One of my oft-repeated messages is to keep all systems patched and up to date. This article on eWeek, focusing on the widely deployed OpenSSL library, makes the point that it’s difficult to know whether unpatched software is embedded in the products you buy in. That’s why relying on software updates alone can give you a false sense of security. Businesses also need to undertake regular penetration tests to look for vulnerabilities.
Although patches for Heartbleed have been available publicly for two years, the flaw is still a risk and likely still being exploited by attackers taking advantage of unpatched servers. “There are many organizations that are still at risk because they don’t know what their third-party vendors are implementing in products that they run on their network,” Marcus Carey, founder and CTO of vThreat, told eWEEK. “People don’t even know how many computers are connected to their networks, let alone what software is running on them.”