Showing posts with the label InfoSec

Heartbleed bug in OpenSSL

A serious vulnerability was reported in the OpenSSL library that can let an attacker dump memory contents from the server. The attacker can then perform offline analysis of the memory contents and identify sensitive information such as the server's private key, key material for SSL sessions, decrypted data that is in memory, etc. This affects any server that uses OpenSSL to implement HTTPS. I thought I would share some material in one place that will be helpful for people to understand the problem better. A description of the problem can be found here. A simple Python script to test your servers can be found here, or you can use this site. The NVD entry for this issue can be found here. How some of the companies are responding: Heroku, AWS, Lastpass. Hope that helps.

Software Development Best Practices Conference 2007

On Friday last week I attended the Software Development Best Practices Conference 2007. It was an eventful day. There were two presentations which made me feel that I got much more in return than what I paid for. They are "Better Software - No matter what" by Dr. Scott Meyers and "Securing Software Design and Architecture: Uncut and Uncensored" by Dr. Herbert Thompson. In the photo, I am seen with Dr. Scott Meyers. (Thanks to Abhishek Pandey from Intuit for the photo.) You can see the presentation slides of Dr. Scott Meyers on the SD Expo web site. Other sponsored speakers discussed more about their companies and the products that they were advertising, which is quite understandable. Dr. Thompson's speech was lively and full of information. He shared three incidents that happened in the past that drove him mad to believe that "bugs are everywhere" and security is the most critical aspect of any product. Of the three incidents, I loved the Bahamian Advent...

Palisade - A good resource for security articles

I recently came across the Palisade web site. Instantly, I liked the contents of the web site and thought of sharing it with the readers. Hopefully you will find it useful too.