Handling the waves of Shellshock
by Andrew Kenney
2014 has been a busy year for the open source security world. First there was Heartbleed, followed by a string of further security fixes in OpenSSL; then last week’s Bash Shellshock and Xen vulnerabilities made mainstream news, requiring a large portion of the Internet to be patched or rebooted.
Acquia’s mantra is “we won’t let you fail”, and this past week underscored our commitment to that ideal. Our technical teams patched 9000+ AWS instances to mitigate Shellshock, not once, not twice, but thrice as each new vulnerability was reported. Additionally, we relaunched hundreds of AWS instances to protect against a recently discovered Xen virtualization vulnerability. Throughout these incidents no Acquia Cloud Enterprise customer had any noticeable operational impact.
As a member of the Acquia team, I value our expertise in configuration management that enabled us to quickly patch our fleet of instances. I also value our experience in building resilient systems that prevented service disruption over the last week. But most of all, I value the professionalism of our staff, our belief in putting the customer first, and our belief in improving security the open source way.
Over time, Bash will be improved markedly, just like OpenSSL. An open and collaborative approach to running applications in the Cloud benefits all. During these incidents we worked closely with our trusted vendors and partners to ensure our platform was protected while providing them with suggestions to help their other customers. We’re all in this together.
Throughout these recent bouts of security uncertainty, organizations the world over have scrambled not only to patch affected systems, but first to inventory and audit their servers to determine which ones are actually exposed. Such an effort is non-trivial, especially when the situation is still unfolding and the fix itself changes from day to day.
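As a concrete starting point for that audit step, here is an added example of a POSIX shell audit helper. It is not Acquia's tooling and not code from the original post; it probes the local bash binary for the first two rounds of Shellshock, CVE-2014-6271 (the original function-import bug) and CVE-2014-7169 (the incomplete first fix), and reports the bash version alongside the verdicts so the output can be collected fleet-wide by whatever configuration management runs it. The variable name SHELLSHOCK_PROBE, the sentinel string PROBE_EXECUTED and the function names are arbitrary choices made for this example.

```shell
#!/bin/sh
# Added example: local Shellshock audit (hypothetical helper, not Acquia's code).
# Both probes run harmless payloads and clean up after themselves.

# Resolve the bash to test: explicit path argument, else the first bash on PATH.
resolve_bash() {
    sh_bin=${1:-}
    [ -n "$sh_bin" ] || sh_bin=$(command -v bash || true)
    if [ -z "$sh_bin" ] || [ ! -x "$sh_bin" ]; then
        return 1
    fi
    printf '%s\n' "$sh_bin"
}

# CVE-2014-6271: a vulnerable bash treats an environment variable whose value
# starts with "() {" as a function definition and then executes whatever
# trails the closing brace while merely importing the environment, i.e.
# before the -c command runs. The payload only echoes a sentinel.
shellshock_check() {
    sh_bin=$(resolve_bash "${1:-}") || { echo "no-bash"; return 2; }
    out=$(env 'SHELLSHOCK_PROBE=() { :;}; echo PROBE_EXECUTED' \
            "$sh_bin" -c 'echo harmless' 2>/dev/null)
    case "$out" in
        *PROBE_EXECUTED*) echo "vulnerable"; return 1 ;;
        *)                echo "patched";    return 0 ;;
    esac
}

# CVE-2014-7169: the first patch left a parser bug where a crafted definition
# leaks a dangling '>' token into the following command. The -c command then
# becomes a redirection, creating a file literally named "echo" in the
# working directory. We run inside a temp dir so nothing is left behind.
shellshock_check_7169() {
    sh_bin=$(resolve_bash "${1:-}") || { echo "no-bash"; return 2; }
    tmp=$(mktemp -d) || { echo "no-tmpdir"; return 2; }
    ( cd "$tmp" && env 'SHELLSHOCK_PROBE=() { (a)=>\' \
          "$sh_bin" -c 'echo harmless' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        verdict=vulnerable; rc=1
    else
        verdict=patched; rc=0
    fi
    rm -rf "$tmp"
    echo "$verdict"
    return $rc
}

# One line per host, suitable for collecting into an inventory:
# <hostname> <bash path> <bash version> <6271 verdict> <7169 verdict>
shellshock_report() {
    sh_bin=$(resolve_bash "${1:-}") || { echo "$(hostname) - - no-bash no-bash"; return 2; }
    ver=$("$sh_bin" -c 'printf %s "$BASH_VERSION"' 2>/dev/null)
    v1=$(shellshock_check "$sh_bin") || true
    v2=$(shellshock_check_7169 "$sh_bin") || true
    printf '%s %s %s %s %s\n' "$(hostname)" "$sh_bin" "${ver:-unknown}" "$v1" "$v2"
    [ "$v1" = "patched" ] && [ "$v2" = "patched" ]
}

shellshock_report
```

Run it as-is on a host to get a single inventory line; the exit status is zero only when both probes report "patched", so it drops straight into a configuration-management check or a cron job. Note that this tests only the bash binary found on the host, not every copy (chroots, containers, statically linked vendored shells), and that later Shellshock CVEs (the parser crashes and the remaining function-import paths) are not covered by these two probes; a fully patched bash should be confirmed against the vendor advisory rather than this script alone.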
I often advise customers to look at the comprehensive TCO for running their websites. Running a business online involves more than just power, pipe, ping, and a decent developer. High availability means planning for failure of every element of the stack, and security means ensuring you have a layered approach to defense and an ability to rapidly respond to threats.
Engineering talent is precious and should go towards creating value for your company, not patching servers in the Cloud. Leave that to us, so you can focus on your website.