OpenSSL as a standard for software development in the web environment has long been the front running standard for preparing secure, encrypted web connections at the server and site level of published websites. Over the years it has been a target of numerous attacks and exploit vulnerabilities and hence was the core subject of examination in the area of Secure Software Design & Development in the CSOL Masters program. As a submission for review, I selected 4 vulnerabilities as the subject of this submission and paper. Additionally, I took a brief look at some alternatives to OpenSSL. Ultimately, OpenSSL provides us a great opportunity to look back over a long standing historical code base that has been the subject of much scrutiny and helps us to pave an appropriate path for future, secure by design modalities and approaches. Many critics of OpenSSL point to the fact that in its inception, it was rushed to market and while a robust first step to attempt to secure online transactions and informational flow through the use of encryption technologies - ultimately, it has also been compromised several times over its lifecycle - partly because of new advancements in technology and a "we don't know what we don't know" phenomena as it pertains to technology and encryption algorithm advancement over the years. After all, predicting the future is still about as accurate as shaking the magic 8 ball and hoping that the answer provided is relevant and timely. There are numerous lessons and takeaways from reviewing and analyzing OpenSSL as a case study for Secure Software Design and Development.
open_ssl_examination.pdf | |
File Size: | 396 kb |
File Type: |