Introducing Zero Trust Posture Management (ZTPM)— Extending Zero Trust Beyond Network Access
All aspects of the OpenSSL critical vulnerability patch will be managed by AppOmni
By AppOmni
Today, the OpenSSL Project released a patch to address a “critical” vulnerability formally known as CVE-2022-3786. This marks only the second time since the OpenSSL Project’s inception in 1998 that the organization has announced a critical vulnerability, its most severe designation.
OpenSSL’s broad reach means the patch must be installed across servers, laptops, on-prem software, and much more to prevent issues with software libraries, private keys, certificate signing requests (CSRs), SSL/TLS certificates, and identify certificate information.
An OpenSSL Project critical vulnerability “affects common configurations … which are also likely to be exploitable.” The official definition goes on to include examples that can potentially reveal user details and server data, among other distressing scenarios.
Thankfully, organizations with a “SaaS first” stack are largely protected from any OpenSSL issues related to this vulnerability.
Why SaaS App Owners and Users Are Unaffected by the OpenSSL Vulnerability
Well-established SaaS companies take responsibility for remediating OpenSSL concerns (assuming any exist) in their SaaS apps. Even if your team deploys custom code that relies on OpenSSL libraries, such as Salesforce’s Apex, the SaaS vendor is responsible for the libraries used by the runtime that executes the code.AppOmni and other respected SaaS companies use a shared responsibility model. Unlike on-prem software, a SaaS vendor maintains the solution’s infrastructure, network, and application. The customer manages application configuration for the SaaS platform – the “shared” portion of shared responsibility. And SaaS companies employ Security and DevSecOps teams to hunt for SaaS-to-SaaS bugs and vulnerabilities.
Steps You Should Take Now
If you rely on on-prem software, contact your security and IT teams immediately to ensure they’re managing the OpenSSL patches. This discussion is particularly urgent if business-critical programs run in on-prem environments.
Unfortunately, emerging and up-and-coming SaaS vendors may not fully adhere to the shared responsibility model, or they might not have hired security experts to monitor for these events. Don’t hesitate to ask if they’ve identified any OpenSSL vulnerabilities and patched them.
OpenSSL Critical Vulnerability Responses and Resources
If major SaaS companies share their plans for addressing this patch, we’ll continually update this section. If you’d like to submit a vendor response for us to post here, please send the details to info@appomni.com.
To better understand the full impact of the OpenSSL critical flaw, check out these resources:
- CrowdStrike, Oct. 28, 2022 — “Discovering the Critical OpenSSL Vulnerability with the CrowdStrike Falcon Platform”
- Dark Reading, Oct. 27, 2022 — “Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn”
Related Resources
-
Introducing Zero Trust Posture Management (ZTPM): Extending Zero Trust Beyond Network Access
Get an introduction to Zero Trust Posture Management (ZTPM). Learn how it extends Zero Trust principles and helps enterprises establish Zero Trust architectures.
-
Know Before You Go: AppOmni at RSA Conference 2024
Meet AppOmni at RSA 2024, connect with our SaaS security experts, and learn how AppOmni helps organizations prevent SaaS data breaches and achieve secure productivity.
-
AppOmni Guidance on the Digital Operational Resilience Act (DORA)
Learn how traditional and non-traditional financial services institutions can comply with DORA requirements with AppOmni.