Earlier this month, the OpenSSL project team announced that three days later it would be releasing a new version of OpenSSL to address a high-severity security defect. In the end, this vulnerability resulted in another non-event for our customers, but we thought it might be useful and informative to share the process we went through to prepare for the issue.
Triage
The announcement from the OpenSSL project team only said that a vulnerability would be patched, but kept the specifics of the vulnerability embargoed to limit the likelihood of an attack before they could release their patch. Obviously, it’s difficult to gauge the potential impact of a vulnerability when you don’t know the...