Marc Seeger Devops Meetup - Lessons from Heartbleed

•

1 like•1,080 views

Marc Seeger

A presentation I gave at DevOps Boston on how we handled the Heartbleed bug at Acquia

Technology Business

Marc Seeger (@rb2k) 
Boston Devops Meetup 
May 20th 2014
at

Quick risk assessment
Lucid:
[00:35:27] root@bal-2.dev:~# openssl version
OpenSSL 0.9.8k 25 Mar 2009
!
Precise:
[00:34:37] root@master.dev:~# openssl version
OpenSSL 1.0.1 14 Mar 2012

Where’s Waldo OpenSSL
8000 EC2 Machines:
- 99.9% of them puppetized
- Candidates:
- Balancers
- SVN Servers
- Appliances
- ELBs
- 3rd party AMIs
- Unique little snowﬂakes 
(Jira, Crucible,…)

Rollout
Australia:
!
Con:
- Spiders
- Snakes
!
Pro:
- Ops is awake

Internal
• Pre-determined chat rooms
• Dial-in conference bridges
• A communication plan
Thanks SSAE-16, PCI and FedRAMP… I guess :)

Statuspage + Twitter
* Powered by StatusPage.io
*

Documentation
https://docs.acquia.com/articles/heartbleed-acquia-cloud

Proactive communication
Phone calls by Acquia support, TAMs, …

Since then:
Incident Commander
(shamelessly stolen from Heroku)
http://en.wikipedia.org/wiki/Incident_command_system

Since then:
Dedicated resource to vet security threats

We’re hiring
(shameless self promotion)
bit.ly/acquiajobs

Viewers also liked

Arquitetura de informaçãoPrinci Agência Web

Getting Tactical with LATAM Digital MarketingZeph Snapp

Ppt 01Pannathat Champakul

Wellness at Dartmouth_asessment and recommendationsBoyd Lever

Fb alopecia in a bulldogCentro de Dermatología Veterinaria ADERVET

Las 48 leyes del poderOrlando Escudero

Revista veja destaca fernando mendes na edição desta semanaEvandro Lira

Non-Specialized File Format ExtensionCSCJournals

Mag One Products Inc. Investor PresentationRedChip Companies, Inc.

MetodosPAULO Moreira

sukanya HR Resume updatedsukanya karumanchi

Planhub家璿周

SensoplanGlenn Porter

Bcg matricxNeha Singh

Contexto educativo fpdneftali morales sampedro

Tecnologia eduativamiguelsanchezz1

2008 cafe tiranaSzymon Konkol - Publikacje Cyfrowe

Viewers also liked (17)

Arquitetura de informação

Getting Tactical with LATAM Digital Marketing

Ppt 01

Wellness at Dartmouth_asessment and recommendations

Fb alopecia in a bulldog

Las 48 leyes del poder

Revista veja destaca fernando mendes na edição desta semana

Non-Specialized File Format Extension

Mag One Products Inc. Investor Presentation

Metodos

sukanya HR Resume updated

Planhub

Sensoplan

Bcg matricx

Contexto educativo fpd

Tecnologia eduativa

2008 cafe tirana

Similar to Marc Seeger Devops Meetup - Lessons from Heartbleed

Iot demoday nov_2014Simen Sommerfeldt

nodebots presentation @seekjobsEsteban (Steven) De Salas

DrupalGov2014 HeartbleedTimothy Hilliard

Kubernetes Native JavaAlex Soto

Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON

CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...PROIDEA

Fosdem10wremes

All Your IOPS Are Belong To Us - A Pinteresting Case Study in MySQL Performan...Ernie Souhrada

Exploring the Internet of Things Using RubyMike Hagedorn

AEO Training - 2023.pdfMohamed Taoufik TEKAYA

Techniques of attacking ICS systems qqlan

How to Run Solr on Docker and WhySematext Group, Inc.

