What does Heartbleed say about SaaS?

As previously noted, LogicMonitor was fortunate that none of its infrastructure or services were vulnerable to Heartbleed (CVE-2014-0160).  But the fact that many sites with excellent security were affected may lead some to question the wisdom of putting business information in the hands of a SaaS provider, no matter how secure, given that the service will necessarily be delivered over the Internet.

I think the fact that the SaaS providers that were affected remediated the vulnerability almost immediately (Stripe and Chargify, for example) argues that SaaS providers are a good choice for such information.  The entire business of a SaaS company like LogicMonitor rests on its ability to earn and keep its customers' trust, month after month.  Consequently, SaaS providers have to react quickly to vulnerabilities, and they are organized to do so: one code base, one set of configurations, and an operations team that already has the tooling to roll a change to every host.

Compare that to internally hosted software.  While there may not be the same sense of urgency, due to more limited exposure, premises-based software will inevitably take longer to secure.  First the vendor has to issue a patch, which takes longer (understandably, since the vendor has to be sure the patch works across the myriad software and hardware configurations and versions its customers may be running; a SaaS vendor only has to test against the configuration it actually runs).  Then the internal IT staff have to schedule the patch in a change control window.  And with Heartbleed, patching is only the first step: because the bug disclosed server memory, any private keys, session tokens or credentials that passed through a vulnerable process have to be treated as exposed, so certificates need to be reissued and keys rotated after the patch lands, which adds a second change to the queue.  VMware, for instance, has reported that ESXi 5.5 is vulnerable, but has not yet issued a fix.  Our TechOps team certainly went into overdrive as soon as Heartbleed was announced, and had our services been vulnerable, I am confident that Puppet would have been pushing out updates that same day.
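The first question any operations team had to answer that day was which hosts were actually running an affected OpenSSL. The following is an added example, not code from the original post or from LogicMonitor: a POSIX shell classifier for the version string that `openssl version` prints, plus a check of the build flags from `openssl version -f`. The affected upstream releases are 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g, 1.0.2-beta2 and later, and builds compiled with -DOPENSSL_NO_HEARTBEATS are not affected, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The sample version strings in the test are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string by Heartbleed exposure.
# Caveat: distributions backport the fix without bumping the version string
# (Debian's and RHEL's "1.0.1e" packages were patched but still report 1.0.1e),
# so "vulnerable-upstream" means "go check the package changelog for
# CVE-2014-0160", not "confirmed exploitable".

# $1 is the output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Prints one of: vulnerable-upstream, fixed, not-affected, unknown.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        # 1.0.1 and 1.0.1a-f (including suffixed builds such as 1.0.1e-fips)
        # and the first 1.0.2 beta shipped the buggy heartbeat handler.
        1.0.1|1.0.1[a-f]*|1.0.2-beta1)
            printf 'vulnerable-upstream\n' ;;
        # 1.0.1g onward and 1.0.2-beta2 onward carry the bounds check.
        1.0.1*|1.0.2*)
            printf 'fixed\n' ;;
        # Older branches predate the heartbeat extension; 1.1.x and 3.x
        # were released after the fix.
        0.9.*|1.0.0*|1.1.*|3.*)
            printf 'not-affected\n' ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# $1 is the output of `openssl version -f`; a build that disabled the
# heartbeat extension shows -DOPENSSL_NO_HEARTBEATS in its "compiler:" line.
# Returns 0 (true) when heartbeats were compiled out.
heartbeats_compiled_out() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: report on the OpenSSL found on this host, if any.
if command -v openssl >/dev/null 2>&1; then
    status=$(heartbleed_status "$(openssl version)")
    if [ "$status" = vulnerable-upstream ] && \
       heartbeats_compiled_out "$(openssl version -f)"; then
        status='not-affected (heartbeats compiled out)'
    fi
    printf '%s: %s\n' "$(openssl version)" "$status"
fi
```

On a distribution-packaged host the version string alone is not the answer; after a "vulnerable-upstream" result, confirm with the package changelog (for example `rpm -q --changelog openssl | grep CVE-2014-0160` on RHEL-family systems) before deciding a host still needs the patch, and remember that the patch does not retire keys that a vulnerable process may already have leaked.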

Some have used Heartbleed to argue that it proves all open source software (which many SaaS applications are built on) is inherently not to be trusted.  But vulnerabilities exist in all software, open or closed.  (Hard to believe, but Windows has had a vulnerability or two.)  What distinguishes vendors is not whether they ship vulnerable code but how quickly they find out and how quickly they fix it.

I think the real lesson here is to compare how quickly vulnerabilities are remediated in SaaS deployments, by companies with a compelling business interest in keeping your data secure, with how quickly on-premises software is secured after an announcement.  Measured from disclosure to the moment the last affected host is patched and its keys rotated, the results are pretty clear.