Heartbleed Response and tDAR Security

Last week, internet security experts announced a major flaw ‘heartbleed‘ in commonly used encryption software (OpenSSL).  We take the security and safety of data entrusted to tDAR seriously.  We wanted to take a moment and both outline what we’ve done regarding the ‘heartbleed’ bug, but also take a moment to discuss how we protect your data. 

Was tDAR affected?

Like much of the internet, tDAR’s infrastructure was running a version of OpenSSL that was affected. We have seen no evidence that this bug was exploited.  The Digital Antiquity staff took immediate action on a number of fronts including:

  • immediately patching each of the affected servers within hours of the announcement
  • working with our vendors to re-issue the SSL certificates that may have been compromised in the process

How do we handle server security?

The security of client’s data is of critical importance to us.  We take a number of standard approaches to managing the security of tDAR.  These include:

  • Limiting access to each of our machines and running and testing firewalls that limit this access
  • Running Enterprise focused OS versions which tend to be more conservative from a security standpoint and undergo more testing.
  • Patching our servers regularly, usually daily.
  • Limiting the services and applications running on our machines.
  • Coordinating with external IT specialists in the University and elsewhere to test our servers for common vulnerabilities.

How do we handle application security?

  Beyond testing and patching our servers, we also test the application regularly.

  • We work with external IT specialists to run common security analysis tools on our software to identify vulnerabilities.
  • We try to hack our own software.
  • We run over 1000 tests on our software prior to release, many of these are focused around rights and permissions. A number of these tests also attempt to perform actions that a user would not have rights to perform, eg. escalate permissions.