On the Subject of OpenSSL and Email Security

Jun. 10, 2014 by Elliot Tilley

First it was Heartbleed. Then last week, another 6 to 7 less serious flaws came to light. The recent OpenSSL vulnerabilities have once again shown us the need to maintain vigilance in monitoring vendor notifications and other reputable advisories regarding software and operating system updates.

Messaging and email servers in particular, such as Momentum, need to be monitored and maintained especially carefully. By their nature, email servers need to be both accessible and easily found so that external parties can send you a message. These email servers or senders also require an excellent sender reputation so that they can maintain very high levels of message and email deliverability. This makes them an excellent target for would-be attackers wanting to disseminate some kind of malicious messaging. Not only can cybercriminals find email servers easily via DNS (MX records point straight at them), but they can also be fairly sure that these servers will be offering Internet-facing messaging services (such as SMTP) that they can attempt to attack. If successful, these attackers will potentially be able to send a great deal of mail on the strength of your sender reputation.

Message Systems doesn’t ship OpenSSL with Momentum – instead we rely on the operating system-supplied libraries on our supported platforms. As such, it’s up to our customers to maintain and configure these systems as securely as possible. This requires someone, whether they are a dedicated security resource or just the ‘IT guy with many hats’, to keep track of all applicable vendor notifications and advisories, and take action when necessary to promptly patch or update systems when serious issues arise.

This can seem like a fairly daunting task given the number of open source packages from all manner of developers and vendors that are typically ‘assembled’ into a modern operating system. Since the majority of our customers run on Red Hat or a derivative of it, Red Hat’s own security team and website are excellent resources to begin your email security and OpenSSL efforts. Red Hat provides timely notifications, patches and an authoritative commentary on the issues and their impact via their security blogs and other newsletters.

Information is key when it comes to security; the quality of that information even more so. Having access to up-to-date, accurate security advisories will allow you to see the issues in your own context. This will allow you to determine which of the many security notifications you’ll see each week apply to your specific deployment and configuration, and of those, which are serious enough to warrant immediate update and which can wait for a maintenance window.
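One check that belongs in the "take action" step above is confirming that the patch actually took effect: on Linux, updating the OS-supplied OpenSSL package replaces libssl/libcrypto on disk, but any long-running service (an MTA included) keeps the old copy mapped until it is restarted, and /proc marks such mappings "(deleted)". The following script is an added example, not Message Systems code; it assumes Linux /proc semantics, standard libssl/libcrypto file names, and uses constructed sample maps content for illustration.

```python
"""Find running processes still mapping a replaced OpenSSL library.

Added example (not Message Systems/Momentum code). Assumes Linux, where a
package update unlinks the old libssl/libcrypto file; processes that were
not restarted keep it mapped, and /proc/<pid>/maps shows it as "(deleted)".
"""
import os

_SSL_LIBS = ("libssl.so", "libcrypto.so")
_DELETED = " (deleted)"


def stale_ssl_libs(maps_text):
    """Return the sorted list of OpenSSL library paths that are mapped but
    no longer exist on disk, given the text of a /proc/<pid>/maps file."""
    stale = set()
    for line in maps_text.splitlines():
        # address perms offset dev inode [pathname]; pathname may be absent
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if not path.endswith(_DELETED):
            continue
        path = path[: -len(_DELETED)]
        if os.path.basename(path).startswith(_SSL_LIBS):
            stale.add(path)
    return sorted(stale)


def scan_processes(proc_root="/proc"):
    """Map pid -> (process name, stale libs) for every process that still
    has a deleted OpenSSL library mapped, i.e. that needs a restart."""
    findings = {}
    if not os.path.isdir(proc_root):
        return findings  # not a Linux-style /proc; nothing to scan
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as f:
                maps = f.read()
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited, or we lack permission to read it
        stale = stale_ssl_libs(maps)
        if stale:
            findings[int(pid)] = (comm, stale)
    return findings


# Constructed sample maps excerpts: a process on the patched library, and
# one (e.g. an MTA that was never restarted) still on the deleted copy.
SAMPLE_PATCHED = "7f1a0000-7f1b0000 r-xp 00000000 08:01 12345 /usr/lib64/libssl.so.1.0.1e\n"
SAMPLE_STALE = (
    "7f1a0000-7f1b0000 r-xp 00000000 08:01 11111 /usr/lib64/libssl.so.1.0.1e (deleted)\n"
    "7f1c0000-7f1d0000 r-xp 00000000 08:01 11112 /usr/lib64/libcrypto.so.1.0.1e (deleted)\n"
    "7f1e0000-7f1f0000 r-xp 00000000 08:01 22222 /lib64/libc-2.12.so\n"
)

if __name__ == "__main__":
    for pid, (comm, libs) in scan_processes().items():
        print(f"{pid} {comm}: restart needed, still mapping {', '.join(libs)}")
```

Run it as root after applying an OpenSSL update; an empty result means every process is on the patched library, and any listed process should be restarted during the same maintenance window.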

Message Systems may not ship many of the affected libraries and software, but we do monitor security issues and advisories from all the vendors of our supported platforms. If you need more information or want to know just how a specific issue relates to Momentum, then we’re always here to help.

With email deliverability so strongly influenced by sender reputation and the abundance of data stored and used to personalize the user experience, you can rest assured that would-be spammers, scammers and identity thieves are monitoring and acting on security vulnerabilities – and so should you.

When it comes to ensuring the integrity of your emails, the DMARC email standard is a must. Find out How DMARC Is Saving Email in this free E-Book.