ROBOTICS - Introduction to Robotics MicrocontrollerVibrant Technologies & Computers

Devops kc meetup_5_20_2013Aaron Blythe

Objectives andwarmupsmma8108

Apache Mesos at Twitter (Texas LinuxFest 2014)Chris Aniszczyk

The Departed: Exploit Next Generation® – The PhilosophyNelson Brito

IJTC%202009%20JRubytutorialsruby

Vulnerability & Exploit Trends: A Deep Look Inside the DataKenna

Similar to Marc Seeger Devops Meetup - Lessons from Heartbleed (20)

Iot demoday nov_2014

nodebots presentation @seekjobs

DrupalGov2014 Heartbleed

Kubernetes Native Java

Joxean Koret - Database Security Paradise [Rooted CON 2011]

CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...

Fosdem10

All Your IOPS Are Belong To Us - A Pinteresting Case Study in MySQL Performan...

Exploring the Internet of Things Using Ruby

AEO Training - 2023.pdf

Techniques of attacking ICS systems

How to Run Solr on Docker and Why

ROBOTICS - Introduction to Robotics Microcontroller

Devops kc meetup_5_20_2013

Objectives andwarmups

Apache Mesos at Twitter (Texas LinuxFest 2014)

The Departed: Exploit Next Generation® – The Philosophy

IJTC%202009%20JRuby

Vulnerability & Exploit Trends: A Deep Look Inside the Data

Recently uploaded

TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada

2024 April Patch TuesdayIvanti

Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq

How to write a Business Continuity PlanDatabarracks

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal

Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery

Data governance with Unity Catalog PresentationKnoldus Inc.

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3

Rise of the Machines: Known As Drones...Rick Flair

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3

Decarbonising Buildings: Making a net-zero built environment a realityIES VE

TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc

How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe

So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda

Sample pptx for embedding into website for demoHarshalMandlekar2

Connecting the Dots for Information Discovery.pdfNeo4j

Scale your database traffic with Read & Write split using MySQL RouterMydbops

Recently uploaded (20)

TeamStation AI System Report LATAM IT Salaries 2024

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024

2024 April Patch Tuesday

Genislab builds better products and faster go-to-market with Lean project man...

How to write a Business Continuity Plan

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...

Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...

Data governance with Unity Catalog Presentation

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx

Rise of the Machines: Known As Drones...

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx

Decarbonising Buildings: Making a net-zero built environment a reality

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy

How AI, OpenAI, and ChatGPT impact business and software.

So einfach geht modernes Roaming fuer Notes und Nomad.pdf

Sample pptx for embedding into website for demo

Connecting the Dots for Information Discovery.pdf

Scale your database traffic with Read & Write split using MySQL Router

Marc Seeger Devops Meetup - Lessons from Heartbleed

1. Marc Seeger (@rb2k)  Boston Devops Meetup  May 20th 2014 at

2. Act 1: Technology

3. How it all started 7:24 PM

4. How it all started 7:30 PM

5. How it all started 7:26 PM

6. How it all started 7:33 PM

7. How it all started

8. Quick risk assessment Lucid: [00:35:27] root@bal-2.dev:~# openssl version OpenSSL 0.9.8k 25 Mar 2009 ! Precise: [00:34:37] root@master.dev:~# openssl version OpenSSL 1.0.1 14 Mar 2012

9. Where’s Waldo OpenSSL 8000 EC2 Machines: - 99.9% of them puppetized - Candidates: - Balancers - SVN Servers - Appliances - ELBs - 3rd party AMIs - Unique little snowﬂakes  (Jira, Crucible,…)

10. Let the patching begin

11. Rollout Australia: ! Con: - Spiders - Snakes ! Pro: - Ops is awake

12. Rollout

13. Scan www

14. Waiting on ELBs…

15. Internal Certiﬁcates

16. Suddenly: “reverse” Heartbleed

17. Act 2: Communication

18. Internal • Pre-determined chat rooms • Dial-in conference bridges • A communication plan Thanks SSAE-16, PCI and FedRAMP… I guess :)

19. Statuspage + Twitter * Powered by StatusPage.io *

20. Documentation https://docs.acquia.com/articles/heartbleed-acquia-cloud

21. Proactive communication Phone calls by Acquia support, TAMs, …