The "P Squared" security strategy - Procrastination Pays

There has been a lot in the press about the Heartbleed vulnerability lately. If you want more details on the vulnerability itself, read Troy Hunt's article entitled "Everything you need to know about the Heartbleed SSL bug". Great, well-rounded article. What does Heartbleed have to do with procrastination, you ask? Well, if you'd done what a lot of companies do, you'd ignore old software and let it sit there. Had you done that with OpenSSL, you're probably good! You would not be scrambling to get emergency maintenance windows and having meetings with the CIO about the risk of rolling out half-tested OpenSSL patches versus taking the time to thoroughly test the patches. You would not be carefully crafting a message to explain to your users that you were vulnerable and they need to be changing their passwords.

No, had you followed what I call the "P2 security strategy" (aka Procrastination Pays), you'd be chillin' like Bob Dylan. You would be able to tell the CIO, "We're good. That vulnerability does not affect us at all. Tight security is how we roll." You'd proudly tell your users that their data is safe with you because you were not susceptible to that latest bug in the Wall Street Journal. Damn, it feels good to be a gangsta.

Realize this, though. You traded this one highly visible vulnerability for several other vulnerabilities. It's just that those vulnerabilities did not make the media circuit. Your CIO does not even know the weaknesses exist. There was one very similar (though less severe) vulnerability in early 2012, which is just about the time the Heartbleed bug was introduced. So, you're probably susceptible to a very similar attack, but nobody knows it.

The moral of the story is this.  Keep your stuff up to date because you'll have to pay the piper eventually.