem is not that SSL/TLS and its various implementations are inherently bad: humans make mistakes and all software has bugs; any security protocol or system could easily fall victim to a similar fate (perhaps even more easily - SSL/TLS is, at least, widely used and widely studied).

Instead, these failures illustrate the value of a long-held security principle known as “Defense in Depth,” which holds that we must build security at every layer of our systems, such that they can remain secure even if one layer breaks.

Watch our webcast as we discuss how to lessen the impact of SSL/TLS failures, and some broader ways in which Defense in Depth can be applied across your organization.