Mayden’s OpenSSL bug “Heartbleed” response

Following the recent publicity around the OpenSSL Heartbleed vulnerability, we are publishing our response to the bug. Mayden routinely has internal tasks triggered by potential security issues which can be raised by anyone within the company. These are dealt with as part of our larger Information Security program.

When an announcement such as the Heartbleed issue is made, it may come from many sources, depending on the motives of the organisation that finds the issue first. Mayden continually monitors both official and side channels for alerts related to our software. In this case, the official announcement from OpenSSL was made on Monday, 7 April (https://www.openssl.org/news/vulnerabilities.html), and announcements were also made by a number of the organisations involved in the discovery.

Mayden spotted the issue during a routine check of technology feeds first thing on Tuesday, 8 April and recognised that it might apply to our systems. A high-priority task was immediately raised with the data-centre team to survey all live hosts and report back. By midday on Tuesday, 8 April, all live systems had been checked and declared clean. At this point, the media coverage of the vulnerability was still low.

Following this, a sub-task to check secondary and internal systems was created and actioned. This was completed by midday on Wednesday, 9 April. A number of new systems that were not yet live, along with some development environments, were found to have the issue, and these have been patched. Normally, this would be a sufficient response to any single issue.

In the case of Heartbleed, the mainstream news coverage and publicity will have prompted many individuals and organisations to try to exploit the bug quickly, before systems were patched globally. Some of these individuals will have written automated software that scans large sections of the internet for vulnerable servers. In response, Mayden initiated a further check. This time a different team verified that no systems were running affected versions of the code, and test tools were used to probe our systems using the same methods an attacker might.

We would like to assure all our clients that our systems are not affected by this vulnerability. As you would expect, Mayden already has processes in place to watch for and manage this type of event. Even without the publicity, our systems would have been checked and if necessary secured.

Our support teams are ready to handle any requests related to this issue or to our Information Security processes for clients; if you have any questions, please get in touch.
