Acano’s Chief Security Officer Talks about Rapid Resolution of Vulnerabilities

Spoiler alert: Acano resolved the OpenSSL “heartbleed” vulnerability in its software within two days. OpenSourceA vulnerability in the OpenSSL cryptographic software library was reported on April 7th. The news sent virtually every tech maker scrambling. The Acano solution uses OpenSSL to provide TLS support and as such it was vulnerable. Yesterday we provided new software releases that fix the vulnerability.

We asked Acano Chief Security Officer Steven Johnstone about reacting to heartbleed and other security issues:

“Our approach to vulnerabilities is very simple. We have a detailed Security Incident Response Plan which makes clear to our entire organization what needs to be done and in what timescale. When a vulnerability in one of our open source components – or any component – is discovered we react immediately, are open and honest with our customers and execute on our plan. “That’s exactly what we did with heartbleed. And in doing so, we managed to get our organization behind a big effort to notify customers and get a software release out as quickly as possible.  At the same time, we’re users of systems which were vulnerable and had to recover our own IT infrastructure. A busy few days! “

And what is Acano’s philosophy on OpenSSL and open source?

“OpenSSL is really important to Acano. It’s the foundation upon which we build our cryptographically protected services. We are not alone in this:  Google,  Amazon, Cisco, Juniper, Yahoo, Red Hat, Ubuntu … it could be used by a favourite website, in your smartphone and in your network router. “You may not realise that OpenSSL is developed by a team of *volunteers*. They rely on donations and commercial contracting performed through the OpenSSL Foundation. Their software can be incorporated into products, modified and redistributed at no cost. However, if you rely on an open-source project heavily it’s a good idea, and a good thing, to give back to the project to keep it healthy. That’s why we donate to the OpenSSL Foundation. “We really believe in the power of open source – communities of developers working together to build upon each other’s ideas. It mirrors the philosophy of the Acano solution, where everyone is invited to collaborate. Acano will continue to support open source communities through use, credit, donations and engagement.”

References