This past week, as most security professionals know by now, a severe bug was discovered in the Cloudflare content delivery network’s service by noted researcher Tavis Ormandy. Organizations should pay attention when Tavis reaches out, just like they should when Brian Krebs reaches out – there’s a damn good reason, and it’s probably important. I’d like to publicly commend the team at Cloudflare for handling this as well as anyone could in that situation. They took him seriously, responded quickly, and worked their butts off to get the problem handled. From everything I’ve seen, it was a model vendor response to a serious issue. If you’re just learning about this, here are some links to get the background:
Project Zero page describing the bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Troy Hunt’s EXCELLENT writeup on this: https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/
Rather than just be another blog talking about this issue (I think it’s been covered well enough elsewhere), I’d rather focus on the bigger picture for a minute. As someone who works with many organizations on their virtualization and cloud architecture, strategy, and more, I believe this incident is one we should really take to heart for a few reasons.
The nature of security architecture has been changing for a few years now. CDN services like Akamai and Cloudflare are almost mandatory for many organizations that need security and availability controls applied to their internet traffic. The Cloud Access Security Broker (CASB) market is also growing rapidly, and those brokers process organizations’ cloud data.
The entire nature of trust is changing with these trends. We’re relying on SSAE 16 SOC 2 reports and other *extremely* superfluous documentation offered by the service providers to guarantee that security best practices are being followed. What we really don’t know, however, is the TRUE nature of the software and architecture in place within these environments, because the providers never offer this. Ever.
Using these services exposes us, of course. I’m as bullish on cloud as anyone. But we are not really modeling our threat surface around these services, and occasionally things will go dramatically wrong. I believe this is an opportunity for those in the bug bounty industry to shine – where we have the least visibility, and the most trust assumed. Not to knock Cloudflare, but Tavis called out their bug bounty – a T-shirt. That’s not a bug bounty, that’s just a token to say you have a bounty program. If you want the best hackers to REALLY find your issues for you, ethically and professionally, you need to step up. More than that, WE (the community using cloud providers and the brokering services that transit our data to and fro) need the best hackers in the world looking at these technologies with a much more scrutinizing eye than a CPA firm with a checklist.
I think this will hit a tipping point sooner rather than later, sadly. Cloudflare handled the problem admirably, and we really don’t know how exposed people’s data was (although everyone and their mothers are speculating wildly, of course, this being the infosec community). That may not be the case forever – sooner or later, someone is going to turn one of these CASBs or CDNs into the world’s biggest Man-in-the-Middle tool, and things are really going to get ugly.