Marc Seeger (@rb2k)

Boston Devops Meetup

May 20th 2014
at
Act 1: Technology
How it all started
7:24 PM
7:30 PM
7:26 PM
7:33 PM
Quick risk assessment
Lucid:
[00:35:27] root@bal-2.dev:~# openssl version
OpenSSL 0.9.8k 25 Mar 2009
Precise:
[00:34:37] root@master.dev:~# openssl version
OpenSSL 1.0.1 14 Mar 2012
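Added example (not from the original slides): a shell triage of collected `openssl version` output, using the upstream Heartbleed range of 1.0.1 through 1.0.1f. The function names, the `host|version` inventory format and the third host are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the presenter's tooling. Version ranges follow the
# upstream OpenSSL Heartbleed advisory (1.0.1 through 1.0.1f, 1.0.2-beta1).

# classify_openssl LINE: map one line of `openssl version` output to
# affected | not-affected | unknown, using the upstream version string only.
classify_openssl() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo affected ;;      # vulnerable heartbeat code
        0.9.*|1.0.0*|1.0.1[g-z]*)     echo not-affected ;;  # no heartbeat, or fixed
        *)                            echo unknown ;;       # unparsable or not covered
    esac
}

# triage_fleet: read "host|<openssl version line>" records on stdin and
# print "host|verdict" for each one.
triage_fleet() {
    while IFS='|' read -r host line || [ -n "$host" ]; do
        [ -n "$host" ] || continue
        printf '%s|%s\n' "$host" "$(classify_openssl "$line")"
    done
}

# affected_hosts: only the hosts that need a closer look.
# Caveat: distribution security updates usually backport the fix without
# changing the version string, so a patched host can still report
# "1.0.1 14 Mar 2012". Treat "affected" as "verify the installed package
# version or the build date from `openssl version -b`", not as proof.
affected_hosts() {
    triage_fleet | awk -F'|' '$2 == "affected" { print $1 }'
}

# Constructed inventory: the first two records are the outputs shown on the
# slide, the third host is made up for the example.
SAMPLE_INVENTORY='bal-2.dev|OpenSSL 0.9.8k 25 Mar 2009
master.dev|OpenSSL 1.0.1 14 Mar 2012
patched.example|OpenSSL 1.0.1g 7 Apr 2014'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_fleet
```

Long-running daemons keep the old library mapped after a package upgrade, so a clean verdict here still requires restarting every service that links libssl.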
Where’s Waldo OpenSSL
8000 EC2 Machines:
- 99.9% of them puppetized
- Candidates:
  - Balancers
  - SVN Servers
  - Appliances
  - ELBs
  - 3rd party AMIs
  - Unique little snowflakes (Jira, Crucible,…)
Let the patching begin
Rollout
Australia:
Con:
- Spiders
- Snakes
Pro:
- Ops is awake
Rollout
Scan
www
Waiting on ELBs…
Internal Certificates
Suddenly:
“reverse” Heartbleed
Act 2: Communication
Internal
• Pre-determined chat rooms
• Dial-in conference bridges
• A communication plan
Thanks SSAE-16, PCI and FedRAMP… I guess :)
Statuspage + Twitter
* Powered by StatusPage.io
Documentation
https://docs.acquia.com/articles/heartbleed-acquia-cloud
Proactive communication
Phone calls by Acquia support, TAMs, …
Since then:
- Post mortem
- Incident Commander (shamelessly stolen from Heroku): http://en.wikipedia.org/wiki/Incident_command_system
- Dedicated resource to vet security threats
- Clean up intranet docs
- Additional tooling
We’re hiring
(shameless self promotion)
bit.ly/acquiajobs

DevOps Boston - Heartbleed at Acquia