The Akamai Blog

Akamai Edge 2014: Shellshock and Heartbleed Resources

Akamai Edge attendees will hear the names of two security vulnerabilities a lot this week: Shellshock and Heartbleed. Both shook the security industry to the core this year, and Akamai security staff spent countless hours working to protect customers against these threats.

Before Edge gets underway, here are some resources to get familiar with what we've done to address the threats.

More on the Web Security Track at Akamai Edge 2014:
This set of vulnerabilities is fresh on our minds. It has consumed much of the last two weeks. To keep customers informed of Akamai's defensive measures, we created a series of articles and blog posts:

A look at two of six security holes summarized last week in six CVE advisories. These were the last two to be published late last week.

Shellshock Update
CSO Andy Ellis' update to customers on the Shellshock situation, published Thursday afternoon.

Environment Bashing
CSO Andy Ellis' first post regarding the threat.

Akamai Launches New Protection for Shellshock-Bash
An update on what Akamai is doing to protect customers from the Shellshock-Bash vulnerability, by Akamai Director of Product Marketing Daniel Shugrue.

Shellshock-Bash CVE List: Where Akamai Fits In
A look at all of the CVE advisories now in circulation, and how they relate to Akamai's mitigation strategies, by Akamai CSO Andy Ellis, Akamai Chief Security Architect Brian Sniffen, and Akamai Senior Program Manager Bill Brenner.

Shellshock Bash Explained
In this podcast, Akamai's Martin McKeay, Michael Smith and Bill Brenner discuss the Shellshock Bash bug and what Akamai is doing to keep customers secure.

Through The Bashdoor
The Shellshock story as told by Akamai's Security Platform Statistics, by Ezra Caltum, Adi Ludmer and Ory Segal.

The world awoke to the danger of Heartbleed in April, and it's been a top-of-mind topic for Akamai and its customers ever since. The first thing worth mentioning for Edge attendees is that Akamai Chief Security Architect Brian Sniffen will give a talk on the lessons of Heartbleed. Here is the talk description:

The Evolution of TLS/SSL - Improving the Foundations of Internet Security: In the wake of the Heartbleed vulnerability, attention has turned to TLS, the fundamental building block of Internet encryption and authentication. In this session we'll look at the evolving TLS standard and concentrate on new ciphers, authentication mechanisms, and asymmetric key changes - how they propose to impact the security of our data, and considerations for implementation and performance.

In recent months we've also released blog posts and a podcast outlining what Akamai has been doing to mitigate the vulnerability. All posts were written by CSO Andy Ellis:

The Brittleness of the SSL/TLS Certificate System
Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy. 

Podcast: CSO Andy Ellis on Heartbleed
My "lessons learned" interview with Andy.

Heartbleed: A History
A history of Heartbleed.

Heartbleed Update
During the Heartbleed crisis, we gave a series of updates in The Akamai Blog. This was the third such update, which captured all the important points.