Citrix NetScaler’s recently exposed security exploit, which allows attackers to bypass authentication and take full control of the load balancing infrastructure, is frightening. But it is hardly a standalone incident. Every product from every company may eventually succumb to a critical vulnerability. This raises some good questions around security. How does a vendor test the security of their product? If vulnerabilities are inevitable, what is the vendor response and customer strategy?
If you take a look at the load balancer discussions on various online forums, you will notice that load balancers often result in outages. Ironic, isn’t it?
This article originally appeared in Dark Reading on Apr 15, 2016.
The news coming out of Hackmageddon, that January reported an unusually low number of "Attack Techniques", was quite disturbing. Did the security industry really manage to get the upper hand? Wait for it...oh, here comes another devastating vulnerability!
I recently read an interesting blog post on an ADC vendor’s site that demonstrates a Rube Goldberg approach to showing common SSL information. Now I won’t name names but I will admit that it inspired me to write a quick blog post to show the business-ready alternative to the science project approach!
I’m pretty certain that whoever first uttered the phrase “anything easy isn't worth having” was no IT administrator. This certainty derives from the seemingly path-of-least-resistance attitude that many enterprises hold when it comes to enforcing stringent levels of encryption security for public infrastructure including their websites. We’ve previously blogged on the excuses many enterprises make for their lax encryption practices, but it’s worth examining what I believe is the primary culprit for this: lack of visibility and insights into their security profiles.
The cold truth: You are rarely secure when you connect to an SSL-encrypted web site. The browser shows a happy little lock icon, and you think nothing further on the subject. But recent revelations and exploits, such as the NSA, nation states and others scooping up vast quantities of Internet data, courts ordering websites to give up their SSL keys, and Heartbleed leaking session data, have proven that we need to revisit the level of security used by web sites.