Whatever scanner you choose to use, make sure to scan your resources thoroughly, both before and after you patch.
Why? Read through this thread:
https://access.redhat.com/site/solutions/781793
Red Hat released a patch, but people who scanned their systems after applying it were still showing as vulnerable. The cause was an add-on, mod_spdy, which bundles its own copy of OpenSSL: updating the system openssl package fixed the shared library but not the copy linked into mod_spdy, so the server kept answering malicious heartbeat requests until mod_spdy itself was updated.
So, even after you've patched, scan again.
I would argue it is a good idea to set up a recurring, scheduled scan (possibly as part of your existing external and internal port scans) for the foreseeable future. I'd like to think that no one will build new software against the vulnerable OpenSSL versions (1.0.1 through 1.0.1f), but the chance that a vulnerable copy gets slipped into a product, by accident or intentionally, whether as a bundled or statically linked library like the one in mod_spdy, is high.