What is it?
“Heartbleed” (CVE-2014-0160) is a vulnerability in the widely used open-source cryptography library OpenSSL. A missing bounds check in OpenSSL's implementation of the TLS heartbeat extension lets a remote peer read up to 64 KB of the process's memory per request, with no authentication required. Any server or web site running a vulnerable version of OpenSSL (1.0.1 through 1.0.1f) is at risk of having a variety of data exposed, including private keys, usernames and passwords, session cookies and other sensitive data from users connecting to the service. It is estimated that up to 20% of the websites on the internet may have been affected by this vulnerability.
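The following is an added illustration of the bug described above; it is not code from this page or from OpenSSL, and it does not touch real memory. It models the heartbeat handler before and after the 1.0.1g fix over a constructed byte string that stands in for process memory (the received record followed by whatever the heap held next). The function and constant names are this example's own.

```python
import struct
from typing import Optional, Tuple

# Heartbeat message constants (RFC 6520): type(1) | payload_length(2) | payload | padding.
HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # the extension requires at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. A benign client sets claimed_length == len(payload);
    the Heartbleed trigger is a claimed payload_length larger than the payload sent."""
    if claimed_length is None:
        claimed_length = len(payload)
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_length) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_unpatched(memory: bytes, record_length: int) -> bytes:
    """Model of the pre-1.0.1g handler. `memory` is a constructed stand-in for process
    memory with the received record at offset 0. The handler trusts the 16-bit
    payload_length inside the message and copies that many bytes from the payload
    (memcpy(bp, pl, payload)) without comparing it to record_length."""
    hbtype = memory[0]
    payload_length = struct.unpack(">H", memory[1:3])[0]
    if hbtype != HB_REQUEST:
        return b""
    # Over-read: the slice runs past the end of the record into adjacent memory.
    echoed = memory[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + echoed + b"\x00" * PADDING_LEN


def handle_heartbeat_patched(memory: bytes, record_length: int) -> Optional[bytes]:
    """Model of the 1.0.1g handler: same logic plus the two bounds checks the fix added.
    Returns None where the real code silently discards the message."""
    if 1 + 2 + PADDING_LEN > record_length:  # record cannot hold even an empty payload
        return None
    hbtype = memory[0]
    payload_length = struct.unpack(">H", memory[1:3])[0]
    if 1 + 2 + payload_length + PADDING_LEN > record_length:  # claimed length exceeds the record
        return None
    if hbtype != HB_REQUEST:
        return b""
    echoed = memory[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + echoed + b"\x00" * PADDING_LEN


# Constructed "heap contents" left behind by another connection; not from any real server.
SECRET_HEAP_DATA = b"Cookie: session=9f86d081884c7d65; Authorization: Basic YWxpY2U6aHVudGVyMg=="


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Send a 2-byte payload that claims to be 100 bytes to both handlers."""
    record = build_heartbeat_request(b"hi", claimed_length=100)
    memory = record + SECRET_HEAP_DATA + b"\x00" * 256
    leaked = handle_heartbeat_unpatched(memory, len(record))
    refused = handle_heartbeat_patched(memory, len(record))
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("unpatched response contains heap data:", SECRET_HEAP_DATA in leaked)
    print("patched handler response:", refused)
```

The real attack repeats the request with a 64 KB claimed length against a live server, each response returning a different slice of whatever the heap happened to hold; the fix is nothing more than refusing any message whose claimed length does not fit in the record that carried it.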
What is CA Veracode doing to help our customers?
CA Veracode has the broadest and deepest application security offerings in the industry. This means that we can help you comprehensively identify and quickly mitigate the risks from the Heartbleed vulnerability. For a limited time, we are offering these services to all of our customers at no charge.
We have two capabilities in particular to help you determine your risk from Heartbleed. These services identify potentially vulnerable components in both your application code and your public-facing websites.
- Heartbleed Component Analysis: Our software composition analysis engine looks for evidence of use of OpenSSL, and produces a report detailing at risk applications.
- Heartbleed Web Perimeter Analysis: Our massively parallel Discovery technology detects the use of OpenSSL and produces a report of vulnerable websites.
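As an added example of the kind of evidence a composition analysis looks for, the script below scans a binary for the version text OpenSSL embeds in libcrypto/libssl and in anything linked statically against them (for example "OpenSSL 1.0.1e 11 Feb 2013") and flags builds in the affected range. It is not CA Veracode's engine; the sample blobs are constructed for the example, and the function names are this example's own.

```python
import re
from typing import Dict, List

# OPENSSL_VERSION_TEXT as embedded in the library, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.1e-fips 11 Feb 2013". The trailing space anchors on the build date.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d)?)(?:-fips)? ")


def is_heartbleed_version(version: str) -> bool:
    """True for the releases the OpenSSL advisory lists as affected: 1.0.1 through
    1.0.1f and 1.0.2-beta1. 1.0.1g and later, 1.0.0 and 0.9.8 are not affected
    (the 1.0.0 and 0.9.8 branches never contained the heartbeat code)."""
    if version == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"


def scan_blob(data: bytes) -> List[Dict[str, object]]:
    """Report every OpenSSL version string found in a binary blob."""
    findings = []
    for m in VERSION_RE.finditer(data):
        version = m.group(1).decode("ascii")
        findings.append({
            "offset": m.start(),
            "version": version,
            "vulnerable": is_heartbleed_version(version),
        })
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan an executable or shared library on disk (libssl.so, a static binary, ...)."""
    with open(path, "rb") as f:
        return scan_blob(f.read())


# Constructed sample "binaries": filler bytes around an embedded version string.
SAMPLES = {
    "app-static-old": b"\x7fELF...\x00OpenSSL 1.0.1e 11 Feb 2013\x00...",
    "libssl-patched": b"...\x00OpenSSL 1.0.1g 7 Apr 2014\x00...",
    "legacy": b"...OpenSSL 0.9.8y 5 Feb 2013\x00",
    "no-openssl": b"GnuTLS 3.2.12\x00",
}


def report(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Map each sample name to whether any embedded OpenSSL build is in the affected range."""
    return {name: any(f["vulnerable"] for f in scan_blob(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, vulnerable in report().items():
        print(f"{name}: {'AT RISK' if vulnerable else 'ok'}")
```

Two caveats when applying this to real systems: applications that link libssl dynamically carry no version string of their own, so the shared libraries they load must be scanned as well; and Linux distributions backported the fix without changing the version text (a patched 1.0.1e package still prints "OpenSSL 1.0.1e 11 Feb 2013"), so a match is a reason to check the package changelog or probe the heartbeat, not proof of vulnerability.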
How are these CA Veracode services different from traditional network vulnerability scanners?
- CA Veracode Discovery performs a deeper analysis -- using a combination of port checking, light web crawling, and DNS inspection -- to uncover new sites that you may not be aware of. Our customers often find many more websites with CA Veracode Discovery than they find with traditional, network-focused vulnerability scanners.
- Our approach leverages both static and dynamic analysis. Static analysis allows you to immediately identify OpenSSL vulnerabilities in applications that have previously been scanned on the CA Veracode platform, without requiring a dynamic scan of your domain.
- Our Web Perimeter Analysis runs on a massively parallel, auto-scaling infrastructure, unlike traditional network vulnerability management tools, enabling it to scan large and complex domains in a matter of days.